HIPAA Risk Assessment Inventory Workbook (166365507)

7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)

http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 1/12

Contents

Worksheet name What is covered

Contents This sheet.

Overview * The model of a unit of the HCC.

* What are: technical assets, physical sites, and administrative subunits.

* How to identify a HCC unit's physical sites and administrative subunits.

Process * The process of filling out the HIPAA Risk Assessment Inventory.

* The suggested grading scale.

* Desciptive narrative.

* Some criteria for prioritizing risks.

* Delivery instructions.

Instructions * A description of the four sheets which form the actual Risk Assessment Inventory.

* Descriptions of the fields found on each of those four sheets.

* How to score r isks on each sheet, which are mitigated by different types of Safeguards.


I. HCC Unit Names of the HCC Unit, Physical Site(s) and Admin Subunit(s)II. Tech Assets Inventory of technical assets, and assessment of risks mitigated by applicable:

Administrative, Physical and Technical Safeguards.

III. Phys Site(s) Inventory of physical sites, and assessment of risks mitigated by applicable:

Physical Safeguards and Technical Safeguards.

IV. Admin Subunit(s) Inventory of administrative subunits, and assessment of risks mitigated by applicable:

Administrative Safeguards


HIPAA Security Regs * Administrative, Physical and Technical Safeguards,

with language taken directly from the regulation itself.* Suggested grading scales for the required Safeguards.

* Summary of the process for addressing the "addressable" safeguards.

Contents of the HIPAA Risk Assessment Inventory Workbook

Explanations

The workbook is divided into three parts:

This workbook contains the HIPAA Risk Assessment Inventory instrument for use by the units of the Health Care Component (HCC) at the

University of Wisconsin - Madison. It was designed by the Risk Assessment Subcommittee of the UW-Madison HIPAA Security Committee.

Before learning about the details of the Risk Assessment Inventory, you may find it helpful to read the summary of language from the HIPAA Security

Regulation, which is included in this workbook as the last sheet named 'HIPAA Security Reg'.

The Risk Assessment Inventory

The HIPAA Regulation, and possible grading scalesC.

B.

This risk assessment inventory is intended to assist the units of the HCC in meeting the risk assessment requirement of the HIPAA security regulation

(45 CFR Part 164.308(a)(1)( ii)(A)), and the risk assessment inventory and migration planning process specified in the UW-Madison policy (#8.4 III(A)(i)).

Completing this risk assessment inventory is not by itself sufficient to meet the requirements of either the regulation or the policy, but is a early step in

an ongoing process leading to compliance.

A.

Printed: 9/7/2013HIPAA Risk Assessment Inventory

Copyright (c) 2003, University of Wisconsin Board of Regents

Page 1 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html



Overview

UW-Madison HCC

The Unit of the HCC(has a Security Coordinator)

Other Units

of the HCC

Administrative

Subunits

Physical

Sites

Own and Operate Contain

* Technical assets. These include servers, workstations, network devices, peripherals, portables and applications. See the sheet named 'Instructions' for a more

detailed description of each class of technical assets.

Overview of HIPAA Risk Assessment Inventory

Technical Assets

The HIPAA Risk Assessment Inventory includes three elements:

* Administrative Subunits. The unit of the HCC will consist of one or more administrative subunits that own and operate technical assets. A subunit could be a

distinct department, a sizable research group, a separate service organization, etc. Distinct subunits should have a significant degree of operational autonomy.

Subunits that share the same information technology, human resource, and administrative staff might be treated as one, because most of the relevant policies and

procedures are defined and implemented by those staff members.

* Physical Sites. The unit of the HCC will have one or more physical sites at which technical assets are located. Most technical assets are located at one such

physical site, but a few such as network devices and applications may be distributed among multiple sites. A physical site could be a building complex, a buildingwing or floor, a number of rooms scattered around a building or complex, or in some cases an isolated room with distinct security requirements. Distinct sites will

typically be physically isolated from each other, and should have differing security issues. For example: scattered rooms in the same building may share many of the

same security issues and might be treated as a single physical site, while a server room in the same building might be treated as separate physical site because of its

unique security requirements.






