Your review or other use of the documents or other information or services on the HIPAA COW web site (collectively, the “Documents”) will be governed by the terms and conditions stated below. For the purposes of these terms and conditions, if the user is not an individual, then “You” or “you” will include the user’s company, its practitioners, officers, employees, members, agents, successors and assignees. As used below, “HIPAA COW” refers to HIPAA Collaborative of Wisconsin.

HIPAA COW may amend these terms and conditions at any time by posting the amended terms on HIPAA COW’s Web site.

HIPAA COW holds the Copyright to these Documents. HIPAA COW retains full copyright ownership, rights and protection in all material contained in the Documents. You may use these Documents for your own non-commercial purposes. They may be redistributed in their entirety only if (i) the copyright notice is not removed or modified, and (ii) Documents are provided to the recipient free of charge. If information is excerpted from these Documents and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). Documents may not be sold for profit or used in commercial documents or applications. These Documents are provided “as is” without any express or implied warranty. These Documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to these Documents. Therefore, these Documents may need to be modified in order to comply with Wisconsin/State law.

Though HIPAA COW believes reasonable efforts have been made to ensure the accuracy of the information contained in the Documents, it may include inaccuracies or typographical errors and may be changed or updated without notice. It is intended for discussion and educational purposes only and is provided “AS IS” WITHOUT WARRANTY OF ANY KIND AND RELIANCE ON ANY INFORMATION PRESENTED IS AT YOUR OWN RISK. HIPAA COW AND ITS CONTRIBUTORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, AND ANY AND ALL PRODUCTS, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. In no event shall HIPAA COW be liable for any direct, indirect, punitive, incidental, special, or consequential damages or damages for loss of profits, revenue, data, down time, or use, arising out of or in any way connected with the use of these Documents or performance of any services, whether based on contract, tort, negligence, strict liability or otherwise. If you are dissatisfied with any portion of the Documents, or with any of these terms of use, your sole and exclusive remedy is to discontinue using the Document. If this limitation of liability or the exclusion of warranty is held inapplicable or unenforceable for any reason, then HIPAA COW’s maximum liability for any type of damages shall be limited to U.S. $100.00. This agreement shall be construed in accordance with the laws of the State of Wisconsin without regard to its conflict-of-law provisions. You hereby irrevocably consent to the exclusive jurisdiction and venue of courts in Dane County, Wisconsin for all disputes arising out of or relating in any way to the use of these Documents.

The listing of an organization or a Web link on the HIPAA COW web site does not imply any endorsement and HIPAA COW takes no responsibility for the products, tools, and Internet sites listed. Documents may contain links to other sites over which HIPAA COW has no control. The inclusion of any link does not imply endorsement by HIPAA COW of the site or the site’s contents or owner. By using any Documents to search for or link to another site, you agree and understand that you may not make any claim against HIPAA COW for any damages or losses, whatsoever, resulting from your use of the Web site to obtain search results or to link to another site. The information and content provided by HIPAA COW is for informational purposes only. HIPAA COW disclaims any responsibility to update any information, including with respect to any new legal, business, or technology developments. The information is not intended to and does not constitute legal, financial, or other professional advice. HIPAA COW is not licensed to practice law in any jurisdiction and the accuracy, completeness, adequacy, or currency of the information is not warranted or guaranteed and any use of it is at your own risk. If you require legal advice, you should consult with an attorney.

HIPAA COW may terminate these terms and conditions and your use of these Documents at any time if you violate any provision of these terms and conditions. Termination of these terms and conditions will not affect any obligations that accrued before the termination. If you understand and accept these conditions of use, click “I Accept” to enter the HIPAA COW Sample Documents Portal page.



Accept Decline

HIPAA COW Risk Analysis & Risk Management Toolkit:

HIPAA COW is pleased to provide you with this HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit). Please note that this Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. Please contact us with any recommendations, questions, or special requests.

The following Toolkit documents are currently available:

1) Start Here: This Guide provides a summary of all the tools in this Toolkit (listed below) as well as ideas on how to use them to complete a risk analysis, risk assessment, and develop and implement a risk management strategy. It also includes a list of references reviewed and used while developing this Toolkit.

2) NIST Risk Assessment Steps

3) HIPAA COW Risk Assessment Template (Updated 6/19/17)  Content Changed in this updated version: Updated questions and recommended controls to include content from the April 2016 OCR Audit Protocol – Phase 2.

This document contains several worksheets, including:

  • Example Security
  • P&P List
  • Security Questions
  • Threat Source List
  • Inventory Asset List
  • Risk Mitigation
  • Implementation Plan

4) NIST Threat Overview

5) Network Diagram Example

6) NIST Risk Definitions & Calculations

7) NIST Risk Mitigation Activities

8) HIPAA COW Risk Analysis Report Template

9) Risk Management Policy – This may be used by your organization as a template to create a Risk Management Policy.  The policy was updated on 1/16/13 to better align with the HIPAA COW Risk Analysis & Risk Management toolkit.

10) OCR Phase 2 Audit Protocol – This is simply a copy/paste of the OCR Phase 2 Audit Protocol that was posted in April 2016 HERE.

11) HIPAA COW OCR Audit Protocol – June 2012 – This OCR HIPAA Audit Protocol, with the last column added by HIPAA COW on the Security and Privacy & Breach worksheets, includes the question numbers that currently are believed to cover some or all of the audit protocol requirements for each specific item. The HIPAA COW Risk Management Networking Group reviewed the established performance criteria and audit procedures in the OCR HIPAA Audit Program and enhance the HIPAA Security questions and recommended controls on the HIPAA COW Risk Assessment Template spreadsheet.  This project was completed in August of 2013.

12) OCR Audit Protocol – June 2012:   2013 Cross Reference to the HIPAA COW Risk Assessment Changes Made

13) NIST SP 800-30 v2002 – This Toolkit is based on many of the methodologies described in this document.

Disclaimers: The HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Guide and the Toolkit documents are provided “as is” without any express or implied warranty. This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits all Toolkit. As previously stated, this includes only an example method to complete a HIPAA Security Risk Assessment. The HIPAA Security Rule requires this be completed on an ongoing basis, but does not prescribe how to accomplish this. The authors of these documents carefully considered and included information that are believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experiences. With that said, it may include items not required by your organization, exclude items required, and/or items that you need tailor to your organization’s needs. Contact Us: Please forward any questions, comments, enhancements or ideas for improvement about this Risk Toolkit to: admin2@hipaacow.org. We welcome your feedback.