Academic year: 2021


HIPAA RISK ASSESSMENT

PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION)

Practice Name:

Address:

City, State, Zip:

Phone:

E-mail:

We anticipate that your Meaningful Use training and implementation will take approximately 30 days. Most of your training will be done by attending courses at SammyUniversity.com. If, after you attend Sammy University, you feel that you need additional one-on-one training, we will certainly make ourselves available to help you!

Register for Meaningful Use ASAP! SammyEHR’s CMS EHR Certification ID is 30000001SVAKEAS. http://www.cms.gov/EHRIncentivePrograms/

HIPAA Compliance

[ ] ICS has made me aware of the HIPAA security requirements. I decline ICS’ offer to assist me in becoming HIPAA compliant.

[ ] Please assist me in becoming HIPAA compliant. I have completed the attached questionnaire. I will send it back to ICS completed to the best of my ability, including payment ($399 for 1 office, $199 for each additional).

Please make check payable and remit to: ICS Software, Ltd., 3720 Oceanside Road West, Oceanside, NY 11572

If paying by credit card, please include your information below:

__ MasterCard __ Visa __ Amex __ Discover

Card Number: __________________________________ Expiration: ___/___ Signature: __________________________________


As part of the requirement for meaningful use, the practice is required to perform a risk assessment. The types of risks that need to be addressed include Physical, Administrative and Technical Risks. This document is the risk assessment. If you do not understand what is being asked for in any given location, please leave it blank.

PHYSICAL RISKS

Loss of Power

A loss of power not only makes the data on practice computer systems inaccessible; the improper shutdown of computer systems caused by a power outage can also damage hardware and destroy the data stored on those systems. An assessment of the likelihood of a loss of power, and the implementation of measures to mitigate the potential damage from such an event, is necessary.

1. How many times in the past year have you lost power? _____________________________

2. Do you have a Backup Generator? __Yes __No

3. Do you have UPS (Battery Backup) on all critical technology devices? __Yes __No

Critical devices can include computers, networking equipment, and phone systems. Your server is a critical computer. Not all workstations are critical devices, but at least one workstation should have a UPS installed.

4. Do you have phones that can plug directly into the wall and do not require a power source? __Yes __No

Loss of Internet Connectivity

Use of the internet is required for connection to Health Information Exchanges, remote offices, and other data sources. This connectivity may be necessary to ensure that patient data is available. The more data that is located off premises, the greater the impact a loss of connectivity will have on your practice. The practice's need for connectivity will determine the severity of a loss of connectivity and the steps required to mitigate it.

1. How many times in the past two years have you lost internet connectivity? _____________

2. How many of these were accompanied by a loss of electricity? __________________________

3. Do you have multiple connections from multiple internet carriers? __Yes __ No

4. Do you have a wireless internet connection such as a laptop edge card in case of a service outage? __Yes __ No

5. Is your database located at this location or at an offsite location? __This location __Offsite

6. Do satellite offices need to be able to connect to this location? __Yes __ No

7. If your data is offsite, it is located:

[ ] In your other office

[ ] Other (please specify)

______________________________________________________________________________
______________________________________________________________________________

Loss of Premises due to Fire

In addition to the risks that fire poses to computer systems, fire poses a significant risk to the health and safety of the practice's patients and workforce. The primary goal of a fire risk assessment and risk mitigation is to ensure the safety of the people who are at the premises. With proper implementation of fire protection, it is possible to minimize damage to computer systems due to fire. In case of damage due to fire or other disaster, it may be necessary to implement the practice disaster recovery plan, which is addressed in the HIPAA Security Manual.

1. Do you have fire extinguishers? __Yes __ No Please mark the locations of all fire extinguishers on your practice floor plan.

2. Do you have sprinklers at your location? __Yes __ No

Please mark the locations of sprinklers on your practice floor plan.

3. Do you have smoke detectors? __Yes __ No Please mark the locations of all smoke detectors on your floor plan.

4. Do you have fire alarms? __Yes __ No Please mark the locations of all fire alarms on your floor plan.

5. Do you have central station monitoring for fires? __Yes __ No Please mark the location of all fire extinguishers on your floor plan.

Loss due to Theft

Theft of computer systems and data represents a significant risk to the practice. Theft of computer systems or of data is a major HIPAA violation. There are multiple methods of theft, including theft of data and theft of physical computers and media. Here we will discuss risks posed by theft of physical devices.

1. Do you have an anti-theft system such as a burglar alarm? __Yes __ No

2. Do you have central station monitoring? __Yes __ No

3. Who is alerted if the alarm is triggered? _____________________________________________
______________________________________________________________________________
______________________________________________________________________________

4. Is there video surveillance and recording of the premises? __Yes __ No

5. Do you have motion detectors? __Yes __ No

6. Are all external windows alarmed? __Yes __ No

a. If not, please describe why not: _________________________________________________
___________________________________________________________________________

7. Are all external doors alarmed? __Yes __ No


8. Are any internal windows or doors alarmed? __Yes __ No Please mark the location of all alarmed access points on your office floor plans.

