Talk to a Tech:

Your Organization Probably Isn’t HIPAA Compliant



The Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996.  The HIPAA Privacy Rule covers Protected Health Information in any medium and the HIPAA Security Rule covers electronic protected health information. This extensive listing of responsibilities is seemingly never ending and highly regulated.  The fines associated with failure in compliance has affected companies of all shapes and sizes.  

The American Medical Association reports on their website;

In June 2005, the U.S.Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom"knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of$250,000, and imprisonment for up to ten years.


A Deeper Dive

Protected Health Information (PHI) is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:

  • the individual’s past, present or future physical or mental health or condition or
  • the provision of health care to the individual or
  • the past, present, or future payment for the provision of health care to the individual

Additional Employer Responsibilities Under HIPAA

  • Employers must put in place security rule compliance policies and procedures.
  • Medical records must be stored separately and apart from other business and personnel records, to ensure their confidentiality and limited access.

Employers (or their providers) must update plan documents and business associate agreements to comply with the security rules. All programs that deal with employee health information such as flexible spending plans, wellness programs, or employer self-insured options must be HIPAA compliant.

  • State privacy laws that may be even stricter and must be complied to.
  • Employees must be notified every time there is a substantive change in their plan that may affect medical privacy. Additionally, if the employer's state makes substantive changes, new privacy amendments may be necessary.
  • Employers must notify employees of their privacy rights, then update the notice, redistribute the notice, or point to it every three years starting by April 14, 2006, for large plans and April 14, 2007, for small plans.
  • Employers must train any employee who has contact with medical records in appropriate HIPAA compliance.
  • Employers must investigate any privacy complaint that they receive. Consequently, employers may want to have a written policy for responding to and investigating any privacy complaint that they receive. Employers should put the results of their investigation in writing.
  • Employers must discipline any employee who disregards or disobeys HIPAA privacy requirements.


PHI prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures

So how does a business manage its compliance piece and protect its patients? How does a business not spend critical overhead dollars? How does a business manage its Physical, Administrative and Logical Safeguards? How does a business protect itself and it’s employees from a massive mistake?

Businesses that want to manage HIPAA efficiently make a simple call to NetSource One. We understand the technology that guards your consumers’ sensitive health information. We have the tools and expertise to help you meet HIPAA standards.

The NetSource One HIPAA Risk Assessment is not just another “checklist” approach. We use a structured methodology to collect and present the data required to demonstrate your compliance with the HIPAA regulations.

Think of it like a medical engagement. We will:

1. Gather information about your current condition.

2. Conduct ‘lab tests’ to get under the skin of your information technology.

3. Provide a treatment plan.


NetSource One presents you with a package designed specifically to meet auditor requirements. Our package includes:

· The Risk Analysis required by regulation

· Supporting Worksheets and Reports that document your compliance efforts, and,

· Management Plan to re mediate any shortfalls.


Simple, easy, effective HIPAA management is only a phone call away. To further discuss this process, please contact:

Wes Reynolds, CISSP

Information Security Consultant

(989) 498-4549


Security News

Locky Email Virus Spreading Like Wildfire

Stop Threats Before They Hit the Network

As some of you may know there is a devastating email virus spreading like wildfire. The Malware is called “Locky”. It is disguising itself as an email attachment and has been using various file types (Word Doc, Excel, ZIP, PDF and etc.). Once you open the attachment Locky Malware can encrypt 164 different file types. Locky encrypts files on all fixed drives, removable drives and also on RAM disk drives. The hackers are after your money, they are trying to get users to pay them to remove the virus, do not follow payment instructions or give your personal information!!!

How to reduce risk of being infected:

  • Use an advanced email firewall service such as Barracuda
  • As always, don’t open suspicious attachments (e.g. .doc, .xls, and .zip files)
  • Keep recent backup copies of important data in a secure place either online or offline
  • Ensure that your system and applications are fully updated and patched
  • Disable Microsoft Office macros by default and never enable macros in strange/unknown attachments that you receive via email

We have been seeing a large increase of the message types on our Barracuda Anti-Spam filter over the last 72 hours. Our Barracuda Anti-Spam filter is currently catching the emails and attachments for all of our Anti-Spam customers, but everyone is still at risk until the threat is fully detectable. For those who are unaware the Barracuda Email Security Gateway is integrated with a cloud-based service that pre-filters email before delivery to the onsite Barracuda Email Security Gateway. The Cloud Protection Layer is continuously updated with definitions in real time from Barracuda Central. In addition, Barracuda’s global cloud infrastructure provides the flexibility to handle email surges during specific periods of the day and during Denial of Service attacks. For our clients who do not use Barracuda or other spam firewall please contact us with any questions or concerns.

Learn More