RISK ANALYSIS & RISK MANAGEMENT PLAN
1/7/2016

Practice Name: Your Practice

Address: Your Address, Boulder, CO 80307

Phone number: (866) 611-6748


Contact: Richard Williams

Users

Richard Williams

Richard Williams

Associates

Asset Inventory

| Category | High | Medium | Low |
|---|---|---|---|
| Administrative | 0 | 23 | 41 |
| Physical | 0 | 20 | 23 |
| Technical | 0 | 14 | 29 |
| Combined | 0 | 60 | 93 |
Table View
| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A01 | §164.308(a)(1)(i) | Yes | | Low | Yes. We use this outline and have documentation customized to our practice, roles and corresponding access authorities. | | | N/A | [RCW] 1/6/2016 2:28:53 am |
| A02 | §164.308(a)(1)(i) | Yes | | Low | | | | N/A | [RCW] 1/1/2016 1:04:22 pm |
| A04 | §164.308(a)(1)(ii)(A) | Yes | | Low | Done when a breach has been suspected, when new applications or equipment are purchased, and periodically on updates of applications or systems. | | | N/A | [RCW] 1/3/2016 1:05:16 am |
| A05 | §164.308(a)(1)(ii)(B) | Yes | | Medium | We use this risk assessment tool at least annually and when there is an addition or change to our technology infrastructure. | | | N/A | [RCW] 1/4/2016 10:08:09 am |
| A07 | §164.308(a)(1)(ii)(B) | Yes | | Low | Yes. This is done at the completion of the audit/risk assessment to all employees. | | | N/A | [RCW] 1/4/2016 10:14:18 am |
| A08 | §164.308(a)(1)(ii)(B) | Yes | | Low | Security plan is completed and available for review to all employees. Copies are made available to those with security responsibilities only. | | | N/A | [RCW] 1/4/2016 10:17:24 am |
| A14 | §164.308(a)(2) | Yes | | Medium | This role is defined but currently filled by the practice principal. Qualifications are minimal but sufficient. | | | N/A | [RCW] 1/4/2016 10:19:07 am |
| A57 | §164.308(a)(8) | Yes | | Medium | Policies and procedures are documented and include this risk assessment process. Risk assessments/audits are done once a year or when major changes occur. | | | N/A | [RCW] 1/4/2016 10:21:35 am |
| A58 | §164.308(a)(8) | Yes | | Medium | This is done at least annually or when a significant change occurs as part of our risk assessment/security audit. | | | N/A | [RCW] 1/4/2016 10:22:24 am |
| A59 | §164.308(a)(8) | Yes | | Medium | This security officer role is defined but is being filled by the practice principal at this time. | | | N/A | [RCW] 1/4/2016 10:23:08 am |
| PO01 | §164.316(a) | Yes | | Medium | Policies and procedures are evaluated by a security consultant who helps us assess risks and recommend risk-mitigating procedures based on current standards of practice and available technology. | | | N/A | [RCW] 1/4/2016 10:24:58 am |
| PO02 | §164.316(b)(1)(i) | Yes | | Medium | Practice principal reviews and makes changes as necessary. A consultant is engaged when it is considered necessary. | | | N/A | [RCW] 1/4/2016 10:27:36 am |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A03 | §164.308(a)(1)(ii)(A) | Yes | | Low | | | | N/A | [RCW] 1/4/2016 11:50:51 am |
| A20 | §164.308(a)(3)(i) | Yes | | Low | Yes. This is maintained by the person doing the security officer role. | | | N/A | [RCW] 1/4/2016 11:53:27 am |
| A21 | §164.308(a)(3)(i) | Yes | | Low | 1. Educated self to understand access controls. 2. If another staff member joins, I will manage access controls for joint case work files. | | | N/A | [RCW] 1/1/2016 2:16:24 pm |
| PH10 | §164.310(a)(2)(ii) | Yes | | Low | Yes. It is both electronic and in paper form. | | | N/A | [RCW] 1/4/2016 10:47:49 am |
| PH11 | §164.310(a)(2)(ii) | Yes | | Low | Training and periodic reviews of compliance are done. | | | N/A | [RCW] 1/4/2016 10:48:18 am |
| PH19 | §164.310(b) | Yes | | Low | Yes. This is part of the risk assessment/audit done annually or when there is a significant change. This inventory is updated at the time of the addition or change of a device. | | | N/A | [RCW] 1/4/2016 11:51:56 am |
| PH20 | §164.310(b) | Yes | | | Yes. Currently all workstations are used only in the office. | | | N/A | [RCW] 1/4/2016 11:49:36 am |
| PH25 | §164.310(c) | Yes | | Medium | Yes. Policies for protecting these devices are in our policy and procedure manual. | | | N/A | [RCW] 1/4/2016 11:52:57 am |
| PO03 | §164.316(b)(1)(ii) | Yes | | Low | All documentation is kept by the security officer in electronic form. Paper form is offered for review by other employees. | | | N/A | [RCW] 1/4/2016 10:28:34 am |
| PO04 | §164.316(b)(2)(i) | Yes | | Low | Yes. Electronic versions are stored in our archives at each revision. | | | N/A | [RCW] 1/4/2016 10:29:52 am |
| PO05 | §164.316(b)(2)(ii) | Yes | | Medium | Yes. All documentation is available for review in paper form. Training is provided as required for each defined role. | | | N/A | [RCW] 1/4/2016 10:46:39 am |
| PO06 | §164.316(b)(2)(iii) | Yes | | Low | An annual review is scheduled with the risk assessment/audit. Additional reviews are done when significant changes occur. | | | N/A | [RCW] 1/4/2016 10:47:28 am |
| T25 | §164.312(b) | Yes | | Medium | Yes. This is part of the annual risk assessment and audit. | | | N/A | [RCW] 1/4/2016 11:50:18 am |
| T37 | §164.312(d) | Yes | | | This is maintained as part of the confidential data assigned to the security officer. | | | N/A | [RCW] 1/4/2016 11:50:46 am |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A23 | §164.308(a)(3)(ii)(A) | No | | Low | I am the only employee but have definitions for various roles if a consultant or employee is hired. | | | Practice Size | [RCW] 1/4/2016 11:54:21 am |
| A24 | §164.308(a)(3)(ii)(A) | Yes | | Low | This is maintained by the security officer. | | | N/A | [RCW] 1/4/2016 2:54:17 pm |
| A25 | §164.308(a)(3)(ii)(A) | Yes | | Low | I am the only one who can access by userid and non-trivial password. I have installed protection from access by others on the PC or through the network. | | | N/A | [RCW] 1/1/2016 4:44:31 pm |
| A26 | §164.308(a)(3)(ii)(B) | Yes | | Low | Principal is the only one accessing data at this time. However, policies and procedures have been developed that describe processes and tasks that could be assigned to a receptionist and billing clerk. Within these processes, there are descriptions of the data that could be accessed and for what purpose. Access would not need supervision for these tasks. | | | N/A | [RCW] 1/5/2016 9:41:51 pm |
| A28 | §164.308(a)(3)(ii)(C) | Yes | | Medium | Security officer role manages this. | | | N/A | [RCW] 1/4/2016 2:54:41 pm |
| A29 | §164.308(a)(3)(ii)(C) | Yes | | Low | I am the only member, but I do have a successor policy should I die or close the business. I do have a policy for closing BAAs. | | | N/A | [RCW] 1/2/2016 9:34:47 am |
| A30 | §164.308(a)(4)(i) | Yes | | Low | Described in security plan. | | | N/A | [RCW] 1/4/2016 3:00:00 pm |
| A31 | §164.308(a)(4)(ii)(B) | Yes | | Low | I am the only workforce member. For BAAs I do this by sending encrypted copies of materials to BAAs. | | | N/A | [RCW] 1/2/2016 10:40:35 am |
| A32 | §164.308(a)(4)(ii)(C) | Yes | | Low | I am the only workforce member, but my policy includes receptionist and billing clerk roles and how these roles segregate authorities. | | | N/A | [RCW] 1/2/2016 10:46:35 am |
| A33 | §164.308(a)(4)(ii)(C) | Yes | | Low | Roles are defined. Processes and authorities are assigned to those roles. Each database in our digital records is assigned an access authority and these are offered to each role that has a need to know. Physical files are also segregated and locked such that this is also true for physical files. | | | N/A | [RCW] 1/5/2016 8:13:42 am |
