3 Strategies for Eliminating HIPAA Location Sampling Risks

Healthcare organizations that have many locations often resort to making the difficult choice of sampling care delivery locations to manage cost and scope when performing their annual HIPAA Security Risk Assessment (SRA).

As our previous article on location sampling illustrates, organizations struggle to fully assess all locations due to the manual effort involved and the requirement that each separate entity with a tax ID is required to produce its own SRA even if the entity is wholly owned by a larger health system. 

Read the article for 3 strategies for eliminating SRA sampling risk without any additional burden on your team. 

Strategies for Eliminating Sampling Risk

The best way for an organization to eliminate sampling risk is by producing an SRA for each location that has a separate tax ID. Here are some strategies for doing this: 

1. Identify Global vs. Local Risks 

First, identify your global and local risks across your organization. Are all of your locations using the same EMR/EHR and other information systems? What is the network configuration and posture across all locations?  

Many clients we work with do have a core set of systems and technologies that are managed as a whole entity. If your systems are global and shared, this is one area of simplification and can be shared on the SRA for all entities. 

What kind of risks are local? A HIPAA SRA requires the assessment and remediation of technical, administrative, and physical safeguards. Beyond a shared IT footprint, what do all locations share for administrative and physical controls? 

2. Identify Major Systems Mapping Across Locations 

Discovering the shared administrative and physical controls across locations is usually where our clients find differences across their organizations. These different procedures (and potential risks) should be mapped across each location where they are used. Examples here include identity access management, onboarding, and offboarding employees, physical computer and file systems controls, facility location controls, and others.  

3. Map Out Global vs. Local Execution Strategies 

Once you have your global and local systems, procedures, and safeguards assessed, keep a clear mapping of these and how they are combined at the local level (including global systems from the corporate parent) and aggregated at the global level (including all relevant local risks that apply to the corporate parent SRA).  

Beyond your initial assessment of risk, both globally and locally, you will need to keep track of how these risks get addressed (or remediated) at each level and be able to see the global and local status at the same time. To do all of this effectively, it is helpful to have automated linking across global and local controls in a system that can then produce the appropriate global and local SRA output at any given point in time. 

Eliminating Sampling Risk: The Conclusion  

Sampling can leave your organization vulnerable to cybersecurity breaches. To avoid this risk, it’s not enough to simply aggregate all local risk information or push down all global risk information. You have to manage both local and global simultaneously where they apply to your corporate structure, and doing so can be time-consuming and complex. 

This is exactly what our HIPAAOne/Enterprise product family does. After completing 60,000 SRA’s for organizations of all sizes, we learned through experience that the best way to cover all locations fully is with automation that reduces effort and time by over 90% in many cases and improves assessment accuracy. The sheer expense of people and time pursuing a manual tracking effort for SRA will be prohibitively expensive or dangerously inaccurate.


Learn more about HIPAA One—schedule a demo with an expert today.