
Privacy and Security

Risk Assessment Report

Organization Name

Waverly Family Health Services Clinic

Submitted by

Erika Capalla

Submitted to

Dr. Jonathan Mack

1 University of San Diego © 2017. All Rights Reserved.


Directions

This is a privacy and security risk assessment report template. Refer to the desk audits
you conducted in modules 2, 3 and 4 as you work on this document, as they contain the
information you need to complete this template.

The Privacy and Security Risk Assessment Report Template includes sections for you
to complete, as well as supporting information and instructions to assist you in
understanding the federal requirements for privacy and security in health care. Once
you have filled in all of the required information in this template, you will have created a
Privacy and Security Assessment Report. Completion of this assessment for an
organization meets one of the requirements for Meaningful Use standards and
attestation.

The areas in this template that you need to complete will be indicated as text boxes or
tables where you will type in your content. Follow the directions in each section to
complete the template.

*This template is based on the following, which may be used as references.

• Office for Civil Rights (“OCR”) HIPAA Security Standards: Guidance on Risk Analysis Requirements under the HIPAA Security Rule – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
• Dept. of Health and Human Services (HHS) HIPAA Security Series: Basics of Risk Analysis and Risk Management – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf

Things to Consider

The following is a general overview of things to consider when creating a Privacy and
Security Risk Assessment Report.

1. Identify the scope of the analysis. You should take into account all ePHI (electronic protected health information) created, received, maintained, or transmitted by the organization. Electronic media could range from a single workstation in a small practice to networks in organizations with multiple locations.
2. Gather data. Gather information about how the ePHI is stored, received, maintained, or transmitted. For example, a solo practice with paper medical records may be able to identify all its ePHI by analyzing how it uses its billing software. Be sure to consider any portable electronic media used by the organization, such as an iPhone or iPad.
3. Identify and document potential threats and vulnerabilities. To start, list natural, environmental, and human threats, with the latter probably being of greatest concern. Potential human threats range from employees (the most common source), ex-employees, and visitors to hackers and criminals. Anyone who has the access, knowledge, and/or motivation “to cause an adverse impact” on your practice can act as a threat. Then, note the practice’s vulnerabilities to the threats you have identified. The practice’s vendors may be able to help you identify system vulnerabilities.
4. Assess current security measures. These can be both technical and
nontechnical. Technical measures are part of information systems hardware and
software, such as access controls, identification, authentication, encryption
methods, automatic logoff, and audit controls. Nontechnical measures are
management and operational controls, such as policies, procedures, standards,
guidelines, accountability and responsibility, and physical and environmental
security measures.
5. Determine the likelihood of threat occurrence.
6. Determine the potential impact of threat occurrence. The most common
outcomes include, but are not limited to, unauthorized access to or disclosure of
ePHI, permanent loss or corruption of ePHI, temporary loss or unavailability of
ePHI, or loss of cash flow.
7. Determine the level of risk. Use what you wrote down for steps 5 and 6 to do
this step. You might create a risk level matrix using a high, medium, and low
rating system. For example, a threat likelihood value of “high” combined with an
impact value of “low” may equal a risk level of “low.” Or, a threat likelihood value
of “medium” combined with an impact value of “medium” may equal a risk level of
“medium.”
8. Identify security measures and finalize documentation. Keep in mind the HIPAA Security Rule (see https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html) does not require a specific format for your analysis. When you use this template, you will provide a summary. In that summary report, you will outline your analysis process, record the result of each step, and identify security measures that are needed. Implementation of the identified security measures is a separate process from the risk analysis.



Part I: Executive Summary
In this section, you will provide a one- to two-paragraph summary of the HIPAA Privacy
and Security Risk Assessment and Mitigation Plan for the organization. You do not
need to provide extensive detail, as executive summaries are brief and to the point and
provide an overview of the assessment and next steps.