| PH13 | §164.310(a)(2)(iii) | Yes | | Low | Currently I am the only workforce member. I am the only one with access. However, there are contingencies for receptionist and billing clerk access. | | | N/A | [RCW] 1/2/2016 11:11:27 am |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| PH14 | §164.310(a)(2)(iii) | Yes | | Low | I am the only workforce member; however, I have security profiles that allow for receptionist and billing clerk roles. Data is segregated based on the definitions of these roles and the data they require access to. Access profiles for data include these roles and the data each role would have to access to perform those jobs. All of these roles are assigned to me at this time. | | | N/A | [RCW] 1/2/2016 11:16:10 am |
| PH21 | §164.310(b) | Yes | | Low | This is documented under our security plan. Workstations are not shared. | | | N/A | [RCW] 1/5/2016 8:21:36 am |
| PH22 | §164.310(c) | Yes | | Medium | All workstations time out when not in use and require a re-logon to re-access the computer. | | | N/A | [RCW] 1/2/2016 10:08:20 pm |
| PH29 | §164.310(c) | Yes | | Low | Allowed under extraordinary conditions. A complete protocol for network use, maintaining physical possession and limiting access to authorized personnel is specified. | | | N/A | [RCW] 1/5/2016 8:23:27 am |
| T01 | §164.312(a)(1) | Yes | | Low | This is documented in our security policy. | | | N/A | [RCW] 1/5/2016 8:23:50 am |
| T02 | §164.312(a)(1) | Yes | | Low | Yes. Each user profile contains the list of ePHI items and programs they may use. | | | N/A | [RCW] 1/2/2016 10:46:41 pm |
| T03 | §164.312(a)(1) | Yes | | Low | System analysis was done for the roles of therapist, receptionist and billing clerk. Future roles will have a similar analysis done. | | | N/A | [RCW] 1/2/2016 10:48:35 pm |
| T04 | §164.312(a)(1) | Yes | | Medium | Security settings were established as required for security. These are set as recommended on each device and application. A record of these settings and a backup of the initial system with applications was made for reference and to be restored in an emergency. | | | N/A | [RCW] 1/2/2016 10:52:02 pm |
| T05 | §164.312(a)(2)(i) | Yes | | Low | Yes. This is assigned by the owner. It is generally the first letter of the first name and full last name. If a duplication were to occur, the first letter of the middle name would be included. If this is still not unique, a number would be appended to the id. | | | N/A | [RCW] 1/2/2016 10:56:13 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A06 | §164.308(a)(1)(ii)(B) | Yes | | Low | Risk assessment is done annually or at an incident or significant change, with the goal of reducing the likelihood of incidents and limiting the extent of data exposed. | | | N/A | [RCW] 1/5/2016 8:29:24 am |
| T06 | §164.312(a)(2)(i) | Yes | | Low | As specified in our security policy, each user has a unique identifier or userid and a privately set password. The security officer sets up these userids. | | | N/A | [RCW] 1/5/2016 8:26:01 am |
| T17 | §164.312(a)(2)(iii) | Yes | | Low | This is documented in our security policy section for unattended computers. | | | N/A | [RCW] 1/5/2016 8:27:07 am |
| T18 | §164.312(a)(2)(iii) | Yes | | Low | These are contained in the security settings recommendations and restorable system image. | | | N/A | [RCW] 1/2/2016 11:00:28 pm |
| T19 | §164.312(a)(2)(iii) | Yes | | Low | See previous answers. | | | N/A | [RCW] 1/2/2016 11:02:31 pm |
