HIPAA Training & Compliance Services
  • What is HIPAA and Why Tiburon Technical?
    • What is HIPAA?
      • The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that calls for regulations to protect the privacy, security and integrity of medical records. These regulations, drafted by the Health and Human Services Administration (HHS) in collaboration with the healthcare industry, cover all aspects of the handling, storage and transmission of patient healthcare information.
    • Who must comply?
      • HIPAA does not apply solely to healthcare providers. Any organization handling or storing personally identifiable data relating to an individual’s health and treatment is subject to the HIPAA regulations. These organizations include insurance companies, hospitals, healthcare providers, and employers, among others.
    • When does it take effect?
      • The Transaction and Code Set regulations compliance deadline was delayed to October 16, 2003; a detailed Transaction Regulation Compliance Plan must be submitted to HHS by October 16, 2002.
      • The Privacy regulations compliance deadline is April 14, 2003 (or 2004 for "small health plans").
      • Regulations for Security and Identifiers have been proposed but not finalized, and there are no deadlines for them as yet.
    • Why should you be concerned?
      • Failure to comply with the HIPAA regulations carries both financial and criminal penalties. Identifying the most efficient and cost-effective way to achieve compliance requires an early and comprehensive approach.
    • How can we assist you?
      • Our HIPAA Compliance Practice Group works with you to meet the challenges posed by the sweeping HIPAA regulations, protect your patients’ and employees’ privacy, improve security and meet the demands of your customers for improved protection of personal data. We leverage our extensive knowledge of and experience with security, systems integration, application development, access control, database administration and records management to offer a range of solutions:
        • Education and Compliance Awareness
        • Gap and Risk Assessments
        • Strategy and Remediation Planning
        • Complete End-to-end Remediation Solutions
        • Ongoing Compliance Management
        • 24x7 Managed Compliance Services
      • Because we combine technological know-how with our partner firms' legal expertise, we can identify and solve your problems relating to the use, management, transmission and storage of medical data under the new HIPAA regulations. We are a full-service technology consulting company and can provide strategies and technologies to improve reliability, performance and efficiency as we work together to deliver HIPAA compliance.


    Tiburon Technical HIPAA Service Offerings

    • Education and Compliance Awareness
      • To help you understand the impact of HIPAA on your organization, we offer both executive/management and employee training seminars to educate members of your organization about HIPAA and to work with those in charge of compliance to understand the choices and strategies available to them.
    • Gap and Risk Assessments
      • Our Gap Assessment delivers a clear understanding of the gaps that exist in your major technical systems (e.g. records management, billing, accounts receivable, etc.) under the HIPAA regulations.
      • We perform information, physical systems and investigative audits on technology systems to produce an assessment of the existing gaps. Our clients receive an executive summary as well as a comprehensive report that includes audit results, cost/benefit analysis and an assessment of major risk areas.
      • Our Risk Assessment helps clients prioritize scarce dollars by analyzing risk versus cost.
    • Strategy and Remediation Planning
      • In helping to create a road map for HIPAA compliance, we emphasize selecting the ‘right solution’ in light of both technical needs and cost considerations. With our technologically agnostic approach, we use our expertise to help you make the choice that best meets the needs and constraints of your organization.
      • Tiburon Technical project managers have the training and experience to work alongside you to develop your plans in an efficient and structured way so that implementation is easy to direct and control.
      • We deliver a phased implementation plan, including scope, alternatives, costs, and timeframes. This deliverable, along with the Gap Assessment, provides a full picture of both the scope of the compliance problem and recommended solutions.
    • Remediation Implementation
      • Our Remediation program leverages the knowledge gained in the Gap Assessment and the Strategy and Remediation Planning phases and our years of technology expertise to implement the appropriate technology solution for your HIPAA compliance needs.
      • Tiburon Technical's experienced project managers can provide the direction and control necessary to make sure your remediation achieves its goals quickly and economically.
      • Upon completion of the engagement, we transfer the knowledge we have gained about your systems to your IT team. This ensures a cost-effective ongoing compliance management process and provides tremendous value to your ongoing IT strategy.
    • Compliance Management
      • Most organizations add new systems or modify current ones on an ongoing basis. All of this activity has an impact on HIPAA compliance.
      • In order to help ensure HIPAA compliance on an ongoing basis, we offer compliance management and maintenance services. We proactively review systems and infrastructure for HIPAA compliance, update security patches, manage firewalls, perform regular security audits, and otherwise reduce the risk of failing to comply with the HIPAA regulations, not to mention preventing unwanted systems intrusions or security breaches.
      • The end result is reduced compliance costs as well as potentially significant cost savings from reduced liability.


    Access Control, Logging, Audit, and Single Sign-On
    • The Requirements…
    One of the areas most often in need of immediate remediation, both for HIPAA compliance and for overall system security, is specified within the HIPAA Privacy Regulations. Specifically, we have found that healthcare organizations fall short – and are therefore vulnerable – on the requirements to control access to Protected Health Information and to record (log) which person accesses which records so that accesses can be audited.
    • Architecting a Solution...
      • The Problem…
      In order to satisfy these requirements, systems will need to require unique identification of the person making an inquiry. In current scenarios at many healthcare institutions, such identification is not recorded, usually because of the onerous nature of traditional logon procedures. The problem is compounded by the fact that many individuals often need to access multiple systems, each requiring its own logon and password regime. Furthermore, in order to be compliant with the regulations, systems are required to record all Protected Health Information access (logging) and to audit the information as appropriate.
      • The Questions…
      How can compliance be achieved without requiring everyone to know several passwords or change how they perform their work? How can compliant systems provide easy sign-on and sign-off functionality so that only authorized individuals access information, and so that all information accesses are correctly tracked? How can all those systems be economically upgraded to support the required logging and auditing capabilities?
      • The Solution...
      Access control, logging, and auditing problems can all be solved through the adoption of an integrated, universal access control system using authorization-based rules tied to authentication devices, including a combination of biometric and proximity card-reader devices. These systems provide an easy, uniform means for staff to gain the proper access while denying improper access, and provide the necessary level of access logging to enable the required audit functions under the regulations. Furthermore, a universal access control system works on top of the systems already in place, minimizing the number of systems that must be modified to attain compliance.
    • Implementing the Solution...
      • Authentication: To obtain universal compliance with proper logon procedures, authentication for login has to be easy, fast, and unobtrusive, and logging off has to be automatic to prevent use of a logged-in terminal by an unauthorized person. Modern biometric scanners (fingerprint, hand scan, iris scan, face scan) are increasingly inexpensive and easy to deploy, and provide a high level of certainty for user identification. Using a proximity card to regulate access provides a second layer of security in the logon process, and provides a means for automatic log-off when a user leaves the area of the terminal. This combination provides a high level of security.
      • Authorization – Single Sign-On: To implement the automatic logon and log-off, there needs to be a facility to provide access to whatever systems and information the user is authorized to access. This requirement defines a need for the use of Single Sign-On (SSO) technology, whereby an authorization process, through a single login, provides access to various systems depending on each user’s identification, role, or context.
      • Logging and Auditing: In addition to access control, many authorization management products can also perform the required logging and audit capabilities, solving that problem simultaneously without having to deal with the problem on a system-by-system basis.
      • Flexibility: Since not all patients’ information will be subject to the same access limitations, and since the limitations may change from time to time as patients are permitted to grant or rescind access at will, the authorization management tool must be able to recognize differences both in users and in data within systems.
      • Following the Standard: Any solution implemented should conform to the Object Management Group (OMG) Resource Access Decision (RAD) standard, designed by security specialists specifically for healthcare industry requirements.
    • Tiburon Technical Can Help...
      • Tiburon Technical can help you design, specify, and implement HIPAA-compliant technologies to create the required levels of authentication, authorization control, logging and auditing capabilities. We can assist with the selection of the right products and tools from a range of vendors to create the best OMG-RAD compliant access control and SSO solutions for our healthcare clients.
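As an added illustration (not code from Tiburon Technical, and not an implementation of the OMG RAD specification itself), the following Python sketch shows the decision flow described in the section above: the authenticated session (biometric plus proximity badge) is checked first, then per-patient consent, then role policy, then care-team context, and every decision, permitted or denied, is written to an audit trail that can later be queried per patient to answer "who accessed this record". All user names, roles, patients and consent settings are constructed sample data; the badge-present flag stands in for the automatic log-off described above.

```python
"""
Added illustration (not Tiburon Technical's code): a minimal resource-access-decision
service in the spirit of the universal access control layer described above.
Every access decision for Protected Health Information (PHI) is recorded in an
audit trail so that "who accessed which record" can be answered later.
All users, roles, patients and consent settings below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role policy: which actions each role may perform on which PHI categories.
ROLE_POLICY = {
    "physician": {"clinical": {"read", "write"}, "billing": {"read"}},
    "nurse":     {"clinical": {"read"}},
    "billing":   {"billing":  {"read", "write"}},
}

# Constructed patient data: the care team assigned to the patient plus the patient's own
# consent decisions, which may rescind (consent_deny) or grant (consent_allow) access.
PATIENTS = {
    "P001": {"care_team": {"dr.smith", "rn.jones"}, "consent_deny": set(), "consent_allow": set()},
    "P002": {"care_team": {"dr.smith"}, "consent_deny": {"rn.jones"}, "consent_allow": {"dr.lee"}},
}

@dataclass
class Session:
    """Result of the authentication step: who the user is and how they proved it."""
    user: str
    role: str
    biometric_verified: bool
    badge_present: bool  # proximity card still in range; if not, the user is treated as logged off

@dataclass
class Decision:
    permit: bool
    reason: str

AUDIT_LOG: list[dict] = []

def _record(session: Session, patient_id: str, category: str, action: str, decision: Decision) -> None:
    """Append one audit record; permits and denials are both logged."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "role": session.role,
        "patient": patient_id,
        "category": category,
        "action": action,
        "permit": decision.permit,
        "reason": decision.reason,
    })

def decide(session: Session, patient_id: str, category: str, action: str) -> Decision:
    """Resource access decision: authentication state -> patient consent -> role policy -> context."""
    if not (session.biometric_verified and session.badge_present):
        d = Decision(False, "session not fully authenticated or badge absent (auto log-off)")
    else:
        patient = PATIENTS.get(patient_id)
        if patient is None:
            d = Decision(False, "unknown patient")
        elif session.user in patient["consent_deny"]:
            d = Decision(False, "patient rescinded access for this user")
        elif action not in ROLE_POLICY.get(session.role, {}).get(category, set()):
            d = Decision(False, f"role {session.role!r} may not {action} {category} data")
        elif session.user in patient["care_team"] or session.user in patient["consent_allow"]:
            d = Decision(True, "permitted by role policy and care-team/consent context")
        elif session.role == "billing" and category == "billing":
            d = Decision(True, "billing staff permitted for billing data")
        else:
            d = Decision(False, "user not on care team and no patient grant")
    _record(session, patient_id, category, action, d)
    return d

def audit_for_patient(patient_id: str) -> list[dict]:
    """The audit question the regulations pose: who accessed, or tried to access, this patient's records?"""
    return [e for e in AUDIT_LOG if e["patient"] == patient_id]

if __name__ == "__main__":
    dr = Session("dr.smith", "physician", True, True)
    rn = Session("rn.jones", "nurse", True, True)
    clerk = Session("clerk.ng", "billing", True, True)
    print(decide(dr, "P001", "clinical", "write"))    # permitted: physician on the care team
    print(decide(rn, "P002", "clinical", "read"))     # denied: patient rescinded this nurse's access
    print(decide(clerk, "P001", "clinical", "read"))  # denied: billing role has no clinical access
    dr.badge_present = False
    print(decide(dr, "P001", "clinical", "read"))     # denied: badge left the terminal, auto log-off
    for e in audit_for_patient("P001"):
        print(e["user"], e["action"], e["category"], "PERMIT" if e["permit"] else "DENY", "-", e["reason"])
```

The point of the design is that the decision and the audit record are produced by the same layer, so every system that delegates its access checks to it gains compliant logging without being modified itself. Note that denials are logged too: an audit that records only successful accesses cannot show attempted misuse.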

    HIPAA Training

    • Security Management Practice
      • Security Principles
      • Risk Assessment and Analysis
      • Certification
      • Gap Analysis
      • Data Classification
      • Hiring Practices
      • Policies, Procedures, Standards and Guidelines
      • Security Management
      • Sanction Policy
      • Training
    • Security Models and Architecture
      • Security Perimeter
      • Layered Security Design
      • Security Policy
    • Disaster Recovery and Business Continuity
      • Contingency Planning Requirements
      • Determining Goals
      • Analyzing Critical Business Functions
      • Identifying Resources and Systems to Support Critical Functions
      • Backup Alternatives
      • Recovery and Restoration
      • Response Procedures
      • Emergency Mode Operation
    • Operations Security
      • Operational Security
      • Administrative Management
      • Accountability
    • Physical Security
      • Assigning Security Responsibility
      • Media Controls
      • Access Controls
      • Accountability
      • Data Backup, Storage and Disposal
      • Physical Access Controls
      • Equipment Control
      • Facility Security Plan
      • Access Authorizations
      • Maintenance Records
      • Testing and Revision
      • Policy/Guideline on Workstation Use
      • Security Awareness Training
      • End Users
      • Administrators
    • Access Control
      • Authentication
      • Data Authentication
      • Entity Authentication
    • Authorization Control Techniques
      • Role-based
      • Context-based
      • User-based
      • Access Control Lists
    • Authentication Solutions
      • Tokens
      • Biometrics
      • Smart Cards
    • Telecommunications and Networking Security
      • Communications/Network Controls
      • Access Controls
      • Alarm
      • Audit Trail
      • Integrity Controls
      • Message Authentication
      • Enterprise Networks
      • Firewall Systems
      • Intrusion Detection
      • Internet Access
      • Intranet
      • Extranet
      • Wide Area Networks (WANs)
      • Remote Access
      • IPSec VPNs
      • Entity Authentication
      • Event Reporting
      • Wireless Security
    • Cryptography
      • Encryption Systems
      • Symmetric Encryption Solutions
      • Asymmetric Encryption Solutions
      • Public Key Infrastructure (PKI)
      • Certification Authority (CA)
      • Registration Authority (RA)
      • Digital Certificates
      • Planning for a PKI in a Health Care Entity
    • Electronic Signature Requirement
      • Message Integrity
      • Non-repudiation
      • User Authentication
    • Digital Signature Implementation
      • Ability to Add Attributes
      • Continuity of Signature Capability
      • Counter Signatures
      • Independent Verifiability
      • Interoperability
      • Message Integrity
      • Multiple Signatures
      • Non-repudiation
      • Transportability
      • User Authentication
      • Digital Certificates
    • Law, Investigation and Ethics
      • Attacks and Hackers
      • Threats
      • Dictionary Attack
      • Brute Force Attack
      • Spoofing
      • Social Engineering
      • Identification, Protection and Prosecution
      • Liability
      • Forensics
      • Ethics
      • Code of Ethics
    • Application and System Development
      • Virus Attacks
      • Device versus Application Security
      • Java Application Security
      • ActiveX Security
      • Database Security
      • Malicious Code
    • Risk Management and Security Policy
      • Security Policy
      • Framework
      • Information Protection Policy
      • Remote Access Policy
      • Chain of Trust Agreement
    • Security Assessment
      • Asset Inventory
      • Creating a Baseline
      • Certification
