HIPAA Risk Assessment Inventory Workbook (166365507)
Transcript of HIPAA Risk Assessment Inventory Workbook (166365507)
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 1/12
Contents
Worksheet name What is covered
Contents This sheet.
Overview * The model of a unit of the HCC.
* What are: technical assets, physical sites, and administrative subunits.
* How to identify a HCC unit's physical sites and administrative subunits.
Process * The process of filling out the HIPAA Risk Assessment Inventory.
* The suggested grading scale.
* Desciptive narrative.
* Some criteria for prioritizing risks.
* Delivery instructions.
Instructions * A description of the four sheets which form the actual Risk Assessment Inventory.
* Descriptions of the fields found on each of those four sheets.
* How to score r isks on each sheet, which are mitigated by different types of Safeguards.
Worksheet name What is covered
I. HCC Unit Names of the HCC Unit, Physical Site(s) and Admin Subunit(s)II. Tech Assets Inventory of technical assets, and assessment of risks mitigated by applicable:
Administrative, Physical and Technical Safeguards.
III. Phys Site(s) Inventory of physical sites, and assessment of risks mitigated by applicable:
Physical Safeguards and Technical Safeguards.
IV. Admin Subunit(s) Inventory of administrative subunits, and assessment of risks mitigated by applicable:
Administrative Safeguards
Worksheet name What is covered
HIPAA Security Regs * Administrative, Physical and Technical Safeguards,
with language taken directly from the regulation itself.* Suggested grading scales for the required Safeguards.
* Summary of the process for addressing the "addressable" safeguards.
Contents of the HIPAA Risk Assessment Inventory Workbook
Explanations
The workbook is divided into three parts:
This workbook contains the HIPAA Risk Assessment Inventory instrument for use by the units of the Health Care Component (HCC) at the
University of Wisconsin - Madison. It was designed by the Risk Assessment Subcommittee of the UW-Madison HIPAA Security Committee.
Before learning about the details of the Risk Assessment Inventory, you may find it helpful to read the summary of language from the HIPAA Security
Regulation, which is included in this workbook as the last sheet named 'HIPAA Security Reg'.
The Risk Assessment Inventory
The HIPAA Regulation, and possible grading scalesC.
B.
This risk assessment inventory is intended to assist the units of the HCC in meeting the risk assessment requirement of the HIPAA security regulation
(45 CFR Part 164.308(a)(1)( ii)(A)), and the risk assessment inventory and migration planning process specified in the UW-Madison policy (#8.4 III(A)(i)).
Completing this risk assessment inventory is not by itself sufficient to meet the requirements of either the regulation or the policy, but is a early step in
an ongoing process leading to compliance.
A.
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 1 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 2/12
Overview
UW-Madison HCC
The Unit of the HCC(has a Security Coordinator)
Other Units
of the HCC
Administrative
Subunits
Physical
Sites
Own and Operate Contain
* Technical assets. These include servers, workstations, network devices, peripherals, portables and applications. See the sheet named 'Instructions' for a more
detailed description of each class of technical assets.
Overview of HIPAA Risk Assessment Inventory
Technical Assets
The HIPAA Risk Assessment Inventory includes three elements:
* Administrative Subunits. The unit of the HCC will consist of one or more administrative subunits that own and operate technical assets. A subunit could be a
distinct department, a sizable research group, a separate service organization, etc. Distinct subunits should have a significant degree of operational autonomy.
Subunits that share the same information technology, human resource, and administrative staff might be treated as one, because most of the relevant policies and
procedures are defined and implemented by those staff members.
* Physical Sites. The unit of the HCC will have one or more physical sites at which technical assets are located. Most technical assets are located at one such
physical site, but a few such as network devices and applications may be distributed among multiple sites. A physical site could be a building complex, a buildingwing or floor, a number of rooms scattered around a building or complex, or in some cases an isolated room with distinct security requirements. Distinct sites will
typically be physically isolated from each other, and should have differing security issues. For example: scattered rooms in the same building may share many of the
same security issues and might be treated as a single physical site, while a server room in the same building might be treated as separate physical site because of its
unique security requirements.
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 2 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 3/12
Process
2
3
4
5 Deliver the inventory and descriptive narrative your Security Coordinator by October 1st 2003 (or
other date as directed by the Security Coordinator.)
If you are the Security Coordinator, deliver a migration plan and the accompanying risk assessment
inventory to the Security Officer by October 14th.
See sheet 'I. HCC Unit'.
Score risk on a five point scale. For example: a scale of A, B, C, D, & F where A (excellent) is low
risk, and F is high risk, and . Risk associated with all applicable safeguards should be assessed, but
spend the most time and attention on the required safeguards. The 'HIPAA Security Regs' sheet in this
workbook includes a possible grading scale for each required safeguard.
The Risk Assessment Inventory is not by itself a complete risk assessment. A descriptive narrative
should accompany the inventory. The narrative should explain "why". Why were those physical sites
and those administrative subunits were selected. Why were various technical assets grouped together.Why were particular scores given, especially when the score was a "A", "D" or "F". It is important to
explain cases where there is minimal risk as well as cases where there is significant risk. To shorten
the narrative, comments may be added to the cells of sheets II. through IV. When the inventory is
printed the comments will follow each sheet.
See sheet 'II. Tech Assets'.
b. Physical Site(s)
Establish a team to Assess risks
When intervening to mitigate significant risks, not all D's and F's are equally important. Take into
account the cost of intervention and the business impact of loss of confidentiality, integrity, or
availability of data. Scores may be grouped whenever that seems appropriate. Add the prioritization tothe descriptive narrative.
Deliver to the Security Coordinator
See sheet 'III. Phys Site(s)'.
Suggestion: have IT, HR, and management representative(s).
Process
Score the risk associated with each applicable safeguard.
Write a descriptive narrative.
Prioritize significant risks (high to low) and add that to the
descriptive narrative.
Process for HIPAA Risk Assessment Survey
Conduct an inventory of unit of the HCC
a. Technical Assets
1
c. Administrative Subunit(s) See sheet 'IV. Admin Subunit(s)'.
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 3 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 4/12
Instructions
Server A computer running the "server" side of client/server applications or services.
Often managed by an assigned system administrator who routinely gives attention to the system.
Network A computer or non-trivial specialized device forming or managing a network, such as a router, switch, wireless network hub or access point, or network monitor. Oftenmanaged by one or more network administrators and/or technicians as a component of the entire network.
Workstation A single-user or shared computer running the "client" side of client/server applications or services; or
A computer attached to instrumentation for the purpose of data acquistion and control. Managed by a single user, administrator, or technician (i.e. "the owner") or managed en
mass by one or more workstation administrators and/or technicians.
Peripheral A printer, plotter, scanner, or other stand-alone I/O device, whether connected to the network or connected directly to a server, workstation, or portable. Managed by a single
user or administrator (i.e. "the owner") or enmass by the workstation administrators and/or technicians.
Portable A laptop, PDA or portable computing device, and similarly portable peripherals. Managed by a single user (i.e. "the owner".) Presents unique security challenges because it can
leave the physically secure environment, or might be connected via a public or wireless network.
Application A software application, other than the operating system or embedded applications. It is not necessary to include in this category any applications that are embedded in a device
such as a peripheral, PDA, network router, etc., because such applications an integral part of the device.
Other Critical or Sensitive
Data?
Y/N: Does the technical asset or physical site either store or process critical or sensitive business data other than PHI?
Score the risk as: A B, C, D, & F, where A (excellent) is low risk and F is high risk. Depending upon Asset Category, n/a may be the appropriate value. The risk factors correspond to specific
provisions of the HIPAA security regulation. See the sheet named 'HIPAA Security Regs' for more detail on each provision.
There is some overlap of risk factors. On the sheet 'II. Tech Assets', each technical asset can be assessed as to the extent it is included in the policies and procedures of selected Administrative or
Physical Safeguards. On the sheet 'III. Phys Site(s)', a few Technical Safeguards are applicable to technological systems used to enhance the physical security of the site. Of particular note:Physical security of a particular technical asset is assessed on 'II. Tech Assets', but overall physical security of a physical site is assessed on the 'III. Phys Site(s)'. Similarly, inclusion of a particular
technical asset in the policy or procedure of an Administrative Safeguard is assessed on 'II. Tech Assets', but overall compliance with an Administrative Safeguard (such as existence of a policy)
is assessed on 'IV. Admin Subunit(s)'.
