HIPAA Training, HIPAA Consulting, Houston
Risk Analysis, Assessments & Remediation

Citiscape IT offers outsourced security and compliance services designed around the unique needs, requirements, and regulations of medical practices and their business associates with a special focus on HIPAA, HITECH, and Texas Health Law compliance. Our comprehensive and practical solutions have helped numerous organizations secure their information systems, protect the privacy of clients and customers and comply with complex regulatory requirements. We understand the requirements are complicated and thus we offer a variety of options to help medical professionals get – and remain – compliant. From do-it-yourself webinars and kits to hands-on consulting, we are here to take the stress out of the process. Today, technology and regulations are constantly evolving... at a faster pace than ever before. To move forward, you need to understand the implications. Providing more than a simple risk analysis, we work with Covered Entities and Business Associates to develop appropriate policies, procedures and training exercises. Results from the OCR Random Audit Protocol are more than revealing, especially as they relate to smaller practices. Having the knowledge that policies exist and understanding procedure are two different things.

Citiscape IT provides expert privacy, security, HIPAA training and consulting, risk assessments, loss prevention, regulatory and electronic health information exchange consulting services requiring a company security license in the State of Texas. We provide services with integrity. We are specific in how we work together, providing our clients with thorough, complete and timely services and communicating with you throughout the process. Our specialties include:

  • Strategic planning with HIT / IT best practices
  • Risk assessments, analyses & remediation
  • HIPAA training classes (onsite or at our facility)
  • Policy white paper development (federal & state)
  • Expert witness: healthcare, HIT, privacy, security
  • Outsourced compliance officer
  • Development & implementation of efficient, secure methods for HIEs
  • Policy, procedure, process evaluation & development
  • Compliance strategic planning
  • Compliance audits & assessments
  • Defensible security incident investigation
  • Breach notification assistance


A la Carte Offerings

  • HIPAA/HITECH Compliance Services: Running your practice has recently become more demanding with the accelerated enforcement of Privacy and Security rules. Citiscape IT offers options to help you implement and monitor your security processes and procedures within the State of Texas privacy law guidelines.
  • EMR, EHR, PPM Consulting Services: Bringing you more than 30 years of software development and medical IT systems experience, we have the technical expertise to advise, consult, and implement an EMR system that is compliant, usable, and addresses the workflow of the practice.
  • Unbiased, Vendor-Neutral Consulting Services: To conduct a proper Risk Analysis or Risk Assessment (HIPAA, PCI-DSS, or otherwise), the security vendor providing the service should be independent, unbiased, and not tied to any special interests (in-house IT staff, outsourced IT staff, etc.). HHS looks favorably on this independence.

On-Demand and A la Carte plans are designed to provide a client the ability to purchase packages of time or specific service needs. It is a great option for practices that have a single need for set-up or restructure.

Experience That Counts:

  • Amazing Charts EHR
  • Canfield Product Lines
  • Compulink EHR / PPM
  • eClinicalWorks
  • GE Centricity EMR
  • Homecare Homebase
  • Inform & Enhance (Mentor Solutions)
  • MacPractice Product Suite
  • NexTech EMR / PPM
  • Patient NOW EMR / PPM
  • Praxis EMR / PPM
  • Result Sets (RSI)
  • Softdent
  • Total MD
  • Welch Allyn

For Houston healthcare and medical practices using EMR systems containing ePHI, we provide HIPAA certified, state licensed IT security consultants that have decades of software development and IT experience in the medical industry, as well as Microsoft certified professionals. We reach out to the medical community by providing security services that are cost effective, practical, and affordable.

Microsoft Office 365 Cloud Migration Specialists


For regulated businesses and medical practices, Microsoft offers a compliant, reasonably priced cloud-based solution. We performed numerous migrations in 2012 and 2013 (references available) for small and medium-sized businesses and medical practices that asked for our assistance in this area. Microsoft Office 365 offers compliance with ISO 27001, the EU Model Clauses, a HIPAA BAA, and FISMA, and is verified by third-party auditors. It can be a solid choice for those who need a cloud-based solution and want to avoid the expense and management headaches of an on-site Exchange server. Call 281-733-2422 for more details and a needs assessment.

HIPAA 5010

As we reported in the January 2012 edition of The Houston Medical Journal, HIPAA 5010 (aka HIPAA X12) is the new standard regulating electronic transmission of health care transactions, which was slated to start January 1, 2012. CMS (Centers for Medicare & Medicaid Services) granted a 90-day grace period (not an extension) before enforcement of this new transmission standard. The transactions specified in the HIPAA 5010 standards are as follows:

  • 270/271 Eligibility Benefits
  • 276/277 Claim Status
  • 820 Payroll Deductions and Group Premium Payments
  • 834 Benefit Enrollments and Maintenance
  • 835 Health Care Claims Payment Advice
  • 837 Health Care Claims (Professional, Institutional, Dental)

The final rule adopting ICD-10 as a standard was published in January 2009 and set a compliance date of October 1, 2013 – a delay of two years from the compliance date initially specified in the 2008 proposed rule.

"ICD-10 codes are important to many positive improvements in our health care system," said HHS Secretary Kathleen Sebelius. "We have heard from many in the provider community who have concerns about the administrative burdens they face in the years ahead. We are committing to work with the provider community to reexamine the pace at which HHS and the nation implement these important improvements to our health care system."

ICD-10 codes provide more robust and specific data that will help improve patient care and enable the exchange of our health care data with that of the rest of the world that has long been using ICD-10. Entities covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be required to use the ICD-10 diagnostic and procedure codes.

Helping Houston Medical Practices Develop a Unified Approach to Information Security in BA Relationships

Medical and healthcare groups experienced the largest incidence of insider theft, as did non-financial businesses, according to a forthcoming study from the Identity Theft Resource Center (ITRC). Hacking and insider theft accounted for 40% of breaches in the healthcare sector in 2011. This is not good. The pace of EMR adoption picks up steam daily, making security of patient data the number one downside of moving to EHRs. We all need to make a strong commitment to the responsibility of protecting the EHR as a system and as a solution in healthcare. Security should be viewed as a strategic process, but there's no doubt the process is heavily influenced by regulatory compliance issues. For healthcare and other organizations that deal with regulated data, it has to be a balance of both: secure the data and secure the process. Getting covered entities to require proof of compliance from their Business Associates has the greatest potential for protecting PHI. We offer third-party information security and HIPAA auditing services for Houston medical practices to verify BA compliance. Call us for details at 281-733-2422 ext 301 (option #1). The need for Houston healthcare practices to avoid financial and reputational risks from compliance cases has never been greater than it is now. Contact us today for a plan of action.

Managing HIPAA & HITECH Act

Risk in the PHI Supply Chain

HITECH and the NPRM published in the Federal Register on July 14, 2010 significantly impact how Covered Entities and Business Associates manage health IT security risk under HIPAA. The 2013 HIPAA Omnibus Rule increases risks for business associates (BAs). The HIPAA Omnibus Rule, which took effect on March 26, 2013, finalizes multiple revisions to previous HIPAA regulations. For the first time, business associates are directly liable for multiple provisions of the HIPAA rules. This creates a PHI supply chain in which everyone on the chain needs to be concerned about the security controls of everyone else in the supply chain.

  • Business Associates: the definition of a business associate expanded to include data transmission services such as HIEs and RHIOs, and subcontractors of business associates that access and maintain PHI. This includes IT consultants, cloud providers, MSPs, and other third-party providers commonly used today. An IT consultant or third-party contractor offering software or infrastructure support and maintenance needs to sign a Business Associate Agreement with the CE identifying permissible use.
  • HIPAA Security Rule: under the updated Omnibus Rule, Business Associates are now statutorily liable for complying with the HIPAA Security Rule (subject to CMS / OCR audits as well as directly liable). Contractors of Business Associates are contractually liable.
  • Penalties: penalties for noncompliance apply not only to Covered Entities, but also to Business Associates and Business Associate subcontractors.
  • Claiming Ignorance of the Rule Is No Excuse: "Oops, we didn't know" no longer works. A Business Associate cannot use "lack of knowledge" as a defense to limit liability for HIPAA non-compliance violations.
  • Dual Liability: Business Associates have contractual liability to their Covered Entity for HIPAA compliance via Business Associate Agreements, as well as statutory liability to the government for HIPAA compliance.
  • In the State of Texas: Business Associates become Covered Entities, and our state healthcare laws (HB300), which are stricter than Federal HIPAA laws, trump Federal HIPAA laws.

The central goal of the HIPAA regulations is to protect the security and privacy of information pertaining to an individual's health records, known as protected health information (PHI), throughout the intricate network of health care providers, insurers, and service providers that interact with this information. The second step was to back that goal with an equally widespread set of data privacy and security requirements for the technology that handles PHI. At first, HHS held only health care providers and other "covered entities" directly liable under the HIPAA Privacy and Security Rules, and regulated downstream business associates through agreements stipulating that firms "reasonably and appropriately" protect PHI. The new Omnibus Rule goes further and extends enforcement scope to the whole chain of third-party business associates and subcontractors that interact with PHI. Through policies, training, and risk assessments (mandatory, not optional, under HIPAA), you can reduce your practice's liability by making sure all of your Business Associates and vendors are committed to a robust information security program and are auditable by you, the Covered Entity.

