Frequently Asked Questions


The Security Rule (2005)

The Security Rule regulates cybersecurity and establishes guidelines for protecting electronic PHI (ePHI). The Security Rule uses the National Institute of Standards and Technology Risk Management Framework (NIST-RMF) 800-53 to set guidelines for safeguarding ePHI. The Security Rule establishes administrative, physical, and technical safeguards that entities who come into contact with PHI must implement.3

1. Administrative Safeguards

Administrative safeguards require entities to document the activities they perform for HIPAA compliance. Some of the required activities include:
  • Designating a Security Officer (Your Privacy and Security Officer can be the same person)
  • Training all staff members who come in contact with PHI
  • Completing a thorough Risk Assessment
  • Documenting Security Policies and Procedures
  • Designating a Security Officer
  • Documenting a Disaster Recovery Plan
The Administrative Safeguards are the plans that set the standards for the Physical and Security Guidelines. It’s important to take time to plan for HIPAA compliance first and then implement policies you create. This saves both time and money.

2. Physical Safeguards

Physical safeguards regulate the way entities handle physical systems and equipment that contain PHI. Devices like servers and computers must be kept in a secure location. Any office or building where these devices that contain PHI are stored should have physical security, backup power, and fire suppression systems. Tracking employees’ and vendor access to the building is also a good idea. It’s important to keep detailed access logs of personnel that enter secure onsite spaces to control, monitor, and limit who sees PHI. If you use a Managed Service Provider or IT contractor, you must have a signed Business Associate or Business Associate Subcontractor Agreement with them.

3. Technical Safeguards

Technical safeguards outline IT-related security practices to protect ePHI. HIPAA requires entities to encrypt data in three phases: at rest, in transit, and in storage. PHI transmitted via email should be sent using email encryption to safeguard the information as it passes from sender to recipient. Only the intended recipient can open an encrypted email, so sensitive information remains safe even when you send it to the wrong person. Examples of technical safeguards include:
  • Assigning unique logins for users
  • Setting automatic timeouts in systems containing PHI
  • Using 2-factor authentication for all systems that hold ePHI
  • Installing anti-malware software on devices
  • Encrypting hard drives
  • Password protecting all devices
  • Locking desktop computers to workstations4

Covered Entities

  • Est. 700,000
  • Health care providers who bill electronically
  • Health plans that pay providers
    • Medicare, Medicaid
    • Private Health Plans
    • Self-Insured Businesses

Business Associates 

  • Est. 2-3 million
  • Companies that support Covered Entities
  • Come in contact with ePHI or the systems that have it
Federal HIPAA Enforcements (Penalties)
  • 2014 +215 = $14 million
  • 2016 + 2017 = $42 million
  • 2018 + 2019 = $41 million

HIPAA Guidance & Enforcement

  • Business Associate Liability Fact Sheet (link) - BA's MUST
    • Comply with the Security Rule - All 40+ requirements
    • Protect PHI, not disclose it, report breaches to Covered Entities
    • Manage Subcontractors to ensure their HIPAA compliance
  • Tennessee Imaging Practice $ 3 million Penalty (link)
    • Failed to conduct an accurate and thorough assessment of their risks
    • Failed to sign a business Associate Agreement with its IT support vendor and 3rd party data center
  • March 2020 - 1 doctor medical practice - $ 100,000 (link)
    • Failed to conduct an accurate and thorough assessment of their risk

Office of Civil Rights (OCR) has under went budget cuts for 2020. Say's it will make up budget cuts with enforcement. (link)

This is a statement heard by many, and it is a MYTH. FACT: ePHI is everywhere. It is in every document, e-mail, scanned image, photograph, electronic fax, even voice messages that can identify a patient and includes information about their treatment, diagnosis or payment. What is PHI?  Protected Health information (PHI)
  • Identifiable (18 different identifiers)
  • Plus treatment and/or diagnostic information
Electronic Protected Health information (ePHI)
  • PHI in electronic form 
  • Words, images, voice files
  • On any media
  • HIPAA - Heath Insurance Portability & Accountability Act - 1996
  • HITECH Act - 2009
  • Privacy Rule - spoken, written, and electronic patient info
  • Security Rule - framework for protecting electronic patient data
  • Breach Notification Rule - patient notification & govt. reporting
  • HIPAA Omnibus Final Rule - changed all 3 rules in 2013
Compliance is anything that someone makes you do.
  • Cybersecurity is not compliance
  • Cybersecurity is Protecting Data
  • Compliance is doing it in accordance with rules, and creating the written evidence necessary o survice an audit, investigation, or lawsuit.

We primarily focus on Organic SEO methods. This allows for companies to have a more long term approach and can cost less in the long run. PPC strategies work, but they stop as soon as you stop paying. Creating Quality Content, Building Brand Awareness and Site Authority are things that will last. This is not to say we are against PPC, and a lot of times we will recommend a hybrid approach to take advantage of the short term gains. At the end of the day, this is not an exact science, but the methods and strategies applied correctly will deliver results. Online marketing is changing at a faster rate than ever before and so we must continually change as well.

We are vendor agnostic and can work with any vendor, however, we do have direct partnerships with Microsoft, Dell, Zixcorp, Tawk, GoDaddy, TechData, and others. We currently use Google for advertising and marketing campaigns as 90+% of searches are funneled through their platform, however, we no longer recommend Google for mail or web hosting due to company policies and past privacy concerns. If you have any concerns or questions, send us an email. We would love to chat.

As more companies and websites have been impacted by cyber-security, we only provide full web hosting management. This allows us to have complete control, and complete responsibility for updates and issues related to your site. If you want to host with another provider, we understand, but we will not be able to service your site. We do offer free site migration. Additionally, upon request, you will have access to your site 24/7.

I know you have heard this before, but it is true; every project we take on is unique. Yes there are similarities, but there are a few factors that really make the difference: Bundling, Speed of Delivery, and Internal Application Impact. Even though our process may be very defined, how it applies to our client's is totally different. Set up a discovery call, we promise we won't even talk cost the first time, unless you want to.

For us, it is a matter of involvement. Our consulting services can consist of assessment, strategy development, implementation and/or review, whereas we perform the services. Our coaching approach is more directly focused around the team not the task or project. We tell our clients, the best way to figure out which service they need is to figure out who will be answering most of the question.

Simple answer is no. We are unique in that we are actually in a position to implement our strategies directly and through a network of premier partnerships. Of course, if you wish to just use us for consulting, that is perfectly fine too. He offer ad-hoc, per project and long term plans.