
Before We Begin

We need a little more information.

First Name*:
Last Name*:

Risk Assessment

Page 1 of 6

1. Approximately how many employees do you have?

2. Does your organization maintain its own servers, either onsite or with an offsite hosting company in which you have control of the servers?

3. Does your organization take credit cards as a means of payment?

4. Does your organization collect any sensitive Personally Identifiable Information over the internet, an intranet, a website or any other means?

5. Does your organization have a formal Information Security Policy that provides a description of the methods used to protect sensitive information?


6. Does your organization have an Acceptable Use Policy or other document that defines appropriate means for using resources such as the internet and email?

7. Does your organization maintain an Employee Handbook with which all employees must comply?

8. Does your organization have a Chief Information Security Officer, Chief Privacy Officer or some other position whose job function includes the protection of the organization's information security?

9. Are individual employees required to sign organizational policies in order to acknowledge understanding and a willingness to abide by the policy?

10. Does your organization have a formal Information Security Policy that provides a description of the methods used to protect sensitive information?


11. Does your organization maintain formal classification guidelines, whereby the organization's information and assets are labeled according to sensitivity?

12. When an employee leaves your organization, do you have a policy that dictates how soon their access credentials are revoked or suspended?

13. Does your organization perform any form of pre-employment screening (background checks, credit checks, etc.)?

14. Does your organization require that employees sign any type of formal confidentiality agreement or other non-competition agreement?


15. If you have a server room, do you keep your data center or server room locked at all times?

16. How does your organization back up critical data?

17. Does your organization test backup media on a regular basis to ensure the integrity of backup data?

18. Does your organization store any personal information on laptop computers?


19. If your organization processes credit cards, describe how you process credit cards:

20. Are your users required to change passwords on a regular basis?

21. Do you allow remote connections to your network? If so, are users required to use authentication such as a username and password or other credentials to log in?

22. Does your organization maintain a formal incident response plan to be used should a breach occur?

23. Do you have Payment Card Industry (PCI) certification? Have you performed the PCI-required scan of your IP address in the last 12 months?


24. Do you send electronic patient health information via e-mail? If yes, are your e-mails sent via encrypted software? (Note: if you use a service like Gmail or Yahoo, these services do not automatically encrypt electronic patient information.)

Thank you. Your Risk Assessment is completed and submitted for review.

A Security Advisor will be contacting you to schedule a review of your results.
This review should not take more than 30 minutes.

Thank you.

Be Safe!

Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule (45 C.F.R. § 164.308(a)(1)) requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations.” Risk analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard.


The HITECH Act expanded both the civil and criminal penalties for breaches of HIPAA's Privacy and Security Rules. Effective as of February 17, 2009, civil money penalties are tiered and increased for different levels of HIPAA violations, and those penalties apply directly to Business Associates as well as Covered Entities. The minimum fine is $100 and the maximum fine is $50,000 per individual violation. The maximum annual civil penalties for multiple violations range from $25,000 to $1.5 million. In addition, state attorneys general are now authorized to bring a civil action for HIPAA violations to enjoin privacy or security violations, or to obtain damages on behalf of state residents.
