Case Study: Miami Jewish Health Systems and BlueOrange Compliance

Center Post

Safeguarding the privacy and security of its residents, clients and patients became progressively more challenging for LeadingAge member Miami Jewish Health Systems in Miami, FL, as it entered the complex world of paperless electronic medical and billing records.

A new CAST Supporter Case Study entitled Turning HIPAA and HITECH Complexities into Compliance through the Power of Partnership explores how challenging it is to keep up with the complex requirements of federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“We had purchased a generic security policies package to help us develop the required HIPAA security measures alone, but the policy development process was cumbersome, complicated and did not provide the required support and guidance,” says Bernardo Larralde, director of information technology (IT) at Miami Jewish Health Systems. 

To meet these challenges, Miami Jewish Health Systems partnered with CAST Supporter BlueOrange Compliance, a company that helps health care organizations navigate privacy and security laws.

Assessing and Remediating Security Deficiencies

BlueOrange Compliance helped Miami Jewish Health Systems by:

  • Performing a customized assessment of the organization’s data security, including an evaluation of its policies, procedures and controls. 
  • Providing a snapshot that identified key areas of importance and set benchmarks for improvement over the next 9 months. 
  • Supporting and guiding the remediation process. 

“We have a good understanding of our security infrastructure and any possible area of concern, and BlueOrange was able to analyze our environment and provide guidance to help us mitigate our risk exposure,” says Larralde.


Miami Jewish Health Systems’ HIPAA security compliance went from a 3 to a 7+ in the first year after BlueOrange’s initial assessment and remediation, according to the CAST case study. Specifically, Larralde points out 3 significant outcomes of his organization’s partnership with BlueOrange:

  • Improved security of documentation through analysis: “We used to just think about security with each new roll-out,” says Larralde. “Now we analyze, document, and monitor all security aspects. We had good policies in place, but did not have a process for monitoring their use.” 
  • More robust security practices: Miami Jewish Health Systems now has a process for ensuring that business associates are compliant with its security practices. In addition, end-user training has been expanded and continually enhanced. 
  • Enhanced educational development: The security knowledge of IT staff improved by 25% the first year, and an additional 35% the second year, according to the organization’s estimates. 

Keys to Success

Larralde identifies 2 keys to achieving improved security:

  • Make data security a team effort that involves every department.
  • Be proactive about maintaining security.

“Security compliance is a continuous cycle,” he says. “To be successful, you must continually analyze, implement, monitor and adjust.”