HIPAA Risk Management & Compliance

Demonstrate and monitor compliance with HIPAA Security and Privacy regulations in a streamlined and efficient program structure.


HIPAA Risk Assessment

Asureti's HIPAA Risk Assessment methodology is based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments. This includes:

  • Identification of natural, environmental, and human threats to the environment.
  • Identification of vulnerabilities that could be exploited by the identified threats, and the likelihood of each threat-vulnerability pairing.
  • Determination of risk associated with threat-vulnerability scenarios and impact associated with in-scope systems and operational processes.

The assessment considers processing, storage, and transmission of ePHI within the environment. The assessment procedures incorporate surveys, interviews, and facilitated discussions with business and IT management members. This helps identify threats and vulnerabilities to ePHI stored and processed by the organization. These procedures also work to identify controls to mitigate the identified concerns.

HIPAA Compliance Risk Assessment

Asureti conducts interviews with key personnel to determine compliance with defined safeguards and requirements. Together we inspect policy, procedures, and other types of documentation to assist in assessing the controls an organization has in place to meet HIPAA Security Rule requirements. Components include:

  • Assessment process for controls management and assessments across Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policy & Procedure Documentation Requirements.
  • Evidence request management.
  • Assessment efficiency: “Test Once / Use Many Methodology” for shared services operations.
  • Findings management & remediation recommendations for identified issues.
  • Detailed internal reporting.
  • Summary compliance reporting to share with customers and auditors, as needed.

This compliance assessment identifies gaps between current policies, procedures, systems, and applications relative to HIPAA Security Rule requirements. Assessment efforts also provide recommendations to assist with the remediation efforts required to achieve HIPAA compliance.

HIPAA Privacy Assessment

A HIPAA Privacy Assessment based on the NIST Privacy Framework and Privacy Risk Assessment Methodology (PRAM) is performed across functions and teams. Asureti utilizes a survey approach to understand the following components across key operational functions/teams. Review, analysis, and discussion of results and follow-up can be a deep dive or a lighter touch, depending on client preference.

  • Section 1: Notice & Consent
  • Section 2: Collection and Location of PHI
  • Section 3: Systems Summary
  • Section 4: Hard Copy Records
  • Section 5: Uses and Disclosures of PHI
  • Section 6: Administrative & Organizational Requirements
  • Section 7: Change Considerations

HIPAA Program Operations

Leveraging appropriate tools can provide for streamlined processes and reporting for HIPAA Compliance programs. Asureti can provide program operations with internal client tools or through the Onspring GRC Platform.

Inclusion of a GRC technology:

  • Establishes standard processes and master data repositories for controls, risks, systems, and issues.
  • Promotes transparency and accountability of program activities.
  • Provides consistent workflows for evidence requests and control audits/testing.
  • Automates reminders and notifications.
  • Promotes reporting flexibility: reporting in aggregate or by entity or operational unit.
  • Enables capture of assessment surveys and input from internal and external users.

Are you ready to discuss a HIPAA audit for your organization? Let's start with a HIPAA Risk Assessment today.