A security risk analysis is a systematic and ongoing process of identifying and examining potential threats and vulnerabilities to protected health information and implementing changes to make patient health information more secure. Under the HIPAA Privacy and Security Rules, health care organizations are required to perform active risk prevention and safeguarding of patient information to ensure patient privacy.
2.1 Risk Assessment Questionnaire: This online risk assessment questionnaire, consisting of several technology topic areas, has been designed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), NIST, and other applicable data privacy laws and regulations.
2.2 Risk Management: This risk management action plan is designed to organize and prioritize identified risks based on probability and impact criteria. The highest-priority risks are mitigated first.
2.3 Templates for Policies and Procedures: This list of updated templates, derived from NIST, CIS, and other authoritative organizations and covering different technology systems and processes, is used as the policy documentation for implementing security controls.
All covered entities and business associates must comply with the HIPAA/HITECH privacy, security, and breach rules, which specifically focus on protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). As part of this requirement, EHR 2.0 has developed an easy-to-use HIPAA/HITECH assessment online toolkit for small organizations to evaluate privacy, security, and breach rule requirements. Our toolkit consists of:
3.1 ePHI Inventory Template: The first step in a HIPAA/HITECH assessment is to identify the ePHI systems, processes, and people involved in creating, receiving, maintaining, and transmitting ePHI. This template helps organizations develop an ePHI master inventory.
3.2 Sample Master Information Policies and Procedures: HIPAA security policies reflect the “rules” governing electronic Protected Health Information (ePHI) handling procedures. These include the physical security policy, technology security policy, sanction policy, access policy, contingency plans, security incident procedures, and a social media section, among others.
3.3 HIPAA/HITECH Assessment Checklist: This easy-to-use HIPAA/HITECH security rule checklist covers all 28 administrative safeguards, 12 physical safeguards, and 12 technical safeguards. The checklist helps healthcare organizations discover gap areas against the required and addressable HIPAA/HITECH security rule specifications, in addition to the privacy and breach rule requirements.
3.4 Breach Determination Chart: This flow chart has been developed to apply a consistent approach when performing a risk assessment to determine whether breach notification is required following a possible breach of unsecured Protected Health Information (PHI).
3.5 HIPAA Training for Staff: This online training module covers all the important areas of HIPAA awareness training for healthcare staff and includes assessment questions and a certificate of completion.