The Health Insurance Portability and Accountability Act of
1996 provides for the protection of patients’ health care information. In
response to growing demand for security expertise in health care, Practical
Security Inc. (PSI) provides a full line of HIPAA support services for small
and medium-sized health care organizations. The new services are focused on
self-certification support using published HIPAA security criteria.
The government has not approved any organization to certify
covered entities in compliance with HIPAA security requirements but strongly
recommends “self-certification.” Self-certification is documented in a letter
signed by the organization’s executive management and compliance officer. This
letter clearly states management's responsibility for the effectiveness of the
information security control structure.
The HIPAA Audit is the first step of a three-step process
towards self-certification. The second step is for the self-certifying entity
to correct required items and the third step is to have PSI confirm that all
required items have been corrected before creating and signing a
HIPAA Security Audit
This security audit includes a HIPAA gap analysis and
Business Impact Analysis (BIA) based on the security provisions of section
142.308 of HIPAA. This section describes the administrative, physical, and
technical control measures required to protect confidentiality (security),
integrity, and availability of protected health information (PHI).
PSI returns periodically to reassess security controls and
processes. This meets the expectation of due diligence recommended in the
published HIPAA guidance documents.
Third Party Review
Objectivity is crucial to the validity of the self-certification.
The Department of Health and Human Services (HHS) has strongly
recommended outside review of compliance in self-certification.
Practical Security, Inc. acts as an external party with adequate
training regarding generally accepted security guidelines