Due to our focus on and knowledge of the NIST guidelines for HIPAA Security Rule compliance, we understand that covered entities "may consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate" (NIST 800-66, rev. 1, p. 48). ClearDATA provides risk analysis as a service to our clients to evaluate vulnerabilities and risk potential. This ensures that the integrity, confidentiality and compliance are
Security Risk Analysis (SRA) focuses specifically on the three areas of 45 CFR 164.308(a)(1), namely the Administrative, Physical and Technical safeguards. Each of these areas is analyzed to verify that it is: a) sufficient to be effective, b) currently operational, c) applicable to the organization and d) representative of applicable compliance programs. Additionally, we review the organization's vendor relationships and Business Associate Agreements and, if necessary, conduct an SRA for the Business Associate. The deliverable is a final analysis and executive report appropriate for an executive and/or Board meeting, along with a complete remediation plan.
Security Risk Analysis is a thorough, on-site appraisal to determine the administrative, physical and technical computing security risks endemic to your site. This analysis creates the security foundation on which all your necessary security activities are based. It covers all physical safeguards for your information systems as well as all related equipment and facilities. The result of the Security Risk Assessment is a series of documents in our final report outlining the current administrative, physical and technical computing environmental risks and a series of possible solutions unique to each covered entity.
USHC HIPAA Security Risk Analysis Process:
- We conduct an initial high-level review of the security infrastructure and your current processes and programs for improvement.
- We perform an assessment of current HIPAA security compliance operations, including a physical site review of all facilities that covers the safeguards in place, vulnerabilities and specific threats to these safeguards.
- We guide you in the development of a protected health information (PHI) inventory covering both electronic PHI and other forms. If a PHI inventory has not been done in the recent past, it is a necessary step to determine risk, especially for unsecured
- We evaluate your existing security policies and procedures to determine if they are a) sufficient to be effective, b) currently operational, c) applicable to your organization and d) representative of applicable compliance programs.
- We establish new compliance requirements from the ARRA HITECH Act of 2009 related to
- We determine gaps in documentation of existing policies and procedures.
- We execute a critical analysis of the typical vulnerabilities and likelihood of threats and establish a threat matrix.
- We make recommendations on remediation of gaps, improving safeguards and related compliance, including specific security measure and safeguard recommendations such as network and information system activity auditing tools.
- All findings and recommendations are compiled into a formal written HIPAA Security Risk Analysis report, with a presentation of the findings by phone or webinar.
- In-depth analysis of your Administrative, Physical and Technical Safeguards per Security
- Expert review of your physical computing environment
of your current security software & protocols
- Assessment of your electronic transmission procedures for PHI
report of your security vulnerabilities to the confidentiality, integrity and
availability of EPHI (electronic protected health information)
- List of physical and electronic controls specific to your office environment
- Provide specific security viewpoints that you want to consider when implementing your
physical and computing safeguards