Health system strives to maintain data security working with Baker Tilly to conduct a HIPAA security risk assessment

Baker Tilly specialists have years of experience in healthcare. They understand it – they comprehend health organization processes, workflows and systems as well as how the technology department of a hospital operates. This matters when conducting assessments and providing recommendations to manage risk.

Our client’s need

A large integrated delivery system consisting of four hospitals, fourteen ambulatory clinics and home health services requested assistance in evaluating their organization’s state of compliance with HIPAA security requirements. Besides being mandated by HIPAA legislation and a requirement to attest for meaningful use of electronic health records, the system wanted to demonstrate their state of compliance with business associates. HIPAA compliance for the health system is protecting the security and confidentiality of its patient information, along with satisfying the information needs of healthcare organizations for whom they provide technology support services.   Further, it is a means of protecting their brand in an ever competitive healthcare landscape.

Baker Tilly’s solution

Baker Tilly healthcare technology and HIPAA specialists conducted a risk-based qualitative and quantitative analysis against the HIPAA security rule. They assessed threat sources, impact and likelihood of vulnerabilities to calculate risk. Identified risks were ranked as critical, high, medium or low to define the urgency for remediation. The assessment was conducted using an industry standard toolkit and recommendations provided by the Office of Civil Rights (OCR).

Results achieved

Baker Tilly developed a report identifying and prioritizing compliance gaps by risk rating and recommended remediation activities for inclusion in their overall risk management plan. The risk ratings were based on likelihood and impact for each vulnerability finding. Remediation activities were then integrated into the overall technology risk management plan.