HIPAA laws continue to evolve, and so does the need to ensure proper compliance and risk mitigation. HIPAA requires business associates to conduct an internal risk analysis to identify potential risks, evaluate their possible impact and make any changes the organization sees fit to minimize risk. Taking this a step further, APS engages an independent third party for additional oversight of our HIPAA compliance. APS undergoes annual HIPAA Compliance and Security Audits in two distinct ways:
Physical Safeguards: The HIPAA Security Rule requires all devices with ePHI to have HIPAA physical safeguards in place. This includes mobile devices, such as laptops, smartphones and tablets, that have access to or can transmit ePHI in any way. Further, APS contracts with an independent third party to validate the existence of these safeguards and evaluate other physical safeguards to ensure minimum necessary access to PHI throughout our operations. This includes physical access to various areas throughout our operation, visibility of PHI at workstations, control over the disposal of electronic and paper PHI, the ability to export data from devices, and training programs covering these and all HIPAA-related rules and regulations.
Vulnerability Scans and Penetration Testing: Although the HIPAA Security Rule does not contain a specific provision regarding internal and external vulnerability scans or penetration testing, APS views this as key to ensuring data security within our systems. Vulnerability scans are a tool to identify potential vulnerabilities within an entity’s security posture, and penetration tests attempt to exploit an entity’s vulnerabilities in order to assess risk and determine the effectiveness of an entity’s security controls. APS engages an independent third-party auditor annually to identify vulnerabilities and attempt to penetrate our systems and applications to ensure security inside and outside of our organization.