HIPAA Compliance

If your organization handles individually identifiable health information, the Health Insurance Portability and Accountability Act (HIPAA) has a number of requirements that SimpleRisk can help you with.  In fact, our open source SimpleRisk Core product can be downloaded for free and can be used to check each of the following requirements off your list:

  • Requirement §164.306(b): Does the covered entity comply with the Security Rule, accounting for its size, technical infrastructure, and cost, as well as the probability of potential risks to electronic protected health information, in accordance with the established criteria?
  • Requirement §164.308(a)(1)(ii)(A): Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
  • Requirement §164.308(a)(1)(ii)(B): Does the entity have policies and procedures in place regarding a risk management process sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
  • Requirement §164.308(a)(4)(ii)(C): Does the entity have policies and procedures in place to authorize access and to document, review, and modify a user's right of access to a workstation, transaction, program, or process, and does it actually practice these policies and procedures?
  • Requirement §164.308(a)(8): Does the entity have policies and procedures in place to perform periodic technical and nontechnical evaluations, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes or newly recognized risks affecting the security of ePHI?
  • Requirement §164.316(b)(1): Does the entity have policies and procedures to maintain written policies and procedures related to the Security Rule, and written documentation of any actions, activities, or assessments required by the Security Rule?
  • Requirement §164.316(b)(2)(ii): Does the entity have policies and procedures in place requiring that documentation be made available to the workforce members responsible for implementing the applicable Security Rule policies and procedures?
  • Requirement §164.530(j): Does the entity maintain all required policies and procedures, written communications, and documentation in written or electronic form, and is such documentation retained for the required time period?

Getting started with SimpleRisk is easy. You can download SimpleRisk from our website and install it on your own servers, or you can take a free 30 day trial of our SimpleRisk Hosted solution. Once you have your SimpleRisk instance up and running, we highly recommend registering it. Registration is required if you decide you need any of our paid SimpleRisk Extras, but it also gives you access to our free Upgrade Extra, which provides a one-click backup and upgrade solution, and to our free ComplianceForge SCF Extra, which incorporates the Secure Controls Framework directly into SimpleRisk. You can register and download these by going to the Configure -> Register & Upgrade page in your SimpleRisk instance. Once downloaded, select Configure -> Extras and click on "No" in the Enabled column of the ComplianceForge SCF Extra. Click "Activate" and you should see a list of all of the frameworks that have been mapped into the Secure Controls Framework:

ComplianceForge SCF Extra

As you can see in the screenshot, there are four different framework mappings in the Secure Controls Framework for HIPAA depending on your practice size. Find your appropriate HIPAA standard in the list and then click the ">" button to move it to the Enabled list. Now, click on the "Governance" menu in SimpleRisk and you will see your selected framework in the list of active frameworks:

SimpleRisk Active Frameworks

Click on the "Controls" tab and select your framework name from the "Control Framework" dropdown list. Currently, there are controls in the Secure Controls Framework that have been mapped directly to US HIPAA, 81 controls mapped to HIPAA - HICP Small Practice, 133 controls mapped to HIPAA - HICP Medium Practice, and 227 controls mapped to HIPAA - HICP Large Practice.

Now, several of the HIPAA requirements are centered around ensuring that your policies and procedures are documented, in use, and known to all parties. SimpleRisk handles this through the "Document Program" menu under "Governance". Here you can define all of your Policies, Guidelines, Standards, and Procedures. You can tie each one back to the frameworks and controls that you've defined in Governance and set review dates. SimpleRisk can even track versions of these documents as they change. Of course, the HIPAA requirement is that your workforce members have access to these documents, so go to Configure -> Role Management in your SimpleRisk instance and create a new role with "Allow Access to Governance Menu" checked. Keep this role limited to what an ordinary user needs in order to read the documents; the ability to edit frameworks, controls, and documents should stay with the smaller group that owns them. Under Configure -> Settings, you can set this as your Default Role. You could even use our Custom Authentication Extra to integrate SimpleRisk with your Single Sign-On provider through SAML so that user accounts are automatically provisioned with this default role upon first login. How simple is that?

Because there will always be exceptions to your defined policies, SimpleRisk can even be used to track exceptions, justifications, approvers, and approval dates. To assist with automating all of this, with our Email Notification Extra, you have the ability to receive messages notifying you of when these exceptions are due for a re-review.

Lastly, HIPAA specifically requires a formal risk assessment and risk management process. A risk management process based on NIST SP 800-30 has always been at the core of what SimpleRisk has to offer. Click on the "Risk Management" menu in SimpleRisk and you'll see the capability to Submit a Risk, Plan a Mitigation, and Perform a Review. Not sure how to get started with your risk assessment? Click on the "Assessments" menu at the top and then select the "HIPAA (April 2016)" assessment from the list.

HIPAA (April 2016) Assessment

This questionnaire will walk you through each of the HIPAA requirements, one-by-one, and your answers will be used to create pending risks, which can be added into SimpleRisk with the click of a button!

With our Import-Export Extra, you even have the ability to import lists of assets and vulnerabilities from tools such as Rapid7 Nexpose and Tenable.io. Those assets can be tagged to reflect their association with HIPAA (for example, the systems that create, receive, maintain, or transmit ePHI), and you can set an asset valuation to help move your risk assessment practice from qualitative to quantitative scoring, then use our Risks and Assets report to get the Maximum Quantitative Loss value for a risk:

Risks and Assets Report

As you've seen, our free and open source SimpleRisk Core product can be used to handle a ton of the HIPAA requirements around documenting your policies and procedures, maintaining an inventory of assets, and managing your risks. Those spreadsheets left behind by the auditors typically get filed away on a network share somewhere and seldom get looked at. Wouldn't you rather be using a system where you can manage and interact with your risks as part of an ongoing process? No credit card is required for you to get started today with a free trial or schedule a demo with us to learn more!