HIPAA COW Risk Analysis & Risk Management Toolkit:

HIPAA COW is pleased to provide you with this HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit). Please note that this Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. Please contact us with any recommendations, questions, or special requests.

The following Toolkit documents are currently available:

1) Start Here: This Guide provides a summary of all the tools in this Toolkit (listed below) as well as ideas on how to use them to complete a risk analysis, risk assessment, and develop and implement a risk management strategy. It also includes a list of references reviewed and used while developing this Toolkit.

2) NIST Risk Assessment Steps

3) HIPAA COW Risk Assessment Template (Updated 6/10/16)  Content Changed in this updated version: Continued to incorporate key information from the NIST HIPAA Security Toolkit questions (v2011: http://scap.nist.gov/hipaa/) into the Security Questions worksheet for these subject “categories”:  BAA and Facility Access.  The BAA section was updated to include final omnibus rule changes.

This document contains several worksheets, including:

  • Example Security
  • P&P List
  • Security Questions
  • Threat Source List
  • Inventory Asset List
  • Risk Mitigation
  • Implementation Plan

4) NIST Threat Overview

5) Network Diagram Example

6) NIST Risk Definitions & Calculations

7) NIST Risk Mitigation Activities

8) HIPAA COW Risk Analysis Report Template

9) Risk Management Policy – This may be used by your organization as a template to create a Risk Management Policy.  The policy was updated on 1/16/13 to better align with the HIPAA COW Risk Analysis & Risk Management toolkit.

10) OCR Phase 2 Audit Protocol – This is simply a copy/paste of the OCR Phase 2 Audit Protocol that was posted in April 2016 HERE.

11) HIPAA COW OCR Audit Protocol – June 2012 – This OCR HIPAA Audit Protocol, with the last column added by HIPAA COW on the Security and Privacy & Breach worksheets, includes the question numbers that currently are believed to cover some or all of the audit protocol requirements for each specific item. The HIPAA COW Risk Management Networking Group will be reviewing the established performance criteria and audit procedures in the OCR HIPAA Audit Program and enhance the HIPAA Security questions and recommended controls on the HIPAA COW Risk Assessment Template spreadsheet.

12) OCR Audit Protocol – June 2012:   2013 Cross Reference to the HIPAA COW Risk Assessment Changes Made

13) NIST SP 800-30 v2002 – This Toolkit is based on many of the methodologies described in this document.

Disclaimers: The HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Guide and the Toolkit documents are provided “as is” without any express or implied warranty. This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits all Toolkit. As previously stated, this includes only an example method to complete a HIPAA Security Risk Assessment. The HIPAA Security Rule requires this be completed on an ongoing basis, but does not prescribe how to accomplish this. The authors of these documents carefully considered and included information that are believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experiences. With that said, it may include items not required by your organization, exclude items required, and/or items that you need tailor to your organization’s needs. Contact Us: Please forward any questions, comments, enhancements or ideas for improvement about this Risk Toolkit to: admin2@hipaacow.org. We welcome your feedback.