9. Are you tracking who has access to the premises using keys / keypad access? __Yes __ No

10. Are all computers in secure areas? __Yes __ No

Please mark the location of each computer on your floor plan. Indicate which rooms that store computers have locks installed.

COMPUTER INVENTORY FORM

List all computers, devices and media containing e-PHI on the inventory sheet. Include details on who is responsible for mobile devices and media. Please give each device an ID. This ID will be utilized when documenting all of your installed software. Be sure to list the Make, Model and Serial Number of each device, and additionally the operating system and antivirus software (if any) on each computer or mobile device.

Digital Printers and Copiers often have hard drives. If you have digital imaging devices such as printers, copiers, or scanners that contain hard drives you must have an inventory form for each of those devices.

Please fill out one form for each workstation, laptop, server and PDA used in your practice. Please photocopy that form and keep a blank one available; you will need to add a Computer Inventory Form to your HIPAA manual each time you buy a new computer.

Computer Name (please name each computer): ______________________________

Computer Make (e.g. Dell, HP, etc.): ______________________________

Computer Model: ______________________________

How many hard drives are in the computer? ______________________________

Are any of the drives encrypted? Please provide details: ______________________________

Operating System (be specific, e.g. Windows XP Professional): ______________________________

Location of Computer (Front Desk, Treatment Room 1, Mobile Kiosk): ______________________________

What antivirus software is installed? ______________________________

Is the computer connected to a Battery Backup? If yes, please list the make and model of the Battery Backup: ______________________________


Media Destruction Documentation

Hard Drive Make / Model: ____________ Date Destroyed: ____________ Replaced with: ____________

Hard Drive Make / Model: ____________ Date Destroyed: ____________ Replaced with: ____________

Hard Drive Make / Model: ____________ Date Destroyed: ____________ Replaced with: ____________

Hard Drive Make / Model: ____________ Date Destroyed: ____________ Replaced with: ____________

Hard Drive Make / Model: ____________ Date Destroyed: ____________ Replaced with: ____________

You will notice a section titled Media Destruction Documentation on each of the Computer Inventory Forms. Each of these inventory forms will become part of your HIPAA manual, and you need to track all media that your practice uses to store E-PHI. When media is retired, the data on the media needs to be irreversibly destroyed. This can be accomplished by using software that wipes the media, or by physically destroying the disks.

Please describe the methods you use to irreversibly destroy all E-PHI on your retired media. You need to be specific. If you do not have a method, we recommend utilizing Iron Mountain, which provides hard disk shredding services.


_____________________________________________________________________________________

_____________________________________________________________________________________

OTHER PHYSICAL DAMAGE

If your office is at risk of damage due to factors not addressed earlier in this questionnaire, please detail those risks here. Risks could include, but are not limited to, Floods, Hurricanes, Earthquakes, or other natural disasters.

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________


BACKUP AND RESTORATION

In the event of a loss of equipment and/or data, it is important to be able to access critical patient data. This is accomplished by having data backups, contingency plans, and disaster recovery plans, all of which are addressed in your HIPAA Security Manual. In order for these plans to function, certain steps need to be taken on a regular basis to ensure the integrity and availability of data.

1. Do you backup data to local media? __Yes __ No

2. If yes, what type of media is utilized? _____________________________________________

3. Is the media stored off site? __Yes __ No

4. Do you have a fireproof safe at your practice location? __Yes __ No

5. Do you have a fireproof safe at an offsite location? __Yes __ No

6. How often do you back up your data? ____________________________________

7. How often do you test your backups? ____________________________________

8. How many days of backup do you retain locally? ____________________________________

9. Do you utilize remote backup services? __Yes __ No

10. How often do you back up data remotely? ____________________________________

11. What type of media is utilized? ____________________________________

12. How often do you test your remote backup? ____________________________________

13. How many days of backup do you retain remotely? ______________________________

14. What offsite backup company do you use? ____________________________________

Please attach a copy of the BAA with your offsite backup service to your HIPAA manual.

15. Do you have copies of all installation disks? __Yes __ No


VENDORS, SUPPLIERS, CONSULTANTS AND SUPPORT

In the case of a disaster you will need the assistance of your hardware vendors, software vendors, and consultants. The details of disaster recovery are listed in your HIPAA Security Manual. Please list your vendors and consultants in this section. Include information on the Operating Systems and Anti-Virus Software. If you have multiple copies of software installed on multiple computers, please fill out information for each instance separately. Attach additional pages as necessary.


