At Nesbitt & Associates we provide detailed HIPAA risk assessment packages for healthcare facilities. Did you know that HIPAA requires a risk assessment to be done every three years and/or when a triggering event occurs? A risk management plan is also required if sufficient risk is found during the HIPAA Risk Assessment.

The regulatory environment surrounding HIPAA can be quite confusing. Our staff relieve the stress surrounding one of the biggest areas of non-compliance found in the latest HIPAA audit: 85% of businesses were found to be in non-compliance with HIPAA because they had not conducted a HIPAA Risk Assessment.

Though HIPAA requires a risk assessment, it does not detail how one should be conducted. This was left open deliberately so that companies can determine how they will conduct a HIPAA risk assessment. Even if you have purchased HIPAA policies, those policies often only outline how to conduct a risk assessment, and therefore the assessment itself still needs to be completed to be in compliance.

What is included in the HIPAA risk assessment:

Our HIPAA Risk Assessment includes all the addressable and required pieces outlined within the HIPAA regulations. During the assessment process we will look at three major types of risk items.

Physical Security Assessment

Our HIPAA physical security assessment covers the many safeguards that should be in place around any location where protected health information is stored or handled. This includes:

  • Doors and Locks
  • Access controls and employee tracking
  • Windows and line-of-sight risks
  • Man-traps and other security safeguards
  • Vehicle access and audit controls
  • Exfiltration safeguards
  • Printer physical access
  • Network equipment physical access
  • Kiosk and computer terminal access

Digital Security Assessment

Training Assessment

Risk Management Plan

All of our HIPAA Risk Assessment services come with a recommended risk management plan. This plan will outline the key risk areas and offer solutions to mitigate those risks. While not all suggestions will need to be completed to be in compliance with HIPAA, it is good practice to mitigate as many risks as possible to lessen the threat of a breach.

Cyber Security Insurance

While many healthcare facilities have the required funds to mitigate risks, Nesbitt & Associates often suggests that cyber security insurance be purchased on top of risk mitigations. Cyber security insurance can give you greater peace of mind that, in the event of a suspected breach, you have the resources to investigate properly.

Cyber Security insurance policy review and recommendations

At Nesbitt & Associates we often find that current cyber security insurance policies have clauses that exclude certain very prominent risk factors. We will also review your policies and inform you of what they do and do not cover. Many policies state that if the intrusion to the network occurred because of social engineering, then the policy does not or will not pay out. Since social engineering is roughly 85% of the way attackers gain access to computer systems, that means you are only covered for 15% of the cases that may happen.

We do not have preferred insurance providers; rather, we can assist you in creating a request for proposal to send to many providers and advise you on what our experts deem the best solution.

Copyright Nesbitt & Associates 2019