GA HITREC Risk Assessment - based on the NIST SP 800-30 risk assessment guidelines

The HIPAA Security Rule's Administrative Safeguards (45 CFR 164.308(a)(1)(ii)(A)) require a covered entity to conduct a risk analysis of the threats to its electronic protected health information (ePHI). The rule does not fix a calendar interval; it expects the analysis to be kept current and reviewed periodically, and an annual review, plus a refresh whenever systems or operations change materially, is the common practice. The Risk Assessment is the building block from which HIPAA compliance begins. Here are the key components of the process.



Inventory all technology assets in your organization: hardware, software and devices.

For each asset, determine whether it creates, receives, maintains or transmits ePHI; only then can the rest of the assessment be scoped correctly.
  • Hardware, software, devices and business processes that handle ePHI
  • How ePHI is created, received, stored, processed or transmitted by each asset
  • Assets used in an operational or administrative capacity, not just clinical systems
  • Any software or computer program that processes, transmits or stores ePHI
  • We can help you identify the full range of hardware, software and processes to include in the assessment



Identify threats, vulnerabilities and their potential impact on your ePHI.

  • Identify realistic threat sources (adversarial, such as an external attacker, and non-adversarial, such as staff error or equipment failure) and the vulnerabilities they could exploit
  • Vulnerability scans and penetration testing are used to find the technical vulnerabilities
  • Assess the security controls and safeguards currently in place and how well they reduce each threat
  • Estimate the likelihood that a threat source acts on ePHI, intentionally or unintentionally, and succeeds in exploiting a vulnerability
  • Estimate the impact on the confidentiality, integrity or availability of ePHI if it does, and combine likelihood and impact into a risk level for each threat/vulnerability pair



Improve the policies, procedures and safeguards that process and protect your ePHI and control access to it.

  • Draft and update policies to improve data safeguards and the enforcement of security controls
  • Prioritize first the gaps in safeguards the Security Rule designates as required implementation specifications; addressable specifications must be implemented, replaced by a documented equivalent, or documented as not reasonable and appropriate
  • Then prioritize fixes for the highest-rated vulnerabilities within the current availability of resources
  • Document any additional preventive measures you choose to take to reduce risk, and record the rationale for risks you accept
  • We help you weigh need against budget and implement "reasonable and appropriate" improvements, with a remediation plan and a record of the decisions made
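The three steps above (inventory, threat/vulnerability analysis, prioritized remediation) are what a risk register records. The following is an added worked example, not GA HITREC's own tool or code: it scopes findings to assets that handle ePHI, rates each threat/vulnerability pair with a qualitative likelihood-by-impact matrix in the style of NIST SP 800-30 Rev. 1 Table I-2 (the cell values are reproduced from memory and should be checked against the published table), and orders remediations so that unmet required specifications and the highest-rated risks come first. The asset names, findings and ratings are constructed sample data.

```python
"""Qualitative risk register for an ePHI asset inventory (NIST SP 800-30 style)."""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Rows: likelihood that the threat event occurs and results in adverse impact.
# Columns: level of impact, Very Low .. Very High.  Assumption: values follow
# NIST SP 800-30 Rev.1 Table I-2 as recalled; verify against the source document.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a risk level."""
    if likelihood not in RANK or impact not in RANK:
        raise ValueError(f"unknown level: likelihood={likelihood!r} impact={impact!r}")
    return RISK_MATRIX[likelihood][RANK[impact]]


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # Hardware, Software or Device
    handles_ephi: bool   # does it create, receive, maintain or transmit ePHI?


@dataclass(frozen=True)
class Finding:
    asset: str
    threat_source: str   # "adversarial" (intentional) or "non-adversarial" (accidental)
    threat_event: str
    vulnerability: str
    current_controls: str
    likelihood: str
    impact: str
    remediation: str
    required_spec: bool  # True when a HIPAA *required* implementation specification is unmet


def build_register(assets, findings):
    """Return (in_scope, out_of_scope) entries; in_scope is sorted by priority."""
    inventory = {a.name: a for a in assets}
    in_scope, out_of_scope = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:  # a finding must trace back to the inventory
            raise ValueError(f"finding references un-inventoried asset {f.asset!r}")
        entry = {
            "asset": f.asset, "threat_source": f.threat_source, "threat": f.threat_event,
            "vulnerability": f.vulnerability, "likelihood": f.likelihood,
            "impact": f.impact, "risk": risk_level(f.likelihood, f.impact),
            "required_spec": f.required_spec, "remediation": f.remediation,
        }
        # Assets with no ePHI are still inventoried, but they are not ePHI risks.
        (in_scope if asset.handles_ephi else out_of_scope).append(entry)
    # Highest risk first; among equals, unmet required specs, then higher impact.
    in_scope.sort(key=lambda e: (-RANK[e["risk"]], not e["required_spec"], -RANK[e["impact"]]))
    return in_scope, out_of_scope


# Constructed sample inventory and findings (not real systems or scan results).
ASSETS = [
    Asset("EHR database server", "Hardware", True),
    Asset("Front-desk workstation", "Hardware", True),
    Asset("Nurse mobile tablet", "Device", True),
    Asset("Marketing website", "Software", False),
]
FINDINGS = [
    Finding("EHR database server", "adversarial", "remote attacker logs in and exfiltrates records",
            "RDP reachable from the internet without MFA", "password policy only",
            "High", "Very High", "remove internet exposure of RDP; require VPN with MFA", False),
    Finding("EHR database server", "adversarial", "ransomware encrypts the database",
            "no tested backups (Data Backup Plan 164.308(a)(7)(ii)(A))", "none",
            "Moderate", "Very High", "implement and test offline backups", True),
    Finding("Nurse mobile tablet", "non-adversarial", "tablet lost off-site",
            "no full-disk encryption", "screen lock only",
            "Moderate", "High", "enable device encryption and remote wipe", False),
    Finding("Front-desk workstation", "non-adversarial", "ePHI e-mailed to the wrong recipient",
            "no outbound e-mail encryption or DLP", "staff training only",
            "Moderate", "Moderate", "deploy e-mail encryption and DLP rules", False),
    Finding("Marketing website", "adversarial", "defacement via outdated CMS",
            "unpatched CMS plugin", "none", "High", "Low", "patch the CMS", False),
]


def prioritized_remediations():
    """Ordered (risk, asset, remediation) list for the sample data."""
    register, _ = build_register(ASSETS, FINDINGS)
    return [(e["risk"], e["asset"], e["remediation"]) for e in register]


if __name__ == "__main__":
    for risk, asset, fix in prioritized_remediations():
        print(f"{risk:<10} {asset:<24} {fix}")
```

The sort key is the whole point of the prioritization step: a Moderate-likelihood ransomware scenario with no tested backups ranks above the lost-tablet case not only because its impact is higher but because the Data Backup Plan is a required specification, whereas encryption of data at rest is addressable. The out-of-scope list is kept rather than discarded so the assessment can show that the marketing website was inventoried and consciously excluded from the ePHI risk analysis.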