The completion of a risk assessment is a requirement of the HIPAA compliance process. The risk assessment identifies the current level of risk to ePHI data in use, at rest or in transmission. Completing this process is one of the most critical steps in identifying controls used to mitigate risks to ePHI – and the effectiveness of the control in reducing the risk to ePHI. This process can also be leveraged in the identification of other requirements for data privacy.
Assessing and implementing the necessary safeguards for HIPAA compliance can be enhanced greatly by an assessment team with extensive technical capability and experience, as well as audit skills. The mix of these skills allows efficient communication with highly technical IT departments while simultaneously providing understandable technical requirements and remediation strategies to management and internal audit departments. This combination of technical expertise and the ability to translate IT terms and processes for various audiences is typically one of our IT audit team’s most complimented attributes.
“…The Auditwerx team provided us with the necessary guidance, tools and knowledge allowing us to improve the overall process concerning both system’s security and privacy, as well as support to implement better controls that are a hard requirement in our sector…We would highly recommend Auditwerx services to organizations of all sizes and requirement complexities.”
The Auditwerx IT audit team defines the system boundaries and completes an ePHI risk assessment based on the ePHI data flow and the risks associated with ePHI data at rest, in transit and in use. During a HIPAA security assessment, each of the four areas of the HIPAA security standards listed below will be assessed.
The nine standards in this area outline the process infrastructure needs for effective security of electronic Protected Health Information. These standards address:
The approach for assessing administrative safeguards will involve reviewing policies, procedures and processes, and interviewing responsible personnel, with respect to information security responsibility.
A SOC 1 report could help demonstrate the IT general controls and business process controls in place to achieve control objective statements.