HIPAA Policies & Procedures

Policy & Procedures describe the best practices to comply with the requirements of the HIPAA Security Rule. The policies spell out what your organization does.  The procedures detail how you do it referencing HIPAA code sections.

HIPAA Risk Analysis

The HIPAA security framework mandates a risk assessment as a primary document requirement of the Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program.

HIPAA Risk Profile

Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that pop-up.

HIPAA Management Plan

The Management Plan prioritizes issues resolution based upon risk score with tasks required to minimize, avoid, or respond to risks. The Risk Management plan defines the strategies and tactics the organization uses to address its risks.

Evidence of HIPAA Compliance

Crucial Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. The details included in this report are necessary to satisfy an auditor or investigator.

External Network Vulnerability Scan

Detailed reports show security holes and warnings, informational items including CVSS scores as scanned from outside the target network.

HIPAA Compliance PowerPoint

Use the HIPAA PowerPoint presentation to clearly deliver your findings. Summary information with risk and issue score are presented and include specific recommendations and next steps.

HIPAA On-Site Survey

The On-site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey ranges from how facility doors are locked to firewall information, and whether servers are on-site, in a data center, or in the Cloud and more.

Disk Encryption Report

Encryption is so effective at protecting data that if an encrypted device is lost, it does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and if Encryption is active.

File Scan Report

This report is useful to identify local data files that may not be protected. Based on this information, the risk of a breach could be avoided if the data was moved to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.

User Identification Worksheet

The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who are terminated, should have their access terminated. Also, identify generic logins, such as Nurse@ or Billing@ which are not permitted by HIPAA.

Computer Identification Worksheet

The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption.

Network Share Identification Worksheet

The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption.

HIPAA Supporting Worksheets

A set of additional documents provides detailed information and the raw data that backs up the Evidence of Compliance. These includes the various interviews and worksheets, as well as detailed data collections on shares and login analysis.