Asset Category
Use these categories. Within thesame category, it is OK to group
multiple assets together if they
are similar, for example: all
office productivity workstations.
I/E: Is the technical asset Internal or External to the firewall(s) or the physical security permiter. Treat all portable devices as external because they may leave the physical perimeter and/or might
be connected beyond the firewalls. A firewall itself is external.
Operating system (with major version)
Major subsystems that have significant security implications, (e.g. IIS or Apache for a webserver, etc., with major version.)
Make/model for peripherals, PDA's and other devices where the operating system and subsystems are integrated.
IP address (numeric or alphanumeric) or IP address pool, if applicable.
Example: Win2000 Server, IIS, www.dept.wisc.edu
Internal or External
to the Firewall?
Name of the asset, an inventory tag, or a descriptive tag, (e.g. server name, "Router #7", "Jane Doe's laptop", "3rd floor printer", etc.) Asset name should be unique among all assets of the HCC
entity.
For technical assets ('II. Tech Assets'): the room and building, also the "site" at which it is located (if there are multiple "sites") and the "subunits" of the which have personnel using or managing
the asset (if there are multiple "subunits".) For portable assets, the location of the asset's owner. For applications, the location of the server(s). Otherwise whatever seems reasonable. For physical
sites ('III. Phys Site(s)'): the rooms and buildings or other description of what makes up the site. For administrative subunits ('IV. Admin Subunit(s)'): the list of sites at which the subunit has
personnel or equipment.
Description
Stores or Processes PHI? Y/N: Does the technical asset or physical site either store or process PHI?An asset or site that does not store and process PHI may still create a threat to other assets which do have PHI.
The sheet named 'I. HCC Unit', is a summary of the physical sites and administrative subunits of the unit of the HCC. Enter the name of the HCC unit, and the names of the administrative subunits and physical sites. These are
carried forward on the other sheets for consistency.
The sheets numbered II., III. and IV. are for scoring the risk associated with each technical asset, physical site and administrative subunit respectively. A descriptive narrative should accompany the scores. To shorten the
narrative, comments can be added to the sheets, and when printed will follow each sheet.
There are four sheets in the template, numbered I. through IV.
Filling out sheets I. through IV.
Instructions for the HIPAA Risk Assessment Inventory
Estimate of Risk
(The Risk Factors)
The Fields (Columns) of Sheets II. through IV.
Asset
Location
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 4 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 5/12
HCC Unit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2324
25
26
27
28
29
30
31
A B C
Updated: 9/7/13
Unit Name
Example Unit Name
Site Name
Example site name 1
Example site name 2
Example site name 3
Add more sites here
Unit NameExample subunit name 1
Example subunit name 2
Add more subunits here
In determining what administrative subunits exist in the unit of the HCC,consider the degree of autonomy of the subunit. The distribution of
information technology, human resource, and administrative staff is a
possible guide. Units sharing the same IT, HR, and administrative staff
may not be sufficiently autonomous to be considered separate units for
purposes of HIPAA compliance, because most provisions of the HIPAA
security rule have strong IT, HR, or administrative components.
Enter the name of the unit of the HCC, typically a
division or department name. This name willappear on each inventory sheet.
Enter the names of each physical site at which the
unit of the HCC has personnel or equipment. These
become line items on the sheet named
'III. Phys Site(s)'.
Enter the names of each administrative subunitwithin the unit of the HCC which has significantly
different administrative, personnel or technical
policies or policies and procedures. These become
line items on the sheet named
'IV. Admin Subunit(s)'.
Administrative Units of the HCC Entity
Unit of the HCC
Physical Sites of the Unit of the HCC
I. HIPAA Risk Assessment Inventory, The Unit of the HCCThis is the first of four worksheets, numbered I. through IV.
Fill in names below to populate those sheets.
In determining what physical sites exist in the unit of the HCC, consider
not only the degree of physical separation, but also the extent to which
their security needs differ. Scattered rooms in the same building may
have very similar security needs. Facilities in two or three different
buildings may also have similar needs. On the other hand, a single room
(such as a "server room") could have significantly different security
needs, even when located in the same building with other facilities.
Printed: 9/7/2013HIPAA Risk Assessment Survey
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 5 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 6/12
Technical Assets
1
2
3
4
5
6
7
8
910
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
2930
31
32
33
34
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA AB AC AD AE AF AG AH AI AJ
(6) (8) (b) (c)
A u t h o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )
W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A )
T e r m i n a t i o n P r o c e d u r
e ( A )
I s o l a t i n g t h e C l e a r i n g h
o u s e F u n c t . ( R )
A c c e s s A u t h o r i z a t i o n ( A )
A c c e s s E s t a b l i s h m e n t & M o d . ( A )
M a l i c i o u s S o f t w a r e ( A )
L o g i n M o n i t o r i n g ( A )
P a s s w o r d M a n a g e m e n
t ( A )
I n c i d e n t R e s p o n s e & R
e p o r t i n g ( R )
D a t a B a c k u p P l a n ( R )
D i s a s t e r R e c o v e r y P l a n ( R )
E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )
T e s t i n g a n d R e v i s i o n P
r o c e d u r e ( A )
A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )
P e r i o d i c E v a l u a t i o n ( R
)
C o n t i n g e n c y O p e r a t i o n s ( A )
I n c l u s i o n i n S e c u r i t y P
l a n ( A )
A c c e s s s C o n t r o l & V a l i d a t i o n ( A )
M a i n t e n a n c e R e c o r d s ( A )
W o r k s t a t i o n U s e ( R )
W o r k s t a t i o n S e c u r i t y ( R )
M e d i a D i s p o s a l ( R )
M e d i a R e - u s e ( R )
M e d i a A c c o u n t a b i l i t y ( A )
D a t a B a c k u p a n d S t o r a g e ( A )
U n i q u i e U s e r I d e n t i f i e r ( R )
E m e r g e n c y A c c e s s P r o
c e d u r e ( R )
A u t o m a t i c L o g o f f ( A )
Examples: Delete
Default Server Server n/a n/a n/a
Default Network Network n/a n/a n/a n/a n/a n/a n/a n/a
Default WS Workstation n/a
Default Peripheral Peripheral n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a
Default Portable Portable E n/a
Default Application Application n/a
Risk Factor Key
Risk Factor (A) D, F Failu
Risk Factor (R) ExceThose marked (R) must be filled out.
Descriptive Information
(a)
Phys 164.310
(a)
I n t e r n a l o r E x t e r n a l t o F i r e w a l l ? ( I / E )
(d)
AssetCategory (One of:
Server,
Network,
Workstation,
Peripheral,
Portable,
Application)
Location
(Rm, Bldg, also:
Phys Site
(if multiple), &
Admin Subunit(s)
(if multiple))
(7)
Description
(As Appropriate:
Make/Model,
Operating System,
Major Subsystem(s),
IP number or name)
S t o r e s o r P r o c e s s e s P H
I ? ( Y / N )
O t h e r c r i t i c a l o r s e n s i t i v e d a t a ? ( Y ? N )
A
Tech 164.3
Those marked (A) need to be filled out as time permits.
InterB, C
n/a Not
Estimate of Risk:
A B, C, D, & F, where A is low risk and F is high Risk
Color Key Inte
Example Unit Name
II. HIPAA Technical Assets Risk Assessment
If desired when adding rows, copy formulas from an existing empy row in order to apply the default values.
Instructions
(3) (4) (5)
Admin 164.308(a)
Expand to multiple sheets as needed. Insert new rows between any two rows above.
Technical Asset
(Name or
other tag)
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 7/12
Physical Sites
1
2
3
4
5
6
7
8
9
10
1112
13
14
15
16
17
18
19
20
21
22
23
24
A B C D E F G H I J K L M N O P Q R
Tech 164.312
(b) (c) (a) (b) (d)
C o n t i n g e n c y O p e
r a t i o n s ( A )
F a c i l i t y S e c u r i t y
P l a n ( A )
A c c e s s s C o n t r o l & V a l i d a t i o n ( A )
M a i n t e n a n c e R e c
o r d s ( A )
W o r k s t a t i o n U s e
( R )
W o r k s t a t i o n S e c u r i t y ( R )
M e d i a D i s p o s a l ( R )
M e d i a R e - u s e ( R )
M e d i a A c c o u n t a b i l i t y ( A )
D a t a B a c k u p a n d
S t o r a g e ( A )
E m e r g e n c y A c c e s s P r o c e d u r e ( R )
A u d i t C o n t r o l s ( R
)
P e r s o n o r E n t i t y
A u t h e n t i c a t i o n ( R )
Example site name 1
Example site name 2
Example site name 3
Add more sites here
Risk Factor Key
Poor or Nothing -- High Risk
n/a Not Applicable
Color Key Interpretation
A
Risk Factor (A)
Risk Factor (R)
Instructions
Excellent -- Low Risk
D, F
O t h e r c r i t i c a l o r
s e n s t i v e d a t a ? ( Y ? N )
Physical Site
(Name)
9/7/2013
Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.
Location
(Rm(s) / Bldg(s) or
other description)
Good or Moderate
Updated:
Admin Subunits
(Admin Subunits
with Personnel or
Equipment at the
Physical Site)
S t o r e s o r P r o c e s s e s P H I ? ( Y / N )
Physical 164.310
(a)
Those marked (R) must be filled out.
Those marked (A) need to be filled out as time permits.
B, C
III. HIPAA Physical Site Risk Assessment
Example Unit Name
Descriptive Information
(d)
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 7 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 8/12
Administrative Subunits
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
A B C D E F G H I J K L M N O P Q R S T U V W X Y
(2) (6) (8)
R i s k A n a l y s i s ( R
)
R i s k M a n a g e m e n t ( R )
S a n c t i o n P o l i c y ( R )
I n f o r m a t i o n S y s t e m A c t i v i t y R e v i e w ( R )
A s s i g n e d S e c u r i t y R e s p o n s i b i l i t y ( R )
A u t h o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )
W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A )
T e r m i n a t i o n P r o
c e d u r e ( A )
I s o l a t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )
A c c e s s A u t h o r i z a t i o n ( A )
A c c e s s E s t a b l i s h
m e n t & M o d . ( A )
S e c u r i t y R e m i n d
e r s ( A )
M a l i c i o u s S o f t w a r e ( A )
L o g i n M o n i t o r i n
g ( A )
P a s s w o r d M a n a g e m e n t ( A )
I n c i d e n t R e s p o n s e & R e p o r t i n g ( R )
D a t a B a c k u p P l a
n ( R )
D i s a s t e r R e c o v e r y P l a n ( R )
E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )
T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )
A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )
P e r i o d i c E v a l u a t i o n ( R )
B u s i n e s s A s s o c i a
t e s ( R )
Example subunit name 1
Example subunit name 2
Add more subunits here
Risk Factor Key
Not Applicable
Instructions
Those marked (R) must be filled out.
Those marked (A) need to be filled out as time permits.
Interpretation
Excellent -- Low Risk
Good or Moderate
Poor or Nothing -- High Risk
IV. HIPAA Administrative Subunit Risk Assessment
Descriptive Information
Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.
9/7/2013Updated:Example Unit Name
Administrative
Subunit
(Name)
Location(s)
(Phys Site(s) at which
the Admin Subunit
has Personnel or
Equipment)
(4)
Risk Factor (A)
Risk Factor (R)
Color Key
n/a
B, C
D, F
A
(7)
(b)Admin 164.308(a)
(5)(1) (3)
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 8 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 9/12
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition Possible Grading Scale for Required Safeguards *
Risk Analysis (R) Conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic PHI held by the
covered entity.
A. RA completed. Risks fully prioritized and followup actions scheduled.
B. RA completed. Risks not yet prioritized and followup actions not scheduled.
C. RA started but not completed. Top risk areas identified.
D. RA planned and method being developed
F. RA not started
Risk Management (R) Implement security measures sufficient to reduce risks
and vulnerabilities to a reasonable and appropriate level to
comply with Sec. 164.306(a).
A. RM action plan developed and fully implemented
B. RM action plan developed and partially implemented
D. RM action plan developed and scheduled but not yet started.
E. RM action plan brief list developed but no implementation to date.
F. No RM action plan.
Sanction Policy (R) Apply appropriate sanctions against workforce members
who fail to comply with the security policies and procedures of the covered entity.
A. Policy is completed and full implemented. Staff well trained to follow policy.
B. Policy is completed and full implemented. Still some gaps in training.C. Policy is completed. Implementation and training not well developed.
D. Policy may be started but not completed or approved. Minor consequences if a failure.
F. Policy not written and/or implemented. Major consequences if a failure.
Information
System Activity
Review
(R) Implement procedures to regularly review records of information
system activity, such as audit logs, access reports, and security
incident tracking reports.
Same as Sanction Policy
Assigned Security
Responsibility
(R) Identify the security official who is responsible for the
development and implementation of the policies and
procedures required by this subpart for the entity.
A. Security Officer assigned and fully engaged.
B. Security Officer assigned and becoming familiar with responsibilities
C. Recruiting Security Officer
D. Trying to agree on requirements of Security Officer F. No SO on the horizon
Authorization
and/or
Supervision
(A) Implement procedures for the authorization and/or
supervision of workforce members who work with
electronic protected health information or in locations
where it mi ht be accessed.
Workforce
Clearance
Procedure
(A) Implement procedures to determine that the access of a
workforce member to electronic protected health
information is appropriate.
Termination
Procedures
(A) Implement procedures for terminating access to electronic
protected health information when the employment of a
workforce member ends or as required by determinations
made as specified in paragraph (a)(3)(ii)(B) of this
section.
Isolating Health
care
Clearinghouse
Function
(R) If a health care clearinghouse is part of a larger
organization, the clearinghouse must implement policies
and procedures that protect the electronic protected health
information of the clearinghouse from unauthorized
access by the larger organization.
Not Applicable
Access
Authorization
(A) Implement policies and procedures for granting access to
electronic protected health information, for example,through access to a workstation, transaction, program,
process, or other mechanism.
Access
Establishment
and Modification
(A) Implement policies and procedures that, based upon the
entity's access authorization policies, establish, document,
review, and modify a user's right of access to a
workstation, transaction, program, or process.
Implementation
164.308
(a)(2)
Security Management Process
Implement policies and
procedures to prevent, detect,
contain, and correct security
violations.
164.308
(a)(1)
Workforce Security
Implement policies and
procedures to ensure that all
members of its workforce have
appropriate access to electronic
PHI, as provided under paragraph
(a)(4) of this section, and to
prevent those workforce members
who do not have access under
paragraph (a)(4) of this section
from obtaining access to
electronic PHI.
164.308
(a)(3)
Information Access
Management
Implement procedures for
terminating access to electronic
PHI when the employment of a
workforce member ends or as
required by determinations madeas specified in paragraph
(a)(3)(ii)(B) of this section.
Administrative Safeguards
164.308
(a)(4)
The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the
conduct of the covered entity's workforce in relation to the protection of that information.
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 9 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 10/12
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition Possible Grading Scale for Required Safeguards *
Security (A) Periodic security updates.
Protection from
Malicious
(A) Procedures for guarding against, detecting, and reporting
malicious software.Log-in
Monitoring
(A) Procedures for monitoring log-in attempts and reporting
discrepancies.
Password
Management
(A) Procedures for creating, changing, and safeguarding
passwords.
Security Incident Procedures
Implement policies and
procedures to address security
incidents.
164.308
(a)(6)
Response and
Reporting
(R) Identify and respond to suspected or known security
incidents; mitigate, to the extent practicable, harmful
effects of security incidents that are known to the covered
entity; and document security incidents and their
outcomes.
A. Response team in place and effective. All incidents documented and followed up.
B. Response team in place and effective. Incidents documented and some followed up.
C. Response team designated but less than effective. Sporadic documentation and followup
D. No response team, documentation or followup – minor consequences of failure
F. No response team, documentation or followup – major consequences of failure
Data Backup Plan (R) Establish and implement procedures to create and
maintain retrievable exact copies of electronic protected
health information.
A. Plan is completed and full implemented. Staff well trained to follow plan.
B. Plan is completed and full implemented. Still some gaps in training.
C. Plan is completed. Implementation and training not well developed.
D. Plan may be started but not completed or approved. Minor consequences if a failure.
F. Plan not written and/or implemented. Major consequences if a failure.
Disaster Recovery
Plan
(R) Establish (and implement as needed) procedures to restore
any loss of data.
Same as Data Backup Plan
Emergency Mode
Operation Plan
(R) Establish (and implement as needed) procedures to enable
continuation of critical business processes for protection
of the security of electronic PHI while operating in
emergency mode.
Same as Data Backup Plan
Testing and
Revision
(A) Implement procedures for periodic testing and revision of
contingency plans.
