Free HIPAA Risk Assessment Pre-Check

Scope is the hipaa risk assessment pre-check control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For scope, the relevant evidence usually includes identify systems that create, receive, maintain, or transmit ePHI; review audit logs, access lists, BAAs, encryption, and remediation tracking. Review the related HIPAA Security Rule, ePHI, access controls, audit controls, integrity controls, transmission security, BAAs, risk analysis evidence, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include EHR admin console, firewall/VPN logs, M365 audit logs, backup reports, HIPAA risk register, vendor contract file.

Safeguards are the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For safeguards, the relevant evidence usually includes identify systems that create, receive, maintain, or transmit ePHI; review audit logs, access lists, BAAs, encryption, and remediation tracking. Review the related HIPAA Security Rule, ePHI, access controls, audit controls, integrity controls, transmission security, BAAs, risk analysis evidence, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include EHR admin console, firewall/VPN logs, M365 audit logs, backup reports, HIPAA risk register, vendor contract file.

Evidence is the technical and administrative control set used to prove this part of the environment is configured, maintained, and reviewed. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For evidence, the relevant evidence usually includes collect current-state screenshots or exports for evidence, plus ownership, exception, and change records. Review the related control objective, evidence trail, exception handling, review cadence, owner accountability, validation record, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include admin console, ticketing system, monitoring platform, configuration export, documentation repository.

Remediation is the hipaa risk assessment pre-check control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For remediation, the relevant evidence usually includes identify systems that create, receive, maintain, or transmit ePHI; review audit logs, access lists, BAAs, encryption, and remediation tracking. Review the related HIPAA Security Rule, ePHI, access controls, audit controls, integrity controls, transmission security, BAAs, risk analysis evidence, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include EHR admin console, firewall/VPN logs, M365 audit logs, backup reports, HIPAA risk register, vendor contract file.

Documentation is the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For documentation, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.

Monitoring is the technical and administrative control set used to prove this part of the environment is configured, maintained, and reviewed. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For monitoring, the relevant evidence usually includes inspect zone changes, resolver paths, DHCP scope utilization, alert thresholds, log retention, NTP synchronization, and monitoring coverage gaps. Review the related forwarders, secure dynamic updates, DHCP failover, reservations, lease scope utilization, syslog, SNMP, NetFlow, SIEM correlation, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include DNS/DHCP consoles, SIEM, syslog server, network monitoring dashboards, packet captures, availability reports.

Ownership is the hipaa risk assessment pre-check control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For ownership, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.

Testing is the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For testing, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.