HIPAA Help | Medcurity

Need a solution for your outdated processes and messy spreadsheets?

We know HIPAA compliance is complicated. That's why Physicians Insurance has partnered with Medcurity, a highly experienced and dedicated team of professionals to help you stay on top of things and give you peace of mind that you are compliant.

Medcurity can assist you with your annual security risk analysis and with creating and managing your policies and procedures with confidence.

And better yet, Physicians Insurance members receive a 25% discount on their Medcurity subscription. 

Physicians Insurance receives no fee or commission from the referral of this product to members. Medcurity is not a legal affiliate of Physicians Insurance A Mutual Company and we cannot guarantee the regulatory or legal accuracy of any compliance advice provided by Medcurity.



A HIPAA Compliance Platform

You can protect your organization and your patients’ information. With Medcurity, you can build or complement your HIPAA Privacy and Security program with the most intuitive tools and helpful guidance available.

Conduct Your Security Risk Analysis With Confidence: Provides guidance, explanations and definitions throughout the process. Receive guidance as you add users and locations and complete the assessment at your own pace. After completing the assessment, you receive an audit-ready report with detailed, prioritized action items that you can assign to team members, log progress on, and track to completion from a Medcurity dashboard.

Customized Security Policies and Procedures: Medcurity provides more than policies and templates or generic content. After you complete their questionnaire for a policy, they automatically create a document matched to your workflow and environment. They can add your branding and provide you with a private link to share with your team. The platform helps you keep your policies current by providing prompts before review dates.



Managing Your Business Associate Agreements Electronically: Using paper or individual document files can be difficult to manage. The Medcurity platform gives you one place to oversee and run the whole process. Just enter the associate's name and information and the scope of work, and they will take it from there.

Sheila Chumbley
Security Officer
Spokane Digestive Disease Center, a Physicians Insurance member

She has worked with Medcurity for three years, utilizing their HIPAA risk analysis resources. She finds Medcurity easy to work with and loves their online dashboards, which let her quickly and easily make corrections and monitor her group's progress.


Karen Ferguson
Practice Manager
Arthritis Northwest, Spokane

HIPAA security is something that gets pushed down with all that they have on their plates as caregivers, but Medcurity has been invaluable in helping guide us with our risk evaluation and HIPAA compliance, and also with our work with our population health IT platform and the high standards that we have to achieve.



HIPAA, the Health Insurance Portability and Accountability Act, is a federal law created in 1996. Although HIPAA has many purposes, one of its most notable uses is to protect and secure patient data. HIPAA is enforced by the OCR (The Office of Civil Rights).

1. Who is required to follow the HIPAA rules and regulations?

Health plans, health care clearinghouses, and health care providers that transmit PHI (Protected Health Information) electronically are required to follow HIPAA. These organizations are known as covered entities. Some examples of covered entities include clinics, hospitals, pharmacies, nursing homes, and health insurance companies. Business associates that handle covered entities’ PHI are also required to follow HIPAA. 

2. What is Protected Health Information?

Protected Health Information (PHI) is any information created, sent or received by a covered entity that could identify an individual. Some examples would include a patient's name, address, birthdate or social security number. PHI also includes any information about a patient's health status, treatment, prognosis, and billing/payment. All of this information must be protected and not shared without patient authorization.

3. What am I required to do under HIPAA?

HIPAA requires all healthcare organizations to follow the safeguards outlined in the Privacy Rule and the Security Rule. These are the types of safeguards defined in the Security Rule: 

Physical: Performing the necessary measures and following policies and procedures to protect an organization's electronic systems and buildings from natural disasters and criminal intrusions.

Administrative: Taking the necessary actions and following policies and procedures to manage, develop and implement a security program that will protect ePHI, as well as managing conduct in a covered entity's workforce to protect that information.

Technical: Creating and enforcing policies and procedures that ensure ePHI is protected when accessed with technological devices.

Privacy: Implementing standards for providing individuals with privacy rights and helping individuals understand and control how their health information is used. 

