
HIPAA Risk Assessment

HIPAA Risk Assessment and IT consulting

Since the HIPAA Omnibus Rule was unveiled in 2013, an ever-increasing number of healthcare organizations and individuals have been required by law to comply with new IT security rules and procedures; many of these businesses, organizations and medical practices are located in NY's Hudson Valley and Northern New Jersey. Because many of these new IT security requirements are confusing, you are much better off using an experienced IT company that is HIPAA compliant and specializes in the HIPAA HITECH Security Rule to help you navigate them. Conducting a HIPAA Risk Assessment is a mandatory and crucial requirement for these organizations, known as "Covered Entities".

The following is a short list of the types of Covered Entities that are required to comply with these new HIPAA Security Rules:

Health Care Provider

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

Health Insurance Plans

  • Health Insurance Companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.


In addition to the above so-called "Covered Entities", there are an estimated 2,000,000 additional "HIPAA Business Associates" that are exposed to, or have access to, protected information, making them also subject to HIPAA regulations. A HIPAA Business Associate is any of the following types of businesses that has one or more Covered Entities as a customer or client:

  • IT Service Providers
  • Medical Billing Companies
  • Document Shredding Companies
  • Documents Storage Companies
  • Accountants
  • Collection Agencies
  • EMR Companies
  • Data Centers, Online Backup companies, Cloud vendors
  • Insurance Agents
  • Revenue Cycle Management vendors
  • Contract Transcriptionists

EVERY Business Associate, and all of their subcontractors, must have proof of a HIPAA Risk Analysis under the law. Even if they wanted to, most of these organizations do not have the staff, resources or expertise to do it themselves. HIPAA audits and investigations require evidence that required tasks have been carried out and completed by covered entities, and documentation of this must be kept for six years.

What You Can Expect From a HIPAA Risk Assessment from DCS:

Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, proper documentation must be accessible and detailed enough to satisfy an auditor or investigator, and this report provides both.

  • Evidence of Compliance including log-in files, patch analysis, user & computer information, and other source material to support your compliance activities
  • Pinpoint organizational threats and vulnerabilities
  • Identify controls and protections in place and any gaps in those controls
  • Calculate risk ratings and where the organization should focus its remediation efforts
  • Prioritize controls needed to protect highly sensitive ePHI
  • Includes a Findings, Observations and Recommendations Report

After a Risk Assessment, DCS can implement the needed IT fixes and help clients implement procedures designed to allow authorized access, and deny unauthorized access, to and within facilities, and to limit access to devices that can access or store ePHI.