The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules establish federal requirements for ensuring patient health information is protected.
Compliance with HIPAA Privacy and Security regulations can help ensure health information is not accessible to hackers, bad actors and others that pose a threat to patients’ privacy and security.
For health care providers, although complex, compliance with HIPAA is especially important. The federal government can impose severe sanctions on organizations found in violation of HIPAA. Federal regulations for Promoting Interoperability (PI) and the Quality Payment Program (QPP) also require participating providers to perform a security risk assessment each year to be in compliance with these programs.
The Kentucky REC can help with navigating HIPAA’s requirements to safeguard the confidentiality, integrity and availability of patient information. We offer three services to aid health care organizations: Security Risk Analysis, Vulnerability Scanning, and Project Management services.
For more information on these services, click the boxes below or contact the Kentucky REC today.
Security Risk Analysis
A Security Risk Analysis is an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic patient health information (ePHI).
Project Management Services
Planning is essential to mitigating risks. Whether it’s a policy limiting the use of unencrypted portable devices or testing back-ups to ensure a disaster recovery plan is effective, having a strategy and a plan helps prevent the unauthorized access, use, or disclosure of ePHI.
WEEKLY HIPAA TIP
HIPAA Privacy & Security: Contingency Planning Series – Part 5
How Often Should Your Contingency Plan Be Reviewed and Updated?
The HIPAA Security Rule requires that a Covered Entity or Business Associate perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart (CFR §164.308(a)(8)).
Here are some recommended best practices for ensuring you have an effective Contingency Plan:
- Review the Contingency Plan annually in conjunction with your other HIPAA Security Policies & Procedures, and record the review/update dates on the Contingency Plan policies themselves.
- Ensure the plan is updated when you hire new staff, purchase new IT hardware/software or change locations.
- Periodically test the plan to make sure it works and retain documentation of when testing takes place.
Check out our Weekly HIPAA Tips next week for our new series.
This reminder is part of a series of HIPAA Security Reminders from the Kentucky Regional Extension Center. These reminders can be used by covered entities and business associates looking to comply with the HIPAA Security Rule’s CFR §164.308(a)(5)(ii)(A), which states, “Security reminders (Addressable). Periodic security updates.”
Feel free to share this with your workforce/staff to remind them of the importance of safeguarding protected health information (PHI), especially PHI that is in electronic form (ePHI). A new security reminder is posted at the beginning of each week. If you have any questions or would like to speak to someone at the REC about HIPAA Privacy and Security, please contact us at Kentucky REC or call (859) 323-3090.
Previous HIPAA Webinars
Recorded July 2025
The Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information (NPRM) on Jan 6, 2025. This will be the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule in 2013. This webinar provides an overview of the proposed changes and expected timelines for regulated entities to meet compliance with the new rule.
Recorded May 2023
Security incident response and reporting is a required standard of the HIPAA Security Rule. Ransomware is the #1 security threat for all healthcare organizations, making this security standard more important than ever. Kentucky REC HIPAA Team Lead Amy Daley, along with guest speaker Ryan Lewis of CISA, shares guidance and templates for creating a security incident response plan, focusing on cyberattacks.
Recorded November 2024
With the number of healthcare data breaches continuing to rise, it’s important that healthcare organizations address oversights in their HIPAA security compliance program.
Kentucky REC advisor Amy Daley and guests from CISA share important updates from HHS regarding new goals for enhancing cybersecurity in the healthcare and public health sectors. They also discuss the most common “high risk” findings from the security risk assessments conducted in 2023.
Recorded December 2022
Kentucky REC advisor Amy Daley focuses on the safeguards most organizations need to strengthen in order to be better prepared for protecting against and responding to a ransomware attack.