The HIPAA Privacy and Security Risk Assessment and Mitigation Plan begins with the Information Security Officer, Mrs. Jones, who manages the privacy and security policies and procedures, including providing staff access to PHI. The plan includes Administrative Safeguards, Technical Safeguards and Physical Safeguards, which protect ePHI and paper-based PHI. Policies and procedures are enacted to address the security of PHI. Review of the security policies and procedures reveals areas in need of mitigation.

Part II: Scope


In this section, indicate the scope of the assessment with one paragraph or more.
Indicate the setting, what was assessed during the audits, and where ePHI/ PHI data is
stored.

The scope of the assessment is the Waverly Family Health Services Clinic. The audits assessed the administrative safeguards, technical safeguards and physical safeguards. Business Associate contracts were assessed, including the types of business associates, such as Jones Billing Service, a paper shredding company, a lab processing company, a medical supply company and subcontractors. The audit assessed for breaches and unintended release of data, of which there were none reported. Physical devices, USB hard drives and mobile technology were assessed for proper usage. Policies and procedures for privacy and security were assessed. Staff training, including content and frequency, was assessed. The emergency plan, incident response and response to unplanned downtime were assessed. Policies for risk management were audited. Workforce management policies and procedures were audited. Potential known threats and the clinic’s response to them were assessed. Hardware, software and physical systems were audited. The clinic’s auditing policy itself was audited. The risk analysis policy was audited. ePHI is stored in the Practice Fusion EHR, the billing software and the calendar used for managing appointments. PHI data is stored in paper-based charts locked in the back of the office.

Part III: Risk Assessment and User Access


Risk Assessment Methodology
In this section, indicate how the assessment occurred. Was it conducted onsite, as a
desk audit, or a combination of the two? This section is less than a paragraph and
provides the reader with a brief understanding of how the assessment was carried out.

The assessment occurred using an onsite interview with the Information Security Officer, Mrs. Jones. The administrative safeguards, technical safeguards and physical safeguards were audited during the assessment.

Security Officer
Indicate who the organization’s privacy and security officers are. Include their title in the
organization. Many organizations have a privacy and security officer role that is held by
one person.

The Information Security Officer and the Privacy Officer roles belong to
Mrs. Jones who has been the Clinic Manager for Waverly Clinic for 10
years. Mrs. Jones is also a key stakeholder.

Inventory
Identify how ePHI is created, stored, received, or transmitted. This includes identifying
internal sources (e.g. servers, desktop computers, etc.) and external sources of ePHI,
such as vendors or consultants who create, receive, maintain or transmit ePHI. Also,
indicate if there is a documented process for updating the inventory. Include how paper-
based documents containing PHI are managed and disposed of.

ePHI is created, stored, received and transmitted from computer workstations. ePHI is also created, stored, received and transmitted from personal devices via Practice Fusion accessed as a web app. ePHI is stored in the cloud. The documented process for updating the inventory is through one person who tracks hardware purchases, placement and movement. Paper-based documents containing PHI are sent to a paper shredding company which provides HIPAA-compliant management and destruction of PHI.

Business Associate Agreements


Indicate the Business Associate agreements that exist or need to be established for organizations or companies that access PHI through the health care organization. Refer to the following website for information regarding BA requirements.

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?language=es

Below is a general description of a Business Associate:

• performs or assists in performing a company function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or
• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Some examples of Business Associates are as follows:

• A third party administrator that assists the company with billing and claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services involve access to protected health information.
• A consultant that performs utilization reviews for the company.
• An independent medical transcriptionist that provides transcription services for the company.

Waverly Clinic has Business Associate Agreements with Jones Billing Service, a paper shredding company, a lab processing company and a medical supply company. Waverly Clinic also has Business Associate Agreements with subcontractors of Business Associates to ensure that they meet HIPAA requirements.

PHI Access
In this section, indicate who can access ePHI in the organization. Provide a brief
summary in the text box below. You will provide more detail by specific role and user
access to PHI in the table below.

All staff can access ePHI in the organization, with the access level based
on staff role. The Information Security Officer, Mrs. Jones assigns access
based on staff role and responsibilities.

Summary of Access Authorization


Using the table below, indicate each job or role in the organization and its associated
user rights or access. An example is provided in the first row of the table.