Process

2

3

4

5 Deliver the inventory and descriptive narrative your Security Coordinator by October 1st 2003 (or

other date as directed by the Security Coordinator.)

If you are the Security Coordinator, deliver a migration plan and the accompanying risk assessment

inventory to the Security Officer by October 14th.

See sheet 'I. HCC Unit'.

Score risk on a five point scale. For example: a scale of A, B, C, D, & F where A (excellent) is low

risk, and F is high risk, and . Risk associated with all applicable safeguards should be assessed, but

spend the most time and attention on the required safeguards. The 'HIPAA Security Regs' sheet in this

workbook includes a possible grading scale for each required safeguard.

The Risk Assessment Inventory is not by itself a complete risk assessment. A descriptive narrative

should accompany the inventory. The narrative should explain "why". Why were those physical sites

and those administrative subunits were selected. Why were various technical assets grouped together.Why were particular scores given, especially when the score was a "A", "D" or "F". It is important to

explain cases where there is minimal risk as well as cases where there is significant risk. To shorten

the narrative, comments may be added to the cells of sheets II. through IV. When the inventory is

printed the comments will follow each sheet.

See sheet 'II. Tech Assets'.

b. Physical Site(s)

Establish a team to Assess risks

When intervening to mitigate significant risks, not all D's and F's are equally important. Take into

account the cost of intervention and the business impact of loss of confidentiality, integrity, or

availability of data. Scores may be grouped whenever that seems appropriate. Add the prioritization tothe descriptive narrative.

Deliver to the Security Coordinator

See sheet 'III. Phys Site(s)'.

Suggestion: have IT, HR, and management representative(s).

Process

Score the risk associated with each applicable safeguard.

Write a descriptive narrative.

Prioritize significant risks (high to low) and add that to the

descriptive narrative.

Process for HIPAA Risk Assessment Survey

Conduct an inventory of unit of the HCC

a. Technical Assets

1

c. Administrative Subunit(s) See sheet 'IV. Admin Subunit(s)'.






Instructions

Server A computer running the "server" side of client/server applications or services.

Often managed by an assigned system administrator who routinely gives attention to the system.

Network A computer or non-trivial specialized device forming or managing a network, such as a router, switch, wireless network hub or access point, or network monitor. Oftenmanaged by one or more network administrators and/or technicians as a component of the entire network.

Workstation A single-user or shared computer running the "client" side of client/server applications or services; or

A computer attached to instrumentation for the purpose of data acquistion and control. Managed by a single user, administrator, or technician (i.e. "the owner") or managed en

mass by one or more workstation administrators and/or technicians.

Peripheral A printer, plotter, scanner, or other stand-alone I/O device, whether connected to the network or connected directly to a server, workstation, or portable. Managed by a single

user or administrator (i.e. "the owner") or enmass by the workstation administrators and/or technicians.

Portable A laptop, PDA or portable computing device, and similarly portable peripherals. Managed by a single user (i.e. "the owner".) Presents unique security challenges because it can

leave the physically secure environment, or might be connected via a public or wireless network.

Application A software application, other than the operating system or embedded applications. It is not necessary to include in this category any applications that are embedded in a device

such as a peripheral, PDA, network router, etc., because such applications an integral part of the device.

Other Critical or Sensitive

Data?

Y/N: Does the technical asset or physical site either store or process critical or sensitive business data other than PHI?

Score the risk as: A B, C, D, & F, where A (excellent) is low risk and F is high risk. Depending upon Asset Category, n/a may be the appropriate value. The risk factors correspond to specific

provisions of the HIPAA security regulation. See the sheet named 'HIPAA Security Regs' for more detail on each provision.

There is some overlap of risk factors. On the sheet 'II. Tech Assets', each technical asset can be assessed as to the extent it is included in the policies and procedures of selected Administrative or

Physical Safeguards. On the sheet 'III. Phys Site(s)', a few Technical Safeguards are applicable to technological systems used to enhance the physical security of the site. Of particular note:Physical security of a particular technical asset is assessed on 'II. Tech Assets', but overall physical security of a physical site is assessed on the 'III. Phys Site(s)'. Similarly, inclusion of a particular

technical asset in the policy or procedure of an Administrative Safeguard is assessed on 'II. Tech Assets', but overall compliance with an Administrative Safeguard (such as existence of a policy)

is assessed on 'IV. Admin Subunit(s)'.

Asset Category

Use these categories. Within thesame category, it is OK to group

multiple assets together if they

are similar, for example: all

office productivity workstations.

I/E: Is the technical asset Internal or External to the firewall(s) or the physical security permiter. Treat all portable devices as external because they may leave the physical perimeter and/or might

be connected beyond the firewalls. A firewall itself is external.

Operating system (with major version)

Major subsystems that have significant security implications, (e.g. IIS or Apache for a webserver, etc., with major version.)

Make/model for peripherals, PDA's and other devices where the operating system and subsystems are integrated.

IP address (numeric or alphanumeric) or IP address pool, if applicable.

Example: Win2000 Server, IIS, www.dept.wisc.edu

Internal or External

to the Firewall?

Name of the asset, an inventory tag, or a descriptive tag, (e.g. server name, "Router #7", "Jane Doe's laptop", "3rd floor printer", etc.) Asset name should be unique among all assets of the HCC

entity.

For technical assets ('II. Tech Assets'): the room and building, also the "site" at which it is located (if there are multiple "sites") and the "subunits" of the which have personnel using or managing

the asset (if there are multiple "subunits".) For portable assets, the location of the asset's owner. For applications, the location of the server(s). Otherwise whatever seems reasonable. For physical

sites ('III. Phys Site(s)'): the rooms and buildings or other description of what makes up the site. For administrative subunits ('IV. Admin Subunit(s)'): the list of sites at which the subunit has

personnel or equipment.

Description

Stores or Processes PHI? Y/N: Does the technical asset or physical site either store or process PHI?An asset or site that does not store and process PHI may still create a threat to other assets which do have PHI.

The sheet named 'I. HCC Unit', is a summary of the physical sites and administrative subunits of the unit of the HCC. Enter the name of the HCC unit, and the names of the administrative subunits and physical sites. These are

carried forward on the other sheets for consistency.

The sheets numbered II., III. and IV. are for scoring the risk associated with each technical asset, physical site and administrative subunit respectively. A descriptive narrative should accompany the scores. To shorten the

narrative, comments can be added to the sheets, and when printed will follow each sheet.

There are four sheets in the template, numbered I. through IV.

Filling out sheets I. through IV.

Instructions for the HIPAA Risk Assessment Inventory

Estimate of Risk

(The Risk Factors)

The Fields (Columns) of Sheets II. through IV.

Asset

Location






HCC Unit

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

2324

25

26

27

28

29

30

31

A B C

Updated: 9/7/13

Unit Name

Example Unit Name

Site Name

Example site name 1

Example site name 2

Example site name 3

Add more sites here

Unit NameExample subunit name 1

Example subunit name 2

Add more subunits here

In determining what administrative subunits exist in the unit of the HCC,consider the degree of autonomy of the subunit. The distribution of

information technology, human resource, and administrative staff is a

possible guide. Units sharing the same IT, HR, and administrative staff

may not be sufficiently autonomous to be considered separate units for

purposes of HIPAA compliance, because most provisions of the HIPAA

security rule have strong IT, HR, or administrative components.

Enter the name of the unit of the HCC, typically a

division or department name. This name willappear on each inventory sheet.

Enter the names of each physical site at which the

unit of the HCC has personnel or equipment. These

become line items on the sheet named

'III. Phys Site(s)'.

Enter the names of each administrative subunitwithin the unit of the HCC which has significantly

different administrative, personnel or technical

policies or policies and procedures. These become

line items on the sheet named

'IV. Admin Subunit(s)'.

Administrative Units of the HCC Entity

Unit of the HCC

Physical Sites of the Unit of the HCC

I. HIPAA Risk Assessment Inventory, The Unit of the HCCThis is the first of four worksheets, numbered I. through IV.

Fill in names below to populate those sheets.

In determining what physical sites exist in the unit of the HCC, consider

not only the degree of physical separation, but also the extent to which

their security needs differ. Scattered rooms in the same building may

have very similar security needs. Facilities in two or three different

buildings may also have similar needs. On the other hand, a single room

(such as a "server room") could have significantly different security

needs, even when located in the same building with other facilities.

