Your review or other use of the documents or other information or services on the HIPAA COW web site (collectively, the “Documents”) will be governed by the terms and conditions stated below. For the purposes of these terms and conditions, if the user is not an individual, then “You” or “you” will include the user’s company, its practitioners, officers, employees, members, agents, successors and assignees. As used below, “HIPAA COW” refers to HIPAA Collaborative of Wisconsin.

HIPAA COW may amend these terms and conditions at any time by posting the amended terms on HIPAA COW’s Web site.

HIPAA COW holds the Copyright to these Documents. HIPAA COW retains full copyright ownership, rights and protection in all material contained in the Documents.  Any HIPAA COW copyrighted document may be downloaded from the web, printed, and distributed in its entirety as long as: (i) the reproduced document contains the original HIPAA COW copyright and disclaimer and (ii) the document is provided free of charge. Any entity who wishes to adopt part or all of a document for its own internal compliance may do so without the copyright as long as the document is adopted solely for internal purposes and HIPAA COW is referenced as a source. Any other use of copyrighted material is prohibited without the express written permission of HIPAA COW. These Documents are provided “as is” without any express or implied warranty. These Documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to these Documents. Therefore, these Documents may need to be modified in order to comply with Wisconsin/State law.

Though HIPAA COW believes reasonable efforts have been made to ensure the accuracy of the information contained in the Documents, it may include inaccuracies or typographical errors and may be changed or updated without notice. It is intended for discussion and educational purposes only and is provided “AS IS” WITHOUT WARRANTY OF ANY KIND AND RELIANCE ON ANY INFORMATION PRESENTED IS AT YOUR OWN RISK. HIPAA COW AND ITS CONTRIBUTORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, AND ANY AND ALL PRODUCTS, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. In no event shall HIPAA COW be liable for any direct, indirect, punitive, incidental, special, or consequential damages or damages for loss of profits, revenue, data, down time, or use, arising out of or in any way connected with the use of these Documents or performance of any services, whether based on contract, tort, negligence, strict liability or otherwise. If you are dissatisfied with any portion of the Documents, or with any of these terms of use, your sole and exclusive remedy is to discontinue using the Document. If this limitation of liability or the exclusion of warranty is held inapplicable or unenforceable for any reason, then HIPAA COW’s maximum liability for any type of damages shall be limited to U.S. $100.00. This agreement shall be construed in accordance with the laws of the State of Wisconsin without regard to its conflict-of-law provisions. You hereby irrevocably consent to the exclusive jurisdiction and venue of courts in Dane County, Wisconsin for all disputes arising out of or relating in any way to the use of these Documents.

The listing of an organization or a Web link on the HIPAA COW web site does not imply any endorsement and HIPAA COW takes no responsibility for the products, tools, and Internet sites listed. Documents may contain links to other sites over which HIPAA COW has no control. The inclusion of any link does not imply endorsement by HIPAA COW of the site or the site’s contents or owner. By using any Documents to search for or link to another site, you agree and understand that you may not make any claim against HIPAA COW for any damages or losses, whatsoever, resulting from your use of the Web site to obtain search results or to link to another site. The information and content provided by HIPAA COW is for informational purposes only. HIPAA COW disclaims any responsibility to update any information, including with respect to any new legal, business, or technology developments. The information is not intended to and does not constitute legal, financial, or other professional advice. HIPAA COW is not licensed to practice law in any jurisdiction and the accuracy, completeness, adequacy, or currency of the information is not warranted or guaranteed and any use of it is at your own risk. If you require legal advice, you should consult with an attorney.

HIPAA COW may terminate these terms and conditions and your use of these Documents at any time if you violate any provision of these terms and conditions. Termination of these terms and conditions will not affect any obligations that accrued before the termination. If you understand and accept these conditions of use, click “I Accept” to enter the HIPAA COW Sample Documents Portal page.




HIPAA COW Risk Analysis & Risk Management Toolkit:

HIPAA COW is pleased to provide you with this HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit). Please note that this Toolkit is a work in progress. More documents will be added to further assist organizations in their efforts to complete a Risk Analysis, Risk Assessment, and their Risk Management strategy. Please contact us with any recommendations, questions, or special requests.

The following Toolkit documents are currently available:

1) Start Here: This Guide provides a summary of all the tools in this Toolkit (listed below) as well as ideas on how to use them to complete a risk analysis, risk assessment, and develop and implement a risk management strategy. It also includes a list of references reviewed and used while developing this Toolkit.

2) NIST Risk Assessment Steps

3) HIPAA COW Risk Assessment Template – Incorporated key information from the NIST 800-30 rev 1, September 2012 into the Current Threat List worksheet. Added Threat Type “header” descriptions. Also added Threat Event Description and Example Measures/Controls that May Reduce Likelihood, Impact, and/or Vulnerabilities columns to this worksheet.

This document contains several worksheets, including:

  • Example Security
  • P&P List
  • Security Questions
  • Threat Source List
  • Inventory Asset List
  • Risk Mitigation
  • Implementation Plan

4) NIST Threat Overview

5) Network Diagram Example

6) NIST Risk Definitions & Calculations

7) NIST Risk Mitigation Activities

8) HIPAA COW Risk Analysis Report Template

9) Risk Management Policy – This may be used by your organization as a template to create a Risk Management Policy.  The policy was updated on 1/16/13 to better align with the HIPAA COW Risk Analysis & Risk Management toolkit.

10) OCR Phase 2 Audit Protocol – This is simply a copy/paste of the OCR Phase 2 Audit Protocol that was posted in April 2016.

11) HIPAA COW OCR Audit Protocol – June 2012 – This OCR HIPAA Audit Protocol, with the last column added by HIPAA COW on the Security and Privacy & Breach worksheets, includes the question numbers that are currently believed to cover some or all of the audit protocol requirements for each specific item. The HIPAA COW Risk Management Networking Group reviewed the established performance criteria and audit procedures in the OCR HIPAA Audit Program and enhanced the HIPAA Security questions and recommended controls on the HIPAA COW Risk Assessment Template spreadsheet. This project was completed in August of 2013.

12) OCR Audit Protocol – June 2012: 2013 Cross Reference to the HIPAA COW Risk Assessment Changes Made

13) NIST SP 800-30 v2002 – This Toolkit is based on many of the methodologies described in this document.

HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this HIPAA COW Risk Analysis & Risk Management Toolkit (“Toolkit”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Toolkit. You may use this Toolkit for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Toolkit is provided to the recipient free of charge. If information is excerpted from this Toolkit and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Toolkit may not be sold for profit or used in commercial documents or applications. This Toolkit is provided “as is” without any express or implied warranty. This Toolkit is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Toolkit. Therefore, this Toolkit may need to be modified in order to comply with Wisconsin/State law.

The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It is not meant to be construed as a one-size-fits-all Toolkit. As previously stated, this includes only an example method to complete a HIPAA Security Risk Assessment. The HIPAA Security Rule requires this be completed on an ongoing basis, but does not prescribe how to accomplish this.

The authors of these documents carefully considered and included information that is believed to be of most importance, based on legal requirements, known HIPAA Security incident history, and personal experiences. With that said, it may include items not required by your organization, exclude items required, and/or include items that you need to tailor to your organization’s needs.

Contact Us: Please forward any questions, comments, enhancements or ideas for improvement about this Risk Toolkit to: admin2@hipaacow.org. We welcome your feedback.