Having technical issues? We’re here for you.
Frequently Asked Questions
HIPAA One Software
Follow the instructions below to answer common questions about the HIPAA Risk Assessment.
I forgot my HIPAA One Password
Navigate to https://login.hipaaone.com and click “forgot?”
Enter your email address and Captcha phrase on the Account Recovery page
Click on the secured link (i.e. only works once) to navigate to the Change Password entry page for access into HIPAA One
The secured link can only be used once! If you still have issues, ensure your Firewall has hipaaone.com white-listed (your IT person will know what to do). If you see the below screen when you click on the email link to reset your password, repeat the above process for a new secured email and link
Self-Help Overview Video
HIPAA One Software Instructional Video
Adding Reviewers to my SRA
Once the risk analysis is completed and the final report has been signed, the main Sponsor must add any participants back to the report as a “Reviewer” to access the Action Plan and work on risk items
Click on the completed assessment from the main menu. Three buttons will appear for the Sponsor; click the “Reviewers” option (third green arrow below)
Click “Add Reviewer”
Click “Add Reviewers” to add each participant that needs to access the report. The Sponsor may also delete any participants here. Enter the participant’s name and email address
The participant will receive an email with an invitation link. Check the “junk folder” if the email does not appear in the inbox. The link in the email expires after 14 days
Customizing Auto Reminders
Update organization’s reply-to email address by following these steps
Click on the globe icon while in Organizations
Enter desired email address in the Proposed Value field then click “Update Organization” as displayed below
Upon adding the email address successfully, the screen should have a 3 wide grid with a variety of fields (Admin Name, Legal Name, Address, etc.)
Changing my email and login ID
If the Main Menu bar on the left portion of the screen doesn’t show up, click on the “Door” icon located on the top-right hand corner of the screen. Next, select the “My Profile” Icon to open your profile information
Change the email address(es) associated with this user account/profile by clicking the “Email Address(es)” link
Next, to add an email address, click the “Add Address” link. Enter in your email address twice to verify correct spelling
After clicking the “Save” button, the system will send you an email to the newly-entered email address. This email contains a verification Code. Use the code from your email to verify your email address. Enter your code in the HIPAA One profile
Now make the new email address the default email for the HIPAA One system. This means any subsequent emails will be sent to the “default” email address. Set the default email address. Optional: You may delete the previous email. For example, if you do not want to reference the old email any longer (i.e. departed employee, voluntary change, etc.) you can delete the old email address(es). Once you click on the link, the address will be removed without confirmation.
To change the user account used to login to HIPAA One, click on the “Security Settings” link
The screen below pops up when you click on the change username link. You may choose an existing email address (recommended), or create your own username that is not an email address
Recommended: Change the password associated with this login account. You may use the change password link to enter, confirm and save your new password
Accessing questions after the assessment
Yes! You can access questions through the historical checklist.
Log in to HIPAA One and click the assessment name
Once the assessment is open, select “Historical Checklist (click to expand)” located below the compliance seal.
Click “Perform Interviews” to access the roles and questions of your completed assessment.
Watch the videos linked below to learn how to set up and manage your training account.
Getting Started Admin Tutorial
In this video we will walk you through the four steps of setting up your HIPAA One training account. In each step, we highlight important features and settings.
Setting up Sublicenses
Sublicenses are commonly used to help organizations manage content for multiple locations, groups, or departments. It is important to set up your Sublicenses before inviting your learners.
In the video below, we will walk you through how to set up and manage sublicenses for your HIPAA One training account. Sublicenses are commonly used to help manage content for multiple locations, groups, or departments. After you have set up your sublicenses, you can import learners and assign them to sublicenses. When you create sublicenses, reporting and analytics are automatically generated for each group and can be viewed separately or together.
Seat count comes out of the total account seats purchased for the organization
Learners will need to be added to the appropriate sublicense after sublicenses have been created.
If a user/learner is added to more than one sublicense it will be counted as multiple seats.
Editing Learner Content
In each training course there is a section that highlights information about a HIPAA Security Officer (HSO) and/or HIPAA Privacy Officer (HPO). Within each course, you have the ability to edit these sections to include your organization’s HSO and HPO contact information.
In the video below, we will walk you through how to customize your training course by modifying editable material. For example, you can add the name of your HIPAA Security or Privacy Officer, along with their contact information, to facilitate reporting in the event of a breach, incident or violation. Watch this video to learn how to make your training course information specific to your organization.
