HIPAA Risk Assessment Program

In order to remain in compliance with Federal regulations, the UW–Madison Office of Cybersecurity has implemented a HIPAA risk analysis process. It allows anyone at UW–Madison with access to HIPAA data to work with the Cybersecurity team to assess the IT environment that holds that data and then implement appropriate controls to protect it.

The Federal Government requires the protection of electronic protected health information (ePHI). The U.S. Department of Health & Human Services set out these requirements in the HIPAA Security Rule, which applies the protections of the Privacy Rule to ePHI. The Security Rule, at 45 CFR §164.308(a)(1)(ii)(A), legally requires covered entities to conduct a risk analysis: UW–Madison must perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds.

HIPAA Risk Assessment Process

1. Work with the IT tech team to determine whether the components of the checklist are met.

2. Reach out to the Office of Cybersecurity for a risk analysis consult.

3. Follow through the phases of the risk analysis cycle.

Process details for all steps

Step 1: Work with the IT tech team to determine whether the components of the checklist are met

This checklist gives the general requirements for building and maintaining an information system that stores and manages ePHI in compliance with HIPAA.

  • Implement access controls that limit the system and its data to individuals affiliated with the ePHI project.
  • Ensure staff are informed of security risks and of methods to reduce them.
  • Implement audit controls that record and report unlawful or unauthorized access to ePHI.
  • Document an inventory of information system assets and their security configurations.
  • Identify and maintain an inventory of staff with access to the information supporting the project.
  • Follow the UW–Madison Incident Reporting Policy and Procedure KB doc for reporting any potential compromise.
  • Create and maintain a process to manage the lifecycle of the information systems in the ePHI project.
    • Patch applications and servers.
    • Have a data disposal plan.
  • Control physical access to media containing ePHI.
    • Limit access to authorized users, and destroy media containing ePHI before disposal or reuse.
  • Conduct background checks when onboarding new staff with ePHI access, and remove access at off-boarding.
  • Restrict physical access to organizational information systems.
    • These spaces should be monitored.
  • Conduct periodic risk assessments.
  • Monitor the information systems.
  • Create, review, and update policies and procedures covering the items above.

Step 2: Reach out to Office of Cybersecurity for risk analysis consult

Contact Us

Step 3: Perform the risk analysis cycle

  1. Planning
    1. The project manager is responsible for tasks such as resource requests and scheduling for the UW–Madison HIPAA risk analysis.
    2. The phase ends when the organization and the project manager agree on the terms of the assessment.
  2. Inventory
    1. Preliminary material requests and introductory meetings occur during this phase.
    2. The phase ends when the complete inventory has been clearly defined.
  3. Discovery
    1. Begins once the inventory has been established. The project manager develops a test plan and schedule based on the materials the department provides.
    2. The phase ends when the test plan has been clearly defined and the risk analysts have been authorized to test.
  4. Testing
    1. Begins when the risk analysts have authorization and a test plan. The analysts verify that the technical, administrative, and physical security controls are in place as described in the test plan.
    2. The information submitted in the Inventory phase is verified with a non-intrusive Nmap scan.
  5. Risk Rating & Plan of Action and Milestones Creation
    1. The test results are analyzed in this phase to determine a risk rating for each individual risk and for each risk category.
    2. When all items have been accounted for and their risk levels assessed, a plan of action and milestones (POA&M) document is written with assistance from the Office of Cybersecurity.
    3. The risk analysts write an executive summary of the gaps identified in the analysis.
    4. The Cybersecurity team is available for consultation and follow-up on issues that arise during mitigation.
    5. Risk rating = (Impact) × (Likelihood)
  6. Risk Reporting
    1. Inform your department of the plan of action and milestones.
  7. Project Review
    1. The project manager conducts reviews of the processes and procedures.
    2. This ends the risk analysis cycle.
  8. Mitigating
    1. Can begin at any point in the risk analysis cycle. Mitigation is the responsibility of department staff and typically occurs once the Risk Reporting phase is complete.
    2. The project manager and the risk analyst review the mitigation steps for each risk rated above the campus risk tolerance threshold.
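To make the Testing-phase verification concrete, here is an added example (not part of the original page and not the Office of Cybersecurity's own tooling) that reconciles a department's declared inventory against the XML output of an Nmap scan. It flags hosts and open ports the scan saw but the department never declared, and declared items the scan could not confirm. The inventory, the scan output and the addresses are constructed for illustration; the nmap command in the comment is one non-intrusive profile and is an assumption, not the campus team's actual scan settings.

```python
"""Reconcile a declared ePHI inventory against Nmap XML output.

Added example: the inventory, scan output and addresses below are
constructed for illustration and are not real UW-Madison systems.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what the department declared in the Inventory phase,
# keyed by IPv4 address, with the TCP ports it says are exposed.
DECLARED_INVENTORY = {
    "10.10.5.10": {"role": "ePHI database", "ports": {5432}},
    "10.10.5.11": {"role": "application server", "ports": {443, 8443}},
    "10.10.5.12": {"role": "backup server", "ports": {22}},
}

# Constructed sample of Nmap XML output. One non-intrusive profile that
# produces this shape (an assumption, not the campus team's settings):
#   nmap -sT --top-ports 100 -T3 -oX scan.xml 10.10.5.0/24
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT --top-ports 100 -T3 -oX scan.xml 10.10.5.0/24">
  <host><status state="up"/><address addr="10.10.5.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.10.5.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.10.5.12" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.10.5.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """Return {ip: set(open TCP ports)} for every host Nmap reports as up.

    Only ports in state "open" count; "filtered" and "closed" are ignored
    so a firewall drop is not mistaken for an exposed service.
    """
    observed = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                open_ports.add(int(port.get("portid")))
        observed[addr.get("addr")] = open_ports
    return observed


def reconcile(declared, observed):
    """Compare the declared inventory with what the scan actually saw.

    undeclared_*: exposure the department did not declare (incomplete
    inventory, or something running that should not be).
    unseen_*: declared items the scan could not confirm (host down,
    service moved, or scan blocked). Both need resolving before rating.
    """
    report = {"undeclared_hosts": set(), "undeclared_ports": {},
              "unseen_hosts": set(), "unseen_ports": {}}
    for ip, ports in observed.items():
        if ip not in declared:
            report["undeclared_hosts"].add(ip)
            continue
        extra = ports - declared[ip]["ports"]
        if extra:
            report["undeclared_ports"][ip] = extra
    for ip, entry in declared.items():
        if ip not in observed:
            report["unseen_hosts"].add(ip)
            continue
        missing = entry["ports"] - observed[ip]
        if missing:
            report["unseen_ports"][ip] = missing
    return report


if __name__ == "__main__":
    for key, value in reconcile(DECLARED_INVENTORY, parse_nmap(NMAP_XML)).items():
        print(f"{key}: {value}")
```

Against real scan output, read the file written by `-oX` instead of the embedded string. In this constructed sample the scan surfaces an undeclared RDP listener on the database host and an entirely undeclared host, while the backup server was down and one declared application port was not seen; each is an inventory gap to settle with the department before the risk rating phase.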

Questions about the risk assessment program?