HIPAA Security Risk Analysis

Blue Goat Cyber’s HIPAA SRA High-Level Objective:

Assist you in meeting the requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule 45 C.F.R. Section 164.308(a)(ii)(A) regulation as well to meet the requirement for a security risk analysis (SRA) under the Centers for Medicare and Medicaid Services (CMS) Incentive Programs, Medicare Access and CHIP Reauthorization Act (MACRA) and, Merit-Based Incentive Payments System (MIPS), as applicable.

Service Description:

Blue Goat shall do each of the following:

• Conduct a Kickoff Meeting with the Client’s Team (e.g., Security, Privacy, Compliance official, IT, HR, Legal, Facilities) who will be involved with the engagement. The purpose of the meeting is to explain the SRA process, expectations, roles, and timeline. 
• Review the Client’s existing policies and procedures documentation (up to forty-nine artifacts) that correlates to the 49 HIPAA Security Rule regulations, if any, before the Checkpoint Meeting. Policies and procedures that partially meet the regulatory requirements or are missing will be identified. Blue Goat can provide a spreadsheet that the Client’s Team can use to cross-reference their documentation if it does not annotate or footnote the relevant Security Rule regulation section (e.g., §164.308(a)(8)) each policy is addressing in the documentation.
• Guide the Client’s Team in identifying and documenting where HIPAA-covered ePHI data exists (e.g., on servers, workstations, portable devices, medical devices, or with Business Associates, etc.) and the security controls in place to protect the data. Blue Goat will provide a formatted spreadsheet to document the ePHI inventory, instructions on filling out the columns, and a completed sample inventory for reference.
• Conduct a Checkpoint Meeting with the Client’s Team to offer initial feedback regarding the policies and procedures documentation that was provided and review the ePHI inventory that was documented. If the ePHI inventory was not documented before the Checkpoint Meeting, then the meeting time will be used to document as much of the inventory as possible with your team. 
• Conduct a Compliance Review Meeting with the Client’s Team to assess the existing controls in place for each of the Security Rule regulations, determine whether evidence is being maintained to support the organization’s compliance with the regulations, assess the organization’s preparedness for various natural, man-made and malicious threats, and note the findings (i.e. compliance risks) and recommendations (i.e. corrective actions) to be included in the Security Risk Analysis Report. The Client’s Team will be strongly urged to acknowledge and discuss areas needing security improvements during the meeting. The findings and recommendations are dependent on sharing information.
• Document the preliminary risk findings and recommendations based on the Compliance Review Meeting discussions and provide this draft information to the Client’s team for review. 
• Provide the Client’s team with an opportunity to send feedback and proposed language changes to the preliminary risk findings and recommendations, if any, to Blue Goat Cyber within five business days to confirm the information reflects the Compliance Review Meeting discussions. If no changes are received by the end of the five-business-day review period, the next step will be to prepare and send the final engagement documents. 
• Deliver a final Security Risk Analysis Report (i.e., one report) which contains the following sections:
• 1.0 Overview
• 2.0 Executive Summary
• 3.0 Assessment Methodology
• 4.0 Qualitative Analysis
• 5.0 Findings
• 5.1 ePHI Inventory
• 5.2 Criticality of ePHI Applications
• 5.3 Threat Matrix
• 5.4 Risk Matrix
  • 5.4.1 Very High Risk
  • 5.4.2 High Risk
  • 5.4.3 Medium Risk
  • 5.4.4 Low Risk
  • 5.4.5 Very Low Risk
• 5.5 Site Review
• 5.6 Best Security Practices
• 6.0 Next Steps
• 7.0 Final Thoughts
• Appendix A – Security Rule Compliance Matrix
• Appendix B – ePHI Inventory Table
• Appendix C – Criticality of ePHI Applications Table
• Appendix D – Threat Matrix Table
• Appendix E – Policies & Procedures Documentation Compliance Table, if applicable
• Appendix F – Facility Walk-Through Checklist, if applicable
• Appendix G – Disclaimer
• Deliver a Risk Management Plan that includes the risk findings and recommendations documented in the SRA Report to plan and track remediation progress against each risk annually and serves as evidence of the Client Team’s remediation efforts in the event of an audit. Corrective actions the Client’s Team plans or implements once the Compliance Review Meeting has been conducted are documented in the Risk Management Plan.   
• Deliver a presentation of the significant SRA Report findings and recommendations to the organization’s Executive/IT management, if requested.
• Deliver a comprehensive set of HIPAA Security Rule policies and procedures “master document” templates to the client for the purpose of integrating their standard operating procedures into the templates, if requested.
• The Statement of Work describes all the services to be performed. Risk remediation services are not included as part of the SRA engagement. However, once the final engagement documents are delivered, Blue Goat Cyber may be able to assist with remediation efforts of the risks identified in the SRA Report through a new Statement of Work.
• The SRA engagement will be performed on a remote basis. Onsite engagements involve one day, up to three days, at the client’s location, and travel expenses are incurred.
• The SRA engagement ends when the final engagement documents are delivered, or a final meeting is conducted.