SOFTWARE VENDORS – COMPLETE FOR EACH SOFTWARE VENDOR

Software Vendor: __________________________________________________________

Software Product and Version: __________________________________________________________

Software License Information: __________________________________________________________

Contact Name: __________________________________________________________

Phone Number(s): __________________________________________________________

Email address: __________________________________________________________

1. Does the software support encryption? __Yes __ No

2. What type of encryption is implemented? _______________________________________

3. Does the software support auditing of use and access? __Yes __ No

4. Does the software require a login? __Yes __ No

If the software requires a login:

a. Does the software support or require strong passwords? __Yes __ No

b. Is this implemented? __Yes __ No

c. Does the software support or require regular password changes? __Yes __ No

d. Is this implemented, and how often are passwords required to be changed? __Yes __ No
_______________________________________________________________________

5. Are automatic updates available with this software product? __Yes __ No

6. Are automatic updates enabled? __Yes __ No


TECHNICAL MEASURES

Technical measures need to be implemented to ensure the security of your computer network. These technical measures are detailed in the HIPAA Security Manual. In order to properly answer these questions, you will probably need the assistance of your hardware and software vendors.

1. Do you have auditing software installed on your computer network? __Yes __No

2. What Auditing Software is utilized? _________________________________________________
______________________________________________________________________________

3. How often are the Audit Logs reviewed? _____________________________________________
______________________________________________________________________________

4. Is there an intrusion detection system installed on your computer network? __Yes __No

5. Does the computer network support a Login Threshold? __Yes __No

6. What is that threshold? __________________________________________________________

7. What happens if that threshold is exceeded? _________________________________________

8. Does the computer network support strong Passwords? __Yes __No

9. Is that implemented? __Yes __No

10. Please describe the password policy that is implemented on the computer.

______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________

NETWORK SECURITY

1. Do you have a wireless network? __Yes __No

2. What type of firewall is installed (Make and Model)? __________________________________
______________________________________________________________________________

3. What type of router is installed (Make and Model)? ___________________________________
_____________________________________________________________________________

Note that your Wireless Access Point and your router are often the same device. Please answer the following questions for each of your Wireless Access Points:

Make and Model: _________________________________________________________________

Is MAC address security enabled? __Yes __No

What type of wireless security is enabled?

__ None __WEP __ WPA __ WPA2/Personal __WPA2/Enterprise

__ Other – please specify: _______________________________________________________________


AUDITING SOFTWARE

If your computer has any auditing software installed or your EMR software has built in Auditing please describe it here.

___________________________________________________________________

___________________________________________________________________

STAFF ROSTER

As part of the HIPAA security policies, each staff member needs to receive annual HIPAA training and regular HIPAA reminders. We provide regular HIPAA training to your staff via webinars and regular updates via email. We therefore require a separate valid email address for each of your staff members.

As part of the workforce authorization process, it may be appropriate to perform background checks on your employees.

Staff Member Name: ________________________ Email Address: ________________________


ASSIGNED RESPONSIBILITY

HIPAA requires that you assign staff members to various security / privacy posts within your practice. Please let us know who is:

Practice Security Officer: ___________________________________________

This is the person responsible for implementing all of the security provisions detailed in this HIPAA manual, testing the security procedures and making necessary changes to your manual should they be required. This person will be in charge of your Security Incident Response Team in case of a HIPAA breach.

Practice Privacy Officer: ___________________________________________

This is the person responsible for communicating with your patients should they have any questions or issues regarding HIPAA privacy in your office. In case of a breach they will work with the Security Officer and be on the Security Incident Response Team to mitigate any breaches.

Practice Compliance Officer: ___________________________________________

This is the person who is responsible for monitoring the employees of your practice to ensure that they are following your HIPAA policy, and this person will be responsible for ensuring that the logs in the HIPAA manual are updated as appropriate.

BUSINESS ASSOCIATE AGREEMENTS

Provide a list of all companies having access to any patient information for any purpose, and any individuals who have remote access. This includes orthotic labs if you put patient names on the orthotic Rx, but not doctors to whom you send and from whom you receive referrals. Ex: Accountants, practice consultants, transcription services, billing companies, etc. Do NOT list employees of your practice.

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________


FLOOR PLAN

Please draw a floor plan of your practice. Each of the following must be marked:

Doors
- If the door has a lock, please indicate
- If the door is alarmed, please indicate

Windows
- If the window has a lock, please indicate
- If the window is alarmed, please indicate

Computers
- Mark where each computer is located
- Please name each computer (see inventory sheet)

Fire
- Please mark the locations of Fire Detectors and Fire Extinguishers

Theft
- Please mark the location of motion detectors, video cameras and keypads


REMOTE ACCESS

Does anybody access your practice computers remotely? __Yes __No

Please describe the security that has been implemented for each remote user.

_____________________________________________________________________________________
_____________________________________________________________________________________