*HIPAA requires that when PHI is used or disclosed, the amount disclosed must be
limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.

Job Title: (e.g. front office staff)
User Rights/Access to PHI: (e.g.)
- access EHR
- access to patient billing
- access to appointment scheduling
- patient emails
Miscellaneous: (e.g. occasional interns may receive access to specific data systems containing PHI)

Job Title: Dr. Waverly (Clinic owner and Medical Director)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Dr. Jones (Physician and Clinic Partner)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Mrs. Johnson (Physician’s Assistant)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Mrs. Wright (Nurse Practitioner)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Mrs. Jones (Clinic Director, Privacy and Security Officer)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Ms. Phelps (Front Office Clerk)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Ms. Smith (Back Office Medical Assistant)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Job Title: Mr. Lawrence (Clinic Accounts and Billing)
User Rights/Access to PHI:
- All electronic databases (Practice Fusion EHR, billing software, calendar for managing appointments for patients)
- All paper based clinical charts
Miscellaneous: none listed

Part IV: Privacy and Security Audit


In this section, utilize the information you obtained from your desk audits in Modules 2,
3 and 4. Follow the directions to complete each table. You will use the information in the
tables to create your report summary.

Administrative Safeguards
The Administrative Safeguards are the policies and procedures that bring the Privacy
Rule and the Security Rule together. They are the pivotal elements of a HIPAA
compliance checklist that govern the conduct of the workplace and require that a
Security Officer and a Privacy Officer (which may be the same person) be assigned to
put measures in place to protect ePHI. Keep in mind that a risk assessment is not a
one-time requirement, but rather a regular task necessary to ensure continued
compliance.

Overview
The following is an overview of administrative safeguards. The audit tool contains specific requirements.

• Conducting risk assessments – Among the Security Officer’s main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
• Introducing a risk management policy – The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
• Training employees to be secure – Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
• Developing a contingency plan – In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
• Testing of contingency plan – The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
• Restricting third-party access – It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with all business partners who will have access to ePHI.
• Reporting security incidents – The reporting of security incidents is different from the Breach Notification Rule, as incidents can be contained and data retrieved before the incident develops into a breach. Organizations should stress the need for all employees to be aware of how and when to report an incident in order that action can be taken to prevent a breach whenever possible.

Administrative Risk Audit Matrix Summary


Instructions:
1. Using the table below, fill in the “Security Privacy Concern” column with the privacy or security issue(s) you identified in your audit.
2. For each security privacy concern, indicate the following:
a) Identify the existing mitigations/controls
   - Indicate if there are any existing controls or if there are no controls
b) Indicate the impact (high/med/low) of each security privacy concern on the organization. This could be high, which might mean risk of breach, or low with no risk of breach.
c) Indicate steps you are proposing to mitigate the risk.
3. Add any additional information you have identified or have concerns about.

Security Privacy Concern: Information systems not categorized based on potential impact if unavailable.
Existing Controls to Mitigate Risk: Information systems currently not categorized.
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that direct focus toward the information systems that must remain available for daily operations to continue, so that steps can be taken to lessen the impact of their loss and to ensure that back-ups are in place.

Security Privacy Concern: No formal documented program to mitigate threats and vulnerabilities to ePHI identified through risk analysis.
Existing Controls to Mitigate Risk: No current formal documented program.
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted to provide direction on how to proceed upon discovery of threats and vulnerabilities to ePHI identified through risk analysis, to be utilized on other threats and vulnerabilities identified in the future.

Security Privacy Concern: No policies and procedures regarding access for non-workforce members such as maintenance personnel.
Existing Controls to Mitigate Risk: Paper based charts are locked up at the end of the day and a policy is in place for managing faxes.
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted to address the unsecured fax machine that prints out lab results off hours, to prevent unauthorized access by maintenance personnel: placing the fax machine in a locked room accessible only to authorized staff, or utilizing the storage feature in the fax machine.

Security Privacy Concern: No policies and procedures to screen and verify trustworthiness of workforce members prior to access.
Existing Controls to Mitigate Risk: Mrs. Jones is the Information Security Officer and responsible for providing access to staff members, but she does not describe the screening process procedure.
Impact of Risk (High, Med, or Low): Medium
Mitigation Plan: Policies and procedures must be enacted to screen workforce members, such as background checks and verification of credentials.

Security Privacy Concern: No policies and procedures are in place to direct that email communication must be used to provide updates to staff on security threats.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that direct that the Information Security Officer sends communication to all staff members regarding any new cyber threats or security issues that arise, such as email phishing.

Security Privacy Concern: No policies and procedures for identifying and assessing the criticality of the clinic’s information systems applications that would be accessed through the implementation of its contingency plans.
Existing Controls to Mitigate Risk: The clinic does indicate who has access to ePHI during downtime.
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted for identifying and assessing the criticality of its information systems applications and specifically the storage of the data.

Security Privacy Concern: Were the Waverly Clinic to be a business associate of another covered entity, there is no indication from Mrs. Jones that the clinic’s own subcontractors must also meet HIPAA requirements.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted that specify that Waverly Clinic’s own subcontractors must meet HIPAA requirements to protect PHI.

Technical Safeguards
The Security Rule defines technical safeguards as the policy and procedures that protect electronic protected health information and control access to it. The only stipulation is that ePHI – whether at rest or in transit – be encrypted once it travels beyond an organization’s internal firewalled servers, so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Beyond that, organizations are free to select whichever mechanisms are most appropriate.

Overview
The following is an overview of technical safeguards and requirements. The audit
tool contains specific requirements.

• Implement a means of access control – This not only means assigning a centrally controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
• Introduce a mechanism to authenticate ePHI – This mechanism is essential in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
• Implement tools for encryption and decryption – This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received.
• Introduce activity audit controls – The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.
• Facilitate automatic logoff – This function – although only addressable – logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period. This prevents unauthorized access of ePHI should the device be left unattended.

Technical Risk Audit Matrix Summary


Instructions:
1. Using the table below, fill in the area called “Security Privacy Concerns” with the privacy or security issues you identified in your audit.
2. For each security concern, indicate the following:
a) Identify the existing mitigations/controls
   - Indicate if there are any existing controls or no controls
b) Indicate the Impact on the organization (high/med/low) for each concern. This could be high, which might mean risk of breach, or low with no risk of breach.
c) Indicate steps you are proposing to mitigate the risk.
3. Add any additional information you have identified or have concerns about.

Security Privacy Concern: The clinic does not indicate the type of risk of its activities and information systems as either low, moderate or high based on risk analysis.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted to classify risk type in order to better determine what is needed to address the issue and improve clinic procedures.

Security Privacy Concern: The clinic does not use the evaluation from its risk audits to determine the frequency and scope of its audits.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): Medium
Mitigation Plan: Policies and procedures must be enacted for managing auditing processes based on the results of the annual audit, so that the clinic can improve its auditing processes by keeping informed of how it is performing.

Security Privacy Concern: Clinic results from the audits are not indicated to be used for security system modification.
Existing Controls to Mitigate Risk: The clinic performs yearly audits.
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted that direct utilizing audits as learning tools to improve clinic security operations, such as identifying security incidents that occur when the 2-factor authentication is used.

Security Privacy Concern: The clinic is not able to encrypt transmitted data.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that direct that all transmitted data must be encrypted. The clinic must immediately locate a company which is able to encrypt its transmitted data.

Security Privacy Concern: Patients have access to clinic wi-fi.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that restrict and monitor wi-fi usage by patients.

Physical Safeguards
The Security Rule defines physical safeguards as “physical measures, policies, and
procedures to protect a covered entity’s electronic information systems and related
buildings and equipment, from natural and environmental hazards, and unauthorized
intrusion.” The standards are another line of defense (adding to the Security Rule’s
administrative and technical safeguards) for protecting an organization’s EHR.

The Physical Safeguards focus on physical access to ePHI irrespective of its location.
ePHI could be stored in a remote data center, in the cloud, or on servers that are
located within the premises of the HIPAA covered entity. They also stipulate how
workstations and mobile devices should be secured against unauthorized access.



Overview
The following is an overview of physical safeguards and requirements. The audit tool contains specific requirements.

• Facility access controls must be implemented (addressable) – Procedures have to be introduced to record any person who has physical access to the location where ePHI is stored. This includes software engineers, cleaners and even a handyman coming to change a light bulb. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
• Policies relating to workstation use (required) – Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation (so that the screen of a workstation cannot be overlooked from an unrestricted area) and govern how functions are to be performed on the workstations.
• Policies and procedures for mobile devices – If mobile devices are to be allowed access to ePHI, policies must be devised and implemented to govern how ePHI is removed from the device before it is re-used.
• Inventory of hardware – An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Physical Risk Audit Matrix Summary


Instructions:
1. Using the table below, fill in the area called “Security Privacy Concerns” with the privacy or security issues you identified in your audit.
2. For each security concern, indicate the following:
a) Identify the existing mitigations/controls
   - Indicate if there are any existing controls or if there are no controls
b) Indicate the Impact on the organization (high/med/low) for each concern. This could be high, which might mean risk of breach, or low with no risk of breach.
c) Indicate steps you are proposing to mitigate the risk.
3. Add any additional information you have identified or have concerns about.

Security Privacy Concern: The clinic does not indicate that physical and technical security related activities are coordinated to reduce the impact on individuals.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): Medium
Mitigation Plan: Policies and procedures must be enacted that coordinate physical and technical security related activities.

Security Privacy Concern: The clinic does not provide details about the security plan or indicate that it takes the steps necessary to implement the security plan.
Existing Controls to Mitigate Risk: The clinic indicates that it does have a facility security plan.
Impact of Risk (High, Med, or Low): Medium
Mitigation Plan: Policies and procedures must be enacted that describe the details of the security plan.

Security Privacy Concern: The clinic does not indicate that maintenance records are kept with the history of physical changes for the facility.
Existing Controls to Mitigate Risk: The clinic does indicate the room where information systems and ePHI are kept.
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted that direct that the clinic must keep maintenance records with the history of physical changes for the clinic in order to prevent unauthorized access.

Security Privacy Concern: The clinic does not describe a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices and treatment areas.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): Medium
Mitigation Plan: The clinic must have policies and procedures in place that document the repairs and modifications made to the physical security features that protect the facility, administrative offices and treatment areas.

Security Privacy Concern: The clinic does not indicate where all of the workstations are located.
Existing Controls to Mitigate Risk: The clinic does indicate that there are workstations throughout the clinic, including workstations in each exam room and a public workstation.
Impact of Risk (High, Med, or Low): Low
Mitigation Plan: Policies and procedures must be enacted that direct that the clinic must maintain an inventory and location record of all of its workstation devices.

Security Privacy Concern: The clinic does not manage the personal devices of the staff or require antivirus software.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted immediately that manage personal devices that access the EHR (Practice Fusion) and direct that such devices must have anti-virus software installed.

Security Privacy Concern: Mrs. Jones does not specify how electronic devices and media are physically protected and securely stored until they can be properly disposed of.
Existing Controls to Mitigate Risk: Mrs. Jones does indicate that one person is responsible for all hardware movement.
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that direct the proper storage of electronic devices until they can properly be disposed of.

Security Privacy Concern: The clinic does not have policies and procedures for removing ePHI from electronic devices or media prior to disposal of such devices.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that direct the proper removal of ePHI from electronic devices and media prior to disposal of such devices.

Security Privacy Concern: The clinic does not have policies and procedures that specify how to dispose of electronic devices and media containing ePHI.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted on how to dispose of devices or media containing ePHI.

Security Privacy Concern: The clinic does not require that all ePHI is removed from equipment or media before the equipment or media is removed from the clinic for offsite maintenance or disposal.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that require that all ePHI is removed from equipment or media before the equipment or media is removed from the clinic for offsite maintenance or disposal.

