Security Risk Assessments

Completed Security Risk Assessment

The requirement to have a completed HIPAA risk analysis has been in place since the HIPAA Security Rule was issued in 2003 (45 CFR 164.308(a)(1)(ii)(A)).  Even so, many healthcare organizations have never completed one.  The Office for Civil Rights (OCR) is now aggressively pursuing HIPAA violations, and the penalties are steep.  

Expert HIPAA Risk Assessment

Corporate Software Management (CSM) can perform a HIPAA Risk Assessment.  


Even if you perform risk assessments internally, an outside review can be more thorough, and the advice you receive may help you see current practices and procedures in a new light.  Don't risk the fines and negative publicity that follow a privacy breach, or other missteps, given OCR's current elevated focus on HIPAA enforcement.  

Find out more

CSM can help your organization comply with current HIPAA regulations and set up systems that will help protect you for years to come.    

HIPAA, HITECH, and Meaningful Use

The HITECH Act of 2009 updated HIPAA and introduced several additional safeguards.  The Meaningful Use criteria for certified EHR technology also include a specific requirement to perform a HIPAA risk assessment in order to qualify for the HITECH Act incentives for adopting EHR technology.  The requirement to perform a HIPAA risk assessment therefore comes from two sources:


1. The original requirement in the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), which applies to every covered entity and business associate.

2. For healthcare organizations applying for HITECH Act EHR Meaningful Use incentives, the requirement to complete (or review) a HIPAA risk assessment as part of attesting to the organization's meaningful use of certified EHR technology.  

Proper completion of your HIPAA risk assessment must cover both the Privacy Rule and the Security Rule.  The HIPAA Privacy Rule refers to the standards that protect individuals' medical records and other protected health information (PHI).  It requires appropriate safeguards intended to protect the privacy of PHI, and gives patients rights over their health information.  

SRA FAQs - What should I cover?

The HIPAA Security Rule includes standards intended to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate (1) administrative, (2) physical, and (3) technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.  A complete assessment should cover at least the following areas:  


  • Workforce Training, Published Policies and Sanctions
  • Staff Security Responsibilities 
  • Workforce Clearance/Termination Procedures 
  • Authorization and Supervision of Access to ePHI 
  • Isolating Health Care Clearinghouse Functions 
  • Log-in Monitoring and Password Management
  • Security Incident Management and Response
  • Endpoint Malware Protection
  • Security Awareness Training/Security Reminders
  • Risk Analysis/Vulnerability Assessment
  • Contingency Planning
  • Data Backup Plan and Disaster Recovery Plan
  • Emergency Mode Operation Plan; Testing and Revision Procedures
  • Applications and Data Criticality Analysis
  • Facility Access Controls; recommended changes/updates
  • Facility Security Plan, including access controls and maintenance/repair records
  • Workstation Use/Security Policies and Practices
  • Policies and Procedures for Device and Media Controls (Disposal, Reuse, Accountability)
  • Technical policies to manage ePHI access (Unique User ID, Emergency Access Procedure, Automatic Log-off, Encryption)
  • Audit Controls; Integrity (mechanisms to authenticate ePHI); Person or Entity Authentication; Transmission Security (Integrity Controls and Encryption)
  • Breach Notification Plan/Procedures.

Contact Us