| T20 | §164.312(a)(2)(iv) | Yes | | Low | All ePHI must be encrypted and be inaccessible from computers other than the creating computer and to users other than authorized users. | | | N/A | [RCW] 1/3/2016 12:44:50 am |
| T21 | §164.312(a)(2)(iv) | Yes | | Low | Yes, all are AES-256 capable. | | | N/A | [RCW] 1/3/2016 12:47:22 am |
| T22 | §164.312(a)(2)(iv) | Yes | | Low | Files are encrypted with custom user encryption keys (certificates) using Windows EFS. | | | N/A | [RCW] 1/5/2016 8:27:38 am |
| T32 | §164.312(c)(1) | Yes | | Medium | These authorities are catalogued appropriately for each role profile. | | | N/A | [RCW] 1/3/2016 12:47:54 am |
| T34 | §164.312(d) | Yes | | Low | Yes. Currently userid and non-trivial password. More biometrics or secret questions will be used when implemented by the operating system. Fingerprint verification is preferred for newly purchased computers. | | | N/A | [RCW] 1/3/2016 12:29:42 am |
| T35 | §164.312(d) | Yes | | Low | Each machine and application is catalogued with this information. | | | N/A | [RCW] 1/3/2016 12:35:54 am |
| T36 | §164.312(d) | Yes | | Low | We use recommendations based on false negatives and false positives reported by providers of the devices or applications employed by the practice. | | | N/A | [RCW] 1/3/2016 12:42:51 am |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| PH30 | §164.310(d)(1) | Yes | | Medium | Security policy and procedures document describes storage and destruction of unused devices that might have stored ePHI. | | | N/A | [RCW] 1/5/2016 7:48:51 pm |
| PH31 | §164.310(d)(1) | Yes | | Medium | Security policy and procedures document describes storage and destruction of unused devices that might have stored ePHI. | | | N/A | [RCW] 1/5/2016 7:49:12 pm |
| T33 | §164.312(c)(2) | Yes | | Low | Auditing of files is turned on for critical files. Physical files are locked and should be signed out when used. An independent inventory of physical files is maintained and a periodic audit is done to determine if physical files are missing. | | | N/A | [RCW] 1/5/2016 10:04:14 am |
| T38 | §164.312(e)(1) | Yes | | Low | VPN is used for all offsite connections to office servers. Secure email is used for receipt and delivery of e-Faxes and emails with ePHI, and secure IM/text is used for delivery of text messages with ePHI. This is documented in the security plan. | | | N/A | [RCW] 1/5/2016 10:07:34 am |
| T39 | §164.312(e)(1) | Yes | | Low | See previous comment. BAAs are in place for all sending, transmission and retrieval mechanisms. | | | N/A | [RCW] 1/5/2016 10:08:46 am |
| T40 | §164.312(e)(2)(i) | Yes | | Medium | Tools for encryption are provided to every workforce member. Training and procedures document their appropriate use. | | | N/A | [RCW] 1/5/2016 7:28:43 pm |
| T41 | §164.312(e)(2)(i) | Yes | | Medium | The security policy and procedures document describes steps to be taken for various transmission modalities. | | | N/A | [RCW] 1/5/2016 7:33:28 pm |
| T42 | §164.312(e)(2)(i) | Yes | | Low | Security policy and procedure manual specifies the appropriate methods for transmission on possible modalities. Encryption in one form or another is used. | | | N/A | [RCW] 1/5/2016 7:44:58 pm |
| T43 | §164.312(e)(2)(ii) | Yes | | Low | Security policy and procedure manual specifies the appropriate methods for transmission on possible modalities. Encryption in one form or another is used. | | | N/A | [RCW] 1/5/2016 7:45:25 pm |
| T44 | §164.312(e)(2)(ii) | Yes | | Low | Security policy and procedure manual specifies the appropriate methods for transmission on possible modalities. Encryption in one form or another is used. | | | N/A | [RCW] 1/5/2016 7:45:37 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| PH01 | §164.310(a)(1) | Yes | | Low | Yes. Security officer maintains a list of all equipment. | | | N/A | [RCW] 1/5/2016 8:34:05 pm |
