“Covered entities” and “business associates” of covered entities are required to comply with all of HIPAA’s mandates, including those contained in the Security Rule. Covered entities include health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. The types of functions or activities that may make a person or entity a business associate include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services may be: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; or financial.
If you need further information regarding who must comply with HIPAA’s requirements, please call us. We can help.
Individually identifiable health information is defined as information, including demographic data, that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or could reasonably be used to identify the individual.
The HIPAA Security Rule applies to all individually identifiable health information a covered entity (or its business associate) creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or on paper; those forms of PHI are governed by the Privacy Rule, not the Security Rule.
No. Every provider that is a HIPAA covered entity must have a risk analysis performed; the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) makes it a required, not an addressable, implementation specification.
No. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, using an EHR product does not by itself make your practice compliant with the HIPAA Privacy and Security Rules, and the vendor is not responsible for your compliance. It is your responsibility, as the covered entity, to have a HIPAA-compliant risk analysis conducted.
While it is possible that you could do the risk analysis yourself if you have the appropriate expertise in-house, it is important to know that a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge in all of the areas that HIPAA’s Security Rule addresses. TSG offers you that expertise and the peace of mind of knowing that your risk analysis has been professionally and expertly conducted.
No. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a complete and systematic security risk analysis or documenting (in the manner that the Government requires) that one has been performed. In conducting your risk analysis, TSG will customize its review and compliance recommendations to the specific parameters (e.g. size, sophistication, scope) of your business or practice.
Yes. An appropriate security risk analysis will involve review of all electronic devices and systems that create, store, receive, modify, or transmit electronic protected health information. This will include your EHR hardware and software and any device that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone), but it will include much more than just that.
Yes. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. In addition to the initial risk analysis and report, TSG can offer you all ongoing monitoring and security compliance services that are required under HIPAA.
TSG was created to provide dependable review and recommendations to help your business fulfill all of the HIPAA electronic data requirements. We have nearly ninety years’ combined experience in privacy, auditing/accounting, and telecom compliance.