
HIPAA Risk Assessment

Avoid being another breach-report statistic

Managing HIPAA requirements

The HIPAA Security and Privacy Rules help organizations safeguard the confidentiality, integrity, and availability (CIA) of ePHI (electronic Protected Health Information). The Security and Privacy Rules apply to the following regulated entities, all of which must comply with their requirements:

  • Covered Healthcare Providers: Any provider of medical or health care services, or any organization, that supplies or transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
  • Health Plans: Any individual or group plan that provides or pays the cost of medical care (e.g., health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs).
  • Healthcare Clearinghouses: A public or private entity that processes nonstandard health information it receives from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
  • Business Associates: A person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A business associate is liable for its own HIPAA violations.

The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against anticipated threats, hazards, and impermissible uses and/or disclosures.

HIPAA Risk Assessment

A HIPAA risk assessment evaluates the applicability, likelihood and impact of threats to the privacy and security of PHI/ePHI in a specific environment, in order to determine whether existing policies, procedures and security controls are implemented and effective enough to reduce risk to a reasonable and appropriate level.

The objectives of a HIPAA security risk assessment are outlined in the General Rules (45 CFR § 164.306) and include:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
  • Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce. 

Many automated tools can perform a risk analysis against existing policies, procedures and controls, but no tool can verify the effectiveness of the security controls actually implemented, whether physical or logical.

This is where our technical expertise can maximize your investment in conducting effective HIPAA risk assessments with meaningful and actionable results. 

Areas of Expertise

The market is saturated with automated tools and checklists promising effortless HIPAA risk analyses at minimal cost. Although they can be useful to an extent, these tools fail to validate your implemented controls effectively. To conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 CFR § 164.308(a)(1)(ii)(A), your risk analysis effort must assess and verify the effectiveness of the security measures you have implemented.

Our experience evaluating organizational security controls goes beyond off-the-shelf risk management software and standard checklists.

Areas covered in our service offering include:

  • Risk Analysis: Conduct a thorough assessment of the potential risks, threats and vulnerabilities that are applicable to your environment.
  • Penetration Testing: Perform external and internal penetration testing to validate the security posture of your infrastructure (e.g., internal/external networks, web applications, cloud environments).
  • Physical Security Analysis: Evaluate the effectiveness of physical security controls, including badging systems, surveillance and fire suppression.
  • OSINT (Open Source INTelligence): Conduct an analysis of your Internet footprint and dark web presence to identify instances of sensitive data leakage, misconfigurations, malicious references, etc.
  • Firewall Analysis: Perform an analysis of your firewall, including rule inspection, policy enforcement and filtering, through active testing.
  • Incident Response: Evaluate the effectiveness of your Incident Response plan through adversarial scenario emulation.

Why Choose Palindrome Technologies?

Our team has been at the forefront of cyber security since 1995, supporting commercial and government organizations in securing high-assurance environments and emerging technologies. In addition to our extensive experience, we participate in key industry initiatives to provide thought leadership and contributions that help improve cyber security standards and frameworks, including FCC, NIST, ISACA, IEEE, GSMA, CTIA, and ISA standards.

Start Securing ePHI Effectively

Leaving your physical, logical and human assets vulnerable can lead to financial penalties and damage to your reputation.

Palindrome Technologies can help you not only meet regulatory requirements but also demonstrate to stakeholders the highest levels of assurance and your commitment to keeping your customers' data secure.