Frequently Asked Questions

Have A Question? We Have Your Answer.

Who must comply with HIPAA’s requirements?

“Covered entities” and “business associates” of covered entities are required to comply with all of HIPAA’s mandates, including those contained in the Security Rule.  Covered entities include health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. 


A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  The types of functions or activities that may make a person or entity a business associate include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services may be: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; or financial.


If you need further information regarding who must comply with HIPAA’s requirements, please call us.  We can help.


What type of information does HIPAA’s Security Rule require me to safeguard?

Individually identifiable information is defined as information, including demographic data, that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or could be used to identify the individual.


The HIPAA Security Rule applies to all individually identifiable health information a covered entity (or its business associate) creates, receives, maintains or transmits in electronic form.  The Security Rule calls this information “electronic protected health information” (e-PHI).  The Security Rule does not apply to PHI transmitted orally or in writing. 


Is the security risk analysis optional? Even if I am a small provider?

No. All providers who are HIPAA-governed entities/providers must have a risk analysis performed.


I have an Electronic Health Records (EHR) system. Wouldn’t my EHR vendor have covered everything I need to do about privacy and security under HIPAA?

No. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is your responsibility to have a HIPAA-compliant risk analysis conducted.


Can I do the security risk analysis myself? Or do I need to hire an outside vendor, like TSG?

While it is possible that you could do risk analysis yourself if you have the appropriate expertise in-house, it is important to know that a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge in all of the areas that HIPAA’s Security Rule addresses. TSG offers you that expertise and the peace of knowing that your risk analysis has been professionally and expertly conducted.


I can get a risk analysis check list off the internet. Isn’t that good enough?

No. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a complete and systematic security risk analysis or documenting (in the manner that the Government requires) that one has been performed. In conducting your risk analysis, TSG will customize its review and compliance recommendations to the specific parameters (e.g. size, sophistication, scope) of your business or practice.


Will my security risk analysis require you to look at anything beyond my EHR system?

Yes. An appropriate security risk analysis will involve review of all electronic devices that store, capture, or modify electronic protected health information. This will include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone), but it will include much more than just that.


Will I have to do risk analysis more than once?

Yes. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. In addition to the initial risk analysis and report, TSG can offer you all ongoing monitoring and security compliance services that are required under HIPAA.

Useful Links

Give us a call
Have a security question?
Send us a message
Stay Connected!
Connect with us on LinkedIn
Technology Solutions Group

TSG was created to provide dependable review and recommendations to help your business fulfill all of the HIPAA electronic data requirements. We have nearly ninety years experience in privacy, auditing/accounting, and telecom compliance.

Learn More