Printed: 9/7/2013HIPAA Risk Assessment Survey





Technical Assets

1

2

3

4

5

6

7

8

910

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

2930

31

32

33

34

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA AB AC AD AE AF AG AH AI AJ

(6) (8) (b) (c)

A u t h o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )

W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A )

T e r m i n a t i o n P r o c e d u r

e ( A )

I s o l a t i n g t h e C l e a r i n g h

o u s e F u n c t . ( R )

A c c e s s A u t h o r i z a t i o n ( A )

A c c e s s E s t a b l i s h m e n t & M o d . ( A )

M a l i c i o u s S o f t w a r e ( A )

L o g i n M o n i t o r i n g ( A )

P a s s w o r d M a n a g e m e n

t ( A )

I n c i d e n t R e s p o n s e & R

e p o r t i n g ( R )

D a t a B a c k u p P l a n ( R )

D i s a s t e r R e c o v e r y P l a n ( R )

E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )

T e s t i n g a n d R e v i s i o n P

r o c e d u r e ( A )

A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )

P e r i o d i c E v a l u a t i o n ( R

)

C o n t i n g e n c y O p e r a t i o n s ( A )

I n c l u s i o n i n S e c u r i t y P

l a n ( A )

A c c e s s s C o n t r o l & V a l i d a t i o n ( A )

M a i n t e n a n c e R e c o r d s ( A )

W o r k s t a t i o n U s e ( R )

W o r k s t a t i o n S e c u r i t y ( R )

M e d i a D i s p o s a l ( R )

M e d i a R e - u s e ( R )

M e d i a A c c o u n t a b i l i t y ( A )

D a t a B a c k u p a n d S t o r a g e ( A )

U n i q u i e U s e r I d e n t i f i e r ( R )

E m e r g e n c y A c c e s s P r o

c e d u r e ( R )

A u t o m a t i c L o g o f f ( A )

Examples: Delete

Default Server Server n/a n/a n/a

Default Network Network n/a n/a n/a n/a n/a n/a n/a n/a

Default WS Workstation n/a

Default Peripheral Peripheral n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a

Default Portable Portable E n/a

Default Application Application n/a

Risk Factor Key

Risk Factor (A) D, F Failu

Risk Factor (R) ExceThose marked (R) must be filled out.

Descriptive Information

(a)

Phys 164.310

(a)

I n t e r n a l o r E x t e r n a l t o F i r e w a l l ? ( I / E )

(d)

AssetCategory (One of:

Server,

Network,

Workstation,

Peripheral,

Portable,

Application)

Location

(Rm, Bldg, also:

Phys Site

(if multiple), &

Admin Subunit(s)

(if multiple))

(7)

Description

(As Appropriate:

Make/Model,

Operating System,

Major Subsystem(s),

IP number or name)

S t o r e s o r P r o c e s s e s P H

I ? ( Y / N )

O t h e r c r i t i c a l o r s e n s i t i v e d a t a ? ( Y ? N )

A

Tech 164.3

Those marked (A) need to be filled out as time permits.

InterB, C

n/a Not

Estimate of Risk:

A B, C, D, & F, where A is low risk and F is high Risk

Color Key Inte

Example Unit Name

II. HIPAA Technical Assets Risk Assessment

If desired when adding rows, copy formulas from an existing empy row in order to apply the default values.

Instructions

(3) (4) (5)

Admin 164.308(a)

Expand to multiple sheets as needed. Insert new rows between any two rows above.

Technical Asset

(Name or

other tag)



Physical Sites

1

2

3

4

5

6

7

8

9

10

1112

13

14

15

16

17

18

19

20

21

22

23

24

A B C D E F G H I J K L M N O P Q R

Tech 164.312

(b) (c) (a) (b) (d)

C o n t i n g e n c y O p e

r a t i o n s ( A )

F a c i l i t y S e c u r i t y

P l a n ( A )

A c c e s s s C o n t r o l & V a l i d a t i o n ( A )

M a i n t e n a n c e R e c

o r d s ( A )

W o r k s t a t i o n U s e

( R )

W o r k s t a t i o n S e c u r i t y ( R )

M e d i a D i s p o s a l ( R )

