Organization Name
Submitted by
Christopher Korycki
Submitted to
This is a privacy and security risk assessment report template. Refer to the desk audits
you conducted in modules 2, 3 and 4 as you work on this document, as they contain the
information you need to complete this template.
The Privacy and Security Risk Assessment Report Template includes sections for you
to complete, as well as supporting information and instructions to assist you in
understanding the federal requirements for privacy and security in health care. Once
you have filled in all of the required information in this template, you will have created a
Privacy and Security Assessment Report. Completion of this assessment for an
organization meets one of the requirements for Meaningful Use standards and
attestation.
The areas in this template that you need to complete will be indicated as text boxes or
tables where you will type in your content. Follow the directions in each section to
complete the template.
Things to Consider
The following is a general overview of things to consider when creating a Privacy and
Security Risk Assessment Report.
1. Identify the scope of the analysis. You should take into account all ePHI
(electronic protected health information) created, received, maintained, or
transmitted by the organization. Electronic media could range from a single
workstation in a small practice to networks in organizations with multiple
locations.
2. Gather data. Gather information about how the ePHI is stored, received,
maintained, or transmitted. For example, a solo practice with paper medical
records may be able to identify all its ePHI by analyzing how it uses its billing
software. Be sure to consider any portable electronic media used by the
organization, such as an iPhone or iPad.
3. Identify and document potential threats and vulnerabilities. To start, list
natural, environmental, and human threats, with the latter probably being of
greatest concern. Potential human threats range from employees (the most
The Waverly Family Health Services Clinic has an above-average administrative,
technical and physical HIPAA Privacy and Security Risk Assessment and
Mitigation Plan. They are very thorough and detailed for a clinic with their small
staff size. They would need only small investments of time and money to
be even more comprehensive.
All ePHI data is stored on a cloud-based server and accessed via PC-based Dell
workstations throughout the office.
Security Officer
Indicate who the organization’s privacy and security officers are. Include their title in the
organization. Many organizations have a privacy and security officer role that is held by
one person.
Inventory
Identify how ePHI is created, stored, received, or transmitted. This includes identifying
internal sources (e.g. servers, desktop computers, etc.) and external sources of ePHI,
such as vendors or consultants who create, receive, maintain or transmit ePHI. Also,
indicate if there is a documented process for updating the inventory. Include how paper-
based documents containing PHI are managed and disposed of.
4 University of San Diego © 2017. All Rights Reserved.
All ePHI is stored on dedicated desktop PCs and linked to a cloud
server which is backed up every 30 minutes. All inventory is documented
and updated by Mrs. Jones. All paper-based records containing PHI are shredded
by an outside vendor: they are placed in locked, freestanding bins in
the office that are emptied every week by the vendor. There is a
business associate agreement with the vendor to provide shredding
services.
PHI Access
In this section, indicate who can access ePHI in the organization. Provide a brief
summary in the text box below. You will provide more detail by specific role and user
access to PHI in the table below.
*HIPAA requires that when PHI is used or disclosed, the amount disclosed must be
limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.
Administrative Safeguards
The Administrative Safeguards are the policies and procedures that bring the Privacy
Rule and the Security Rule together. They are the pivotal elements of a HIPAA
compliance checklist that govern the conduct of the workplace and require that a
Security Officer and a Privacy Officer (which may be the same person) be assigned to
put measures in place to protect ePHI. Keep in mind that a risk assessment is not a
one-time requirement, but rather a regular task necessary to ensure continued
compliance.
Overview
The following is an overview of administrative safeguards. The audit tool contains
specific requirements.
Technical Safeguards
The Security Rule defines technical safeguards as the policy and procedures that
protect electronic protected health information and control access to it. The only
stipulation is that ePHI – whether at rest or in transit – be encrypted once it travels
beyond an organization’s internal firewalled servers. This is so that any breach of
confidential patient data renders the data unreadable, undecipherable and unusable.
Thereafter, organizations are free to select whichever mechanisms are most
appropriate. The following is an overview of technical safeguards; the audit tool
provides the specific items.
Physical Safeguards
The Physical Safeguards focus on physical access to ePHI irrespective of its location.
ePHI could be stored in a remote data center, in the cloud, or on servers that are
located within the premises of the HIPAA covered entity. They also stipulate how
workstations and mobile devices should be secured against unauthorized access.
Overview
The following is an overview of physical safeguards and requirements. The audit
tool contains specific requirements.
Breach notifications are sent per policy to Mrs. Jones. The standard
HIPAA breach protocol procedures are then followed.
The disaster recovery plan includes definitions of an emergency, staff roles, backup
procedures and downtime procedures. There is built-in planned access to emergency ePHI.
Annual Training
Indicate the organization’s annual staff privacy and security training program or
processes.
There is initial training for all new employees and annual training on aspects of privacy and
cybersecurity, including: malware access, preventing cyber threats, changing
passwords, log-in reminders, downtime procedures, and general workplace security
measures.
Waverly Family Health Services does not currently carry a cyber insurance plan.
Recommended: AIG CyberPolicy. AIG carries 22% of the cyber insurance market and
includes cyber plans in its commercial casualty insurance plans, which is the
recommended bundle. It is a large carrier with great access to resources and customer
service.
Overall, Waverly Family Health Services is well above average in terms of thoroughness
and completeness in their overall security for a clinic their size. All three major audits
(administrative, technical and physical) were generally ranked low threat overall and
showed detailed and thorough security features, policies and protocols. Administratively, the
clinic is very well organized, well trained and aware of cyber threats. Mrs. Jones is
experienced and is sufficient for a clinic of this size. However, she does not hold any
major cybersecurity certification and thus lacks the deep technical skills to respond to a
direct attack. This is normal, as a clinic of Waverly's size could not afford to hire a full-time
cybersecurity expert. Overall, the technical audit and administration are solid.
The physical audit is rather secure, with the exception of a dedicated security system. Given
the probability that a breach or attack could come from a person physically on site, such
monitoring safeguards would be beneficial.