“Covered Entities” are required by law to conduct annual HIPAA Risk Assessments

The VRBNC HIPAA Compliance Risk Assessment includes:
  1. a Comprehensive Network Assessment;
  2. a Network Security and Vulnerability Assessment;
  3. PLUS our comprehensive HIPAA Risk Assessment:
    • On-Site Surveys and Interviews
      • Investigation and documentation of physical and technical security
    • HIPAA Policy and Procedures Document
      • Best practices to comply with the technical requirements of the HIPAA Security Rule
    • HIPAA Risk Analysis
      • One of the primary requirements of the HIPAA Security Rule’s Administrative Safeguards
      • Helps identify the locations of ePHI; what protections are in place; and where more protection is needed
      • Produces a list of items that must be remediated to ensure the security and confidentiality of ePHI
    • HIPAA Management Plan
      • Using Risk Scoring, prioritizes the remediation recommendations for uncovered issues
      • A Risk Management Plan defines the strategies with tasks required to minimize, avoid, and respond to risks
    • Evidence of HIPAA Compliance
      • Includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities
      • Documentation must be kept for six years

These core documents, along with all supporting documentation, will help “Covered Entities” and “Business Associates” meet their responsibility of having the HIPAA Risk Assessment conducted.

All Periodic Assessments may be performed on a monthly, quarterly, semi-annual, or annual basis as per agreement. Our ‘Best Practice’ recommendation is to always conduct Periodic Assessments after a significant change to your network has occurred (hardware, software, or change of personnel). Periodic Assessments include ‘Change Reporting’ from the prior Assessment.

Please note that the minimum required periodic HIPAA Risk Assessment should be performed on an annual basis by law.  Best practice is to have a HIPAA Risk Assessment performed at regular intervals to ensure that the organization is not only compliant at the time of the Risk Analysis (or after the completion of the Remediation Project), but that it remains compliant at all times.

Please use the Inquiry Form on the Network Assessment page for more information or to schedule a consultation.


HIPAA & HITECH Reference InfoLinks: