P&N is now EisnerAmper

Effective May 21, 2023, P&N has joined EisnerAmper. Read the full announcement here.

Consulting Services • Published 12/01/2016 Protecting Your Data: Information Security for HIPAA and HITECH


Protecting your data before an incident occurs is becoming increasingly crucial for organizations. And with heightened scrutiny and increased penalties under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, keeping your data safe and your security measures up-to-code is a top priority.

If your organization needs an assessment of your information security controls in accordance with the HIPAA Security Rule and the HITECH Act, below is an overview of the security risk analysis and remediation process. These steps can help ensure your organization protects your data and avoids costly penalties.

Security Risk Analysis - The first step to help protect your organization from potential data breaches is to conduct a security risk analysis. The goal of this analysis is to identify potential threats and vulnerabilities. Threats and vulnerabilities to sensitive data can exist in many technical and non-technical forms. For example, team members with unnecessary access to sensitive data.

During a risk analysis, you will also identify and assess your current security measures, and verify that your security and control measures are in compliance with the safeguards prescribed by HIPAA and/or HITECH.

Policy Development - Once you have performed a security risk analysis, the next step is to create policies to address the security vulnerabilities and enhancements identified during the risk analysis process.

Employee Training - Once you have processes and policies in place, it is critical to communicate these policies and train your employees on the procedures. People are often the weakest link in any security chain. Even the most effective security is subject to human nature. An employee who has not been properly trained on security procedures is more susceptible to exploitation by a hacker. Hackers often seek to take advantage of the trusting nature of employees through phishing, malicious email attachments, and other methods in order to gain entry to data systems or physical locations.

Security Management Program - Through your risk assessment and analysis of security vulnerabilities, you will have a resulting corrective action plan. The corrective action plan is where the rubber meets the road. It is critical to not only take the necessary remediation steps to correct security gaps or vulnerabilities identified by the risk assessment, but also to establish ongoing control testing and compliance monitoring processes to maintain compliance and data security going forward.


Security breaches are no longer a matter of if, but when. Organizations must prepare for the security events of the future and must be prepared to respond. You need an objective assessment of your information security controls to identify key security risks and implement best practice security standards to mitigate these risks.

P&N assists organizations with security risk analysis, policy and procedure development, employee training, and risk management in accordance with HIPAA, HITECH and other security standards.

Learn more about our Cybersecurity & Forensics Services

Scroll to Top