
Guided HIPAA Compliance Risk Assessment

HIPAA compliance might be mandatory,
but you don't have to go it alone

As a health services provider, covered entity, or business associate, you're busy helping your patients and managing your office. Now you have the added responsibility of HIPAA compliance. We get it: it can be complex and confusing, but we can take the burden of compliance off your shoulders. Here's how we can help:

HIPAA is more than just regulation; it's about your patients' safety and your peace of mind. By being HIPAA compliant, you can:

  1. Identify and close gaps in your cybersecurity framework
  2. Satisfy the HIPAA Security Rule requirement for a security risk assessment
  3. Become eligible for the Medicaid Promoting Interoperability Incentives

TechStak gives you the confidence to know your
business and patient data are protected

HIPAA Risk Assessment

Access the tools and guidance you need to comply with the HIPAA Security and Privacy Rules. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by your organization. Performing a HIPAA security risk assessment helps you prepare for an audit and, most importantly, helps you protect the confidential and private information of your patients.

  • HIPAA Security Risk Assessment
  • HIPAA compliance snapshot
  • Threat analysis and risk determination
  • Remediation and workplan
  • Get compliant

Talk with us about your needs, get a quote and schedule your HIPAA risk assessment today.

HIPAA Compliance Services

As a leading provider of accessible and affordable small business IT and security services, we offer a comprehensive array of solutions that enable organizations in the healthcare sector to improve their security posture, ensure industry compliance, and close their resource gaps.

  • HIPAA Security Awareness Training
  • HIPAA Security Policies
  • Dark Web Scan
  • Website Scan
  • Network Vulnerability Scan
  • Vetted Network of Managed IT Security Service Providers


Who must be HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 and, among other things, protects patient health information. Its Administrative Simplification provisions establish national standards for electronic health care transactions, and its rules apply to two groups: covered entities and their business associates. A covered entity is one of the following:

  • Health Plan
     - an individual or group plan that provides, or pays the cost of, medical care
  • Health Care Clearinghouse
     - a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements
  • Healthcare Provider
     - a provider of medical or other health services, and any other person furnishing health care services or supplies, that transmits health information in electronic form in connection with a HIPAA standard transaction

A business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates whose services involve access to protected health information (PHI) are:

  • A CPA firm whose accounting services involve access to PHI
  • An attorney whose legal services involve access to PHI
  • A pharmacy benefits manager that manages a health plan's pharmacist network

Visit the Department of Health and Human Services (HHS) website for more detailed information on HIPAA for professionals.


HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to safeguard PHI while allowing the flow of health information needed to provide high-quality healthcare. It applies to covered entities and their business associates, and it covers PHI in every form: not only electronic health record (EHR) systems, but also paper records and oral communication.

Privacy Rule Basics:

  • Requires appropriate safeguards to protect the privacy of PHI
  • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
  • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections

Privacy Rule Examples:

  • Employee training on privacy policies and procedures
  • Procedure to properly dispose of documentation containing PHI
  • Implement safeguards on medical records

HIPAA Security Rule

The HIPAA Security Rule requires covered entities, business associates, and their subcontractors to implement safeguards that protect electronic protected health information (ePHI) they create, receive, maintain, or transmit. It specifies administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Most Security Rule violations result from organizations not following their own policies and procedures for safeguarding ePHI.

Security Rule Basics:

  • Establishes a national set of security standards for ePHI
  • Protects health information held or transmitted in electronic form
  • Requires administrative, physical, and technical safeguards to secure ePHI
  • Supports the Privacy Rule requirement to reasonably safeguard PHI in all forms

Security Rule Examples:

  • Implement a strong password management policy for the workforce
  • Restrict access to ePHI to the workforce members who need it for their role
  • Encrypt ePHI at rest and in transit (an addressable specification under the Security Rule, but the expected control wherever it is feasible)

Some of the most common HIPAA violations stem from not following the policies and procedures that safeguard PHI:

  • Failure to conduct a risk analysis
  • Failure to provide patients with copies of their PHI on request
  • Unauthorized access to PHI
  • Impermissible disclosures of PHI
  • Sending PHI by unsecured text message

HIPAA compliance alone is not enough

With TechStak, you can be confident you're covered. Your HIPAA compliance service includes:

  • HIPAA Policies & Procedures
  • Policy Acknowledgement
  • Annual HIPAA Training
  • Business Associate Agreements
  • Disaster Recovery Plan
  • Security Incidents
  • Server Room Access
  • Employee Management & Reporting
  • Dark Web Breach Assessment
  • Ongoing Cybersecurity Management

TechStak's Gold Standard Methodology

The methodology TechStak uses to perform the HIPAA Risk Assessment is based on the risk assessment concepts and process described in the National Institute of Standards & Technology guidance that HHS references for HIPAA risk analysis (NIST SP 800-30, Guide for Conducting Risk Assessments). It focuses on threats, vulnerabilities, and their associated risks to develop a more complete picture of an organization's cybersecurity preparedness. This methodology is widely accepted as the gold standard for HIPAA risk assessments.

TechStak's Risk Assessment includes an administrative, physical, and technical assessment of an organization against the HIPAA Security Rule.

The output of the Risk Assessment will give you a good understanding of the risks to ePHI and provide you with specific steps and actions that you should take to lower the risk. Download our Gold Standard Guidebook for a more detailed description of the TechStak HIPAA services methodology.

methodology table

Process FAQs

How long does it take?
Completing the risk assessment will take about 2.5 hours. The assessment can be paused and resumed at a later date if necessary. Employees will need to take the HIPAA Security Training which is an online training class. Once they complete the class, they will take a short compliance quiz. Employee training and compliance testing takes about 1 hour. Training and testing can be started and stopped and spread over a couple of days.

Who will manage the process?
We will manage the entire process for you, and we will also be available for any assistance required during the risk assessment process.

What do I need to do?
Create an account in our portal which will give you access to complete your organizational profile, the risk assessment, as well as upload your current policies and procedures for consideration during the risk assessment process.

Who will need to be involved?
You must designate one individual with overall responsibility for the risk assessment. This person should be able to answer the questions about the organization in the risk assessment questionnaire, or know where to find the answers. You may need the assistance of in-house or outsourced IT support for technical questions.

What do my employees need to do?
Employees will be required to create logins to the portal if training is being given. Employees must pass each compliance test with 80% or better.

Does this guarantee that I am compliant?
The TechStak HIPAA service does not guarantee that you are compliant with the HIPAA Security Rule. The service provides education and tools to help you implement the Security Rule. The HIPAA Security policies and procedures are a foundation for implementing the Security Rule; it is the organization's responsibility to ensure that all employees comply with them. In addition, the HIPAA Security risk assessment identifies the areas the organization needs to concentrate on to further protect electronic protected health information (ePHI). It is the organization's responsibility to act on the risk assessment and implement its recommendations.

DISCLAIMER: The TechStak HIPAA service is not legal advice. You should consult with legal counsel to ensure a full legal interpretation of the law.

Ready to get started?
Engage with your new tech provider today
Find A Provider