HIPAA Risk Assessment and Security Rule Compliance (HIPAA-C)

Illumant's HIPAA-C service is a straightforward solution for addressing the compliance and security risk analysis requirements of the HIPAA Security Rule and the HITECH Act, and for addressing a core objective of "Meaningful Use".

Why do you need Illumant’s HIPAA-C Service?

HHS and CMS security audits are on the rise. Non-compliance means costly fines, lost incentives, and damaging security breaches. Illumant’s HIPAA-C service brings HIPAA security knowledge, experience and expertise to your team to address compliance, earn incentives, and head off security exposures and breaches.

We Help You Address Compliance, Avoid Penalties and Earn Incentives

Entities that handle and maintain electronic protected health information (ePHI) are required to perform a security risk assessment to evaluate the security of ePHI at the organization, including compliance with the HIPAA Security Rule and the HITECH Act, which require certain security safeguards and breach notification measures to be addressed and implemented.

Protection of ePHI is also a core objective of Stage 1 Meaningful Use, which entitles a health care provider to EHR incentive payments. Entities that do not comply and that experience security incidents can be subject to lost incentives and stiff monetary penalties.

Illumant has developed a straightforward risk assessment model and data gathering protocols that have been refined to meet the objectives of the HIPAA/HITECH security risk assessment and compliance requirements. Illumant leverages its risk assessment methodology to streamline this analysis for its clients in an efficient way that minimizes disruption to internal resources while achieving compliance and security objectives.

Head Off Security Breaches AND Meet Compliance Requirements

Our service identifies existing vulnerabilities and exposures to head off cyber-attacks and security breaches. The HIPAA-C service includes optional technical vulnerability analysis, technical and physical penetration testing, and social engineering to assess the effectiveness of implemented safeguards in protecting networks, systems and ePHI, and to assess compliance with the required and addressable safeguards of the HIPAA Security Rule.

Related HIPAA Risk Analysis and Evaluation Services (technical security, application security):

  • Perimeter Security Assessment & Penetration Testing (PSA): The HIPAA Security Rule requires the protection of ePHI. The PSA provides assurance and validation that Internet-facing networks and systems, and the ePHI they hold, are protected from hackers and malware (i.e., it takes the attacker's perspective).
  • Critical Asset Security Assessment (CASA): Covered entities have numerous applications and systems that process, store, and transact ePHI and sensitive data. The CASA evaluates the security and risk posture of these internal assets. It includes internal vulnerability analysis and penetration testing of critical assets that store ePHI and sensitive information, including healthcare applications, application servers, database servers, routers, and switches.
  • Data Loss Prevention Assessment (DLPA): Identifies unprotected transmission and non-compliant storage of ePHI and other sensitive data that could result in unwanted disclosure or data loss and the potential for costly breach notification and response.
  • Other related Risk Analysis and Evaluation Services are also available.

Educate Management, Share Accountability, Drive Security Initiatives

Our HIPAA-C service includes interviews with stakeholders to assess compliance as well as to educate and inform about compliance requirements, which increases cross-departmental responsibility and accountability, and helps drive security initiatives. You control who should be involved in the interview process.

Illumant Reduces the Burden and Minimizes the Confusion of Compliance

Illumant's HIPAA-C service leverages a proven methodology which shifts much of the burden of compliance away from you, distributes responsibility for compliance with other stakeholders, and adds clarity to the process – what needs to be done to comply, what needs to be fixed to avoid penalties, and what needs to be remediated to avoid a security breach or exposure.


  • Interview, inspection and observation-based process
  • Critical application (ePHI) risk analysis
  • Business Associate/vendor risk analysis
  • Identification of threats and vulnerabilities
  • Assessment of current security measures
  • Assessment of compliance with Security Rule
  • Vulnerability assessment and penetration testing
  • Social engineering
  • Review of policies and procedures
  • Review of breach notification programs
  • Assessment of likelihood/impact of threat occurrence
  • Determination of level of risk
  • Actionable risk analysis report


  • Electronic Protected Health Information (ePHI)
  • Electronic health/medical record (EHR/EMR) systems/applications
  • Required and addressable safeguards
  • Administrative, technical, physical safeguards
  • Policies and procedures
  • Business associate agreements
  • Servers, firewalls, routers, and workstations
  • External and internal systems
  • Network segmentation
  • Wireless networks


Detailed Description

The HIPAA-C addresses the compliance concerns of healthcare organizations (and other covered entities) with respect to the required and addressable safeguards prescribed in the HIPAA Security Rule and the breach notification guidelines of the HITECH Act, and satisfies the Stage 1 Meaningful Use core objective of protecting ePHI. This service also measures conformance with best practices to ensure that the organization's security posture is robust.

Failure to adequately protect ePHI may lead to potentially sizeable civil monetary penalties:

Tier 1: Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
  Penalty: $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
Tier 2: The HIPAA violation had a reasonable cause and was not due to willful neglect.
  Penalty: $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
Tier 3: The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
  Penalty: $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
Tier 4: The HIPAA violation was due to willful neglect and was not corrected.
  Penalty: $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

At the same time, documenting a compliant HIPAA security risk analysis is a core objective of Stage 1 Meaningful Use, which could entitle an eligible healthcare provider to receive payments through the Medicare and Medicaid incentive programs.

Wading through HIPAA security by oneself is equal parts confusing and time consuming. The HIPAA-C helps covered entities demonstrate compliance with the security portions of HIPAA, HITECH and Meaningful Use as painlessly as possible, minimizing uncertainty and preserving the availability of internal resources.

Illumant will guide a client through a security risk assessment that addresses the requirements prescribed by the regulations and guidelines. Through interviews, documentation reviews, and various technical, physical and social engineering assessments, Illumant will perform the following:
  • Scoping and data collection: Document all the applications, systems and places where ePHI is processed or handled, in what quantities, and with what risk.
  • Identification and documentation of reasonably anticipated threats to ePHI: Organizations must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI. Illumant has a comprehensive threat model, assembled from the state of the art in cyber-security risk management.
  • Assessment of current security/protection measures: The HIPAA Security Rule prescribes required and addressable safeguards for protecting ePHI. This part of the risk analysis documents compliance with the Security Rule and incorporates an assessment of an organization’s technical, administrative and physical safeguards.
  • Vulnerability assessment, penetration testing and social engineering (optional): To properly identify vulnerabilities and assess safeguards, Illumant performs technical vulnerability assessments, technical and physical penetration tests, physical inspections, and social engineering exercises (to test the awareness of employees to phishing attacks and other social engineering vectors). The results are documented in actionable reports detailing security issues and vulnerabilities along with remediation recommendations.
  • Assessment of likelihood/impact of threat occurrence: Based on the assets, threats and vulnerabilities above, Illumant will use its purpose-built risk assessment model to assess and compare the likelihood of any security threat successfully impacting the organization, and the potential magnitude of the impact such a threat could have.
  • Determination of the level of risk: Given the likelihoods and potential impacts of security threats to the organization, Illumant provides a determination of the overall risk to the organization and a ranking of the most dangerous threats and vulnerabilities and the most-at-risk assets. Furthermore, Illumant provides a cost-benefit analysis of remediation activities, in terms of the best use of resources to mitigate risk – which activities mitigate the most risk per unit of cost.
  • Policy and breach notification review: Illumant also analyzes breach notification processes, required by the HITECH Act, and other documented policies and procedures to ensure that they are in line with de facto practices at the organization, best practices, and HIPAA requirements.
  • Reporting: Finally, Illumant documents the risk analysis and security assessment in actionable reports that provide executive-level summaries as well as full technical details and remediation recommendations. These reports can be used to assert compliance.
The entire assessment can be performed remotely through interviews and document and artifact inspection, and all technical testing can be performed remotely via an on-site appliance to minimize disruption to the client (the sole exception is the optional physical assessment – physical pen testing and inspection).
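To make the likelihood/impact, level-of-risk and cost-benefit steps above concrete, here is an added illustration. It is not Illumant's purpose-built risk model (the page does not publish it) and not code from the original page: it is a generic 5x5 likelihood-by-impact scoring applied to a constructed ePHI inventory, with remediations ranked by risk reduced per unit of cost. The scales, thresholds, findings, costs and residual likelihoods are all assumed sample values.

```python
"""Qualitative likelihood-by-impact risk model for an ePHI inventory.

Added example. The 1..5 scales, the level thresholds, and every finding,
remediation and cost below are constructed sample values, not Illumant's
model or any real client's data.
"""
from dataclasses import dataclass

# Assumed qualitative scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    """One asset / threat / vulnerability triple from the data-collection step."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    @property
    def risk(self) -> int:
        """Inherent risk score, 1..25, as likelihood times impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Remediation:
    """A candidate safeguard: its relative cost and the residual likelihood
    it leaves for each finding it addresses (finding id -> likelihood key)."""
    name: str
    cost: float
    reduces: dict


def risk_level(score: int) -> str:
    """Map a 1..25 score to a level; thresholds are assumed, not from the page."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_findings(findings: dict) -> list:
    """Findings ordered from most to least risk (the 'most-at-risk assets' ranking)."""
    return sorted(findings.values(), key=lambda f: f.risk, reverse=True)


def total_risk(findings: dict) -> int:
    """Sum of inherent risk scores, a simple overall-risk figure for the organization."""
    return sum(f.risk for f in findings.values())


def risk_reduced(rem: Remediation, findings: dict) -> int:
    """Risk points removed by a remediation: inherent minus residual, summed over
    the findings it addresses, never counting a negative reduction."""
    reduced = 0
    for fid, new_likelihood in rem.reduces.items():
        f = findings[fid]
        residual = LIKELIHOOD[new_likelihood] * IMPACT[f.impact]
        reduced += max(0, f.risk - residual)
    return reduced


def rank_remediations(remediations: list, findings: dict) -> list:
    """(name, risk reduced, risk reduced per unit cost), best cost-benefit first."""
    rows = []
    for rem in remediations:
        reduced = risk_reduced(rem, findings)
        rows.append((rem.name, reduced, reduced / rem.cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample inventory (hypothetical assets, not real findings).
FINDINGS = {
    "f1": Finding("EHR database server", "external attacker", "unpatched remote service", "likely", "severe"),
    "f2": Finding("Clinician laptops", "device theft", "no full-disk encryption", "possible", "major"),
    "f3": Finding("Billing staff", "phishing", "no awareness training", "likely", "moderate"),
    "f4": Finding("Guest wireless", "unauthorized network access", "not segmented from clinical VLAN", "unlikely", "major"),
    "f5": Finding("Backup tapes", "loss in transit", "unencrypted media", "rare", "major"),
}

# Constructed candidate safeguards with assumed relative costs.
REMEDIATIONS = [
    Remediation("Patch management program", 3.0, {"f1": "unlikely"}),
    Remediation("Full-disk encryption", 2.0, {"f2": "rare", "f5": "rare"}),
    Remediation("Security awareness training", 1.0, {"f3": "possible"}),
    Remediation("Network segmentation", 4.0, {"f4": "rare"}),
]

if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{f.risk:>2} {risk_level(f.risk):<6} {f.asset}: {f.threat} via {f.vulnerability}")
    print("total inherent risk:", total_risk(FINDINGS))
    for name, reduced, ratio in rank_remediations(REMEDIATIONS, FINDINGS):
        print(f"{ratio:5.2f} risk/cost  {reduced:>2} reduced  {name}")
```

Note that the two rankings disagree: patching removes the most risk in absolute terms, but full-disk encryption removes more risk per unit of cost, which is the "most risk per unit of cost" ordering the cost-benefit step produces. The `max(0, ...)` guard keeps a remediation from being credited for a finding whose likelihood is already at the residual level (the backup tapes here).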

In summary, Illumant will identify and perform the necessary assessments and tests to assess the organization's protection of ePHI against security threats, to meet the compliance requirements of HIPAA, HITECH, and Meaningful Use, and to prevent security breaches.