4. Is there a way to become certified as HIPAA-compliant?

No. There is no official “HIPAA certification process”. However, the OCR (Office of Civil Rights) states that any organization that acts in “good faith” to comply with the rules and regulations will be considered HIPAA compliant. Some aspects of this include:

  1. Conducting an SRA (security risk analysis) regularly 
  2. Creating policies and procedures that explain exactly how patient information will be protected 
  3. Implementing and following a Risk Management Plan
  4. Requiring your Business Associates to sign contractual agreements 
  5. Training your employees on a regular basis
  6. Documenting any and all evidence of following HIPAA guidelines 

5. How often should I perform a Security Risk Analysis (SRA)?

HIPAA guidelines state that organizations may individually determine how often they should perform an SRA, as long as it is reasonable and appropriate for their organization size. The HIPAA Security Rule requires a regular security risk analysis, as well as a risk analysis following significant changes in the organization’s structure, facilities, or technologies. 

6. Is a comprehensive Security Risk Analysis required annually?

Although an annual SRA is not mandatory under HIPAA, it is a key measure under other federal programs such as MACRA MIPS and Promoting Interoperability. Both of these programs require SRAs to be completed annually. In order to meet these requirements and to maintain a relevant and compliant security risk plan, it is recommended to conduct an SRA at least once a year. 

7. What departments in a large organization are typically involved in the Security Risk Analysis process?

The executive team as well as the compliance and IT departments play major roles in conducting an SRA. Other participants might include the facilities team, human resources, medical records, and the security team. Creating and updating a Security Risk Analysis with a large team can be a complex task, especially if you’re using spreadsheets. The Medcurity platform eliminates this problem by allowing multiple users to have individual access to the specific safeguard categories that align with their job responsibilities.  

8. In the event of a desk audit or breach audit, what type of information is typically requested by the OCR from the healthcare organization?

The covered entity will typically be asked to provide the most recent comprehensive security risk analysis. They will also be asked for privacy and security policies that were in place at the time of the breach and that relate directly or indirectly to the type of breach that occurred. They will need to produce a narrative about the event that occurred, including the follow-up actions that were taken. Finally, they will be asked for evidence that procedures were being followed, for example audit logs, backup testing logs, and more. 

Medcurity provides tools to build or update organizational policies, as well as templates for frequently used tracking documents, and of course, an audit-ready final report for each SRA.

9. Why should I consider a HIPAA Compliance platform over our current Excel spreadsheets?

Historically, Excel spreadsheets have been the usual method of tracking yearly HIPAA Compliance requirements, such as the Security Risk Analysis and the Risk Management Plan with its assigned actions. Medcurity's automated and interactive platform, by contrast, assigns tasks to specific departments and users, generates on-demand reports that include relevant updates, and sends alerts as deadlines approach. These capabilities simplify and streamline your HIPAA Compliance Program as well as the audit process.

Medcurity's platform offers multiple functions that greatly simplify completing an SRA, including:

  • Offering real-time updates
  • Ability to retrieve information at any time
  • Keeping a record of all previous SRAs, so that each year you don't have to start from scratch
  • Enabling collaboration across multiple departments by giving each user individual access to the
  • And much more!

10. Does it make sense for my size of organization to implement a HIPAA Compliance platform?

Regardless of your organization’s size, developing a HIPAA Compliance program for your entire organization to adopt can be tedious. The value of a dynamic tool is found in how it can alleviate the project management and administrative burden. If you are the sole owner of your practice’s HIPAA Compliance program, Medcurity’s intuitive interface is easy to use with added definitions and citations for constant guidance. If you have multiple departments collaborating on this, Medcurity’s platform includes user assignments, suggested remedial action items specific to your organization’s risk as well as system alerts for deadlines at the individual level. Medcurity’s platform assists in building your Security and Privacy Policy Program and tracks your Business Associates. Having Medcurity’s tool in place clarifies HIPAA Compliance and streamlines accurate implementation for every size organization.

Your Medcurity subscription includes phone and email support from a highly experienced team. On-site support is also available upon request.

To learn more or register today, contact Ari Van Peursem at (509) 418-2236 or arivp@medcurity.com, or visit medcurity.com.

Making Life Easier

You have patients to care for, so we want to help make your life easier by reducing hassle, streamlining compliance processes, and increasing your confidence that things are taken care of.

About Medcurity

Medcurity was built to help healthcare organizations manage complex HIPAA and security requirements in one powerful platform. Their team has decades of experience in healthcare, technology, and compliance.