HIPAA RISK ASSESSMENT

Transcription

1 HIPAA RISK ASSESSMENT PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION) Practice Name: Address: City, State, Zip: Phone: We anticipate that your Meaningful Use training and implementation will take approximately 30 days. Most of your training will be done by attending courses at SammyUniversity.com. If, after you attend Sammy University you feel that you need additional on-on-one training, we will certainly make ourselves available to help you! Register for Meaningful Use ASAP! SammyEHR s CMS EHR Certification ID is SVAKEAS. HIPAA Compliance ICS has made me aware of the HIPAA security requirements. I decline ICS offer to assist me in becoming HIPAA compliant. Please assist me in becoming HIPAA compliant. I have completed the attached questionnaire. I will send it back to ICS completed to the best of my ability including payment ($399 for 1 office, $199 for each additional) Please make check payable and remit to: ICS Software, Ltd., 3720 Oceanside Road West, Oceanside, NY If paying by credit card, please include your information below: MasterCard Visa Amex Discover Card Number: Expiration: / Signature: Please send this form back to ICS via fax ( ), (support@icssoftware.net) or mail.

2 As part of the requirement for meaningful use the practice is required to perform a risk assessment. The types of risks that need to be addressed include Physical, Administrative and Technical Risks. This document is the risk assessment. If you do not understand what is being asked for in any given location, please leave it blank. PHYSICAL RISKS Loss of Power Loss of Power not only results in the inaccessibility of data on practice computer systems, but improper shutdown of computer systems due to power outages can result in damage not only to hardware but to loss of the data on those computer systems. An assessment of the possibility of loss of power and implementation of measures to mitigate potential damage by this event is necessary. 1. How many times in the past year have you lost power? 2. Do you have a Backup Generator? Yes No 3. Do you have UPS (Battery Backup) on all critical technology devices? Yes No Critical devices can include computers, networking equipment, and phone systems. Your server would be a critical computer, NOT all workstations are critical devices, but at least one should have a UPS installed. 4. Do you have phones that can plug directly into the wall and do not require a power source? Loss of Internet Connectivity Use of the internet is required for connection to Health Information Exchanges, remote offices, and other data sources. This connectivity may be necessary to insure that the patient data is available. The more data that is located off premises, the greater impact a loss of connectivity will be to your practice. The needs of the practice for connectivity, will determine the severity of a loss of connectivity and the steps required to mitigate a loss of connectivity. 1. How many times in the past two years have you lost internet connectivity? 2. How many of these were accompanied by a loss of electricity? 3. Do you have multiple connections from multiple internet carriers? Yes No 4. Do you have a wireless internet connection such as a laptop edge card in case of a service outage? Yes No 5. Is your database located at this location or is it offsite location? This location Offsite 6. Do satellite offices need to be able to connect to this location? 7. If your data is offsite it is located: In your other office In your computer at a data center In the cloud at an ASP

3 Other (please specify) Loss of Premises due to Fire In addition to the risks that fire poses to computer systems, fire poses a significant risk to the health and safety of the practice patients and workforce. The primary goal of a fire risk assessment and risk mitigation is to insure the safety of the people who are at the premises. With proper implementation of fire protection, it is possible to minimize damage to computer systems due to fire. In case of damage due to fire or other disaster, it may be necessary to implement the practice disaster recovery plan which is addressed in the HIPAA Security Manual. 1. Do you have fire extinguishers? Yes No Please mark the locations of all fire extinguishers on your practice floor plan. 2. Do you have sprinklers at your location? Yes No Please mark the locations of sprinklers on your practice floor plan. 3. Do you have smoke detectors? Yes No Please mark the locations of all smoke detectors on your floor plan. 4. Do you have fire alarms? Yes No Please mark the locations of all fire alarms on your floor plan. 5. Do you have central station monitoring for fires? Yes No Please mark the location of all fire extinguishers on your floor plan. Loss due to Theft Theft of computer systems and data represents a significant risk to the practice. Theft of computer systems or of data is a major HIPAA violation. There are multiple methods of theft, including theft of data and theft of physical computers and media. Here we will discuss risks posed by theft of physical devices. 1. Do you have an anti-theft system such as a burglar alarm? Yes No 2. Do you have central station monitoring? Yes No 3. Who is alerted if the alarm is triggered? 4. Is there video surveillance and recording of the premises? Yes No 5. Do you have motion detectors? Yes No 6. Are all external windows alarmed? Yes No a. If not, please describe why not: 7. Are all external doors alarmed? Yes No a. If not, please describe why not:

