• HIPAA Security Risk Analysis

Due to our focus on and knowledge of the NIST guidelines for HIPAA Security Rule Compliance, we understand that covered entities "May consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate." (NIST 800-66, rev 1, p48). ClearDATA provides risk analysis as a service to our clients to evaluate vulnerabilities and risk potential. This ensures that integrity, confidentiality and compliance are maintained.

The USHC Security Risk Analysis (SRA) is focused specifically on the three areas of 45 CFR 164.308(a)(1); namely, the Administrative, Physical and Technical safeguards. Each of these areas is analyzed to verify that the safeguards a) are sufficient to be effective, b) are currently operational, c) are applicable for the organization and d) represent applicable compliance programs. Additionally, we review the organization's vendor relationships and Business Associate Agreements, and if necessary, conduct an SRA for the Business Associate. The deliverable is a final analysis and executive report appropriate for an executive and/or Board meeting, along with a complete remediation plan.

The HIPAA Security Risk Analysis is a thorough, on-site appraisal to determine the administrative, physical and technical computing security risks endemic to your site. This analysis creates the security foundation on which all your necessary security activities are based. It covers all physical safeguards for your information systems as well as all related equipment and facilities. The result of the Security Risk Assessment is a series of documents in our final report outlining the current administrative, physical and technical computing environmental risks and a series of possible solutions unique to each covered entity.

USHC HIPAA Security Risk Analysis Process:

  • We conduct an initial high-level review of the security infrastructure and your current processes and programs for improvement.
  • We perform an assessment of current HIPAA security compliance operations, including a physical site review of all facilities that covers the safeguards in place, vulnerabilities and specific threats to these safeguards.
  • We guide you in the development of a protected health information (PHI) inventory of both electronic PHI and other forms. This applies if a PHI inventory has not been done in the recent past, and it is a necessary step to determine risk, especially for unsecured PHI.
  • We evaluate your existing security policies and procedures to determine if they are a) sufficient to be effective, b) currently operational, c) applicable for your organization and d) represent applicable compliance programs.
  • We establish new compliance requirements from the ARRA HITECH Act of 2009 related to security.
  • We determine gaps in documentation of existing policies and procedures.
  • We execute a critical analysis of the typical vulnerability and likelihood of threats and establish a threat matrix.
  • We make recommendations on remediation of gaps, improving safeguards and related compliance, including specific security measure and safeguard recommendations such as network and information system activity auditing tools.
  • We compile all findings and recommendations into a formal written HIPAA Security Risk Analysis report and present the findings by phone or webinar.

Features:

  • In-depth analysis of your Administrative, Physical and Technical Safeguards per the Security Rule
  • Expert review of your physical computing environment
  • Interrogation of your current security software & protocols
  • Assessment of your electronic transmission procedures for PHI
  • Detailed report of your security vulnerabilities to the confidentiality, integrity and availability of EPHI (electronic protected health information)
  • List of physical and electronic controls specific to your office environment
  • Specific security viewpoints to consider when implementing your physical and computing safeguards

