Asureti's HIPAA Risk Assessment methodology is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments. This includes:
The assessment considers the processing, storage, and transmission of ePHI within the environment. The assessment procedures incorporate surveys and interviews / facilitated discussions with members of business and IT management to identify the threats and vulnerabilities to ePHI stored and processed by the organization, as well as the controls in place to mitigate the identified concerns.
To determine compliance with defined safeguards and requirements, Asureti conducts interviews with key personnel and inspects documentation, including policies, procedures, and other specific documents, to assess the controls the organization has in place to meet HIPAA Security Rule requirements. Components include:
This compliance assessment identifies gaps between current policies, procedures, systems, and applications relative to HIPAA Security Rule requirements. Assessment efforts also provide recommendations to assist with the remediation efforts required to achieve HIPAA compliance.
A HIPAA Privacy Assessment is performed across functions/teams and based on the NIST Privacy Framework and Privacy Risk Assessment Methodology (PRAM). Asureti utilizes a survey approach to understand the following components across key operational functions/teams. Review, analysis, and discussion of results and follow-up can be a deep dive or a lighter touch, depending on client preference.
Appropriate tooling can streamline processes and reporting for HIPAA compliance programs. Asureti can provide program operations through the client's internal tools or through the LogicGate RiskCloud platform. Inclusion of a GRC technology: