• Document: HIPAA Privacy and Security Risk Assessment and Action Planning
  • Uploaded: 2018-12-08 23:08:44

HIPAA Privacy and Security Risk Assessment and Action Planning

Practice Name: __________
Date: __________
MU Stage: __________
EHR Vendor: __________
Participants: __________ __________ __________ __________

| Access Control | DESCRIPTION | STATUS / RISK LEVEL | Analysis / Action Plan Items |
|---|---|---|---|
| Unique ID and PW for Users (TVS016) | Each user is assigned a unique name and/or number and password in order to access the EHR? | Yes / No / N/A. Risk: Low / Med / High | |
| Role Based Access (TVS023) | Access to the EHR is configured based on the user’s role within the Practice and privileges restricted to those roles? | Yes / No / N/A. Risk: Low / Med / High | |
| Account Lockout | Applications accessing PHI are set to lock out user after multiple failed login attempts? | Yes / No / N/A. Risk: Low / Med / High. Now set to __________ times, Should be set to __________ times | |
| Password History | EHR restricts use of previously used passwords; how often can a PW be reused? | Yes / No / N/A. Risk: Low / Med / High. Now set to __________ times, Should be set to __________ times | |
| Password Change | The EHR password is set to expire on a regular basis, i.e. after 90 days? | Yes / No / N/A. Risk: Low / Med / High. Now set to __________ months, Should be set to __________ months. Should be __________ months | |
| Password Length and Complexity | Do applications accessing e-PHI require a long, complex password, e.g. >8 characters and containing >3 occurrences of: Upper Case, Lower Case, Numbers, Special Characters? | Yes / No / N/A. Risk: Low / Med / High. Now set to __________ Should be set to __________ | |
| Emergency Access (TVS015, TVS026) | Are procedures in place for obtaining e-PHI remotely or in an emergency through a secure link? | Yes / No. Risk: Low / Med / High | |
| Audit Logs (TVS014, TVS017, TVS019) | Audit logs are maintained for e-PHI programs and they are reviewed regularly. | Yes / No. Risk: Low / Med / High. Sys/Net Logs Audit: __________ Aplctn Logs Audit: __________ | |

HIPAA Privacy and Security Assessment – v.pp.Jun-26-2014 Page 1

| e-PHI Hosting | DESCRIPTION | STATUS / RISK LEVEL | Analysis / Action Plan Items |
|---|---|---|---|
| Infrastructure Cloud, Hosted Server, or Locally Hosted | Responsibility for technical aspects of practice operations is outsourced to vendors deemed knowledgeable and reliable in providing technology services. | Risk: Low / Med / High. ePHI is hosted by Cloud / ISP. ISP/Cloud Name: __________ ePHI is hosted Locally. Tech Support Provided By: __________ __________ | |
| Firewall Review (TVS0019) | The firewall has appropriate configuration and security - Access Cntl Lists, VPN’s, Certs, Maintained by Professional ISP / HOST Vendor upd | Yes / No. Risk: Low / Med / High | |