| PH02 | §164.310(a)(1) | Yes | | Low | Security policy and procedures document specifies the physical access protection for the office. | | | N/A | [RCW] 1/5/2016 8:35:01 pm |
| PH03 | §164.310(a)(1) | Yes | | Low | Security policies and procedures are reviewed and updated annually or when changes occur. | | | N/A | [RCW] 1/5/2016 8:39:48 pm |
| PH04 | §164.310(a)(1) | Yes | | Low | Cameras and locks are in place. | | | N/A | [RCW] 1/5/2016 8:41:28 pm |
| PH08 | §164.310(a)(2)(ii) | Yes | | Medium | Security policy and procedures document describes physical access controls in place. | | | N/A | [RCW] 1/5/2016 8:42:58 pm |
| PH09 | §164.310(a)(2)(ii) | Yes | | Medium | Security policy and procedures document describes physical access control procedures. | | | N/A | [RCW] 1/5/2016 8:43:20 pm |
| PH12 | §164.310(a)(2)(iii) | Yes | | Medium | Security policy and procedures document describes physical access controls in place. | | | N/A | [RCW] 1/5/2016 8:43:36 pm |
| PH32 | §164.310(d)(1) | Yes | | Low | Inventories and audits of equipment are done with the annual risk assessment and audit. Records from this audit are kept updated. | | | N/A | [RCW] 1/5/2016 7:47:59 pm |
| PH33 | §164.310(d)(1) | Yes | | Medium | Security policy and procedures document describes storage and destruction of unused devices that might have stored ePHI. | | | N/A | [RCW] 1/5/2016 7:49:28 pm |
| PH34 | §164.310(d)(2)(i) | Yes | | Low | Security policy and procedures document describes the process for preparing equipment for offsite/unsupervised maintenance. | | | N/A | [RCW] 1/5/2016 8:02:45 pm |
| PH35 | §164.310(d)(2)(ii) | Yes | | Low | Security policy and procedures document describes storage, cleaning and preparation for media that has stored ePHI. | | | N/A | [RCW] 1/5/2016 8:03:55 pm |
| PH38 | §164.310(d)(2)(iv) | Yes | | Medium | Security policy and procedures document describes storage and movement of devices that might store ePHI. | | | N/A | [RCW] 1/5/2016 8:04:54 pm |
| T10 | §164.312(a)(2)(ii) | Yes | | Medium | Policy and procedures document backup procedures for devices that might have stored ePHI. | | | N/A | [RCW] 1/5/2016 8:06:37 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A09 | §164.308(a)(1)(ii)(C) | Yes | | Medium | This is in the Employee Handbook offered to all employees. | | | N/A | [RCW] 1/6/2016 10:14:05 pm |
| A10 | §164.308(a)(1)(ii)(C) | Yes | | Low | Discipline and termination are the consequences of improprieties with security. This is part of the training of each new employee and is posted with security awareness info on the office intranet and physically on the wall. | | | N/A | [RCW] 1/6/2016 10:15:10 pm |
| A13 | §164.308(a)(2) | Yes | | Low | Security officer role is defined. | | | N/A | [RCW] 1/5/2016 8:45:32 pm |
| A15 | §164.308(a)(2) | Yes | | Low | This is in the Security policy and procedure document. | | | N/A | [RCW] 1/6/2016 10:15:32 pm |
| A16 | §164.308(a)(2) | Yes | | Low | This is contained in the current version of the security policy and procedures guide. | | | N/A | [RCW] 1/6/2016 2:35:40 am |
| A17 | §164.308(a)(3)(i) | Yes | | Low | Security officer role maintains this list and updates it, as this role also provides access to information systems and electronic devices. | | | N/A | [RCW] 1/6/2016 2:31:28 am |
| PH16 | §164.310(a)(2)(iii) | Yes | | Medium | Cameras are in place. Other monitoring equipment does not seem necessary at this time. However, policies and procedures are reviewed annually or when incidents or changes occur. | | | N/A | [RCW] 1/5/2016 8:44:57 pm |
