This entry is part 10 of 60 in the series HIPAA Security Risk Analysis Tips


One of the sub-steps, if you will, in completing the Risk Determination step as part of doing a HIPAA Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) is to Document Present Security Controls. Here’s today’s big tip — Use the security controls bible!

For each Information Asset identified in your Information Asset Inventory process (e.g., systems, databases, major hardware, network equipment, operating systems, and application software), you need to document what safeguards and controls are presently in place. Read “HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals” for more on completing a HIPAA Security Risk Analysis.

We recommend you work through this process asset by asset, as it can be very detailed and time-consuming work.

Starting with your first Asset, list any and all security controls that you believe to be in place for this Asset.  In other words, describe how the confidentiality, integrity and availability of this Asset are being protected presently.  This work should include consideration of all administrative, physical and technical safeguards.

Reference the security controls bible: NIST SP800-53 Revision 3 Final, Recommended controls for Federal Information Systems and Organizations as an aid / guide / memory prompt.

The Clearwater HIPAA Security Risk Analysis ToolKit™ includes a worksheet from which you copy/paste relevant security controls from the “SP800-53 Controls” worksheet into the “Risk Determination and Remediation” worksheet.

As required by The HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.