Healthcare / Medical Research
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare facilities (hospitals, clinics, private practices, and similar organizations) that handle Protected Health Information (PHI) to take measures to protect patient data. Whenever a healthcare facility outsources a service that involves PHI, the service provider must also be HIPAA compliant.

The following covered entities must follow HIPAA regulations: health plans; healthcare providers, including doctors, clinics, hospitals, nursing homes, and pharmacies; and healthcare clearinghouses. HIPAA also applies to business associates, i.e., third parties that perform functions or activities on behalf of a covered entity that require the use or disclosure of PHI, such as claims processing or administration. Entities that transmit PHI on behalf of a covered entity (or its business associate) and that require routine access to that PHI, such as regional Health Information Organizations (HIOs), are business associates under HIPAA.

While the HIPAA Privacy Rule safeguards all PHI, the Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. To comply with the Security Rule, every covered entity and business associate must ensure the confidentiality, integrity, and availability of all e-PHI; identify and protect against reasonably anticipated threats to its security or integrity; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by its workforce.

Healthcare organizations continually face evolving cyber threats that put patient data at risk.
This data is valuable to attackers, and healthcare providers must continually evolve their cybersecurity controls and defensive mechanisms. Under the HIPAA Security Rule, every covered entity and business associate must perform an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its e-PHI, and determine whether the controls in place are sufficient to protect it. Stetson performs risk analysis assessments and gap analyses to help covered entities achieve HIPAA compliance and improve their security posture. Annual assessments are essential to building a repeatable enterprise risk management program.