Applications and
Data Criticality
(A) Assess the relative criticality of specific applications and
data in support of other contingency plan components.
Evaluation (R) Perform a periodic technical and non-technical evaluation, based
initially upon the standards implemented under this rule and
subsequently, in response to environmental or operational
changes affecting the security of electronic PHI, that establishes
the extent to which an entity's security policies and procedures
meet the requirements of this subpart.
A. Technical and non/tech evaluations conducted after all major environmental or operational changes.
B. Technical and non/tech evaluations conducted after some major environmental or operational changes.
C. Evaluations conducted sporadically.
D. Evaluations not conducted. Minor consequences of not conducting.
F. Evaluations not conducted. Major consequences of not conducting.
Business Associate Contracts
and Other Arrangement
164.308
(b)
Written Contract
or Other
Arrangements
(R) A covered entity, in accordance with Sec. 164.306, may permit a
business associate to create, receive, maintain, or transmit
electronic protected health information on the covered entity's
behalf only if the covered entity obtains satisfactory assurances,
in accordance with Sec. 164.314(a) that the business associate
will appropriately safeguard the information.
A. Business associate contracts exist for all entities. BA’s audited periodically.
B. Business associate contracts exist for all entities. BA’ s audited by exception only.
C. Business associate contracts exist for some entities. BA’ s not audited.
D. Business associate contracts do not exist. Minor consequences likely.
F. Business associate contracts do not exist. Major consequences likely.
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
Security Awareness and
Training
Implement a security awarenessand training program for all
members of its workforce
(including management).
164.308
(a)(5)
Administrative Safeguards (continued)
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Implementation
Contingency Plan
Establish (and implement as
needed) policies and procedures
for responding to an emergency or
other occurrence (for example,
fire, vandalism, system failure,
and natural disaster) that damages
systems that contain electronic
PHI.
164.308
(a)(7)
164.308
(a)(8)
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health
information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of RegentsPage 10 of 12
http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 11/12
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition Possible Grading Scale for Required Safeguards *
Contingency
Operations
(A) Establish (and implement as needed) procedures that
allow facility access in support of restoration of lost data
under the disaster recovery plan and emergency mode
operations plan in the event of an emergency.
Facility Security
Plan
(A) Implement policies and procedures to safeguard the
facility and the equipment therein from unauthorized
physical access, tampering, and theft.
Access Control
and Validation
Procedures
(A) Implement procedures to control and validate a person's
access to facilities based on their role or function,
including visitor control, and control of access to software
programs for testing and revision.
Maintenance
Records
(A) Implement policies and procedures to document repairs
and modifications to the physical components of a facility
which are related to security (for example, hardware,
walls, doors, and locks).
Workstation Use (R) Implement policies and procedures that specify the proper
functions to be performed, the manner in which those
functions are to be performed, and the physical attributes
of the surroundings of a specific workstation or class of
workstation that can access electronic PHI.
A = Policy and procedure in place that address the following for workstations that access electronic
PHI: proper workstation functions, manner in which those functions are to be performed and physical
surroundings of workstation.
B = Draft policy and procedure being revised.
C = Determining proper workstation functions, end-user behavior and physical surroundings for
workstation. Evaluating resources to reach intended outcome.
D = Workgroup charged to develop Workstation Use Policy.
F = No efforts towards Workstation Use Policy.Workstation Security (R) Implement physical safeguards for all workstations that
access electronic PHI, to restrict access to authorized
users.
Similar to Workstation Use
Disposal (R) Implement policies and procedures to address the final
disposition of electronic PHI, and/or the hardware or
electronic media on which it is stored.
A = Policy and procedure in place to address the final disposition of electronic PHI
and/or the hardware or electronic media on which it is stored.
B = Draft policy and procedure being revised.
C = Determining scope of devices require disposition of PHI electronic data.
Evaluating methods to reach intended outcome.
D = Workgroup charged to develop Device and Media Control Disposal Policy.
F = No efforts towards Device and Media Control Disposal Policy.
Media Re-use (R) Implement procedures for removal of electronic PHI from
electronic media before the media are made available for
re-use.
Similar to Disposal.
Accountability (A) Maintain a record of the movements of hardware and
electronic media and any person responsible therefore.
Data Backup and
Storage
(A) Create a retrievable, exact copy of electronic protected
health information, when needed, before movement of
equipment.
