Most Common Problems

  • Lack of credible Risk Analysis
  • No event or access monitoring
  • No Business Continuity/Disaster Recovery plans in place
  • Lack of an incident response plan
  • Inadequate documentation

Covered Entities Should Confirm

  • That they have performed a recent HIPAA security risk analysis and that particular risks and vulnerabilities have been identified and mitigated
  • That administrative, physical, and technical safeguards have been extended to cover ePHI stored on mobile devices such as smart phones, tablet computers, and flash drives
  • That they precisely document their ongoing (at least annual) HIPAA training and their monitoring of the computer networks that store ePHI

How We Can Help

  • Perform a Risk Analysis
  • Implement a compliance manual, procedures, and controls


In January 2013, The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a final rule that implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We have found that most practices are HIPAA compliant but not HITECH or Security Rule compliant. Covered entities and business associates must comply with the HIPAA Security Rule. The Security Rule has three major safeguards; each safeguard consists of a number of standards, which in turn consist of a number of implementation specifications that are either required or addressable.

  1. Administrative Safeguards
    9 standards and 23 implementation specifications
  2. Physical Safeguards
    4 standards and 10 implementation specifications
  3. Technical Safeguards
    5 standards and 9 implementation specifications

Where are you with your compliance efforts? How confident are you that they would stand up under an OCR audit?

Trout, Ebersole & Groff, LLP can help close the gap by working with you and the procedures you already have in place for HIPAA, and by coordinating with your in-house or external IT personnel to design policies and procedures specifically for your organization, based on the complexity of your system.

For additional information about our HIPAA HITECH Compliance Services, please contact Tony Miscavige, CPA, CBCP at 717-569-2900 or .