M e d i a R e - u s e ( R )

M e d i a A c c o u n t a b i l i t y ( A )

D a t a B a c k u p a n d

S t o r a g e ( A )

E m e r g e n c y A c c e s s P r o c e d u r e ( R )

A u d i t C o n t r o l s ( R

)

P e r s o n o r E n t i t y

A u t h e n t i c a t i o n ( R )

Example site name 1

Example site name 2

Example site name 3

Add more sites here

Risk Factor Key

Poor or Nothing -- High Risk

n/a Not Applicable

Color Key Interpretation

A

Risk Factor (A)

Risk Factor (R)

Instructions

Excellent -- Low Risk

D, F

O t h e r c r i t i c a l o r

s e n s t i v e d a t a ? ( Y ? N )

Physical Site

(Name)

9/7/2013

Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.

Location

(Rm(s) / Bldg(s) or

other description)

Good or Moderate

Updated:

Admin Subunits

(Admin Subunits

with Personnel or

Equipment at the

Physical Site)

S t o r e s o r P r o c e s s e s P H I ? ( Y / N )

Physical 164.310

(a)

Those marked (R) must be filled out.


B, C

III. HIPAA Physical Site Risk Assessment

Example Unit Name


(d)






Administrative Subunits

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

A B C D E F G H I J K L M N O P Q R S T U V W X Y

(2) (6) (8)

R i s k A n a l y s i s ( R

)

R i s k M a n a g e m e n t ( R )

S a n c t i o n P o l i c y ( R )

I n f o r m a t i o n S y s t e m A c t i v i t y R e v i e w ( R )

A s s i g n e d S e c u r i t y R e s p o n s i b i l i t y ( R )

A u t h o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )

W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A )

T e r m i n a t i o n P r o

c e d u r e ( A )

I s o l a t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )

A c c e s s A u t h o r i z a t i o n ( A )

A c c e s s E s t a b l i s h

m e n t & M o d . ( A )

S e c u r i t y R e m i n d

e r s ( A )

M a l i c i o u s S o f t w a r e ( A )

L o g i n M o n i t o r i n

g ( A )

P a s s w o r d M a n a g e m e n t ( A )

I n c i d e n t R e s p o n s e & R e p o r t i n g ( R )

D a t a B a c k u p P l a

n ( R )

D i s a s t e r R e c o v e r y P l a n ( R )

E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )

T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )

A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )

P e r i o d i c E v a l u a t i o n ( R )

B u s i n e s s A s s o c i a

t e s ( R )



Add more subunits here

Risk Factor Key

Not Applicable

Instructions

Those marked (R) must be filled out.


Interpretation

Excellent -- Low Risk

Good or Moderate

Poor or Nothing -- High Risk

IV. HIPAA Administrative Subunit Risk Assessment


Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.

9/7/2013Updated:Example Unit Name

Administrative

Subunit

(Name)

Location(s)

(Phys Site(s) at which

the Admin Subunit

has Personnel or

Equipment)

(4)

Risk Factor (A)

Risk Factor (R)

Color Key

n/a

B, C

D, F

A

(7)

(b)Admin 164.308(a)

(5)(1) (3)






HIPAA Security Regulation, and Some Possible Grading Scales for Risk

Standards Sec. Definition Possible Grading Scale for Required Safeguards *

Risk Analysis (R) Conduct an accurate and thorough assessment of the

potential risks and vulnerabilities to the confidentiality,

integrity, and availability of electronic PHI held by the

covered entity.

A. RA completed. Risks fully prioritized and followup actions scheduled.

B. RA completed. Risks not yet prioritized and followup actions not scheduled.

C. RA started but not completed. Top risk areas identified.

D. RA planned and method being developed

F. RA not started

Risk Management (R) Implement security measures sufficient to reduce risks

and vulnerabilities to a reasonable and appropriate level to

comply with Sec. 164.306(a).

A. RM action plan developed and fully implemented

B. RM action plan developed and partially implemented

D. RM action plan developed and scheduled but not yet started.

E. RM action plan brief list developed but no implementation to date.

F. No RM action plan.

Sanction Policy (R) Apply appropriate sanctions against workforce members

who fail to comply with the security policies and procedures of the covered entity.

