SecureState has developed a Privacy Rule framework that is more auditable and repeatable than what is currently available to the public.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA addresses the security and privacy of health care data. A HIPAA Gap is often used ahead of a full audit and highlights areas of compliance weakness for a company to improve upon. If an organization is selected for audit, there is very little time to respond: it has one opportunity to upload all requested information, within 10 business days. Without sufficient planning, this is all but impossible, and being unprepared to respond dramatically increases fines if viewed as willful neglect. During a HIPAA Gap, SecureState will examine administrative, physical and technical safeguards, and the policy, procedural, and privacy requirements for your organization. SecureState will examine each of these areas through a variety of methods, including interviews with key personnel and documentation reviews.


The HIPAA rules apply to covered entities and business associates. From healthcare providers to benefits administrators, pharmacies, and various service providers, HIPAA mandates that organizations have controls and processes in place to secure PHI in both hard copy and electronic formats. Audits by the Department of Health and Human Services’ Office for Civil Rights (OCR) have resulted in numerous findings and settlements, which have increased post-OMNIBUS (9/2013).

SecureState's HIPAA Gap will identify areas of noncompliance, reducing the cost, confusion, and complexity of HIPAA/HITECH compliance and helping your organization to avoid damages, often totaling millions of dollars, which could result from an ePHI/PHI compromise.


SecureState consultants are experts in understanding both the technical and business aspects of your organization. Our experienced team has worked with many organizations in the commercial, government, and health and human services sectors, including providers and service organizations. As part of these relationships, SecureState has gained extensive knowledge and experience with National Institute of Standards and Technology (NIST) security control frameworks, such as NIST SP 800-66, that are commonly used in government agencies and can be adopted by commercial organizations. In addition, SecureState has CIPP/US professionals on staff to help with both the Security and Privacy Rules outlined within HIPAA.

Approach and Methodology

To assess the effectiveness of an organization's HIPAA compliance, SecureState professionals will interview key individuals in information services and functional areas focusing on information security policies, procedures, and practices. SecureState interviews are specifically designed to address technical interviews most efficiently and effectively. Documentation that supports organizational controls is then gathered and reviewed for compliance with the HIPAA regulation.

SecureState will identify and assess various functional areas and information security risks associated with key applications and networks that deal with protected health information, and will use this information to identify gaps related to HIPAA privacy and security specifications.

SecureState’s end goal is to provide a roadmap for your organization to effectively protect ePHI/PHI and achieve full HIPAA compliance, which can successfully be demonstrated in the event of a formal audit. We will provide an assessment report outlining all findings and a roadmap to achieve these goals.