Security Privacy Concern: Procedures are not implemented in the clinic that describe how ePHI should be removed from storage media/electronic devices before the media is re-used.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted that describe how ePHI should be removed from storage media/electronic devices before the media is re-used.

Security Privacy Concern: There is no indication by Mrs. Jones of records of employees removing electronic devices and media that have or can be used to access ePHI from the facility.
Existing Controls to Mitigate Risk: none indicated
Impact of Risk (High, Med, or Low): High
Mitigation Plan: Policies and procedures must be enacted to maintain records of employees removing electronic devices and media that have or can be used to access ePHI from the facility.

Part V: Risk Mitigation Strategies

Policy for Breach Notification
Provide a summary of the organization’s breach notification policy. The policy should indicate who the organization’s privacy and security officer is, and what the organization’s reporting protocol is when a breach is identified.

Waverly Clinic’s Privacy and Security Officer is Mrs. Jones. A policy is in place for breach notification. However, Waverly Clinic does not provide details on its breach notification policy. The policy should follow the HIPAA Breach Notification Rule and its required steps, including notifying the Secretary, with the required notifications depending on whether more than or fewer than 500 individuals are involved.

Disaster Recovery Plan


Indicate the organization’s disaster recovery plan and what their downtime plan is when
access to ePHI is not available.

A policy is in place for a disaster recovery plan, which includes definitions for an
emergency, backup procedures and downtime procedures. The disaster
recovery plan policy describes roles during a disaster, including who is
responsible for activating the disaster plan. The disaster recovery plan also
describes how often the disaster drill is held, which is annually. A policy is in
place for downtime that describes how to function when the ePHI is not
available, which is through the cloud: all ePHI is backed up to a cloud, and the
clinic is able to access all data backed up to the cloud within 30 minutes via web
access. Drills are performed every 6 months to verify that data can be accessed
during downtime.

Annual Training
Indicate the organization’s annual staff privacy and security training program or
processes.

Waverly Clinic provides annual privacy and security training for all employees. The
annual training addresses malware, preventing cyber threats, changing
passwords and log-in reminders.

Cyber Insurance
Indicate if the audited organization has a cyber insurance plan. If the organization lacks a
covered plan, indicate in this section what cyber insurance plan you would recommend.
This will require you to research information on the web to find an appropriate cyber
plan. Provide a brief summary of the cyber insurance you would recommend for the
organization (if indicated), and why you selected that particular cyber insurance
company.

Waverly Clinic does not have a cyber insurance plan. A possible cyber insurance
plan that I would recommend for Waverly Clinic based on its current needs,
through research of HIMSS recommendations, is a portfolio and package product
which includes network security coverage, privacy coverage, first-party costs
coverage and third-party liability coverage. This plan was chosen because the clinic
works with many different business associates. Although OneBeacon
Technology Insurance provides first-party coverage for cyber-related events,
adequate third-party coverage is not indicated. At this time, cyber insurance
coverage through AIG is the best option, since AIG allows for a broad
combination of cyber insurance coverage, including both first-party and third-party
coverage with property performance insurance.

Summary of Risk Assessment and Mitigation Recommendations


In this section, write a three- to four-paragraph summary of your Privacy and Security
audit. Include your recommendations for mitigating the security and privacy concerns or
threats you identified.

