HIPAA Compliance Services

We provide many services to help you align with the HIPAA compliance standard.

NuHarbor Security has worked with some of the largest Hospitals and Healthcare providers in the country to help protect their patient information and comply with the HIPAA compliance standard.



HIPAA

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States law that provides the provisions for data privacy and security for safeguarding medical information. The HIPAA Privacy and Security Rules provide safeguard requirements for Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) held or transmitted by a covered entity or business associate.



NuHarbor Security HIPAA Security Services

NuHarbor Security offers a breadth of services to help organizations and covered entities conform with the HIPAA compliance security standards. We have extensive experience partnering with organizations and healthcare providers to comply with HIPAA, improve their security posture, and reduce the cost to conform with the HIPAA legislation. As described below, our Security Services and Professional Services align directly with many components of the HIPAA Security Standards.

Compliance Services

Recent Blog Posts

The Difference Between a Controls Assessment and a Risk Assessment

By: Kristof Holm We’ve written several blogs on risk assessments and controls assessments. However, these two terms are often co-mingled, used interchangeably, or incorrectly. Unfortunately, it’s very easy to do this and often if we aren’t careful even professionals...

HIPAA Security Services Alignment:

ADMINISTRATIVE SAFEGUARDS	SUMMARY REGULATION	HOW WE HELP
164.308(a)(1)(i)	Security Management Process Implement policies and procedures to prevent, detect, contain and correct security violations. Specifications include: · Risk analysis (1A) · Risk management (1B) · Sanction policy (1C) · Information system activity review (1D)	Risk Assessment and Risk Management Security Policy Development MSSP (Managed Security Services Provider)
164.308(a)(2)	Assigned Security Responsibility	Customer directed
164.308(a)(3)(i)	Workforce Security Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information (EPHI) and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. Specifications include: · Authorization and/or supervision (3A) · Workforce clearance procedure (3B) · Termination procedures (3C)	Security Policy Development
164.308(a)(4)(i)	Information Access Management Implement policies and procedures for authorizing access to EPHI. Specifications include: · Isolating health care clearinghouse functions (4A) · Access authorization (4B) · Access establishment and modification (4C)	Security Policy Development
164.308(a)(5)(i)	Security Awareness Training Implement a security awareness and training program for all members of its workforce including management. Specifications include: · Security reminders (5A) · Protection from malicious software (5B) · Log-in monitoring (5C) · Password management (5D)	MSSP (Managed Security Services Provider) Security Awareness Program Implementation and Delivery
164.308(a)(6)(i)	Security Incident Procedures Implement policies and procedures to address security incidents. Specifications include: · Response and reporting	Security Policy Development Incident Response Playbook Development
164.308(a)(7)(i)	Contingency Plan Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain EPHI. Specifications include: · Data backup plan (7A) · Disaster recovery plan (7B) · Emergency mode operation plan (7C) · Testing and revision procedures (7D) · Applications and data criticality analysis (7E)	Security Advisory and Consulting
164.308(a)(8)	Evaluation Perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the above administrative safeguard requirements.	HIPAA Security Assessment Infrastructure Penetration Testing Application Penetration Testing Static/Dynamic Code Reviews
164.308(b)(1)	Business Associate Contracts and Other Arrangements	Security Advisory and Consulting
PHYSICAL SAFEGUARDS	SUMMARY REGULATION	HOW WE HELP
164.310 (a)(1)	Facility Access Controls Implement policies and procedures to limit physical access to its electronic information systems while ensuring that properly authorized access is allowed. Specifications include: · Contingency operations (i) · Facility security plan (ii) · Access control and validation procedures (iii) · Maintenance records (iv)	Security Policy Development Security Advisory and Consulting
164.310(b)	Workstation Use Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.	Security Policy Development Security Advisory and Consulting
164.310(c)	Workstation Security Implement physical safeguards for all workstations that access EPHI, to restrict access to authorized users.	Security Policy Development Security Advisory and Consulting
164.310(d)(1)	Device and Media Controls Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. Specifications include: · Disposal (i) · Media re-use (ii) · Accountability (iii) · Data backup and storage (iv)	Security Policy Development Security Advisory and Consulting
TECHNICAL SAFEGUARDS	SUMMARY REGULATION	HOW WE HELP
164.312(a)(1)	Access Control Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights. Specifications include: · Unique user ID (i) · Emergency access procedure (ii) · Automatic logoff (iii) · Encryption and decryption (iv)	Security Policy Development MSSP (Managed Security Services Provider)
164.312(b)	Audit Controls Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.	Security Policy Development MSSP (Managed Security Services Provider)
164.312(c)(1)	Integrity	Security Policy Development Security Advisory and Consulting
164.312(d)	Person or Entity Authentication	Security Policy Development Security Advisory and Consulting
164.312(e)(1)	Transmission Security Implement technical security mechanisms to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. This includes both: · Security measures to ensure that EPHI is not improperly modified; and · Mechanisms to encrypt EPHI The appropriate control should be determined through a risk analysis to ensure that EPHI is protected in a manner commensurate with the associated risk when it is transmitted from one place to another. With regard to unsolicited EPHI –e.g., in email from patients — protection must subsequently be afforded once that information is in the possession of the covered entity.	Security Policy Development Security Advisory and Consulting

ASSESSMENT & ADVISORY

SECURITY TESTING

PROFESSIONAL SERVICES

SECURITY CERTIFICATIONS

COMPLIANCE ASSESSMENTS