HIPAA – Risk Assessment Service

The InfoTech Innovators solution powered by one of our elite security business partners will provide you with the tools and expertise you need to help you comply with the HIPAA Security Rule. Our solution was developed by experts knowledgeable with the HIPAA Security Rule, computer and network security, and security training. The combination of these skills are apparent in the level of detail and knowledge that the service provides.

Our Risk Assessment and Solution consists of the following:

18+ Policies and Procedures that address:

Administrative Safeguards

These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Physical Safeguards

These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Technical Safeguards

These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

Policies and Procedures include:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedure
  • Contingency Planning
  • Evaluation
  • Business Associate Contracts
Policies and Procedures include:

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Control
Policies and Procedures include:

  • Access Control
  • Audit Control
  • Person or Entity Authentication
  • Transmission Security

Each Policy and Procedure is a separate Microsoft Word document. The Policies and Procedures are customized with the name of your organization. Most of our clients do not require any changes or additional customizations to the Policies and Procedures but customization is an optional service if you need it.

In addition to the 18 Policies and Procedures, our solution also includes forms and checklists that address:

  • Device and Media Tracking
  • Computer use guidelines
  • Tracking access to server and equipment rooms
  • Breach notification checklists

A detailed Risk Assessment is required under the HIPAA Security Rule. It is also considered the foundation of the HIPAA Security Rule.
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:RISK ANALYSIS (Required).Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].

We will perform a detailed Risk Assessment that follows the methodology described in NIST Special Publication (SP) 800-30 Rev 1. Specifically the  Risk Assessment will do the following:

The output of the Risk Assessment consists of a 10-15 page Executive Summary as well as a 20+ page detailed report. The Executive Summary is an easy to understand overview that discusses the current state of your overall risk to your systems that contain ePHI as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities to the system, the current safeguards in place to protect the system and the additional recommended safeguards to lower the risk to the system.

The Risk Assessment report will give you a good understanding of the risks to ePHI and provide you with specific steps and actions that you should take to lower the risk.

HIPAA Security Training and Compliance Testing:

One of the most important steps you can take to protect ePHI and patient information is to provide security training to all of your employees. Security training is a requirement under the HIPAA Security Rule

STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).Security training for all new and existing members of the covered entity’s workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.-Department of Health and Human Services Security Standards: Administrative Safeguard

The HIPAA security service provides in-depth training on the HIPAA Security Rule as well as advice for best practices in protecting ePHI and patient information.  The training is provided in an online format which is both engaging and convenient to staff members. Training usually takes around 1 hour to complete.  Staff members can start a training session stop and resume the session from where they left off.  They can take the training during work hours or complete the training at home after hours.Once staff members have completed the online training, they will take a short 15-20 question online quiz to demonstrate their knowledge regarding the HIPAA Security Rule.  If they receive a score of 80% or higher, they will receive a certificate with their name that acknowledges that they have successfully completed the HIPAA Security Training.  If they do not receive an 80% score on the quiz they can retake it as many times as they need to.

When the entire staff has completed training, a report can be accessed that lists each of the staff members, the date they took the training and the highest score they received on the training quiz.

12 Months Use of the HIPAA Secure Compliance Portal

Included in the Service is 12 months access to the HIPAA Secure Compliance Portal. The HIPAA Secure Compliance Portal makes it easy to manage everything that you need to achieve and stay compliant with the HIPAA Security Rule.

The HIPAA Compliance Portal makes it easy to manage all aspects of HIPAA security compliance. The compliance portal will store the 18 HIPAA security policies and procedures. Employees will be able to access the policies and procedures, read summaries of each of the policies and procedures, and watch short entertaining videos that describe each policy and procedure.  In addition, the HIPAA compliance portal has the ability to upload other policies and procedures and important documents such as HIPAA privacy policies and procedures, disaster recovery procedures, HR policies and procedures, etc. Employees can access all the policies and procedures via the HIPAA compliance portal.

Administrators of the HIPAA compliance portal can utilize the functionality to perform the following functions:

1. Access the HIPAA security risk assessment documents.

2. Track and maintain all business associates including uploading any business associate agreements.

3. Track electronic protected health information (ePHI) that enters or leaves the organization.

4. Capture and record any security incidents that affect patient data or ePHI.

5. Provide HIPAA security training to new employees.

6. Track repairs or maintenance to critical area such as server rooms and other areas that store sensitive ePHI.

7. Access employee HIPAA security training reports.

HIPAA Security Risk Assessment

Has your Healthcare practice performed the required HIPAA Risk Assessments?

If not, InfoTech Innovators can help!

We are Certified HIPAA Security Professionals (CHSP)


 Note: Only the US Department of Health and Human Services, Office of Civil Rights (HHS-OCR) can determine if a Healthcare provider or business associate is HIPAA compliant, and thus this assessment service cannot “claim, guarantee or certify” that your practice is compliant with the HIPAA or other federal, state or local laws and regulations. The HIPAA  Service offered does not guarantee compliance with the HIPAA Security Rule.  The service provides education and tools to help implement the HIPAA Security Rule.  The HIPAA Security policies and procedures are a foundation for implementing the Security Rule.  It is the organization’s responsibility to ensure that all employees comply with the policies and procedures.  In addition, the HIPAA Security risk assessment identifies areas that the organization need to concentrate on to further protect electronic protected health information (ePHI, or better known as patient information).  It is the organization’s responsibility to use the risk assessment and implement the recommendations to further protect ePHI.  It should also be noted that the HIPAA Security Service is not legal advice.  Consult with legal counsel to ensure a full legal interpretation of the law.


Comments are closed.