
Health Information Privacy


The Health Insurance Portability and Accountability Act (HIPAA) came into existence on August 21, 1996. HIPAA was enacted as a broad Congressional attempt at healthcare reform; it was initially introduced in Congress as the Kennedy-Kassebaum Bill. The landmark Act was passed in 1996 with two objectives.


One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act. It is relatively straightforward, and has been successfully implemented.

The second part of the Act is the "Accountability" portion. This section is designed to ensure the security and confidentiality of patient information/data. In addition, it mandates uniform standards for electronic data transmission of administrative and financial data relating to patient health information.

The HIPAA legislation required the Department of Health and Human Services (DHHS) to promulgate regulations on specific areas of HIPAA, called the Rules. These Rules were finalized at various times, and health care organizations had 2 or 3 years (depending on size) to comply with the specific requirements.

The Rules are composed of Standards. The HIPAA Standards resulted from many years of public and private sector collaboration. Industry workgroups were formed and reports written with recommendations on how to better manage and protect health information. The goal of this initiative was to define uniform standards for transferring health information among healthcare providers, health plans, and clearinghouses (covered entities) while securing health information and ensuring patient privacy and confidentiality.

Who is Affected by HIPAA?

HIPAA applies to health plans, healthcare clearinghouses, and to healthcare providers that electronically transmit health information in connection with standard transactions.

Health plan

"Health plan" generally includes any individual or group plan, private or governmental that provides or pays for medical care. Employee health benefit plans are excluded if they are self-administered and have fewer than 50 participants. Government-funded programs are excluded if their principal purpose is something other than providing or paying for health care, or if their principal activity is the direct provision of health care or the making of grants to fund health care.

Healthcare clearinghouse

"Healthcare clearinghouse" is a public or private entity that processes health information received from another entity, or converts transactions from non-standard into standard format, or vice versa. The regulations distinguish between a clearinghouse dealing with information in its own right (in which case it is bound by all the requirements of the regulations), and in its capacity as a business associate of another covered entity (in which case some of the requirements do not apply, but it is bound by its business associate contract with the covered entity). For example, the patient rights provisions would be enforced through the business associate contract, not directly.

Healthcare provider

"Healthcare provider" is any person or organization who furnishes, bills, or is paid for health care in the normal course of business. However, healthcare providers are covered by the rules only if they transmit electronic health information in connection with a standard transaction.

Processes to protect against internal and external threats

HIPAA Assessment

SMCPL's team of experts will conduct a comprehensive onsite risk assessment. This includes an evaluation of your organization's regulatory status based on security standards, administrative safeguards, technical safeguards, organizational requirements, policies & procedures, and documentation requirements. The resulting report outlines any deficiencies found and includes the steps needed to remediate them.


SMCPL does not just provide a gap analysis and walk away. Our team creates a customized Remediation Project Plan based on the findings, enabling your organization to track its progress. Covered entities and business associates can then correct the identified deficiencies with internal resources or outsource that work effort to SMCPL. SMCPL provides security consulting, network design, technology evaluation and selection, policy and procedure development, and IT integration and configuration services.

Validation and Reporting

Upon completion of deficiency remediation, SMCPL conducts a final audit review and issues a report of compliance. The report gives authorities, partners, and leadership proof of your organization’s compliance validated by a nonbiased third party.

Analyse the Administrative, Physical, IT and Policies & Procedure operations to determine what is in scope for the HIPAA / HITECH regulatory requirement.
Assess the Business Associate's regulatory posture and provide a report outlining deficiencies and vulnerabilities and the steps needed to remediate them.
We provide assistance creating the Remediation Project Plan which is available to the Company's Project team for the life of the entire project. Covered Entities and Business Associates may correct deficiencies with internal resources or outsource that work to SMCPL.
Upon completion of deficiency remediation, SMCPL conducts a final audit review and issues a report of compliance. This report can be shared with all appropriate authorities as proof of third party validation of compliance.
Regulatory compliance is an ongoing process that requires monitoring compliance levels by performing required daily, monthly, quarterly and annual compliance tasks and preparing audit documentation for planned and unplanned audits.

Health Information Trust Alliance (HITRUST)

The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), which builds upon HIPAA information security guidelines and requirements, has become the information protection framework for the healthcare industry. The HITRUST CSF is a collaboration of healthcare, technology, and information security leaders charged with creating a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.

In the past, the standard for information security in the healthcare industry was the Health Insurance Portability and Accountability Act (HIPAA). Instituted in 1996, the primary goal of HIPAA is to make it easier for people to keep their health insurance, to protect sensitive healthcare information, and to reduce healthcare administrative costs.

HIPAA standards require healthcare providers to ensure the confidentiality, integrity and availability of any data they create, access, store or transmit, and also to provide reasonable protection of this sensitive data. Often, however, HIPAA guidelines are too vague and allow too much latitude in their interpretation. As a result, healthcare providers that adhere to HIPAA requirements are often unsure of what constitutes "reasonable and appropriate" protections. Providers may therefore introduce security policies that are unnecessary or, at times, inadequate.

HITRUST helps organizations by laying out a comprehensive and efficient framework for managing security requirements described in HIPAA. HITRUST should be looked at as an important, industry-managed approach to meeting HIPAA security requirements.