HIPAA Security Risk Assessment: Why your server set-up matters

Thank you for allowing us to run your HIPAA Security Risk Assessment.  

The HIPAA Security Rule requires covered entities (CEs) to perform a security risk analysis as part of their security management process, so that they can implement policies and procedures to prevent, detect, contain, and correct security violations. It is best practice to run a HIPAA Security Risk Assessment annually, since the Security Rule also requires CEs to establish a plan for periodic technical and nontechnical evaluation of their policies and procedures, especially in response to environmental or operational changes that can affect the security of electronic protected health information (e-PHI).

As part of your annual HIPAA Security Risk Assessment, we perform a technical evaluation of your security infrastructure. Because your server is set up in a workgroup rather than a domain environment, we were unable to assess your full network (i.e., the surrounding workstations). As a result, our risk assessment cannot appropriately determine whether you have and apply reasonable and appropriate controls across your full network.
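The following PowerShell check is an added example, not part of the original assessment letter: run on the server, it reports whether the machine is domain-joined and therefore whether workstations can be enumerated centrally for a network-wide assessment. It assumes Windows PowerShell 5.1 or later and, for the domain branch, the RSAT ActiveDirectory module; the function name Get-AssessmentScope is hypothetical.

```powershell
# Added example: decide the reachable assessment scope from the server's
# membership (domain vs. workgroup). Assumes Win32_ComputerSystem is available
# and, when domain-joined, the RSAT ActiveDirectory module for enumeration.
function Get-AssessmentScope {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [ordered]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        DomainOrGroup = $cs.Domain          # domain FQDN, or the workgroup name (e.g. WORKGROUP)
        Scope         = 'Per-workstation'   # default for a workgroup server
        Workstations  = @()
    }

    if ($cs.PartOfDomain) {
        # Domain membership lets the assessor list every joined computer centrally,
        # which is what makes a full-network evaluation possible.
        $result.Scope = 'Domain-wide'
        if (Get-Module -ListAvailable -Name ActiveDirectory) {
            $result.Workstations = Get-ADComputer -Filter * |
                Select-Object -ExpandProperty Name
        }
    }
    else {
        # In a workgroup there is no directory to enumerate the surrounding
        # workstations; each one has to be assessed individually.
        $result.Workstations = @()
    }

    [pscustomobject]$result
}

Get-AssessmentScope | Format-List
```

A `Scope` of `Per-workstation` with an empty `Workstations` list is exactly the situation described above: the server alone can be evaluated, and the workstations must each be reviewed separately.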

Please note that the Security Rule requires CEs to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI; therefore, you must decide whether setting up your network as a domain is reasonable and appropriate for your practice. However, in order to perform a full network assessment, we strongly urge you to set up your network as a domain, so that you are able to assess whether your safeguards prevent, detect, contain, and correct security violations.

As an alternative to setting up your server on a domain, you should have a local IT professional assess each individual workstation.