Turnkey Privacy / Security Risk Analysis & Mitigation Plan for HIPAA

HIPAA security risk assessment

Satisfy the Quality Payment Program Promoting Interoperability requirement by allowing SecureVitality to conduct or review a security risk analysis and mitigation plan. Don’t put your practice or healthcare organization at risk!

TURNKEY

Our Turnkey for Privacy & Security Risk Assessment

A Risk Assessment is required to fulfill Promoting Interoperability under the Quality Payment Program/MACRA. A risk assessment evaluates the threats and vulnerabilities to your practice and to your protected health information. We use a proven method to review and document your risks, develop a detailed HIPAA Privacy & Security Risk Analysis and Mitigation Plan, and meet the Advancing Care Information requirement for the Quality Payment Program/MACRA.

Not having a risk assessment is “Willful Neglect” under the HIPAA Omnibus Rules, and places your practice at great risk of HIPAA compliance violations, fines, and the loss of trust between your practice and your patients. CareVitality, Inc. has spent years developing a cost-effective, complete risk assessment process to help your practice meet this HIPAA compliance requirement and protect your practice from a data breach or other security risks.

Assess Your Risks with a Security Risk Analysis

Satisfy the Quality Payment Program Promoting Interoperability requirement by allowing CareVitality to conduct or review a security risk assessment and mitigation plan. Don’t put your practice or healthcare organization at risk!

Perform

We Perform a Comprehensive HIPAA Privacy/Security Risk Assessment & Mitigation Plan

  • Receive guidance on how to put administrative, physical and technical safeguards in place against the threats outlined by the Security Rule.
  • Identify and document potential threats and vulnerabilities, assess the likelihood of their occurrence, manage the impact of these security risks, and determine the level of risk to your patients’ health information.
  • Create a risk mitigation plan with recommendations and safeguards to mitigate risk.
  • Receive assistance with healthcare security risk mitigation efforts for your medical organization.
  • Upon the client’s request, we can provide Vulnerability Scanning and Penetration Testing to further strengthen the security risk assessment findings.

FAQ

Frequently Asked Questions

The Covered Entity or Business Associate is required to designate its Security Officer and/or Privacy Officer. The Security Official may be a provider, a practice manager, or an IT staff member, or a third-party firm may be designated to conduct the risk assessment. In some organizations the HIPAA Privacy Officer and the Security Officer are the same person. If this is the case, it is important for the Security Official to be an expert not only in HIPAA but also in IT. If the Security Official does not have a great deal of IT expertise, it is important to hire a third-party vendor knowledgeable and experienced in conducting and completing the HIPAA Privacy & Security Risk Assessment.
No, there are not different types of risk assessment for Covered Entities and Business Associates.
A HIPAA privacy risk assessment deals with privacy risks in any medium, whereas a HIPAA security risk assessment deals with security risks to a patient’s electronic protected health information (ePHI).

Any Covered Entity or Business Associate is required to perform a HIPAA Risk Assessment.

In preparation for a security risk assessment it is helpful to have a list of users and hardware for the organization ready for the assessment.

The hardware list should cover the full hardware inventory: all operational and non-operational hardware, the operating system of each device, and the software applications used to protect it (anti-virus, anti-malware, anti-spyware, advanced endpoint protection against ransomware, etc.).

The user list should include all active users in the system and the health information technology each of them has access to.

Additionally, the Security Official needs administrative access to complete the Security Risk Assessment, in order to review audit trails/audit logs, review password requirements, and see the details of what each person has access to.

Some of the most important risks are as follows:

  • Giving someone more access than their job responsibilities require.
  • Not completing pre-employment background checks and drug tests for employees.
  • Having unencrypted patient electronic protected health information (ePHI) on computers, which creates a compliance issue.
  • Lack of employee privacy & security training in the organization.
  • Using unencrypted emails when releasing patients’ electronic protected health information (ePHI).
  • An unsecured or misconfigured firewall, which can compromise the organization’s data or network.
  • Improper disposal of patients’ electronic protected health information (ePHI) or other company records.
  • Not having anti-virus, anti-malware, anti-spyware, and advanced endpoint detection and remediation.

The risk assessment should cover the following areas: Physical/Environmental, Technical, and Administrative Safeguards. Under each of these areas, the required items need to be assessed and addressed.

    1. Physical safeguards in a risk assessment refer to the measures an organization takes to protect its physical facilities, equipment, and other assets from unauthorized access or damage. Examples of physical safeguards include locked doors, security cameras, and restricted access to sensitive areas.
    2. Technical safeguards in a risk assessment refer to the measures an organization takes to protect its electronic information systems and data from unauthorized access or disclosure. Risk management entails evaluation of the organization’s physical security measures, including the security of computer systems (encryption, access controls, and intrusion detection systems), the management of servers, and other electronic equipment. Additionally, a description of the organization’s data backup and disaster recovery plans should be included in the risk assessment.
    3. Administrative safeguards in a risk assessment refer to the policies, procedures, and training programs an organization has in place to protect the confidentiality, integrity, and availability of ePHI as it is handled, stored, and transmitted. As part of the risk assessment, it needs to be determined whether there are gaps in the organization’s policies, procedures, and practices that need to be addressed. Examples of administrative safeguards include HIPAA compliance training and correct management of health information, periodic risk assessments, and incident response plans.

Overall, a HIPAA security risk assessment audit should include an evaluation of all three types of safeguards to ensure that the organization is adequately protected against potential threats to the confidentiality, integrity, and availability of ePHI.

A HIPAA Security Risk Assessment Report should address the assessment items and document the following for each vulnerability:
    • Vulnerability Assessments
      • Threat
      • How the threat was identified
      • Analysis of threat likelihood
      • Impact
      • Impact level
      • Overall risk level analysis
      • Recommended HIPAA-approved safeguard
Then, a summary table can be completed as follows, including recommendations to mitigate these risks and identifying the following:
    • Risk (vulnerability/threat pair)
    • Safeguard recommendations
    • Risk level analysis
    • Responsible owner for mitigating the risk
    • When the risk was identified
    • Target completion date for mitigating the risk
    • Area to record the completion date and by whom

The goal of a HIPAA security risk assessment audit report is to provide the organization with a clear and actionable plan for improving its compliance program and reducing its risk of non-compliance with HIPAA Privacy and Security regulations.
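As an added example (not part of this page or CareVitality’s process), the following Python models the per-vulnerability report fields and the mitigation summary table described above: each vulnerability/threat pair is scored on a likelihood × impact matrix, rows that lack an owner or a workable target date are flagged, and the summary is ordered with the highest risks first. The three-point Low/Medium/High scale and the scoring thresholds are assumptions, since the page defines no scale.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = ("Low", "Medium", "High")  # assumed 3-point scale; the page defines none
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

def risk_level(likelihood: str, impact_level: str) -> str:
    """Overall risk from a 3x3 likelihood x impact matrix (assumed scoring):
    product of 1..3 ranks; 6 or more is High, 3 to 4 Medium, otherwise Low."""
    score = (RANK[likelihood] + 1) * (RANK[impact_level] + 1)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class RiskEntry:
    """One vulnerability/threat pair with the report and summary-table fields above."""
    vulnerability: str
    threat: str
    identified_how: str    # how the threat was identified
    likelihood: str
    impact: str            # impact description
    impact_level: str
    safeguard: str         # recommended safeguard
    owner: str             # responsible for mitigating the risk
    identified_on: date
    target_date: date
    completed_on: Optional[date] = None
    completed_by: str = ""

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact_level)

def validate(e: RiskEntry) -> list[str]:
    """Findings that leave a mitigation-plan row unactionable or incomplete."""
    issues = []
    if not e.owner.strip():
        issues.append("no responsible owner")
    if e.target_date < e.identified_on:
        issues.append("target date precedes identification date")
    if (e.completed_on is None) != (e.completed_by == ""):
        issues.append("completion date and completer must be recorded together")
    return issues

def summary_table(entries: list[RiskEntry]) -> list[dict]:
    """Summary rows ordered highest risk first, then earliest target date."""
    return [{"risk": f"{e.vulnerability} / {e.threat}", "safeguard": e.safeguard,
             "risk_level": e.level, "owner": e.owner, "identified": str(e.identified_on),
             "target": str(e.target_date),
             "completed": f"{e.completed_on} by {e.completed_by}" if e.completed_on else ""}
            for e in sorted(entries, key=lambda e: (-RANK[e.level], e.target_date))]
```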

GET IN TOUCH

Contact us. Anytime.

Fill out the form or give us a call and we’ll happily help you in any way that we can.