A. Policy is completed and full implemented. Staff well trained to follow policy.

B. Policy is completed and full implemented. Still some gaps in training.C. Policy is completed. Implementation and training not well developed.

D. Policy may be started but not completed or approved. Minor consequences if a failure.

F. Policy not written and/or implemented. Major consequences if a failure.

Information

System Activity

Review

(R) Implement procedures to regularly review records of information

system activity, such as audit logs, access reports, and security

incident tracking reports.

Same as Sanction Policy

Assigned Security

Responsibility

(R) Identify the security official who is responsible for the

development and implementation of the policies and

procedures required by this subpart for the entity.

A. Security Officer assigned and fully engaged.

B. Security Officer assigned and becoming familiar with responsibilities

C. Recruiting Security Officer

D. Trying to agree on requirements of Security Officer F. No SO on the horizon

Authorization

and/or

Supervision

(A) Implement procedures for the authorization and/or

supervision of workforce members who work with

electronic protected health information or in locations

where it mi ht be accessed.

Workforce

Clearance

Procedure

(A) Implement procedures to determine that the access of a

workforce member to electronic protected health

information is appropriate.

Termination

Procedures

(A) Implement procedures for terminating access to electronic

protected health information when the employment of a

workforce member ends or as required by determinations

made as specified in paragraph (a)(3)(ii)(B) of this

section.

Isolating Health

care

Clearinghouse

Function

(R) If a health care clearinghouse is part of a larger

organization, the clearinghouse must implement policies

and procedures that protect the electronic protected health

information of the clearinghouse from unauthorized

access by the larger organization.

Not Applicable

Access

Authorization

(A) Implement policies and procedures for granting access to

electronic protected health information, for example,through access to a workstation, transaction, program,

process, or other mechanism.

Access

Establishment

and Modification

(A) Implement policies and procedures that, based upon the

entity's access authorization policies, establish, document,

review, and modify a user's right of access to a

workstation, transaction, program, or process.

Implementation

164.308

(a)(2)

Security Management Process

Implement policies and

procedures to prevent, detect,

contain, and correct security

violations.

164.308

(a)(1)

Workforce Security


procedures to ensure that all

members of its workforce have

appropriate access to electronic

PHI, as provided under paragraph

(a)(4) of this section, and to

prevent those workforce members

who do not have access under

paragraph (a)(4) of this section

from obtaining access to

electronic PHI.

164.308

(a)(3)

Information Access

Management

Implement procedures for

terminating access to electronic

PHI when the employment of a

workforce member ends or as

required by determinations madeas specified in paragraph

(a)(3)(ii)(B) of this section.

Administrative Safeguards

164.308

(a)(4)

The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the

conduct of the covered entity's workforce in relation to the protection of that information.








Security (A) Periodic security updates.

Protection from

Malicious

(A) Procedures for guarding against, detecting, and reporting

malicious software.Log-in

Monitoring

(A) Procedures for monitoring log-in attempts and reporting

discrepancies.

Password

Management

(A) Procedures for creating, changing, and safeguarding

passwords.

Security Incident Procedures


procedures to address security

incidents.

164.308

(a)(6)

Response and

Reporting

(R) Identify and respond to suspected or known security

incidents; mitigate, to the extent practicable, harmful

effects of security incidents that are known to the covered

entity; and document security incidents and their

outcomes.

A. Response team in place and effective. All incidents documented and followed up.

B. Response team in place and effective. Incidents documented and some followed up.

C. Response team designated but less than effective. Sporadic documentation and followup

D. No response team, documentation or followup – minor consequences of failure

F. No response team, documentation or followup – major consequences of failure

Data Backup Plan (R) Establish and implement procedures to create and

maintain retrievable exact copies of electronic protected

health information.

A. Plan is completed and full implemented. Staff well trained to follow plan.

B. Plan is completed and full implemented. Still some gaps in training.

C. Plan is completed. Implementation and training not well developed.

D. Plan may be started but not completed or approved. Minor consequences if a failure.

F. Plan not written and/or implemented. Major consequences if a failure.

Disaster Recovery

Plan

(R) Establish (and implement as needed) procedures to restore

any loss of data.

