HIPAA 164.308(a)(1)(ii)(B)—Risk Management

The Health Insurance Portability and Accountability Act (HIPAA) Security Audit reports show available documentation and compliance artifacts that help you demonstrate compliance with requirements of the HIPAA Security Rule, as outlined in the HIPAA Audit Protocol.

This report provides information on security measures that reduce risk and vulnerabilities to a reasonable and appropriate level to help you demonstrate compliance with HIPAA 164.308(a)(1)(ii)(B).

To access the HIPAA 164.308(a)(1)(ii)(B) report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under HIPAA Security Audit, click VIEW.
  4. Click HIPAA 164.308(a)(1)(ii)(B) - Risk Management.

The report summary page displays two columns. HIPAA Audit Protocol lists each audit protocol inquiry for testing the selected HIPAA Security Rule requirement. Available Documentation and Artifacts describes, and contains links to, the documentation and compliance artifacts that this report can generate for each protocol.

Filter the report

To refine your findings, you can filter your report by date range and customer account.

Filter the report using drop-down menus

By default, Alert Logic includes (All) values for most filters in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

Schedule the report

After you finish setting up the report, you can use CREATE REPORT to run it periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. To learn how to schedule the report and subscribe notification recipients, see Scheduled Reports and Notifications.

Available documentation and artifacts

This report provides documentation and artifacts that help you demonstrate that you have security measures implemented. These measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA 164.306(a).

This report includes links for quick access to pages in the Alert Logic console, where you can access threat responses, vulnerability assessment findings, and threat risk index findings.

Policy and procedures related to risk management

This HIPAA Audit Protocol requires a review of the policies and procedures related to risk management to evaluate and determine whether the documents identify the risk management process, define what are considered acceptable levels of risk, state the frequency of reviews for ongoing risks, and identify roles.

Alert Logic does not provide data for this testing procedure. You must provide the policy and procedure documents for this audit.

Security measures implemented

This HIPAA Audit Protocol requires a review of the documentation that demonstrates the security measures implemented, or in the process of being implemented, as a result of the risk analysis or assessment. You must evaluate and determine whether the implemented security measures appropriately respond to threats and vulnerabilities identified in the risk analysis, according to the risk rating, and whether the security measures are sufficient to mitigate or remediate identified risks to an acceptable level.

This section provides you with the following links for quick access to appropriate pages in the Alert Logic console:

  • Threat responses in the Incidents page to review security incidents detected in your environment, and the actions taken in response.
  • Vulnerability assessment findings in the Vulnerabilities group of the Reports page to review summary, distribution, and trending data for vulnerabilities identified in your environment.
  • Threat risk index findings in the Risk group of the Reports page to review summary and trending data for the threat risk index scores for the deployments and networks in your environment.