Why Senior Care Organizations Should Get a HIPAA Security Assessment (HSA)



From caregiver mobile apps to “smart” homes, digital tools are becoming a necessity for seniors transitioning between types of care. As care goes more digital, it becomes more critical than ever for senior living organizations to protect their IT systems against data breaches and the costly HIPAA fines that come with them.

HIPAA Compliance in Senior Living 

The Health Insurance Portability and Accountability Act (HIPAA) is U.S. federal legislation designed to protect health-related data, ranging from employee information to patient records. HIPAA helps hold U.S. healthcare organizations accountable for protecting that data as they move from paper to electronic record systems.

Healthcare is going more digital by the day, particularly in senior care. Obtaining and maintaining HIPAA compliance is an ongoing cybersecurity role, which senior care organizations may consider outsourcing. At vcpi, we understand the unique HIPAA challenges in home health and assisted living, and how they differ from those of brick-and-mortar healthcare companies. For example, the Covered Entity must educate all employees, including home health workers, on how to remain HIPAA compliant. Home health employees who use their own devices are at greater risk of device loss and theft. It is unsafe to allow personal device use for agency work unless proper security measures are implemented.


vcpi HIPAA Assessment Services

The scope of vcpi’s HIPAA Security Assessment (HSA) details the enterprise-wide administrative, physical, and technical controls that protect a company’s Protected Health Information (PHI) in multiple forms.

Typically, our team visits client sites and conducts phone calls to obtain information for the HSA, including the client's existing cybersecurity documentation. We analyze the technical, administrative and physical security controls, assigning a risk level to each along with recommendations for improvement. Our reports also present the client's current compliance levels based on the HIPAA Security Rule and HITECH Act.

We present the findings, and recommendations on how to remediate the identified risks, to organizational management.

Note: These reports are not intended to make a statement or declaration on the client’s overall compliance with HIPAA Security Rule, HITECH Act or any other applicable regulations. Compliance statements are the clients’ and appropriate regulatory enforcement authority’s responsibility. 

Assessment Methodology 

Our HIPAA Security Assessment (HSA) leverages the HIPAA Security Rule and HITECH Act requirements to assemble a baseline of security control objectives.
vcpi works with clients to perform the following:

  • Obtain necessary documentation
  • Complete assessment paperwork
  • Conduct on-site visits
  • Identify, discuss and follow up on findings 

First, our team assesses the client’s existing documentation, including company policies, standards, procedures and related Information Security governance documents. We record every piece that satisfies control objectives in the HSA. 

After analyzing documentation, we meet with key client security representatives to discuss their security control environment. We typically pair these discussions with the review and testing of the remaining physical, technical, and administrative controls to measure their effectiveness.

Risk Ratings

After collecting and analyzing security control data, our team assigns risk ratings to each control. These findings explain the severity of risk and potential impacts to the client’s business operations, information assets, and systems.

| Risk Level | Potential impact to business operations, information assets, and systems | Recommended Recovery Time Frame |
| --- | --- | --- |
| Severe or catastrophic | | 0 – 90 days |
| Serious | Other security controls implemented in the environment may provide partial coverage for this deficiency. | 3 – 6 months |
| Minimal | Security control environment provides adequate protection according to industry regulations and best practices. | 6 – 12 months |


The below graphic displays a typical outcome:

[Graphic: vcpi HIPAA assessment findings]


Cost is variable based on scope, industry, and related factors.

About vcpi

Founded in 2000, vcpi is headquartered in Milwaukee, Wisc. and is privately held by Agility Holdings, LLC. The team at vcpi helps care providers best serve their employees, residents and patients by removing technology distractions with outsourced IT support rooted in the unique world of senior living. vcpi offers a range of services focused on senior living organizations, including managed cloud hosting, security & access management, a US-based 24/7 service desk, IT consulting, network management and more. To learn more, please visit vcpi.com.