4 8. Are any internal windows or doors alarmed? Yes No Please mark location of all alarmed access points on your office floor plans. 9. Are you tracking who has access to the premises using keys / keypad access? Yes No 10. Are all computers in secure areas? Yes No Please mark the location of each computer on your floor plan. Indicate which rooms that store computers have locks installed. COMPUTER INVENTORY FORM List all computers, devices and media containing e-phi on the inventory sheet. Include details on who is responsible for mobile devices and media. Please give each device an ID. This ID will be utilized when documenting all of your installed software. Be sure to list the Make, Model and Serial Number of each device, and additionally the operating system and antivirus software (if any) on each computer or mobile device. Digital Printers and Copiers often have hard drives. If you have digital imaging devices such as printers, copiers, or scanners that contain hard drives you must have an inventory form for each of those devices. Please fill out one form for each workstation, laptop, server and PDA used in your practice. Please photocopy that form and keep a blank one available, you will need to add a Computer Inventory Form to your HIPAA manual each time you buy a new computer. Computer Name (please name each computer) Computer Make (eg Dell, HP etc) Computer Model How Many Hard Drives are in the Computer Are any of the Drives Encrypted Please provide details Operating System (Be Specific eg Windows XP Professional) Location of Computer (Front Desk, Treatment Room 1, Mobliel Kiosk) What Antivirus Software is installed? Is the computer connected to a Battery Backup? If yes please list make and model of Battery Backup If this is a mobile device who is responsible for this computer?

5 Media Destruction Documentation Hard Drive Make / Model Date Destroyed Replaced with Hard Drive Make / Model Date Destroyed Replaced with Hard Drive Make / Model Date Destroyed Replaced with Hard Drive Make / Model Date Destroyed Replaced with Hard Drive Make / Model Date Destroyed Replaced with You will notice a section titled Media Destruction Documentation on each of the Computer Inventory Forms. Each of these inventory forms will become part of your HIPAA manual and you need to track all media that your practice uses to store E-PHI. When media is retired the data on the media needs to be irreversible destroyed. This can be accomplished by using software that wipes the media, or by physically destroying the disks. Please describe the methods you use to irreversibly destroy all E-PHI from your retired media. You need to be specific. If you do not have a method we recommend utilizing Iron Mountain which provides hard disk shredding purposes.

6 OTHER PHYSICAL DAMAGE If your office is at risk of damage due to factors not addressed earlier in this questionnaire please detail those risks here. Risks could include but are not limited to Floods, Hurricanes, Earthquakes, or other natural disasters. In case of a disaster you may need to reinstall all programs, including operating systems. The installation disks should be stored at a location that is offsite. Where do you store your installation disks?

7 BACKUP AND RESTORATION In the event of a loss of equipment and or data, it is important to be able to access critical patient data. This is accomplished by having data backups, contingency plans, and disaster recovery plans all of which are addressed in your HIPAA Security Manual. In order for these plans to function certain steps need to be taken on a regular basis to insure the integrity and availability of data. 1. Do you backup data to local media? Yes No 2. If yes what type of media is utilized? 3. Is the media stored off site? Yes No 4. Do you have a fireproof safe at your practice location? Yes No 5. Do you have a fireproof safe at an offsite location? Yes No 6. How often to you back up your data? 7. How often do you test your backups? 8. How many days of backup to you retain locally? 9. Do you utilize remote backup services? Yes No 10. How often do you back up data remotely? Yes No 11. What type of media is utilized? 12. How often to you test your remote backup? 13. How many days of backup to you retain remotely? 14. What offsite backup company do you use? Please attach a copy of the BAA with your offsite backup service to your HIPAA manual. 15. Do you have copies of all installation disks? Yes No 16. Where are these disks stored? 17. How do you test your backup?

8 VENDORS SUPPLIERS, CONSULTANTS AND SUPPORT In the case of a disaster you will need the assistance of your hardware vendors, software vendors, and consultants. The details of disaster recovery are listed in your HIPAA Security Manual. Please list your vendors and consultants in this section. Include information on the Operating Systems and Anti-Virus Software. If you have multiple copies of software installed on multiple computers, please fill out information for each instance separately. Attach additional pages as necessary. Hardware Vendor: Contact Name: Phone Number(s) : address: Hardware Vendor: Contact Name: Phone Number(s) : address: Hardware Vendor: Contact Name: Phone Number(s) : address:

9 SOFTWARE VENDORS COMPLETE FOR EACH SOFTWARE VENDOR Software Vendor: Software Product and Version: Software License Information: Contact Name: Phone Number(s): address: 1. Does the software support encryption? Yes No 2. What type of encryption is implemented? 3. Does the software support auditing of use and access? Yes No 4. Does the software require a login? Yes No If the software requires a login: a. Does the software support or require strong passwords? Yes No b. Is this implemented? Yes No c. Does the software support or require regular password changes? Yes No d. Is this implemented and how often are passwords required to be changed? Yes No 5. Are automatic updates available with this software product? Yes No 6. Are automatic updates enabled? Yes No 7. If the automatic updates require annual renewal, when does the current update license expire?

10 TECHNICAL MEASURES Technical measures need to be implemented to insure security of your computer network. These technical measures are detailed in the HIPAA Security Manual. In order to properly answer these questions, you will probably need the assistance of your hardware and software vendors. 1. Do you have auditing software installed on your computer network? Yes No 2. What Auditing Software is utilized? 3. How often are the Audit Logs reviewed? 4. Is there an intrusion detection system installed on your computer network? Yes No 5. Does the computer network support a Login Threshold? Yes No 6. What is that threshold? 7. What happens if that threshold is exceeded? 8. Does the computer network support strong Passwords? Yes No 9. Is that implemented? Yes No 10. Please describe the password policy that is implemented on the computer. NETWORK SECURITY 1. Do you have a wireless network? Yes No 2. What type of firewall is installed (Make and Model)? 3. What type of router is installed (Make and Model)? Note that your Wireless Access Point and your router are often the same device. Please answer the following questions for each of your Wireless Access Points: Make and Model: Is MAC address security enabled? Yes No What type of wireless security is enabled? None WEP WPA WPA2/Personal WPA2/Enterprise Other please specify:

11 AUDITING SOFTWARE If your computer has any auditing software installed or your EMR software has built in Auditing please describe it here. STAFF ROSTER As part of the HIPAA security policies each staff member needs to receive annual HIPAA training and receive regular HIPAA reminders. We provide regular HIPAA training to your staff via webinars and regular updates via . We therefore require a separate valid address for each of your staff members. As part of the workforce authorization process it may be appropriate to perform background check on your employees. Staff Member name Address If you have done background checks, they should be attached to and made part of your HIPAA manual. Your HIPAA manual will have blank pages for each staff member (photocopy as needed) which should be filled out for each existing employee and each new employee. They contain information that needs to be filled out when each employee leaves your practice.

12 ASSIGNED RESPONSIBILITY HIPAA requires that you assign staff members to various security / privacy posts within your practice please let us know who is: Practice Security Officer: This is the person responsible for implementing all of the security provisions detailed in this HIPAA manual, testing of the security procedures and making necessary changes to your manual should they be required. This person will be in charge of your Security Incident Response Team in case of a HIPAA breach Practice Privacy Officer: This is the person responsible for communicating with your patients should they have any questions or issues regarding HIPAA privacy in your office. In case of a breach they will work with the Security Officer and be on the Security Incident Response Team to mitigate any breaches. Practice Compliance Officer: This is the person who is responsible for monitoring the employees of your practice to insure that they are following your HIPAA policy, and this person will be responsible for insuring that the logs in the HIPAA manual are updated as appropriate. BUSINESS ASSOCIATE AGREEMENTS Provide a list of all companies having access to any patient information for any purpose and any individuals who have remote access. This includes orthotic labs if you put patient names on the orthotic Rx, but not doctors to whom you send and from whom your receive referrals. Ex: Accountants, practice consultants, transcription services, billing companies, etc. Do NOT list employees of your practice. Please attach copies of the Business Associate Agreements with each of the entries above.

13 FLOOR PLAN Please draw a floor plan of your practice. Each of the following must be marked: Doors Windows Computers Fire Theft If the door has a lock please indicate If the door is alarmed please indicate If the window has a lock please indicate If the window is alarmed please indicate Mark where each computer is located Please name each computer (see inventory sheet) Please mark locations of Fire Detectors and Fire Extinguishers Please mark location of motion detectors, video cameras and keypads Attach your floor plan to this questionnaire.

14 REMOTE ACCESS Does anybody access your practice computers remotely? Yes No Please describe the security that has been implemented for each remote user.