GA HITREC Risk Assessment - based on NIST 800-30 Management Guidelines

HIPAA Administrative Safeguards require a Risk Assessment to be performed at least once a year.

A Risk Assessment is the building block from which HIPAA Compliance begins. Here are the key components in this process.

HIT Risk Assessment Step #1: Inventory what creates, stores, receives, processes or transmits ePHI


Inventory all technology assets in your organization: Hardware - Software - Devices.

Consider whether or not the asset processes ePHI.

  • Hardware, Software, Devices and processes that handle ePHI
  • How is data created, received, processed, or transmitted that contains ePHI
  • The assets may be used in an operational or administrative capacity
  • Any software or computer program which processes, transmits or stores ePHI
  • We can help you identify a wide range of hardware and processes to include in the assessment
HIT Risk Assessment Step #2: Identify Threats, Vulnerabilities and their impact on your ePHI


Identify Threats, Vulnerabilities and their impact on your ePHI.

  • Identify realistic threats and potential vulnerabilities
  • Vulnerability Scans and Penetration Testing are utilized
  • Assess current security controls and safeguards
  • Assess probability of a threat attacking your ePHI intentionally or unintentionally
  • Determine the likelihood and impact of a threat exploiting a vulnerability
HIT Risk Assessment Step #3: Improve your organizations policies and security controls to prevent 
                                possible exposure or compromise of your ePHI


Improve the policies, procedures and safeguards that process and protect your ePHI and control access to it.

  • Draft and update policies to improve data safeguards and security control enforcement
  • Prioritize improvements to address safeguards that are required
  • Prioritize improvements to correct vulnerabilities that are most pressing within the current availability of resources
  • Prevention is the opportunity for your organization to consider and document any additional measures you wish to take to address and reduce risk
  • We help you manage your need -vs- budget condsiderations to then implement "reasonable and appropriate improvements"