| PH18 | §164.310(a)(2)(iv) | Yes | | Low | A log of changes to physical access controls is managed by the security officer role. | | | N/A | [RCW] 1/5/2016 8:46:28 pm |
| PH23 | §164.310(c) | Yes | | Medium | Security policy and procedures document describes eavesdropping and screen peeking prevention controls. | | | N/A | [RCW] 1/5/2016 8:49:24 pm |
| PH24 | §164.310(c) | Yes | | Low | Receptionist role would use a workstation in the reception area. Limits to the information available to the receptionist are specified in the security policy and procedures documents. | | | N/A | [RCW] 1/5/2016 8:51:56 pm |
| PH26 | §164.310(c) | Yes | | Medium | Security policy and procedures document describes physical protections for workstations. | | | N/A | [RCW] 1/5/2016 8:52:23 pm |
| PH27 | §164.310(c) | Yes | | Medium | Risk assessment and audit is done annually or when there are changes or incidents. | | | N/A | [RCW] 1/5/2016 8:53:08 pm |
| PH28 | §164.310(c) | Yes | | Low | This is documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:18:36 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A16 | §164.308(a)(2) | Yes | | Medium | This is contained in the current version of the security policy and procedures guide. | | | N/A | [RCW] 1/6/2016 2:36:08 am |
| A19 | §164.308(a)(3)(i) | Yes | | Low | This is addressed in the Security Policy and Procedures. | | | N/A | [RCW] 1/6/2016 2:34:19 am |
| A22 | §164.308(a)(3)(ii)(A) | Yes | | Low | This is specified in the roles and access profile definitions section of the security policy and procedures document. | | | N/A | [RCW] 1/6/2016 2:35:13 am |
| A27 | §164.308(a)(3)(ii)(B) | Yes | | Low | This is included in the Employee Handbook. | | | N/A | [RCW] 1/6/2016 10:16:02 pm |
| A34 | §164.308(a)(5)(i) | Yes | | Medium | This is provided by the security officer. | | | N/A | [RCW] 1/6/2016 2:36:56 am |
| A35 | §164.308(a)(5)(i) | Yes | | Medium | The risk assessment and audit is done annually and when there are significant changes. This is part of that assessment. | | | N/A | [RCW] 1/6/2016 2:37:52 am |
| A36 | §164.308(a)(5)(i) | Yes | | Low | In-services are done frequently and in response to reports of threats. | | | N/A | [RCW] 1/6/2016 2:38:33 am |
| A37 | §164.308(a)(5)(i) | Yes | | Medium | Employee orientation includes security training. This is tailored to role. | | | N/A | [RCW] 1/6/2016 2:39:16 am |
| A38 | §164.308(a)(5)(i) | Yes | | Medium | Security officer maintains this list. | | | N/A | [RCW] 1/6/2016 2:39:44 am |
| A39 | §164.308(a)(5)(ii)(A) | Yes | | Low | Security policy and procedure specify an area where physical notices are kept and intranet postings are placed. | | | N/A | [RCW] 1/6/2016 6:59:21 pm |
| A40 | §164.308(a)(5)(ii)(B) | Yes | | Medium | Security policy and procedures and training emphasize this. Updates are encouraged to be automatic, and AV software has been chosen and made available for all workstations in the office. | | | N/A | [RCW] 1/6/2016 7:01:08 pm |
| A41 | §164.308(a)(5)(ii)(B) | Yes | | Medium | Training includes this and general ideas are posted both in the office and on the office intranet. | | | N/A | [RCW] 1/6/2016 10:17:13 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A18 | §164.308(a)(3)(i) | Yes | | Medium | This is tracked by the security officer. This is reviewed at risk assessment and audit opportunities at least. | | | N/A | [RCW] 1/6/2016 7:29:49 pm |
| A42 | §164.308(a)(5)(ii)(C) | Yes | | Medium | Security policy and procedure document describes several systems that can be used for this. All PCs are part of a single group. On the group profile is a program that records logins and logoffs in a group shared file. Security officer has a program with only read/write/modify access to create, list and refresh the log. Every other PC sharing the file has write-only access. Users cannot modify their share options or group membership. | | | N/A | [RCW] 1/6/2016 7:28:44 pm |
