HIPAA Assessments

Protection of Medical Information


The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was created to protect the privacy of personally identifiable information and personal health information, safeguarding the patient’s right to privacy while still allowing them to receive the best medical care available. The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification after a breach of protected health information. These complicated rules require reporting specific information to various government agencies within strict time windows, and the consequences of failing to meet these requirements can include astronomical fines or sanctions prohibiting future work.

This may include civil penalties for:

  • Unlawfully refusing to remove a record
  • Unlawfully refusing access to a record
  • Failing to maintain accurate, relevant, timely, and complete information
  • Failing to comply with any Privacy Act provision or agency rule that adversely affects the subject of a record
  • Failing to comply with the HIPAA Privacy and Security Rules

These penalties may include damages and attorney fees for failing to protect personally identifiable information (PII), and fines dependent on the nature and extent of harm for failing to protect personal health information (PHI). In 2014, a single insurance company in Puerto Rico was hit with a $6.8 million sanction, due to a mailing error impacting approximately 13,000 beneficiaries, and a single hospital in Louisiana was fined $32.5 million, because of mishandling patient records.


Given what’s at stake, allow Aerstone to help you ensure that your business is compliant with HIPAA and that your patients’ data is protected. Aerstone can provide a workable risk mitigation strategy that continues to protect the patient, covers a variety of uses and disclosures, and promotes a high quality of care. If you are not 100% sure of your firm’s HIPAA requirements, we can also help you interpret the law and determine the proper path for your business, creating HIPAA-compliant processes. Many firms outside of the medical space are surprised to learn that they are still required to adhere to HIPAA requirements, based on what may seem on the surface to be trivial medical data. If needed, we can assist you with the incident response process, should a security incident occur. As a first step toward assessing your firm’s HIPAA exposure, visit HealthIT.gov.


Aerstone’s cybersecurity experience and privacy knowledge put us in a unique position to help your business protect itself from HIPAA noncompliance and the potentially astronomical fines that follow. Aerstone can assess your HIPAA compliance, help you define a comprehensive compliance strategy for your business, and, if necessary, assist in engineering the proper controls and network configurations to ensure that health data is properly protected. We can also help draft the required policies and procedures to ensure these measures continue to function in the long term, helping protect your firm from fines or sanctions.

Our Experience Sets Us Apart

Aerstone is an NSA-certified vulnerability assessor and a service-disabled veteran-owned small business. We approach each engagement with the highest levels of professionalism, determination, and creativity, honed by years of working with security professionals across the military, intelligence community, civilian government, and private industry.

Contact our sales team at sales@aerstone.com for more information.