HIPAA: Health Insurance Portability and Accountability Act of 1996- where privacy and security meet.

The HIPAA privacy and security rules require that all of the employees of a HIPAA covered entity and business associates be trained on HIPAA requirements when first employed and then “periodically”; annually or whenever there is a change in working practices or technology. MARDAC supports updated training for new rules, or guidelines issued by HHS, the OCR, or the OIG. Our training is not a “one size fits all” approach since your employees have different responsibilities in terms of HIPAA privacy and security regulations.

With the increase in regulatory audits and fines that the healthcare industry is facing, it is imperative that organizations be proactive in compliance and revenue practices.




A CE (covered entity) must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule of HIPAA. At Mardac, we will help you write and acknowledge your policies and procedures as required. Policies and procedures that employees will understand the importance of in keeping their company solvent and compliant.

  • Risk Assessments: Covered entities are also required to conduct HIPAA risk assessments as part of their security management processes. At Mardac, we can help you evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measures to address the risks identified in the risk analysis and document the chosen security measures, and where required, the rationale for adopting those measures.

    The risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of security measures put in place, and regularly reevaluate potential risks to ePHI.

  • 42 CFR Part 2: We take pride in working with CEs that partake in 42 CFR part 2: SUDS diagnoses and the privacy requirements that are required for CEs that work with patients with SUDS diagnoses. 42 CFR part 2 is a regulation that implements statutory provisions enacted in the 1970s at a time when individuals seeking treatment for substance abuse disorders faced significant consequences, even legal problems, because they sought help. We will help you distinguish between HIPAA and 42 CFR part 2 and what the requirements are for each.

  • Medical Record Requirements: Your Notice of Privacy Practices has to describe how your patients can get their medical records. Be sure to make sure it has been updated since no later than 2013 and is posted on your website and in your front lobby. Your staff must be trained on your NPP. We can help write and train your staff on the issues that concern the NPP
  • Employee Training
  • Policies and Procedures
  • Notice of Privacy Practices
  • Business Associate Agreements
  • Risk Assessments
  • HIPAA Audit

Case Study 2:

A recently opened clinic wants to be HIPAA compliant but is unsure what is required.

Our Solution:

Our Solution: We provided a HIPAA compliance plan with policies and procedures, plus provided staff training. We wrote their Notice of Privacy Practices, Business Associate agreements and performed a risk analysis.