| A43 | §164.308(a)(5)(ii)(D) | Yes | | Medium | Training includes this. | | | N/A | [RCW] 1/6/2016 7:29:04 pm |
| A60 | §164.308(b)(1) | Yes | | Low | Security officer has to sign off on all such changes and procedure insists on signoff before it can be placed on PCs. | | | N/A | [RCW] 1/6/2016 7:32:25 pm |
| A61 | §164.308(b)(1) | Yes | | Low | Security officer maintains this list. No outside service has access to facilities or information systems. Many carry ePHI. | | | N/A | [RCW] 1/6/2016 7:33:34 pm |
| A62 | §164.308(b)(1) | Yes | | Low | Security officer obtains these before signing off on product installs. No product is installed without this signoff. | | | N/A | [RCW] 1/6/2016 7:38:50 pm |
| A63 | §164.308(b)(2) | No | | Low | All contractors must sign a subcontractor agreement which includes assurances and insurance to cover ePHI exposures and disclosures. Practice is not at this time allowed to offer BAAs to other entities by policy. | | | Alternate Solution | [RCW] 1/6/2016 7:42:55 pm |
| A64 | §164.308(b)(3) | Yes | | Low | Security policy and procedures specifies when BAAs are to be used. This includes this condition. | | | N/A | [RCW] 1/6/2016 8:36:20 pm |
| O1 | §164.314(a)(1)(i) | Yes | | Medium | Security policy and procedures specifies the terms of BAAs. | | | N/A | [RCW] 1/6/2016 8:37:02 pm |
| O2 | §164.314(a)(2)(i) | Yes | | Medium | This is covered in our template BAA contained in the Security policy and procedures document. | | | N/A | [RCW] 1/6/2016 8:37:46 pm |
| O3 | §164.314(a)(2)(iii) | Yes | | Medium | This is included in the template BAA. | | | N/A | [RCW] 1/6/2016 8:38:21 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A49 | §164.308(a)(7)(i) | Yes | | Medium | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:15:47 pm |
| A50 | §164.308(a)(7)(i) | Yes | | | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:15:56 pm |
| A51 | §164.308(a)(7)(i) | Yes | | Medium | This is reviewed annually or when services, equipment or facilities change. | | | N/A | [RCW] 1/6/2016 9:16:44 pm |
| A52 | §164.308(a)(7)(ii)(A) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:17:48 pm |
| A53 | §164.308(a)(7)(ii)(B) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:18:02 pm |
| A54 | §164.308(a)(7)(ii)(C) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:18:15 pm |
| A55 | §164.308(a)(7)(ii)(D) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document and is done annually or when there are significant changes to services, equipment, or facilities. | | | N/A | [RCW] 1/6/2016 9:19:07 pm |
| A56 | §164.308(a)(7)(ii)(E) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:36:30 pm |
| PH05 | §164.310(a)(2)(i) | Yes | | Low | This process is documented in the audit procedures of the Security policy and procedures document. | | | N/A | [RCW] 1/6/2016 9:39:14 pm |
| PH06 | §164.310(a)(2)(i) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:39:45 pm |
| PH07 | §164.310(a)(2)(i) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:39:54 pm |
| T07 | §164.312(a)(2)(ii) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:40:04 pm |
| T08 | §164.312(a)(2)(ii) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:40:19 pm |
| T09 | §164.312(a)(2)(ii) | Yes | | Medium | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:40:41 pm |
| T11 | §164.312(a)(2)(ii) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:40:52 pm |
