Risk Analysis/Mock OCR Audit

SHC will conduct an onsite analysis that will be a thorough assessment of your business's potential risks and vulnerabilities. Any risk that may affect the confidentiality, integrity, or availability of your clients' ePHI will be identified in a comprehensive report.

A simple checklist does not satisfy the analysis requirements under HIPAA or NIST, but the documentation provided to you by SHC does. This is the first step in creating a risk management plan and will create a path for your organization to begin filling any gaps you may have in your security.

All of the following standards will be addressed:

Physical Safeguards

The Security Rule’s Physical Safeguards are the physical measures, policies and procedures to protect electronic information systems, buildings and equipment. These standards and implementation specifications will help protect ePHI from natural and environmental hazards, as well as unauthorized intrusion.

1) Facility Access Controls

a. Contingency Operations (A)

b. Contingency Operations (A)

c. Facility Security Plan (A)

d. Facility Security Plan (A)

2) Workstation Use (R)

3) Workstation Security (R)

4) Device and Media Control

a. Disposal (R)

b. Accountability (A)

c. Media Reuse (R) 

d. Data Backup and Storage (A)

Technical Safeguards

The Security Rule's Technical Safeguards are the technology and related policies and procedures that protect all ePHI and control access to it.

1) Access Control

a. Unique User ID (R)

b. Automatic Logoff (A)

c. Emergency Access (R)

d. Encryption & Decryption (A)

2) Audit Controls (R)

3) Integrity

a. Mechanism to Authenticate ePHI (A)

4) Person or Entity Authentication (R)

5) Transmission Security

a. Integrity Controls (A)

b. Encryption (A)

Administrative Safeguards

Administrative Safeguards refer to administrative functions, such as policies and procedures, that must be in place for the management and execution of security measures. These include performance of the security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions.

1) Security Management Process

a. Risk Analysis (R)

b. Sanction Policy (R)

c. Risk Management (R)

d. IT Activity Review (R)

2) Assigned Security Responsibility (R)

3) Workforce Security

a. Authorization and/or Supervision (A)

b. Workforce Clearance (A)

c. Termination Procedures (A)

4) Information Access Management

a. Isolating Health Care Clearinghouse Functions (R)

b. Access Authorization (A)

c. Access Establishment and Modification (A)

5) Security Awareness and Training

a. Security Reminders (A)              

b. Log-in Monitoring (A)

c. Protection from Malware (A)    

d. Password Management (A)

6) Security Incident Procedures

a. Response and Reporting

7) Contingency Plan

a. Data Backup Plan (R)                 

b. Disaster Recovery Plan (R)

c. Emergency Mode Plan (R)        

d. Testing/Revision Process (A)

e. Applications & Data Criticality Analysis (A)

8) Evaluation (R) 

(Periodic assessment of security policies and procedures)

9) Business Associates Contracts

a. Written Contract or other Arrangement (R)


1) System Characterization

2) Threat Identification

3) Vulnerability Identification

4) Control Analysis

5) Likelihood Determination

6) Impact Analysis

7) Risk Determination

8) Control Recommendations

9) Results Documentation

The HIPAA/NIST Risk Analysis is the foundation for the entire HIPAA compliance and IT security program. The Risk Analysis identifies what protections are in place and where there is a need for more. The Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI at rest and/or during its transmission.

Contact Information


(540) 508-4863


Monday-Thursday: 9:00am - 5:00pm

Friday: 9:00am - 12:00pm
Saturday-Sunday: Closed

© 2020 Shenandoah HIPAA Consultants, LLC Stephens City, Virginia