The Privacy and Security audit has revealed areas of strength and areas in need of
correction. Within the Administrative Safeguards Audit, one area of strength is that
policies and procedures are in place for assessing and managing risk to the clinic’s
ePHI. A second area of strength is that there are policies and procedures in place that
direct the discipline of workforce members who have access to ePHI and access it
inappropriately. A third area of strength is that there are policies and procedures for
review of information system activity by all users in the clinic, and policies are in place to
retain audit records of that activity for 7 years. A fourth area of strength is that there is a
designated Information Security and Privacy Officer, Mrs. Jones, who serves as the expert
on the security and privacy of ePHI and is also responsible for managing all access to
ePHI. A fifth area of strength is that the roles and responsibilities of all clinic members
are clearly described, and access is based on those roles and responsibilities. A sixth
area of strength is that all clinic staff are provided annual security training and disaster
response training. A weakness within the Administrative Safeguards Audit is that there
are no policies and procedures regarding access for non-workforce members such as
maintenance personnel; as a result, maintenance personnel have access to PHI that is
left on an unsecured fax machine overnight. My recommendation is that the fax machine
be turned off overnight and turned on again in the morning when clinic staff arrive and
are able to retrieve faxes, or that the fax machine be placed in a locked room that only
clinic staff with verified access are able to reach. A second weakness is that there are no
policies and procedures to screen and verify the trustworthiness of workforce members
prior to granting access. A recommendation to mitigate this security concern is to ensure
that background checks and verification of credentials are completed through specified
policies and procedures. A third weakness is that no policies and procedures are in place
directing that email communication be used to provide updates to staff on security
threats. My recommendation is that the Information Security Officer provide updates via
email or paper communication on the most current threats to ePHI so that clinic staff are
aware and can take the proper precautions.

Regarding the Technical Safeguards Audit, one strength is that Waverly Clinic analyzes
all user access every 3 months and is able to view which systems, databases and EHR
are accessed. A second strength is that the clinic has a unique identifier for each
authorized user, two-factor authentication is used, users must change their passwords
every 3 months, and there is an automatic log-off after a specified period of time. A third
strength is that in the event of an emergency, ePHI can be accessed through the cloud,
and routine testing to ensure access is performed every 6 months. A fourth strength is
that all computer workstations and PHI data are encrypted. However, a weakness in
conjunction with that strength is that the clinic is not able to encrypt transmitted data. My
recommendation for mitigation is that policies and procedures be enacted directing that
all transmitted data must be encrypted, and that the clinic immediately locate a business
associate who is able to encrypt its transmitted data. A second weakness is that patients
have access to the clinic wi-fi. This serves as an entry point for unauthorized access to
ePHI and for the introduction of different types of malware. My recommendation is to
monitor and restrict wi-fi usage, or to remove patient wi-fi access entirely, as there is no
specified required reason for providing wi-fi access other than ease of access.

Regarding the Physical Safeguards Audit, one strength is that an inventory is maintained
of all physical systems, devices and media in the clinic. A second strength is that there
are policies and procedures in place for physical protection of the clinic and its
equipment. A third strength is that policies and procedures are in place for when staff
are terminated or a key is lost. A fourth strength is that policies and procedures are in
place for granting access by staff role. A fifth strength is that policies and procedures are
in place for how clinic staff and the public access workstations. A sixth strength is that
Mrs. Jones indicates that staff are not allowed to bring in devices and connect them to
laptops, PCs or other web-enabled devices. A seventh strength is that all workstations
are encrypted and have privacy screens. The area of concern that requires mitigation is
that staff can access the EHR (Practice Fusion) through their own personal devices, yet
the clinic does not manage the personal devices of staff or require antivirus software.
My recommendation is the immediate implementation of policies and procedures for
managing the personal devices of staff who access Practice Fusion on those devices:
the clinic must either provide secure devices that can access Practice Fusion off site or
ensure that personal devices are secured prior to staff access. A second area of
concern is that the clinic does not have policies and procedures for removing ePHI from
electronic devices or media prior to disposal of such devices. My recommendation is
that policies and procedures be put in place that describe the removal of ePHI prior to
disposal of devices. A third area of concern is that procedures are not implemented in
the clinic that describe how ePHI should be removed from storage media/electronic
devices before the media is re-used. The recommendation for mitigation is that policies
and procedures be put in place that describe how ePHI should be removed from storage
media/electronic devices before the media is re-used. A fourth area of concern is that the
clinic does not have policies and procedures that specify how to dispose of electronic
devices and media containing ePHI. The recommendation is that policies and
procedures be put in place that direct how to dispose of electronic devices and media
containing ePHI if the ePHI cannot be removed prior to disposal.

Overall, the clinic is able to maintain the privacy and security of its ePHI; however,
several key concerns must be addressed immediately in order to prevent a breach of
information.

