Organization Name
Submitted by
Erika Capalla
Submitted to
This is a privacy and security risk assessment report template. Refer to the desk audits
you conducted in modules 2, 3 and 4 as you work on this document, as they contain the
information you need to complete this template.
The Privacy and Security Risk Assessment Report Template includes sections for you
to complete, as well as supporting information and instructions to assist you in
understanding the federal requirements for privacy and security in health care. Once
you have filled in all of the required information in this template, you will have created a
Privacy and Security Assessment Report. Completion of this assessment for an
organization meets one of the requirements for Meaningful Use standards and
attestation.
The areas in this template that you need to complete will be indicated as text boxes or
tables where you will type in your content. Follow the directions in each section to
complete the template.
Things to Consider
The following is a general overview of things to consider when creating a Privacy and
Security Risk Assessment Report.
1. Identify the scope of the analysis. You should take into account all ePHI
(electronic protected health information) created, received, maintained, or
transmitted by the organization. Electronic media could range from a single
workstation in a small practice to networks in organizations with multiple
locations.
2. Gather data. Gather information about how the ePHI is stored, received,
maintained, or transmitted. For example, a solo practice with paper medical
records may be able to identify all its ePHI by analyzing how it uses its billing
software. Be sure to consider any portable electronic media used by the
organization, such as an iPhone or iPad.
3. Identify and document potential threats and vulnerabilities. To start, list
natural, environmental, and human threats, with the latter probably being of
greatest concern. Potential human threats range from employees (the most
The HIPAA Privacy and Security Risk Assessment and Mitigation Plan
begins with the Information Security Officer, Mrs. Jones, who manages
the privacy and security policies and procedures, including providing
staff access to PHI. The plan covers Administrative Safeguards, Technical
Safeguards and Physical Safeguards, which together protect both ePHI and
paper-based PHI. Policies and procedures are enacted to address the
security of PHI, and review of those policies and procedures reveals
areas in need of mitigation.
The scope of the assessment is the Waverly Family Health Services
Clinic. The audits assessed the administrative, technical and physical
safeguards. Business Associate contracts were assessed, including the
types of business associates, such as Jones billing service, the paper
shredding company, the lab processing company, the medical supply
company and subcontractors. The audit assessed for breaches and
unintended releases of data, of which none were reported. Physical
devices, including USB hard drives and mobile technology, were assessed
for proper usage. Policies and procedures for privacy and security were
assessed. Staff training, including content and frequency, was assessed.
The emergency plan, incident response and response to unplanned downtime
were assessed. Policies for risk management were audited. Workforce
management policies and procedures were audited. Potential known threats
and the clinic's response to them were assessed. Hardware, software and
physical systems were audited. The clinic's auditing policy itself was
audited. The risk analysis policy was audited. ePHI is stored in the
Practice Fusion EHR,
Security Officer
Indicate who the organization’s privacy and security officers are. Include their title in the
organization. Many organizations have a privacy and security officer role that is held by
one person.
The Information Security Officer and the Privacy Officer roles belong to
Mrs. Jones who has been the Clinic Manager for Waverly Clinic for 10
years. Mrs. Jones is also a key stakeholder.
Inventory
Identify how ePHI is created, stored, received, or transmitted. This includes identifying
internal sources (e.g. servers, desktop computers, etc.) and external sources of ePHI,
such as vendors or consultants who create, receive, maintain or transmit ePHI. Also,
indicate if there is a documented process for updating the inventory. Include how paper-
based documents containing PHI are managed and disposed of.
PHI Access
In this section, indicate who can access ePHI in the organization. Provide a brief
summary in the text box below. You will provide more detail by specific role and user
access to PHI in the table below.
All staff can access ePHI in the organization, with the access level based
on staff role. The Information Security Officer, Mrs. Jones assigns access
based on staff role and responsibilities.
*HIPAA requires that when PHI is used or disclosed, the amount disclosed must be
limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.
Administrative Safeguards
The Administrative Safeguards are the policies and procedures that bring the Privacy
Rule and the Security Rule together. They are the pivotal elements of a HIPAA
compliance checklist that govern the conduct of the workplace and require that a
Security Officer and a Privacy Officer (which may be the same person) be assigned to
put measures in place to protect ePHI. Keep in mind that a risk assessment is not a
one-time requirement, but rather a regular task necessary to ensure continued
compliance.
Overview
The following is an overview of administrative safeguards. The audit tool contains
specific requirements.
Technical Safeguards
The Security Rule defines technical safeguards as "the technology and the policy and
procedures for its use that protect electronic protected health information and control
access to it." The Rule is technology-neutral: it does not mandate particular products or
algorithms, and encryption of ePHI, whether at rest or in transit, is an addressable
implementation specification rather than a flat requirement. The organization must
assess whether encryption is reasonable and appropriate for its environment and either
implement it or document why it did not and what equivalent alternative it put in place.
In practice, encrypting ePHI wherever it is stored or transmitted is the expected outcome
of that assessment, and it has a direct bearing on breach handling: under HHS guidance,
ePHI encrypted consistent with NIST recommendations is considered secured, so the loss
of an encrypted device or message (where the key was not also compromised) is not a
reportable breach, whereas the same data lost in clear text is. Beyond that, organizations
are free to select whichever mechanisms are most appropriate.
Overview
The following is an overview of technical safeguards and requirements. The audit
tool contains specific requirements.
Physical Safeguards
The Security Rule defines physical safeguards as “physical measures, policies, and
procedures to protect a covered entity’s electronic information systems and related
buildings and equipment, from natural and environmental hazards, and unauthorized
intrusion.” The standards are another line of defense (adding to the Security Rule’s
administrative and technical safeguards) for protecting an organization’s EHR.
The Physical Safeguards focus on physical access to ePHI irrespective of its location.
ePHI could be stored in a remote data center, in the cloud, or on servers that are
located within the premises of the HIPAA covered entity. They also stipulate how
workstations and mobile devices should be secured against unauthorized access.
Physical Safeguards findings (finding, current state, risk level, recommended mitigation):

Finding: The clinic does not provide details about the security plan or indicate that
they take the steps necessary to implement the security plan.
Current state: The clinic indicates that they do have a facility security plan.
Risk level: Medium
Mitigation: Policies and procedures must be enacted that describe details on the
security plan.

