Whether this is your first time using Compliance Manager’s Risk Assessment or you’re a seasoned professional, we recommend taking a few minutes to familiarize yourself with the Definitions and Additional Resources listed below. These will help you and your team complete your assessment accurately and confidently. If you need additional support while conducting your assessment, please contact our Client Success team at 877.777.9963 or support@healthicity.com, Monday through Friday, from 7 AM to 5 PM MT.
Definitions
45 CFR § 160.103 - Definitions
Workforce: Refers to employees, volunteers, trainees, and other individuals whose actions, while performing work for a covered entity or business associate, are directly controlled by that entity or associate. This applies regardless of whether they are paid by the entity or associate.
Risk analysis (Required): Perform a detailed and accurate assessment of potential risks and vulnerabilities regarding the confidentiality, integrity, and availability of electronic protected health information maintained by the covered entity or business associate.
45 CFR § 164.306 - Security standards: General rules
Standard: Covered entity or business associate must comply with applicable standards in the section.
Required: Covered entity or business associate must implement the specified implementation specifications.
Addressable: Covered entity or business associate must evaluate whether each implementation specification is a reasonable and appropriate safeguard in its environment; and implement the specification if it is reasonable and appropriate, or document why it is not reasonable and appropriate to do so; and implement an alternative measure that is equivalent if it is reasonable and appropriate.
Additional Resources
eCFR: Many Compliance Professionals prefer the eCFR site when looking at the language of the law compared to the PDF references found in various locations. As you complete the HIPAA Security Risk Assessment “(SRA),” you will find many links to the eCFR site for easy reference while working on your SRA. Additionally, some users may prefer the user experience of the Cornell Law site, which you can find here: https://www.law.cornell.edu/cfr/text/45/part-164
NIST SP 800-53 Rev. 5 - Website: Updated version 5 was released on September 23, 2020, and NIST has done a great job creating, defining, and communicating the Cybersecurity Control framework.
NIST SP 800-53 Rev. 5 – Document: We recommend downloading NIST SP 800-53 Rev. 5 PDF document before starting the assessment, familiarize yourself with the document layout, specifically the Controls Table. Version 5 is user-friendly, allows the user to search for controls, and has internal PDF hyperlinks to the related controls and control families. The SRA Assessor need not read the entire document, but understand its use definitions and navigation to the controls, when determining your organization’s measurement against the defined set of controls and control families.
NIST Cybersecurity Framework: NIST website dedicated to communicating all aspects of the NIST CSF.
NIST Cybersecurity Framework Core Excel Download: Downloadable spreadsheet, a great tool to reference the Cybersecurity framework and enhance documentation and communication between Compliance and IT Security.
NIST Cybersecurity Online Learning: Great resource to familiarize yourself with and share with your team the concepts of NIST cybersecurity.
© Healthicity, LLC
Comments
0 comments
Please sign in to leave a comment.