Annual HIPAA Risk Assessment

Another major service we perform is facilitation of the Annual HIPAA risk assessment and other audits and risk assessments performed by vendor audit firms. The HIPAA risk assessment is a major initiative for the UMIT Security Audit. Not only is its completion necessary for UM to comply with the HIPAA regulation, but it also affords UMIT the unique opportunity to assess security controls and compliance for all UM ePHI applications in one project. In the 2015 assessment, 85 UM ePHI applications were assessed in this one project. Although the risk assessment component of the HIPAA risk assessment is performed by a third party, we play a critical role in the realization of benefits and in risk management by working collaboratively with the UM Office of HIPAA Privacy and Security, the vendor, IT application owners and application business owners to:

  • Perform vendor management, including validating the accuracy of risk findings and ratings, ensuring all deliverables are provided as per the contract, and ensuring all deliverables are decipherable by the business and are of acceptable quality and usefulness
  • Identify and ensure full understanding of vendor risk observations
  • Help the business determine which risks should be remediated to derive an acceptable risk level based on risk appetite
  • Write and publish reports of observations and risk management responses
  • Develop or consult on risk management/remediation plans for identified high-risk areas and applications

For more information on how we choose which audits to perform, our audit focus areas, and the services we provide, please see our approved Fiscal 2017 Audit Plan.