The Scope of a HIPAA Risk Assessment
-Risk analysis procedures & demonstration of a risk management process.
-Policies & procedures relevant to operational security, including business associate security requirements.
-Evidence of periodic technical & non-technical reviews.
-Information access restriction requirements & controls.
-Incident response procedures & disaster recovery plan.
-Physical access controls, such as building access and appropriate record keeping.
-Policies & procedures for workstation security.
-Proper usage, storage, & disposal of data storage devices.
-Auditing & audit procedures.
-Using encryption devices & tools if deemed appropriate.
-Implementation of technology to ensure ePHI integrity confidentiality, & availability
After determining your gaps, you will then have to remediate & track the outcome. Knowledge & expertise of the rules is essential when performing this process.