Finding: The clinic does not indicate that maintenance records are kept with the
history of physical changes for the facility.
Current state: The clinic does indicate the room where information systems and ePHI
are kept.
Risk level: Low
Mitigation: Policies and procedures must be enacted that direct that the clinic must
keep maintenance records with the history of physical changes for the clinic in order
to prevent unauthorized access.

Finding: The clinic does not describe a process to document the repairs and
modifications made to the physical security features that protect the facility,
administrative offices and treatment areas.
Current state: (none recorded)
Risk level: Medium
Mitigation: The clinic must have policies and procedures in place that document the
repairs and modifications made to the physical security features that protect the
facility, administrative offices and treatment areas.

Finding: The clinic does not indicate where all of the workstations are located.
Current state: The clinic does indicate that there are workstations throughout the
clinic, including workstations in
Risk level: Low
Mitigation: Policies and procedures must be enacted that direct that the clinic must
maintain an inventory and location record of all of its workstation devices.
Waverly Clinic's Privacy and Security Officer is Mrs. Jones. A policy is in place
for breach notification. However, Waverly Clinic does not provide details on its
breach notification policy. The policy should follow the HIPAA Breach Notification
Rule: affected individuals must be notified without unreasonable delay and no later
than 60 days after discovery of the breach; a breach affecting 500 or more
individuals must also be reported to the Secretary of HHS within that same 60-day
window and, where 500 or more residents of a state or jurisdiction are affected, to
prominent media outlets serving that area; a breach affecting fewer than 500
individuals must be logged and reported to the Secretary within 60 days of the end
of the calendar year in which it was discovered.
A disaster recovery plan policy is in place; it defines what constitutes an
emergency and sets out backup procedures and downtime procedures. The policy
describes roles during a disaster, including who is responsible for activating the
disaster plan, and specifies that the disaster drill is held annually. A downtime
policy describes how to function when the ePHI is not available, which is through
the cloud: all ePHI is backed up to the cloud, and the clinic is able to reach all
of the backed-up data via web access within 30 minutes. Downtime drills are
performed every 6 months to verify that the data can be accessed.
Annual Training
Indicate the organization’s annual staff privacy and security training program or
processes.
Waverly Clinic provides annual privacy and security training for all employees. The
annual training addresses malware, preventing cyber threats, changing passwords and
log-in reminders.
Cyber Insurance
Indicate if the audited organization has a cyber insurance plan. If the organization lacks a
covered plan, indicate in this section what cyber insurance plan you would recommend.
This will require you to research information on the web to find an appropriate cyber
plan. Provide a brief summary of the cyber insurance you would recommend for the
organization (if indicated), and why you selected that particular cyber insurance
company.
Waverly Clinic does not have a cyber insurance plan. A possible cyber insurance
plan that I would recommend for Waverly Clinic based on their current needs,
through research of HIMSS recommendations, is a portfolio and package product
which includes network security coverage, privacy coverage, 1st party costs
The Privacy and Security audit has revealed areas of strength and areas in need of
correction.

Within the Administrative Safeguards Audit, one area of strength is that policies and
procedures are in place for assessing and managing risk to the clinic's ePHI. A second
area of strength is that there are policies and procedures in place that direct the
discipline of workforce members who have access to ePHI and access it inappropriately.
A third area of strength is that there are policies and procedures for a review of
information system activity by all users in the clinic, and policies are in place to
retain the audit records of that activity for 7 years. A fourth area of strength is that
there is a designated Information Security and Privacy Officer, Mrs. Jones, who serves
as the expert regarding security and privacy of ePHI and is also responsible for
managing all access to ePHI. A fifth area of strength is that the roles and
responsibilities of all clinic members are clearly described, and access is based on
those roles and responsibilities. A sixth area of strength is that all clinic staff are
provided annual security training and disaster response training.

One weakness within the Administrative Safeguards Audit is that there are no policies
and procedures regarding access for non-workforce members such as maintenance
personnel. In the current arrangement, maintenance personnel have access to PHI that is
left on an unsecured fax machine overnight. My recommendation is that the fax machine be
turned off overnight and turned on again in the morning when clinic staff arrive and are
able to retrieve faxes, or that the fax machine be placed in a locked room that only
clinic staff with verified access are able to reach. A second weakness is that there are
no policies and procedures to screen and verify the trustworthiness of workforce members
prior to granting access. A recommendation to mitigate this security concern is to
ensure that background checks and verification of credentials are completed under
specified policies and procedures. A third weakness is that there are no policies and
procedures directing that email communication be used to provide updates to staff on
security threats. My recommendation is that the Information Security Officer provide
updates via email or paper communication on the most current threats to ePHI so that
clinic staff are aware and can take the proper precautions.

Regarding the Technical Safeguards audit, one strength is that Waverly Clinic analyzes
all user access every 3 months and is able to view which systems, databases and EHR
records are accessed. A second strength is that the clinic has a unique identifier for
each authorized user, two-factor authentication is used, and users must change their
passwords every 3 months. Also, there is an automatic log off after a