Essential Risk Assessment’s

Essential Privacy and Security Assessment’s.

The HIPAA Act requires all healthcare organizations to conduct an annual Risk Assessment with quarterly reviews.  Our Essential Privacy and Security Assessments are geared towards smaller practices with one or two doctors and we preferably meet at your main location.  It does not include the in-depth policy and procedure review, or site walk throughs.

Bruce Miller is the resident auditor and has been affiliated with MDTS for over ten years.  He has over 25 years of Health Care Information Technology experience in a managerial role for two health systems providing guidance and oversite.

  • We will require a comprehensive inventory of all equipment that could have confidential or ePHI.
    • This includes PC’s, laptops, tablets, smart phones, and printing/faxing devices.
  • The first phase of the assessment will be for discovery as we perform a practice summary identifying all key stake holders and systems.
  • We will then move into a detailed list of 36 screening questions where we will address each line with: if it has been addressed, partially addressed or not addressed, people/processes and technology.
  • Followed by responding to 26 control analysis questions.
    • It helps if you have documentation, logs, and screen shots that will help validate.
  • Then we will review the Technology Steps when we respond to 20 questions that identify the Asset Management Categories,
    • existing controls in place, what is the controls effectiveness
    • followed by the exposure potential, likelihood, impact and risk rating.
  • The next step is the High and Medium Risk Findings and Remediation where we respond to 57 questions pertaining to the risk, existing control measures,
    • Recommended control measures
    • Who is responsible
    • The steps to be taken to remediate the risk and expected target date to comply that the practice is comfortable with.
  • We will review your server/network closet or location where your infrastructure is located.   We will look at power, cooling, neatness, backup systems, data wiring, and security.

The final process will be performed offsite for a detailed final review and summation report to be generated for the practice. and followed by an onsite wrap up meeting.

MDTS is also available to provide assistance with policy & procedure creation/ maintenance, Disaster Recovery/Business Continuity and or HIPAA related training as a project add on at an additional cost.  We also have a full range of manager services available including network, server, desktop & backup/recovery solutions.  Please refer to our website for more information at, or send an email to  We thank you for your time and consideration and look forward to working with your organization.