Meaningful Use & Risk Assessments

One of the Meaningful Use (MU) core objectives for eligible professionals, eligible hospitals, and critical access hospitals is to conduct a thorough technical risk assessment of EHR and ePHI systems. We help organizations identify key vulnerabilities in ePHI and EHR systems and assist in building a plan to manage the risks by remediating, transferring, or accepting them.

  • 45 CFR 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires that the organization "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information [ePHI] held by the covered entity".

  • 45 CFR 164.308(a)(1)(ii)(B) requires an organization to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with 45 CFR 164.306(a), the General Requirements of the Security Rule.

It is best practice to complete your Risk Assessment prior to the beginning of your 90 day attestation period. You must update the Risk Assessment for each year you are planning to attest for Meaningful Use.

Houston Data Security - Physical & Logical


Software, network infrastructure, and ePHI that are subject to HIPAA regulatory compliance must be properly monitored, and both physical and logical security solutions apply. The threat of litigation should be a major concern to decision makers in the healthcare industry, and should be a driving force to take a serious look at auditing facilities and implementing endpoint security, as well as hiring security professionals for assistance. Contact us today for further information on how we can assist Houston healthcare practices in this specific area. We can assist your Houston medical practice with secure and defensible solutions.

Committed to the HIPAA Compliance Process


The Health Insurance Portability and Accountability Act, also known as HIPAA, creates solutions to address two distinct issues within the medical field. The first part of HIPAA addresses health insurance. It regulates health insurance coverage when employees leave their current place of employment. The second part of HIPAA addresses quality, security, and privacy standards for electronic medical records. An electronic medical record is a tool that can greatly improve the quality and accuracy of patient health care records, but it must be monitored to prevent protected health information from being obtained by unauthorized individuals from Covered Entities as well as Business Associates. Compliance with HIPAA cannot be achieved by implementing policies and procedures alone. It is an ongoing process requiring not only knowledge of the regulations but also a complete understanding of the flow of patient information within your organization. Employees need repeated education and ongoing training (mandated by Texas State Law), and management needs to know that policies and procedures are being followed. These requirements pertain to the security and confidentiality of Protected Health Information (PHI).

As a Business Associate (and a CE under Texas State Law), Citiscape IT has introduced detailed procedures and systems to ensure that Protected Health Information (PHI) is used and disclosed in accordance with HIPAA rules and regulations.

Procedures and systems introduced include:

  • Confidentiality agreement with all the employees having access to any PHI
  • Electronic access control monitoring
  • Mandatory training, testing, and certification programs on handling PHI
  • Standard operating procedures for data backups and disaster recovery
  • Physical security / monitoring of office facilities
  • Routine and event based audits for HIPAA compliance
  • Annual background checks and investigations of employees in compliance with CMS Office of E-Health Standards and Services Workforce Clearance 164.308(a)(3)(ii)(B)
  • On-site inspection and compliance audits of our Houston office facility

We offer project management, risk analysis, regulatory compliance services, IT audit, HIPAA security audits, security as a service, security management plans, data conversion source code audits, and information security audits for all businesses and medical practices in the Houston area. We are highly experienced with many popular EMR software solutions for medical practices. From consulting and à la carte services to turnkey EMR and practice management implementation services, Citiscape IT will help you solve the puzzles that keep your practice from experiencing optimal profitability, while reducing cost and creating an environment that allows providers to get back to practicing medicine.


Houston, Texas

HIPAA & Texas Healthcare Law Training, Consulting & Remediation


Our Houston office is equipped with training classroom areas, as well as separate conference rooms, which can accommodate 15-20 guests. More tables can be added if needed. We will develop a custom package specifically for your organization that can be presented at our facility or yours. Completion certificates for HIPAA and Texas HB300 will be provided upon completion and are required for audits and proof of attendance (required by the State of Texas). Our training classes are geared specifically around your medical practice office hours and can also be performed during a weekend.

Our Guarantee
No off-the-shelf presentations. We take pride in designing and executing training events that exceed our customers' expectations.

The absolute BEST Houston Security & Compliance Consulting Firm in Texas. We Make IT Right!!