National Health IT Week: Post-Presentation Q&A

In an effort to carry on the theme for National Health IT Week, InfoGard’s technical staff has committed to providing answers to post-presentation questions on “10 Steps to Protect My Covered Entity From Breach,” posted on October 6, 2015. Additional Q&As will be added to the existing list. Check back periodically for updates. To submit additional questions, email

1. How often should a covered entity conduct an SRA?

An SRA should be conducted commensurate with the changing environment. The more change occurs in the physical environment, policies, and staff, the greater the possibility of new risks emerging, and existing risks becoming more severe. With a rapidly changing environment you might consider an SRA every quarter; with a stable environment every three (3) years may be sufficient.

2. What are the benefits of a third-party risk assessment compared to internally conducted SRAs?

Third-party risk assessments can offer industry-leading expertise. Additionally, they are independent of any prejudices employees may have about the environment and provide a fresh set of eyes. However, having internal staff members trained can provide cost savings as well as rapid responses to new threats or situations.

3. Should I contract out everything to avoid dealing with all the security requirements myself?

This can be a great solution since some covered entities have many clients and already have experience managing EPHI as required by HIPAA and conducting SRAs. However, many businesses do not. When subcontracting IT services, such as hosting your EHR offsite, ensure that the business associate agreement (BAA) includes all security items for which the business associate (BA) is responsible. Additionally, obtain evidence that they are actually doing what is required. While you may be able to avoid direct penalties from OCR by this method, when a breach occurs there still might be damage to your reputation, high staff turnover, and indirect financial cost that often amounts to six (6) figures even for small clinics.

4. I have an employee who is HIPAA certified; does this offer me security?

Security is only as deep as the individual’s expertise. There is no government-backed certification program, and all certifications are simply private guarantees. Sitting down with a HIPAA lawyer and other HIPAA security experts at least once can make a huge difference in the security of the site.

5. Do I need to have an employee who is an expert in hacking to avoid a breach?

No. There are many tools available to secure your network and IT equipment that require only a general IT background. Consider purchasing some of the industry tools to help facilitate security. Oftentimes, installing these tools will help educate your staff on security in the process.

National Health IT Week: 10 Steps to Protect My Covered Entity From Breach

As part of National Health IT Week, InfoGard presents a prerecorded webinar detailing 10 steps a covered entity can take to help protect itself from a breach.

Our technical staff will be answering questions about this presentation, HIPAA requirements, and security risk assessments via email and here on the blog throughout National Health IT Week. Send your questions to

Slides from this presentation can be found here.


InfoGard is a Proud Partner in National Health IT Week

This October, InfoGard Laboratories is a Proud Partner in National Health IT Week. National Health IT Week is the premier event offering all healthcare stakeholders an opportunity to unite under one banner, expressing the benefits that health information technology (IT) brings to U.S. healthcare. “One Voice, One Vision.”

Initiated in 2006 by the Healthcare Information and Management Systems Society (HIMSS), National Health IT Week has emerged as a landmark occasion for using health IT as part of the overall solution to improve America’s healthcare as a bipartisan, federally led, market-driven initiative.

The Week consists of events in Washington DC and across the country, including National Health IT Week participants —vendors, provider organizations, payers, pharmaceutical/biotech companies, government agencies, industry/professional associations, research foundations, and consumer protection groups— all working together to elevate national attention to the advantages of advancing health IT.

As the healthcare community becomes more technologically advanced, InfoGard sees the increasing concern of protecting patient health information (PHI), especially in electronic form. As part of National Health IT Week, InfoGard will release a prerecorded webinar presenting 10 steps that detail how a covered entity can protect itself from a potential breach. Following the presentation, viewers will have the opportunity to submit questions via email which will be answered by InfoGard’s technical staff and posted on our Health IT Blog throughout the Week.

The webinar will be released here on the blog at 11am PDT on Tuesday, October 6, 2015. Visit for a full list of the Week’s activities.

Security Risk Assessment Introduction

Breach of healthcare records is a rising threat that has affected millions of Americans. InfoGard understands this threat and partners with healthcare facilities to assess potential risks and provide guidance to create, implement, and maintain a risk management plan.

In the coming weeks we will be talking through why breaches are on the rise, quick fixes to make your healthcare facility more secure, how to deal with business associates that handle protected health information (PHI), and other topics related to healthcare and PHI security.

Leave a comment or contact us if there is a specific topic you would like to see covered.


Security Risk Assessment Workshop

InfoGard recognizes the concerns healthcare providers have with safeguarding patient information. The healthcare industry has seen a rise in the number of breaches to health records over the past 4. Offering guidance and hands-on classroom experience focusing on security risk assessment of healthcare facilities, InfoGard will be conducting a training workshop on September 22, 2015 in Los Angeles.

This interactive workshop will provide a clear and practical understanding of the security requirements surrounding healthcare facilities. Attendees will learn how to identify, categorize, and address potential risks within a facility.

To find out more about the workshop and to register click here.

For more information on InfoGard’s Security Risk Assessment services, please visit