Your HIPAA and Risk Assessment Experts.
The HIPAA Law requires all Covered Entities (CE) and Business Associates (BA) to implement policies and procedures to prevent, detect, contain, and correct security violations.
Subpart C of the HIPAA Rule, §45CFR164.308(a)(1)(ii)(A) clearly states that a CE and BA must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
A key area for meeting this section of the law is performing the required risk assessment.
Bonadio is your HIPAA and Risk Assessment Expert. We have decades of experience as HIPAA consultants serving organizations ranging from 5 to 20,000 employees. We know the assessment process and can help you accurately navigate the required actions. What’s more, we understand that risk assessment means more than just your EMR or EHR. For example, the Office for Civil Rights (OCR) states in its final risk assessment guidance that “The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” We take that into account and build our assessment as a repeatable, measurable process.
For your protection, we go beyond what’s simply required.
Our risk assessment goes beyond the traditional process and fully integrates HIPAA’s Flexibility Principle noted in §45CFR164.306(b)(1). We integrate and customize our findings, recommendations, and mitigation suggestions based on the size, complexity, and capabilities of your organization. We take into consideration a number of factors, including your technical infrastructure and your hardware and software security capabilities. Once we have established a clear picture of your specific needs, we offer a range of solutions that take into account the costs of security measures while reporting on and measuring the probability and criticality ranking of potential risks to electronic protected health information (ePHI) that affect your organization.
We perform our assessment based on the Security and Breach Rules. This comprehensive approach addresses ePHI from a number of angles including everywhere it is stored, processed, maintained and subject to interaction within your organization and at your Business Associates and Covered Entities.
Typically, we will review, assess, and report on risks and vulnerabilities to your organization’s information, privacy controls and data security controls that support HIPAA compliance in at least the following areas:
- General and privileged user and system access controls
- Physical access restrictions
- Monitoring and testing of system upgrades
- Segregation of duties
- Systems vulnerability assessment sample
- Incident response program
- Protection from environmental hazards
- Outsourcing and third party vendor controls
- Management and board interaction with IT/IS
- IS/IT disaster recovery plan controls and testing
- Portable device and computer security and use review
- E-Commerce controls
- Operations and IT management
- Policy, procedures, compliance, and management documentation
- Cyber security management
HIPAA-specific risk assessment actions
- Bonadio will perform the needed work regarding your existing HIPAA control processes, identify and inventory everywhere your ePHI is stored, processed, or transmitted, and focus on performing a risk assessment as identified in the HIPAA Security Rule § 164.308.
- The assessment will:
  - Cover the needed HIPAA, HITECH, Breach, and 2013 Omnibus and GINA (where applicable) rules.
  - Include an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic and other protected health information held, stored, processed, or transmitted by the organization and its contracted third parties.
  - Include a report on our findings with regard to whether the organization has implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
  - Include needed testing and interviews with key stakeholders, power users, and Security and Privacy Officers.
  - Include third party contract reviews, Business Associate Agreement reviews, policy reviews, and process reviews. Specific outcomes include reports identifying areas ranked by risk, suggested and prioritized remediation, and residual risk ranking reports covering technical, physical, and administrative areas.
We will also review and comment on additional compliance and data security needs based on the FTC Red Flag, NY State Privacy Law, and other laws and regulations we may identify based on the data stored, transmitted, and processed by the organization.
Standard risk assessment deliverables
Bonadio's professional reporting and electronic deliverables will include at least:
- Reports that uniquely identify the organizations in the findings
- An Executive Summary with high-level, management-oriented findings
- Detailed findings of programs and processes in place and/or needed to address the organization’s technology and business controls required to meet the regulatory and identified frameworks
- A report covering "Other Matters for Management Consideration" that identifies, where needed, risk items we may discover outside the scope of work or that may not rise to the level of a risk finding
- A fully-documented list of required and suggested remediation or recommendations
- On-site meetings (progress, ongoing updates, exit, and Board/Audit Committee) with the organization to discuss any issues found throughout the assessment and at the end of the engagement.
Note: We are sensitive to the needs of your organization regarding protection of ePHI. Critical or urgent findings will be reported as soon as they are identified.
For more information, contact the Bonadio Enterprise Risk Management team.