Editable Page: Select a course and find the editable page indicated with an asterisk.
Add Information: Add your organization’s HSO and HPO contact information.
Getting Started Learner Tutorial
This video illustrates how to navigate the HIPAA One Knowledge Center. It walks through how to manage your account, training, and available resources.
What browsers are supported
We support the current and the previous major release of Chrome, Firefox, Safari, and Microsoft browsers. This currently includes Microsoft Edge and Internet Explorer. Each time a new browser version is released, we begin supporting that version and stop supporting the third most recent version.
Current and previous Android versions
Current and previous iOS versions
Need help? Below are common questions asked that we can help answer.
Accessing the LADMF
Question: What are the steps in submitting an access request for the Limited Access Death Master File?
Step One – Complete SRA
Individuals and entities are obligated to prove that the appropriate systems, facilities, and procedures are in place to safeguard information and maintain its confidentiality and security. You can do so by completing a HIPAA Security Risk Assessment.
Step Two – Pay the Fee
The US National Technical Information Service requires an annual payment of $2,390.00 for processing the LADMF Subscriber Certification Form. Additionally, every three years a processing fee is required to have access to the LADMF ACAB Systems Safeguards Attestation Form.
Step Three – Complete Subscriber Form
After the payment has been accepted, complete and submit the LADMF Subscriber Certification Form. Certification must be renewed each year.
Step Four – Order Number Assigned
Each organization is assigned a specific order number which will be used on the ACAB Systems Safeguard Attestation Form.
Step Five – Form Completed
HIPAA One will fill out the ACAB form free of charge and submit the form on behalf of the client.
Question: Do all risks found in the HIPAA Security Risk Analysis need to be remediated to submit an access request to the Death Master File?
Answer: No, you are not required to remediate all risks before requesting access to the LADMF.
Question: Is HIPAA One an Accredited Conformity Assessment Body? Can they help me access the Limited Access Death Master File?
Answer: Yes, HIPAA One is an ACAB and we offer our services free of charge for clients that have completed their SRA using the HIPAA One software.
Question: How long is the NIST response time after submitting an access request to the LADMF?
Answer: The National Institute of Standards and Technology typically responds within 48 hours, either with acceptance granting LADMF database access to the applicant or with rejection and an explanation.
Use PNP or Employee Handbook
Use this guide to determine when to refer to the employee handbook and when to use formal policies as required on the questionnaire for completing the security risk analysis:
Employee Handbook – The handbook is written with employees as the intended audience. As such, the document has a straightforward layout for easy referencing of company policies and procedures. Additionally, it is a vehicle for familiarizing employees with basic company policies and benefit programs, as well as the general expectations of the company, including acceptable and unacceptable behavior and disciplinary measures.
Company Policies and Procedures – Different than the employee handbook, PnPs are more comprehensive and include details on every aspect of how the company conducts business around standards and regulations. Some procedures might be more detailed regarding how to follow those policies as well as the documentation needed to complete each process. A PnP manual is essentially a reference tool for managers and supervisors, not for employees at large. This tool is much more complete in detail than the employee handbook and should be used as “back-up” when more information is needed to explain a policy or when a deeper understanding of a process is desired. As an added benefit for management, the manual can contain references to federal and state laws that correlate to each policy. Managers and supervisors then have access to the rationale for the policies, thus providing them with assistance for enforcement. It may include forms, checklists, and sample documents to show administrators and managers how to handle specific workplace policies and situations.
Penetration Test vs. Vulnerability Scan
The difference between a penetration test and vulnerability scan can be difficult to understand. Whereas both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.
Penetration Test – A penetration test simulates the actions of an external or internal cyber attacker (AKA ethical hacker) that strives to breach the information security of an organization. Simply, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.
Vulnerability Scan – Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network to identify security holes. By checking internet-facing devices against “known” Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify system weaknesses in computers, networks, and communications equipment. Vulnerability scans are configured for safety checks, meaning the scan will only identify known, unpatched security vulnerabilities for the external IP addresses provided and not conduct any denial of service (DoS). A free example of a vulnerability scan can be found at www.ssllabs.com and focuses on encryption and certificate exchange.
There are many software options that may be utilized for vulnerability scanning, as certain tools are specific to the different types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software, and one tool may not be all an organization needs. It is fairly standard that hackers may use anywhere from 6-10 different software scans to speed up the process of identifying easy ways of bypassing application and infrastructure security controls.