HIPAA-C
HIPAA / HITECH Security Rule Compliance
Illumant leverages deep HIPAA Security expertise to help healthcare institutions, providers, payers, and business associates reduce the burden of HIPAA / HITECH / Meaningful Use compliance — while improving real security to avoid breaches and penalties.
The healthcare security challenge
Hospitals, clinics, health plans, and business associates ("covered entities") have to make ePHI available to clinicians and patients on demand — billing, insurance, imaging, lab, EHR — while protecting that data from theft and accidental disclosure. They do this in open, heavily-trafficked environments, with under-staffed and budget-constrained IT teams, under one of the most heavily-regulated frameworks in U.S. law.
Illumant's HIPAA-C service is a straightforward solution for the Security Risk Analysis required by §164.308, the safeguards required by §164.310 and §164.312, and the Meaningful Use objective tied to that same risk analysis. HHS audits and breach-notification penalties are rising — non-compliance is no longer abstract.
The Security Rule, in plain terms
§164.308 — Administrative safeguards
Security management process, assigned security responsibility, workforce security, information access management, awareness training, incident procedures, contingency planning, and BAA management. The required Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A)) lives here.
§164.310 — Physical safeguards
Facility access controls, workstation use and security, and device & media controls — including disposal, re-use, accountability, and data backup/storage of ePHI.
§164.312 — Technical safeguards
Access control (unique IDs, emergency access, automatic logoff, encryption), audit controls, integrity controls, person/entity authentication, and transmission security.
§164.314 / §164.316 — Organizational & documentation
Business associate contracts, group health plan requirements, and the policies, procedures, and documentation retention obligations that wrap the rest.
What's included
- HIPAA Security Risk Assessment (RA-HIPAA) — qualitative + quantitative analysis with cost-benefit risk reduction
- HIPAA Gap / Policies, Procedures and Practices Assessment (PPPA-HIPAA Gap)
- Perimeter Security Assessment & Penetration Testing (PSA) of internet-facing ePHI systems
- Critical Asset Security Assessment (CASA) of EHR/EMR, billing, scheduling, imaging
- LAN Security Assessment (LANSA) of internal networks and clinical VLANs
- Social Engineering — phishing, vishing, and pretext-based testing of clinical and admin staff
- Physical Security Assessment of facilities housing ePHI
- Sample HIPAA-C deliverable available on request
Case study — hospital / clinic
Illumant helped a hospital/clinic comply with the security risk assessment and safeguards requirements of the HIPAA Security Rule, the HITECH Act, and Stage 1 Meaningful Use, while performing technical penetration testing to provide a realistic assessment of the organization's security posture and its preparedness to defend itself against cyber-attacks.
Related security assessments
What we typically pair with a HIPAA engagement.
- PSA, Perimeter Security Assessment & Penetration Testing: find the weaknesses in your perimeter before hackers do.
- CASA, Critical Asset Security Assessment: test the systems that, if breached, would hurt the most.
- LANSA, LAN Security Assessment: assume breach, then prove what an insider can reach.
- SocEng, Social Engineering: test employee awareness of cyber-security threats.
- PhySA, Physical Security Assessment: locks, badges, cameras, and the humans guarding them.
- WASA, Web Application Security Assessment: OWASP-aligned testing of the apps your business runs on.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.