What do I have to do?

Every covered entity must conduct a security risk assessment as outlined by HIPAA (HHS).  Additionally, the covered entity should develop information security policies that further protect PHI and respond to the most current security risk assessment.

What is a Security Risk Assessment?

A comprehensive questionnaire that highlights existing and potential security and privacy violations.  An assessment is required every year. 

What is a Business Associate Agreement (BAA)?

Any business associate or partner of yours that has access to patient information must have a completed Business Associate Agreement that includes the new Omnibus rule effective as of 2013.  This agreement should explicitly spell out how a data breach will be reported and responded to. GSG Compliance offers BAA templates.

What if I have existing Business Associate Agreements?

Your existing Business Associate Agreements may not include the new Omnibus rules as mandated through HIPAA.  Updated Business Associate Agreements are required by September 2014 for a covered entity's business associates.

What if I do not do a Security Risk Assessment? 

If a covered entity is attesting for Meaningful Use (MU) and a Security Risk Assessment (SRA) has not been completed, 100% of stimulus dollars may need to be returned upon demand.

When a Covered Entity experiences a security or privacy breach, fines and penalties can be assessed if you are not compliant. HHS' Office for Civil Rights has an established penalty schedule.  The costs can be detrimental to any business.

What kind of fines and penalties can be assessed? 

Failure to comply with HIPAA may result in fines and penalties.  Fines may range from hundreds of dollars to $1,500,000.  Criminal penalties can range from 1 to 10 years.  Severity of fines and penalties depends on how much "reasonable diligence" you have performed as well as other factors.  Reasonable diligence means that you have taken the proper steps to protect the protected health information. Sample questions that need to be asked of a Covered Entity are as follows:

Have you done the Security Risk Assessment?

Have you updated your Business Associate Agreements?

Have you updated your Information Security Policies?

You and only you are responsible for taking the steps needed to safeguard Protected Health Information (PHI).

What type of Information Security Policies do I have to put in place?  

Every Covered Entity must have policies in place that describe how the entity will manage various security issues as it relates to protecting PHI.  An entity's policies need to be customized to fit specific needs and requirements while adhering to HIPAA guidelines. 

Do I need to train my staff?

Yes.  At a minimum, an entity's employees must complete training on HIPAA guidelines once per year.  It is important to make sure you have proof of completion for each staff member (physicians included).

How much is this going to cost me? 

GSG Compliance will provide you a project-based quote.  Prices are based on volume of work required, size of Covered Entity and number of locations.  Regardless, our pricing has been scaled appropriately to reflect each covered entity's needs and we will always deliver affordable, efficient and compliant products and services.

Get Started

If there is any way we can help you, please contact us:

GSG Compliance, LLC
2300 Lakeview Parkway, Suite 700
Alpharetta, GA 30009
877-828-8809 (fax)