Versions Compared

Key

  • Where the two compared versions differ, both readings are shown in braces as {one version | other version}; the added/removed colouring of the original comparison is not preserved in this text rendering.

...

A risk assessment will be performed {every year with coordination of | periodically by} the NCSA Security Office and the NCSA HIPAA Liaison. Exceptions to this include (i) substantial infrastructure/environment changes that would require a new impact analysis and (ii) a security incident that warrants reevaluation of risks.

...

A risk assessment is conducted as per the documented NCSA Risk Assessment and Mitigation procedure. Risks will be recorded in the NCSA risk register, and risk assessments will be saved {for 6 years or from the inception of the NCSA Health Care Component | indefinitely}.

NCSA implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

  1. Ensure the confidentiality, integrity, and availability of {all ePHI the organization creates, receives, maintains, and/or transmits, | NCSA computational resources and}
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI,
  3. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required, and
  4. {Ensure compliance by workforce members | NCSA's data}.

Risk Management Process

The risk assessment is part of an on-going process to understand and manage risk. The broader process contains the following steps as per the documented NCSA Risk Assessment and Mitigation procedure:

  • A risk assessment is performed.
  • Findings are submitted to the NCSA Security Office within 30 days, and the Security Office forwards them to the {HIPAA Liaison | senior management}.
  • The NCSA Security Office works with the project(s) to remediate vulnerabilities and mitigate risks within 90 days of finishing the assessment. If this is not possible for all risks, an exemption must be requested in writing to the Security Office and HIPAA Liaison.
  • Remediation activities are documented in a remediation plan.
  • The remediation plan is sent to the Security Office, which sends it to the {HIPAA Liaison | senior management}.

Privacy

All data from the risk assessment is kept confidential and not shared without written approval from the NCSA Security Office and HIPAA Liaison.

Consequences

All workforce members are expected to fully cooperate with all persons charged with doing risk management work. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation according to the University of Illinois HIPAA Directive Sanction policy.