HIPAA Compliance

Demonstrate and monitor compliance with HIPAA Security and Privacy regulations in a streamlined and efficient program structure.

Risk Assessment

Asureti's HIPAA Risk Assessment methodology is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments. This includes:

  • Identification of natural, environmental, and human threats to the environment.
  • Identification of vulnerabilities that could be exploited by the identified threats, and the likelihood of exploitation.
  • Determination of the risk associated with each threat-vulnerability scenario and the impact on in-scope systems and operational processes.

The assessment considers processing, storage, and transmission of ePHI within the environment. The assessment procedures incorporate surveys and interviews / facilitated discussions with members of business and IT management to identify the threats and vulnerabilities to ePHI stored and processed by the organization, as well as the controls in place to mitigate the identified concerns.

Compliance Assessment

To determine compliance with defined safeguards and requirements, Asureti conducts interviews with key personnel and inspects documentation, including policies, procedures, and other specific documentation items, to assess the controls in place within the organization to meet HIPAA Security Rule requirements. Components include:

  • Assessment process for controls management and assessments across Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policy & Procedure Documentation Requirements.
  • Evidence request management.
  • Assessment efficiency: “Test Once / Use Many Methodology” for shared services operations.
  • Findings management & remediation recommendations for identified issues.
  • Detailed internal reporting.
  • Summary compliance reporting to share with customers and auditors, as needed.

This compliance assessment identifies gaps between current policies, procedures, systems, and applications relative to HIPAA Security Rule requirements. Assessment efforts also provide recommendations to assist with the remediation efforts required to achieve HIPAA compliance.

Privacy Assessment

A HIPAA Privacy Assessment is performed across functions/teams and is based on the NIST Privacy Framework and Privacy Risk Assessment Methodology (PRAM). Asureti utilizes a survey approach to understand the following components across key operational functions/teams. Review, analysis, and discussion of results and follow-up can be a deep dive or a lighter touch, depending on client preference.

  • Section 1: Notice & Consent
  • Section 2: Collection and Location of PHI
  • Section 3: Systems Summary
  • Section 4: Hard Copy Records
  • Section 5: Uses and Disclosures of PHI
  • Section 6: Administrative & Organizational Requirements
  • Section 7: Change Considerations

Program Operations

Leveraging appropriate tools can streamline processes and reporting for HIPAA compliance programs. Asureti can provide program operations with internal client tools or through the LogicGate RiskCloud platform.

Inclusion of a GRC technology:

  • Establishes standard processes and master data repositories for controls, risks, systems, and issues.
  • Promotes transparency and accountability of program activities.
  • Provides consistent workflows for evidence requests and control audits/testing.
  • Automates reminders and notifications.
  • Promotes reporting flexibility: aggregate or by entity or operational unit.
  • Enables capture of assessment surveys and input from internal and external users.