HIPAA COW Risk Analysis & Risk Management Toolkit:
NEW: Risk Analysis and Risk Management Toolkit Revisions: 9/13/13 Items #1 & #3 were updated. Items #11 & 12 were added.
The HIPAA COW Risk Management Networking Group has spent most of their meeting time over the past few months making updates to the Toolkit. They reviewed the OCR Audit Protocol and added information to the HIPAA COW Risk Assessment Security Questions (and supporting information on that document). The HIPAA COW Security Assessment spreadsheet was also updated to include a formula so the risk levels and vulnerability/threat pair auto-populate into the Risk Mitigation Implementation plan. Finally, the password to unlock the spreadsheet was removed.
The following document was also created: The OCR Audit Protocol 2013 Cross Reference to the HIPAA COW Risk Assessment Changes Made (see #11 below). Changes made to the Security Assessment spreadsheet are reflected and referenced in columns E-J on the Security worksheet and E-G on the Privacy worksheet.
HIPAA COW is pleased to provide you with this HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit). Please note that this Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. Please contact us with any recommendations, questions, or special requests.
The following Toolkit documents are currently available:
1) Start Here: This Guide provides a summary of all the tools in this Toolkit (listed below) as well as ideas on how to use them to complete a risk analysis, risk assessment, and develop and implement a risk management strategy. It also includes a list of references reviewed and used while developing this Toolkit.
3) HIPAA COW Risk Assessment – Template (Updated 11/14/14). Content Changed in this updated version: Incorporated key information from the NIST HIPAA Security Toolkit questions (v2011: http://scap.nist.gov/hipaa/) into the Security Questions worksheet for these subject “categories”: Risk Management, Contingency Plan, & Data Management. This document contains several worksheets, including:
- Example Security
- P&P List
- Security Questions
- Threat Source List
- Inventory Asset List
- Risk Mitigation
- Implementation Plan
9) Risk Management Policy – This may be used by your organization as a template to create a Risk Management Policy. The policy was updated on 1/16/13 to better align with the HIPAA COW Risk Analysis & Risk Management toolkit.
10) HIPAA COW OCR Audit Protocol – This OCR HIPAA Audit Protocol, with the last column added by HIPAA COW on the Security and Privacy & Breach worksheets, includes the question numbers that currently are believed to cover some or all of the audit protocol requirements for each specific item. The HIPAA COW Risk Management Networking Group will be reviewing the established performance criteria and audit procedures in the OCR HIPAA Audit Program and enhance the HIPAA Security questions and recommended controls on the HIPAA COW Risk Assessment Template spreadsheet.
12) NIST SP 800-30 v2002 – This Toolkit is based on many of the methodologies described in this document.
Disclaimers: The HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Guide and the Toolkit documents are provided “as is” without any express or implied warranty. This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits all Toolkit. As previously stated, this includes only an example method to complete a HIPAA Security Risk Assessment. The HIPAA Security Rule requires this be completed on an ongoing basis, but does not prescribe how to accomplish this. The authors of these documents carefully considered and included information that are believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experiences. With that said, it may include items not required by your organization, exclude items required, and/or items that you need tailor to your organization’s needs. Contact Us: Please forward any questions, comments, enhancements or ideas for improvement about this Risk Toolkit to: firstname.lastname@example.org. We welcome your feedback.