HIPAA - Planning, Training and Consulting Solutions

Companies that work with protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The American Recovery and Reinvestment Act of 2009, in Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.


The consultants of our strategic Business Partner, Covington & Associates, LLC, conduct audits designed to mirror the Office of Civil Rights (OCR) HIPAA Audit program, analyzing the processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. The OCR audit protocol is organized into modules, each representing a separate element of privacy, security, and breach notification.


As a result of a constantly changing healthcare industry and the Omnibus Act, many compliance programs that were put into place a decade ago are no longer sufficient to ensure compliance in today's environment. With the increased use of Electronic Health Records (EHR) and a growing dependence on information technology to meet our health care needs, it is essential to look at compliance with a new focus. For example, did you know that healthcare providers are required to have Business Continuity and Disaster Recovery Plans, and that those plans must be tested?


Our HIPAA compliance audit services allow your organization to evaluate the impact of HIPAA requirements before a formal evaluation is ever required by the OCR. This lets your executive team be proactive and confident that your systems sufficiently address the requirements and standards outlined by HIPAA, and it reduces the potential for non-compliance citations. Fines can be up to $10,000 per violation.


As healthcare facilities continue to digitize patient medical information, files will be more easily accessible to medical professionals and perhaps patients. As more stakeholders become involved in the care process, patient safety must remain a paramount concern for any healthcare provider.


The professional consultants of our strategic Business Partner, Covington & Associates, LLC, can provide comprehensive assistance to any healthcare provider, government entity or long-term care facility, whether it needs medical litigation support or wants to insulate itself from future problems related to HIPAA provisions. By working with our experienced experts, facilities can also obtain valuable healthcare IT consulting support that will allow them to achieve better patient health outcomes without putting patient safety in jeopardy.


The HIPAA Privacy and Security Rules call for severe penalties for healthcare providers that commit HIPAA violations. The Department of Health and Human Services (HHS) can penalize a facility as little as $100 for every violation, up to $25,000 annually for minor violations. Healthcare providers can avoid these penalties by showing that they corrected a data breach within 30 days and made a concerted effort to prevent the violation from happening in the first place.


Penalties escalate to a maximum of $50,000 per record in fines and a one-year prison sentence if an individual is found to have deliberately committed a violation, and such penalties grow exponentially if greater degrees of intent (involving personal gain, for example) can be proven.

Our audit services vary based on the type of covered entity reviewed, and our audit program assesses compliance in the following areas:


  • Privacy Rule requirements for:

    1. Notice of privacy practices for PHI

    2. Rights to request privacy protection for PHI

    3. Access of individuals to PHI

    4. Administrative requirements

    5. Uses and disclosures of PHI

    6. Amendment of PHI

    7. Accounting of disclosures

  • Security Rule requirements for administrative, physical, and technical safeguards

  • Breach Notification Rule

"We tried using templates, and they just did not fit our business model. We now manage our HIPAA requirements using plans tailored for our healthcare practice."