The Importance of Cybersecurity to Private Equity and M&A Firms: Part Two
In a previous post, we shared an Accenture study that cited the cyber risks faced by private equity (PE) and mergers and acquisitions (M&A) firms.
HIPAA requirements don’t end with implementing security controls: you also have specific responsibilities whenever a breach occurs. There are steps you are required to take both in investigating the breach to confirm what data was exposed and in reporting it.
Finding the right vendor is difficult because most providers only help with certain elements of HIPAA compliance. Some will perform assessments or self-audits but don’t help with implementation, or vice versa.
Rhodian will help you manage your incidents from a privacy point of view. This means ensuring you are meeting all of your obligations for notification, investigations, and remediation of the incident.
We will help you manage any third-party vendors you work with. You remain responsible for the protected health information you share with business associates, including having a business associate agreement in place with each of them.
You will get access to individual coaching on maintaining your HIPAA program where you can get tailored advice for your business depending on what issues you are facing.
Services to help reduce risk.
The U.S. Department of Health & Human Services (HHS), through its Office of Inspector General (OIG), has identified seven core elements of an effective compliance program. Some of these are straightforward, but others are left open to interpretation.
Here, we break down each of these seven elements, outlining how they should be applied to meet your HIPAA obligations:
The first element is written policies and procedures. HIPAA requires that covered entities have written policies and procedures addressing each aspect of the law. Some companies believe a notice of privacy practices is sufficient to comply with this requirement, but it is not. The documents must accurately reflect your privacy practices, down to the details of your day-to-day operations. Because these are legal documents, preparing them can be difficult for businesses that lack in-house legal expertise. Since they are the first thing most auditors will request when evaluating your compliance, you want to make sure they are prepared properly.
The second element is a designated compliance officer and committee. HIPAA requires covered entities to designate a privacy official (and, under the Security Rule, a security official); the OIG guidance adds a compliance committee to oversee the program. The privacy officer is responsible for developing a HIPAA-compliant privacy program and enforcing it. This includes protecting the confidentiality and integrity of protected health information (PHI), training employees on privacy, conducting risk assessments, and developing HIPAA-compliant procedures where necessary. To properly fulfill this role, the person must keep up to date with all relevant state and federal laws.
The third element is training and education. It’s imperative that your company trains employees on how to properly handle and protect PHI. Training must be provided to each member of the workforce within a reasonable period of time after they join the covered entity, and again whenever a material change in policy affects their job. It should be tailored to the person’s role and repeated periodically for current employees.
The fourth element is effective lines of communication. Your organization’s culture should encourage openness around compliance issues. Employees should be able to report privacy and compliance concerns without fear of retaliation. They should also be able to ask for clarification and have documentation available to them so they can act in accordance with corporate policy.
The fifth element is internal monitoring and auditing. Just as people should get regular checkups to make sure they are healthy, your business needs regular internal audits to make sure everything is working as expected. This way you can be confident that you are HIPAA compliant and will pass an external audit. For this to be effective, your internal audits must closely follow the HIPAA requirements. It does you no good to pass an internal audit if the criteria being used don’t reflect what the Office for Civil Rights (OCR) will look for.
The sixth element is enforcing standards through well-publicized disciplinary guidelines. You need a documented plan for how you will enforce your HIPAA compliance program. This includes notifying employees of new policies, making documentation available to them, training them, and taking disciplinary action when people do not comply with the directives laid out by management. Establish and publicize in advance what actions will be taken when an employee fails to adhere to the compliance program.
The seventh element is responding promptly to detected problems and taking corrective action. Responding to violations quickly is essential to staying compliant and avoiding fines. Whenever a violation occurs, it should be reported through the appropriate channels, including but not limited to the organization’s privacy officer. Civil penalties may be waived for a violation that was not due to willful neglect if you correct it within 30 days of discovering it. You are also obligated to notify affected individuals of reportable breaches “without unreasonable delay” and no later than 60 days after discovery. Finally, you must provide a process for individuals to file complaints about your privacy practices; individuals can also complain directly to OCR, generally within 180 days of when they knew or should have known of the act.
Our experience with hundreds of businesses across diverse industries provides us with the expertise to understand your unique challenges.