
Securing Healthcare

Meet Your HIPAA Compliance Requirements

We work with hospitals, healthcare providers, and insurance organizations nationwide to safeguard patient data and ensure adherence to the Health Insurance Portability and Accountability Act (HIPAA). Our information risk and cybersecurity services align your internal processes and leadership's expectations with HIPAA requirements.

HIPAA Requirements

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to improve the efficiency of the healthcare system while safeguarding sensitive patient information. Over time, HIPAA has evolved to address the growing complexity of digital health data, culminating in a set of rules that govern how health information is used, disclosed, and protected. These rules - Privacy, Security, and Breach Notification - form the backbone of HIPAA compliance and are enforced by the U.S. Department of Health and Human Services (HHS). Together, they ensure that individuals' health data is handled with care, confidentiality, and accountability.

Who is Affected by HIPAA?

Covered Entities

A covered entity under HIPAA is any organization or individual that falls into one of three categories: health care providers, health plans, or health care clearinghouses. Health care providers - such as doctors, clinics, dentists, psychologists, and pharmacies - are considered covered entities if they transmit any health information electronically in connection with a transaction for which HHS has adopted a standard (like billing or insurance claims). Health plans include health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare and Medicaid. Health care clearinghouses are entities that process nonstandard health information into standard formats or vice versa. If an organization fits into one of these categories and engages in electronic transactions, it is required to comply with HIPAA regulations.

Business Associates

A business associate is a person or organization that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of protected health information (PHI). This includes a wide range of services such as billing, claims processing, data analysis, legal, actuarial, accounting, consulting, and IT support. Importantly, a business associate is not part of the covered entity's workforce but is instead an external party. To be classified as a business associate, the entity must have access to PHI in order to perform its duties. HIPAA requires that covered entities have a written agreement - known as a Business Associate Agreement (BAA) - with each business associate, outlining the responsibilities and safeguards required to protect PHI.

Protected Health Information (PHI)

The information protected under HIPAA is known as protected health information (PHI). This includes any individually identifiable health data - such as names, addresses, birth dates, Social Security numbers, and medical records - that is created, received, stored, or transmitted by a covered entity or business associate. When this information exists in electronic form, it is referred to as electronic protected health information (ePHI). HIPAA's protections apply regardless of the format, ensuring that sensitive data is safeguarded whether it's on paper, spoken, or digital.


Some CMMC Requirements Explained

SPRS Score

A key component of CMMC compliance is the Supplier Performance Risk System (SPRS) score, which reflects an organization's implementation of NIST SP 800-171 security requirements. Contractors must conduct a self-assessment and submit their score to SPRS, with higher scores indicating stronger cybersecurity postures. These scores are used by the DoD to evaluate a contractor's risk level and determine eligibility for certain contracts. Maintaining an accurate and up-to-date SPRS score is essential for demonstrating compliance and competitiveness in the defense marketplace.


Certification Assessment

CMMC certification assessments are conducted at three levels, each corresponding to the sensitivity of the information handled. Level 1 requires an annual self-assessment for basic safeguarding of FCI. Level 2, which applies to contractors handling CUI, requires a third-party assessment every three years, unless the DoD permits self-assessment for select programs. Level 3, intended for the most sensitive environments, involves government-led assessments. These assessments verify that organizations have implemented the required practices and processes to protect DoD information effectively.

NIST 800-171 Controls

At the core of CMMC Level 2 and Level 3 requirements is NIST SP 800-171, a set of 110 security controls designed to protect CUI in non-federal systems. These controls cover areas such as access control, incident response, system integrity, and configuration management. Organizations must implement and maintain these controls to achieve certification, and their effectiveness is evaluated during CMMC assessments. NIST SP 800-171 serves as the technical foundation for CMMC, ensuring that cybersecurity practices are aligned with federal standards.


How We Can Help You


Community

The BorderHawk Community, composed of security and compliance professionals, offers strategic value to leadership and risk management teams. Within the community, leaders gain access to real-time insights on emerging threats, regulatory updates, and proven mitigation strategies - shared by BorderHawk experts and peers who face similar challenges.

This collective intelligence accelerates decision-making, enhances incident response readiness, and fosters a culture of continuous improvement. For compliance officers and CISOs, the ability to benchmark practices, validate interpretations of complex regulations, and source solutions to nuanced problems reduces isolation and increases confidence in their programs.

Ultimately, the BorderHawk community strengthens organizational resilience and ensures that security and compliance efforts are both proactive and aligned with industry best practices.


Risk Assessment

Risk assessments are essential for any organization aiming to maintain strong security and compliance postures. They provide a structured approach to identifying vulnerabilities, evaluating potential threats, and understanding the impact of security incidents on sensitive information.

By regularly conducting risk assessments, organizations can prioritize resources effectively, implement targeted safeguards, and demonstrate due diligence in meeting their regulatory, contractual, and internal requirements. Risk assessments not only reduce the likelihood of data breaches and compliance violations, but also build trust with patients, partners, and regulators by showing a proactive commitment to protecting sensitive information.

In a rapidly evolving threat landscape, risk assessments are not just a regulatory checkbox - they are a strategic necessity.

Overwatch Compliance Framework

A detailed compliance framework is critical for organizations to navigate the complex landscape of regulatory and contractual mandates. Such a framework provides a structured, repeatable approach to managing policies, processes, incident response, and security controls - ensuring that every aspect of compliance is addressed systematically.

The rigor the Overwatch Framework brings helps eliminate gaps, reduce human error, and align internal practices with external expectations. Moreover, a well-documented framework enhances accountability, simplifies audits, and enables faster adaptation to regulatory changes.

The Overwatch Framework transforms compliance from a reactive obligation into a proactive, strategic asset that supports operational excellence and builds stakeholder trust.