Same as Data Backup Plan

Emergency Mode

Operation Plan

(R) Establish (and implement as needed) procedures to enable

continuation of critical business processes for protection

of the security of electronic PHI while operating in

emergency mode.

Same as Data Backup Plan

Testing and

Revision

(A) Implement procedures for periodic testing and revision of

contingency plans.

Applications and

Data Criticality

(A) Assess the relative criticality of specific applications and

data in support of other contingency plan components.

Evaluation (R) Perform a periodic technical and non-technical evaluation, based

initially upon the standards implemented under this rule and

subsequently, in response to environmental or operational

changes affecting the security of electronic PHI, that establishes

the extent to which an entity's security policies and procedures

meet the requirements of this subpart.

A. Technical and non/tech evaluations conducted after all major environmental or operational changes.

B. Technical and non/tech evaluations conducted after some major environmental or operational changes.

C. Evaluations conducted sporadically.

D. Evaluations not conducted. Minor consequences of not conducting.

F. Evaluations not conducted. Major consequences of not conducting.

Business Associate Contracts

and Other Arrangement

164.308

(b)

Written Contract

or Other

Arrangements

(R) A covered entity, in accordance with Sec. 164.306, may permit a

business associate to create, receive, maintain, or transmit

electronic protected health information on the covered entity's

behalf only if the covered entity obtains satisfactory assurances,

in accordance with Sec. 164.314(a) that the business associate

will appropriately safeguard the information.

A. Business associate contracts exist for all entities. BA’s audited periodically.

B. Business associate contracts exist for all entities. BA’ s audited by exception only.

C. Business associate contracts exist for some entities. BA’ s not audited.

D. Business associate contracts do not exist. Minor consequences likely.

F. Business associate contracts do not exist. Major consequences likely.

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

Security Awareness and

Training

Implement a security awarenessand training program for all

members of its workforce

(including management).

164.308

(a)(5)

Administrative Safeguards (continued)

(2) Implement an equivalent alternative measure if reasonable and appropriate.

Implementation

Contingency Plan

Establish (and implement as

needed) policies and procedures

for responding to an emergency or

other occurrence (for example,

fire, vandalism, system failure,

and natural disaster) that damages

systems that contain electronic

PHI.

164.308

(a)(7)

164.308

(a)(8)

Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.

Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health

information; and

(ii) As applicable to the entity--

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate--


Copyright (c) 2003, University of Wisconsin Board of RegentsPage 10 of 12

http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html





Contingency

Operations

(A) Establish (and implement as needed) procedures that

allow facility access in support of restoration of lost data

under the disaster recovery plan and emergency mode

operations plan in the event of an emergency.

Facility Security

Plan

(A) Implement policies and procedures to safeguard the

facility and the equipment therein from unauthorized

physical access, tampering, and theft.

Access Control

and Validation

Procedures

(A) Implement procedures to control and validate a person's

access to facilities based on their role or function,

including visitor control, and control of access to software

programs for testing and revision.

Maintenance

Records

(A) Implement policies and procedures to document repairs

and modifications to the physical components of a facility

which are related to security (for example, hardware,

walls, doors, and locks).

Workstation Use (R) Implement policies and procedures that specify the proper

functions to be performed, the manner in which those

functions are to be performed, and the physical attributes

of the surroundings of a specific workstation or class of

workstation that can access electronic PHI.

A = Policy and procedure in place that address the following for workstations that access electronic

PHI: proper workstation functions, manner in which those functions are to be performed and physical

surroundings of workstation.

B = Draft policy and procedure being revised.

C = Determining proper workstation functions, end-user behavior and physical surroundings for

workstation. Evaluating resources to reach intended outcome.

D = Workgroup charged to develop Workstation Use Policy.

F = No efforts towards Workstation Use Policy.Workstation Security (R) Implement physical safeguards for all workstations that

access electronic PHI, to restrict access to authorized

users.

Similar to Workstation Use

Disposal (R) Implement policies and procedures to address the final

disposition of electronic PHI, and/or the hardware or

electronic media on which it is stored.

A = Policy and procedure in place to address the final disposition of electronic PHI

and/or the hardware or electronic media on which it is stored.

B = Draft policy and procedure being revised.

C = Determining scope of devices require disposition of PHI electronic data.

Evaluating methods to reach intended outcome.

D = Workgroup charged to develop Device and Media Control Disposal Policy.

F = No efforts towards Device and Media Control Disposal Policy.

Media Re-use (R) Implement procedures for removal of electronic PHI from

electronic media before the media are made available for

re-use.

Similar to Disposal.

Accountability (A) Maintain a record of the movements of hardware and

electronic media and any person responsible therefore.

Data Backup and

Storage

(A) Create a retrievable, exact copy of electronic protected

health information, when needed, before movement of

equipment.

The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Physical Safeguards

Facility Access Controls


procedures to limit physical

access to its electronic

information systems and the

facility or facilities in which they

are housed, while ensuring that

properly authorized access is

allowed.

164.310

(a)

164.310

(b)

Implementation


164.310

(c)

Device and Media Controls

Implement physical safeguards

for all workstations that access

electronic PHI, to restrict access

to authorized users.

164.310

(d)






(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and









Unique User

Identification

(R) Assign a unique name and/or number for identifying and

tracking user identity.

A. All users identified uniquely within organization, ultimately linked to UW ID

B. Few users accessing PHI but all uniquely identified within unit. No linkage to UW ID

C. Many users accessing PHI, all uniquely identified within unit only

D. Several users accessing PHI, identified by group or shared access

F. No unique way of identifying users

Emergency

Access Procedure

(R) Establish (and implement as needed) procedures for

obtaining necessary electronic protected health

information during an emergency.

A. Well documented step-by-step procedures in place to provide access to PHI in emergency such as

loss of power or environmental controls

B. Some procedures available for accessing PHI in emergency

C. No procedures in place for emergency access but no time-critical PHI

D. Contain some time-critical PHI with no procedure for emergency access

F. Contain large amounts of t ime-critical PHI with no procedure for emergency access

Automatic Logoff (A) Implement electronic procedures that terminate an

electronic session after a predetermined time of inactivity.

Encryption and

Decryption

(A) Implement a method to encrypt and decrypt electronic

protected health information.

Audit Controls (R) Implement hardware, software, and/or procedural

mechanisms that record and examine activity in

information systems that contain or use electronic

protected health information.

A. All PHI contained in database that supports full record-level logging of database access

B. File-level logging of all modifies and writes for any PHI

C. Small number of users or PHI and minimal logging of system activity such as log-ins

D. Large body of users and significant amounts of PHI with no mechanism in place to log account

activity such as log-ins

F. No mechanism in place to log access to any PHI

Integrity


procedures to protect electronic

protected health information from

improper alteration or destruction.

164.312

(c)

Mechanism to

Authenticate

Electronic PHI

(A) Implement electronic mechanisms to corroborate that

electronic protected health information has not been

altered or destroyed in an unauthorized manner.

Person or Entity Authentication (R) Implement procedures to verify that a person or entity

seeking access to electronic protected health information

is the one claimed.

A. Two-level identification of individuals including some combination of passwords, ID cards,

biometrics and certificates

B. Widespread use of ID cards or specific policy in place to specify password useC. Policies requiring password use by all staff

D. General use of password authentication of individuals but no policy addressing password use

F. No procedures in place to authenticate individual users

Integrity Controls (A) Implement security measures to ensure that electronically

transmitted electronic protected health information is not

improperly modified without detection until disposed of.

Encryption (A) Implement a mechanism to encrypt electronic protected

health information whenever deemed appropriate.


164.312

(a)

164.312

(b)

164.312

(d)

Transmission Security

Implement technical security

measures to guard against

unauthorized access to electronic

protected health information that

is being transmitted over an

* These are simply suggestions that might be used as a starting point. Do not rely on these being representative of the regulation or the intent of the regulators.




Access Control

Implement technical policies and

procedures for electronic

information systems that maintain

electronic protected health

information to allow access only

to those persons or software

programs that have been granted

access rights as specified in Sec.

164.308(a)(4).

164.312

(e)


(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and


Implementation

The technology and the policy and procedures for its use that protect electronic protected health information (PHI) and control access to it.


Technical Safeguards




Documents

HIPAA Risk Assessment Inventory Workbook (166365507)