
Purpose

In this assignment, you will be provided a scenario in which you need to prepare for a HIPAA audit using materials found on the healthIT.gov website and using a government-provided online or downloadable tool to perform a risk assessment.

Assignment Instructions

You are the IT and Security Manager for a small five-physician medical practice that uses electronic medical records (EMR) but has never performed a HIPAA security risk assessment. You need to prepare for the upcoming HIPAA Audit, and the healthIT.gov site recommends performing a security risk assessment using their Security Risk Assessment (SRA) tool (downloadable or paper).

Based on the scenario above, review the questions in the Administrative Safeguards portion of the tool. This private practice has many written policies, but the policies are often not updated, and training new personnel on HIPAA requirements is haphazard and poorly coordinated. The practice does not have a formally appointed security contact, although the office general manager is the person most people go to. The one-person IT staff tries to protect patients' information and access to that information as best as possible, but people who leave the organization are often not immediately removed from having that access. Physical access to the building does require key card access, but the building entrance is not monitored by cameras, and visitors are not required to sign in. The company has not formally documented and mapped relevant business associates and has not secured business associate agreements covering patient information security. Although the receptionist area has a high counter, and patients typically cannot see the receptionist's computer screen, patients can hear the phone conversations in the receptionist area. Access to the medical records is password protected but not encrypted, and not all computer screens lock automatically when idle.

  1. Identify at least 10 Administrative Safeguard questions from the tool that are particularly relevant to this organization. Identify each by number and the specific wording of the question.
  2. Discuss at least five identified threats or vulnerabilities and discuss the likelihood and overall impact of each of these vulnerabilities in a table like the one below for each threat/vulnerability (you should have five tables).

Risk score matrix (rows: Likelihood; columns: Impact)

  Likelihood \ Impact | Low      | Medium      | High
  --------------------+----------+-------------+------------
  Low                 | Low Risk | Low Risk    | Low Risk
  Medium              | Low Risk | Medium Risk | Medium Risk
  High                | Low Risk | Medium Risk | High Risk

  3. For each threat/vulnerability, describe one or more safeguards that could be implemented against the threat/vulnerability. Suggested safeguards can be found in the SRA tool.
  4. Write a summary that discusses what you learned by participating in this exercise. Discuss how difficult and costly completing this assessment might be for the small medical practice described in this case. Recommend possible solutions to make this assessment process possible for this small practice.
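The matrix above combines a Likelihood and an Impact rating into a risk level. The following added example (not part of the assignment or of the SRA Tool) applies that exact matrix to a small risk register built from the scenario's vulnerabilities and orders the findings for the safeguard discussion; the ratings, the `Finding` structure and the suggested safeguards are illustrative assumptions, not values from the tool.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Likelihood x Impact matrix exactly as given in the assignment:
# RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "Low":    {"Low": "Low", "Medium": "Low",    "High": "Low"},
    "Medium": {"Low": "Low", "Medium": "Medium", "High": "Medium"},
    "High":   {"Low": "Low", "Medium": "Medium", "High": "High"},
}

def risk_score(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]

@dataclass
class Finding:
    vulnerability: str  # threat/vulnerability taken from the scenario
    likelihood: str
    impact: str
    safeguard: str      # candidate safeguard to discuss (an assumption)
    @property
    def risk(self) -> str:
        return risk_score(self.likelihood, self.impact)

# Constructed register for the five-physician practice. The ratings and the
# safeguards are illustrative assumptions, not values from the SRA Tool.
SCENARIO_FINDINGS = [
    Finding("Departed staff keep EMR access", "High", "High",
            "Offboarding checklist; disable accounts on departure day"),
    Finding("Medical records not encrypted", "Medium", "High",
            "Encrypt EMR storage and backups"),
    Finding("Idle screens without automatic lock", "High", "Medium",
            "Enforce a screen-lock timeout on every workstation"),
    Finding("No business associate agreements", "Medium", "High",
            "Inventory business associates and execute BAAs"),
    Finding("Phone calls audible at reception", "High", "Low",
            "Take PHI calls in a private area; use headsets"),
]

def prioritize(findings):
    """Order findings High -> Medium -> Low risk for the safeguard write-up."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: rank[f.risk])

for f in prioritize(SCENARIO_FINDINGS):
    print(f"{f.risk:6} | {f.vulnerability:38} | {f.safeguard}")
```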

Assignment Requirements

  • 5–6 pages of content (exclusive of cover sheet and references page), using Times New Roman font style, 12 point, double-spaced, using correct APA formatting, and include a cover sheet, table of contents, abstract, and reference page(s)
  • At least 1 credible source cited and referenced
  • No spelling errors
  • No grammar errors
  • No APA errors

SRA

SRA Tool
Excel Workbook
Version 3.4
See the SRA Tool User Guide available for download on HealthIT.gov for more detailed instructions and FAQs.
Instructions for Use:
This Excel-based version of the SRA Tool contains the same content that can be found in the latest version of the Windows-based SRA Tool (3.4). The content is broken down into seven sections. Each section is contained in its own sheet of this workbook. Some elements of this workbook contain dropdown validation allowing the user to select a response. The "Response Indicator" column can be used to check a response for a given question. Responses which indicate risk will automatically be highlighted in yellow. Select one response per question. The check mark can be cleared by using backspace or delete. The "Likelihood" and "Impact" columns in the Threats and Vulnerabilities section of each sheet can be used to rate likelihood and impact as "Low", "Medium", or "High". Likelihood and impact ratings will automatically combine to form a Risk Score. These can also be cleared using backspace or delete. NOTE: This workbook contains risk calculation logic (formulas) and conditional formatting that will break if disturbed.
The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
NOTE: The NIST and HICP standards provided in this tool are for informational purposes only, as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule's requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider's or professional's specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.
Last Updated: 8/24/2023

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Section 1 – SRA Basics

Workbook columns: Question #, Question Text, Response Indicator, Question Responses, Guidance, Risk, Risk Indicated, Required?, Reference. The Risk and Risk Indicated cells are filled in by the workbook's formulas; the response indicator (1 = selected by default as the most effective option, 0 = not selected) and the references are listed with each question below.

Section Questions

Question 1. Has your practice completed a security risk assessment (SRA) before? (Required)
References: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1 – Practice #7, 10
  • Yes (1). Continuing to complete security risk assessments will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
  • No (0); I don't know (0). Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
  • Flag this question for later (0). This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  • Notes

Question 2. Do you review and update your SRA? (Required)
References: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1 – Practice #10
  • Yes (1). This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
  • No (0); I don't know (0). Consider reviewing and updating your security risk assessment periodically. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
  • Flag this question for later (0). This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  • Notes

Question 3. How often do you review and update your SRA? (Required)
References: HIPAA §164.308(a)(1)(ii)(A); NIST CSF ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP TV1 – Practice #10
  • Periodically and in response to operational changes and/or security incidents (1). This is the most effective option to protect the confidentiality, integrity, and availability of ePHI.
  • Periodically but not in response to operational changes and/or security incidents (0); Only in response to operational changes and/or security incidents (0); Ad hoc, without regular frequency (0). An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.
  • I don't know (0). Consider looking into whether your organization reviews and/or updates your SRA periodically, or in response to operational changes, or security incidents.
  • Flag this question for later (0). This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  • Notes

Question 4. Do you include all information systems containing, processing, and/or transmitting ePHI in your SRA? (Required? N/A)
References: HIPAA N/A; NIST CSF ID.RA, PR.DS, ID.AM; HICP TV1 – Practice #4, 5
  • Yes (1). This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. A comprehensive security risk assessment should include all information systems that contain, process, or transmit ePHI. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
  • No (0); I don't know (0); Other (0). Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
  • Flag this question for later (0). This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  • Notes

Question 5. How do you ensure you are meeting current HIPAA security regulations? (Required)
References: HIPAA §164.308(a)(1)(ii)(B); NIST CSF ID.GV, ID.RM; HICP TV1 – Practice #10
Guidance for every response: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
  • We review our practice's Security Policies and Procedures and compare to current regulations (0).
  • We review the current regulations and do our best to meet them (0).
  • We try to follow the best practices for securing our ePHI but we are not sure we're meeting all the HIPAA security regulations (0).
  • I don't know (0).
  • Other (0).
  • Flag this question for later (0). This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  • Notes

Question 6. What do you include in your SRA documentation?
  • Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We develop corrective action plans as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce