HIPAA Security Assessment Information for IT Providers

Before a managed IT service provider can offer its services to clients in the healthcare industry, it needs to fully understand HIPAA compliance. Many providers offer a HIPAA security assessment, in which a healthcare business conducts a risk assessment to reveal any areas where private patient information may be at risk. This can help prevent breaches and ensure privacy. IT providers themselves should keep in mind that HIPAA, although written for healthcare, indirectly governs any information technology work that touches healthcare clients. This means that MSPs are responsible for maintaining compliant practices, too. Read on for answers to some frequently asked questions regarding HIPAA, who must comply, and how IT service providers are involved.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996 and has been updated and expanded several times to reflect changes in technology. HIPAA sets a broad range of standards for the administration of healthcare, many of which deal directly with protected health information (PHI). PHI is usually described as personally identifiable health information, whether written, spoken, or held in another form. The electronic form of this data is called ePHI. HIPAA has specific standards for protecting this data, including requirements for network security and management. Organizations that fall under the governance of this act must protect all ePHI that is received, created, maintained, or transmitted in order to remain compliant.

Who must comply with HIPAA?

HIPAA classifies those who must comply with the act into three main categories. These categories are outlined below:

Covered Entities

This classification includes healthcare organizations that handle ePHI, including health plans, healthcare providers, and more.

Business Associates

This category includes service providers who receive, create, maintain, or transmit ePHI for a covered entity. Some examples may include insurance processing services, network management services, and more.

Workforce

This group encompasses all employees, volunteers, and trainees of a covered entity or business associate who come into contact with any sensitive information. This also includes anyone who is under the “direct control” of the organization, regardless of whether they are paid or not.

Does HIPAA affect IT service providers?

Because IT service providers fall under the category of business associates when working with clients in the healthcare industry, they are required to comply with certain parts of HIPAA. For example, most MSPs must sign a business associate agreement that contractually obligates the IT provider to protect the privacy and security of the ePHI it handles on the client’s behalf. Furthermore, if an IT provider uses any subcontractors, they must also sign a business associate agreement if they handle any ePHI.

How can IT service providers comply?

The most relevant section of HIPAA for managed IT service providers is called the Security Rule. This rule sets standards for protecting ePHI. For instance, covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of ePHI.
  • Protect ePHI from hazards and threats.
  • Protect ePHI from unauthorized use and disclosure.
  • Ensure workforce compliance with HIPAA guidelines.

A HIPAA security assessment can identify gaps in security that may lead to a break in compliance. Catching these gaps helps keep patient data safe and can help businesses avoid HIPAA-related penalties. Failing to conduct a HIPAA risk assessment can prove costly, as many HIPAA violations are subject to hefty fines. Some of the largest fines ring up at $5.5 million and can be attributed to organizations failing to identify where the risks to the integrity of ePHI were. There are also fines for potential breaches, where organizations fail to test for HIPAA compliance at all or where a test is too weak to identify any security gaps.

Here at Contigo, we know that IT governance – especially HIPAA compliance – is a critical part of both the healthcare industry and every other industry that serves it. Identifying, understanding, and managing risks are at the core of any IT best practices program. When it comes to conducting a HIPAA security assessment, let us help you perform the most thorough risk assessment through our NIST Cybersecurity Framework. This helps us identify who has control over your business’s data, protect your systems and information, detect abnormalities by monitoring and updating security programs, respond to disasters and security incidents, and recover any lost information through ongoing backups. All of these actions help us create a safer, more reliable network that is one hundred percent HIPAA compliant. Cybersecurity in the healthcare setting should never be a concern. So, when in doubt, source it out – we are always happy to help your business’s data remain secure via our tried-and-true processes. Contact us to get started today.
