Atlantic.Net Blog

Strengthening Your HIPAA IT Audit & Compliance Department

Sam Guiliano
by Atlantic.Net under HIPAA Compliant Hosting

Have you been concerned with meeting the demands of the Health Insurance Portability and Accountability Act? Whether you are a covered entity or business associate, it’s essential to strengthen your HIPAA compliance IT mechanisms now. Let’s look at why compliance is increasingly important and how to quickly “beef up” your efforts.

  • The Debate over Healthcare Regulations
  • Warnings from HHS OCR
  • Misconceptions on HIPAA IT Requirements
  • HIPAA Compliance IT Surveys & Penalties
  • Nutshell Business Associate HIPAA Audit Checklist
  • Beef Up HIPAA IT with a Trusted Provider

The Debate over Healthcare Regulations

Healthcare companies and the companies that provide services for their protected health information should take notice that we have entered a new, more aggressive world when it comes to the connection between HIPAA and technology.

While everyone wants their private, protected health information to be safe, the HHS rules are a hotly debated topic, and for good reason:

  • Side #1 – Threat to innovation – As indicated in Fortune, regulations tie the hands of the healthcare field, making it difficult for firms to take advantage of groundbreaking advances in technology.
  • Side #2 – Ominous threat landscape – The massive, long-term hacks of Anthem and Community Health Systems have made the federal government consider compliance a top priority.

Innovation is certainly a legitimate concern: better diagnostics and treatments could be derived by health researchers and data scientists allowed to take full advantage of big data analytics and other technologies. However, security is fundamental too – especially given Reuters’ revelation that health information is worth 10 times what credit cards are on the black market.

Warnings from HHS OCR

Between June 2013 and June 2014, the Office for Civil Rights posted nine settlements totaling more than $10 million, one of which was of unprecedented size: $4.8 million. To highlight the fact that those fines were just the beginning, head OCR Chicago regional lawyer Jerome B. Meites told Law360 the upcoming activity by the regulatory agency would “pale in comparison to the next 12 months.” He added, “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up.”

Fast-forward to June 2015, and we see the same scenario: HealthITSecurity reports that Health and Human Services is again broadening its audit activities. This time, the focus is business associates. Beginning in the summer or fall, the HIPAA audit process will begin shifting into hyperdrive, with OCR director Jocelyn Samuels noting that both covered entities and business associates will now be under scrutiny to verify their HIPAA information technology (a change from previous audit efforts that focused exclusively on healthcare companies).

Misconceptions on HIPAA IT Requirements

You don’t have to be compliant with the healthcare laws if your company is a “mere conduit,” as is the case with many telecom and IT services. This exemption applies to situations in which data is only being transmitted or temporarily stored, such as in a healthcare hosting scenario. Examples include ISPs and paging companies. Any cases that go beyond pure transmission are not considered conduits.

“The key difference between a conduit and Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” said HealthITSecurity. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”

HIPAA Compliance IT Surveys & Penalties

The OCR has mailed out initial questionnaires to be filled out by companies that could be audited, a number of which are business associates. Based on the information provided by each organization, the Office for Civil Rights will decide whether to move forward with an audit. Some audits will occur directly at businesses, while others will be performed remotely.

HIPAA violations can lead to costly penalties, as discussed above. HHS can hit entities with fines in excess of $50,000 for any instance of noncompliance, even if the company didn’t mean to neglect the rule. In more extreme situations, when the agency determines that a violation was intentional and that the organization did not take steps to rectify it, settlements can be as much as $1.5 million for the year.

Nutshell Business Associate HIPAA Audit Checklist

The primary concern for business associates is the HIPAA Omnibus Rule. Here is a basic checklist of its expectations:

  • Implement protections so that PHI is not accessed without authorization
  • Notify covered entities when data is compromised
  • Verify that any subcontractors follow the parameters of HIPAA
  • Complete business associate agreements (BAAs) with all relevant clients and subcontractors
  • Record and retain documentation of all healthcare privacy and security efforts

Beef Up HIPAA IT with a Trusted Provider

You are fully responsible for some aspects of HIPAA compliance, such as staff training and the development of in-house policies and procedures. However, it’s a good idea to simplify the IT hosting aspect by working with an experienced, healthcare-ready provider – especially when beefing up compliance must be fast and error-free.

“Atlantic.Net’s reputation for 100% up-time, their secure infrastructure and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions VP of Product Development Joseph Nompleggi. “Our partner’s financial strength and proven track record are something we view with great confidence.” Why not spin up a HIPAA Compliant Server in under 30 seconds and experience our fast Cloud Servers?