| T12 | §164.312(a)(2)(ii) | Yes | | Low | This is described in the Disaster Recovery Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 9:41:16 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A11 | §164.308(a)(1)(ii)(D) | Yes | | Medium | Security officer has this authority and duty to review audit logs, login/logoff reports and incident reports. | | | N/A | [RCW] 1/6/2016 10:00:44 pm |
| A12 | §164.308(a)(1)(ii)(D) | Yes | | Medium | There is an annual risk assessment and audit that reviews activity for the year. The security officer more frequently reviews I/T audits for suspicious activity. | | | N/A | [RCW] 1/6/2016 3:12:22 am |
| PH15 | §164.310(a)(2)(iii) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:03:39 pm |
| PH17 | §164.310(a)(2)(iv) | Yes | | Medium | These are kept by the Security officer. | | | N/A | [RCW] 1/6/2016 10:03:03 pm |
| PH36 | §164.310(d)(2)(iii) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:03:53 pm |
| PH37 | §164.310(d)(2)(iii) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:04:01 pm |
| T13 | §164.312(a)(2)(ii) | Yes | | Low | Security policy identifies that the Security Officer has this authority. | | | N/A | [RCW] 1/6/2016 10:01:31 pm |
| T14 | §164.312(a)(2)(ii) | Yes | | Low | The Security Officer has this authority. | | | N/A | [RCW] 1/6/2016 10:01:12 pm |
| T15 | §164.312(a)(2)(ii) | Yes | | Medium | During the annual risk assessment and audit process, this is tested. | | | N/A | [RCW] 1/6/2016 9:57:37 pm |
| T16 | §164.312(a)(2)(ii) | Yes | | Low | Per initial audit and periodic audits, this capability is tested. | | | N/A | [RCW] 1/6/2016 9:59:28 pm |
| T23 | §164.312(b) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:04:19 pm |
| T24 | §164.312(b) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:04:46 pm |
| T26 | §164.312(b) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:05:28 pm |
| T27 | §164.312(b) | Yes | | Medium | These are described in the Security policy and procedures document. | | | N/A | [RCW] 1/6/2016 10:05:59 pm |
| T28 | §164.312(b) | Yes | | Low | Procedures for this are documented in the Security Policy and Procedure document. Security officer manages review and requests the assistance of staff as needed. | | | N/A | [RCW] 1/6/2016 10:06:36 pm |

| ID | Citation | Answer | Flagged | Risk Level | Current Activities | Notes | Remediation | Reason | Last Edit |
|---|---|---|---|---|---|---|---|---|---|
| A44 | §164.308(a)(6)(i) | Yes | | Medium | Policies and procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:08:33 pm |
| A45 | §164.308(a)(6)(ii) | Yes | | Low | Procedures for this are documented in the Security Policy and Procedure document. The Security Officer manages all incidents that do not pertain to his/her role. | | | N/A | [RCW] 1/6/2016 10:09:00 pm |
| A46 | §164.308(a)(6)(ii) | Yes | | Low | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:09:18 pm |
| A47 | §164.308(a)(6)(ii) | Yes | | Low | This is reviewed and audited at any risk assessment review and audit. | | | N/A | [RCW] 1/6/2016 10:09:55 pm |
| A48 | §164.308(a)(6)(ii) | Yes | | Medium | Procedures for implementation are documented in the Security Policy and Procedure document. Successful implementation is audited at initial and periodic risk assessments at least annually. | | | N/A | [RCW] 1/6/2016 10:11:08 pm |
| T29 | §164.312(b) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. | | | N/A | [RCW] 1/6/2016 10:06:52 pm |
| T30 | §164.312(b) | Yes | | Medium | Procedures for this are documented in the Security Policy and Procedure document. This is included in training. | | | N/A | [RCW] 1/6/2016 10:07:36 pm |
| T31 | §164.312(b) | Yes | | Low | Procedures for this are documented in the Security Policy and Procedure document. This includes transfer and retention periods. | | | N/A | [RCW] 1/6/2016 10:08:13 pm |