The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Physical Safeguards
Facility Access Controls
Implement policies and
procedures to limit physical
access to its electronic
information systems and the
facility or facilities in which they
are housed, while ensuring that
properly authorized access is
allowed.
164.310
(a)
164.310
(b)
Implementation
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
164.310
(c)
Device and Media Controls
Implement physical safeguards
for all workstations that access
electronic PHI, to restrict access
to authorized users.
164.310
(d)
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 11 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html
7/29/2019 HIPAA Risk Assessment Inventory Workbook (166365507)
http://slidepdf.com/reader/full/hipaa-risk-assessment-inventory-workbook-166365507 12/12
HIPAA Security Regulation, and Some Possible Grading Scales for Risk
Standards Sec. Definition Possible Grading Scale for Required Safeguards *
Unique User
Identification
(R) Assign a unique name and/or number for identifying and
tracking user identity.
A. All users identified uniquely within organization, ultimately linked to UW ID
B. Few users accessing PHI but all uniquely identified within unit. No linkage to UW ID
C. Many users accessing PHI, all uniquely identified within unit only
D. Several users accessing PHI, identified by group or shared access
F. No unique way of identifying users
Emergency
Access Procedure
(R) Establish (and implement as needed) procedures for
obtaining necessary electronic protected health
information during an emergency.
A. Well documented step-by-step procedures in place to provide access to PHI in emergency such as
loss of power or environmental controls
B. Some procedures available for accessing PHI in emergency
C. No procedures in place for emergency access but no time-critical PHI
D. Contain some time-critical PHI with no procedure for emergency access
F. Contain large amounts of t ime-critical PHI with no procedure for emergency access
Automatic Logoff (A) Implement electronic procedures that terminate an
electronic session after a predetermined time of inactivity.
Encryption and
Decryption
(A) Implement a method to encrypt and decrypt electronic
protected health information.
Audit Controls (R) Implement hardware, software, and/or procedural
mechanisms that record and examine activity in
information systems that contain or use electronic
protected health information.
A. All PHI contained in database that supports full record-level logging of database access
B. File-level logging of all modifies and writes for any PHI
C. Small number of users or PHI and minimal logging of system activity such as log-ins
D. Large body of users and significant amounts of PHI with no mechanism in place to log account
activity such as log-ins
F. No mechanism in place to log access to any PHI
Integrity
Implement policies and
procedures to protect electronic
protected health information from
improper alteration or destruction.
164.312
(c)
Mechanism to
Authenticate
Electronic PHI
(A) Implement electronic mechanisms to corroborate that
electronic protected health information has not been
altered or destroyed in an unauthorized manner.
Person or Entity Authentication (R) Implement procedures to verify that a person or entity
seeking access to electronic protected health information
is the one claimed.
A. Two-level identification of individuals including some combination of passwords, ID cards,
biometrics and certificates
B. Widespread use of ID cards or specific policy in place to specify password useC. Policies requiring password use by all staff
D. General use of password authentication of individuals but no policy addressing password use
F. No procedures in place to authenticate individual users
Integrity Controls (A) Implement security measures to ensure that electronically
transmitted electronic protected health information is not
improperly modified without detection until disposed of.
Encryption (A) Implement a mechanism to encrypt electronic protected
health information whenever deemed appropriate.
Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
164.312
(a)
164.312
(b)
164.312
(d)
Transmission Security
Implement technical security
measures to guard against
unauthorized access to electronic
protected health information that
is being transmitted over an
* These are simply suggestions that might be used as a starting point. Do not rely on these being representative of the regulation or the intent of the regulators.
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(A) Implement the implementation specification if reasonable and appropriate; or
Access Control
Implement technical policies and
procedures for electronic
information systems that maintain
electronic protected health
information to allow access only
to those persons or software
programs that have been granted
access rights as specified in Sec.
164.308(a)(4).
164.312
(e)
(2) Implement an equivalent alternative measure if reasonable and appropriate.
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
Implementation
The technology and the policy and procedures for its use that protect electronic protected health information (PHI) and control access to it.
Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--
Technical Safeguards
Printed: 9/7/2013HIPAA Risk Assessment Inventory
Copyright (c) 2003, University of Wisconsin Board of Regents
Page 12 of 12http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html