I'm going to guess that based on some comments by folks both onlist and offlist, these folks have not gone through the tool from start to finish to include the questionnaire and then the associated risk analysis tool that also incorporates questionnaire responses. It's also obvious that some folks also don't understand the purpose of the toolkit though the purpose is clearly stated in the user's manual.
The tool is not a risk analysis tool and risk management tool in terms of the implementation specifications for these two requirements, this is evident and also not the intent of its structure.
However, it provides in my opinion an exceptional assessment tool for a small to medium (even larger sized) covered entities to use to assess their overall level of alignment and compliance with the Security Rule while also helping to develop an familiarity and understanding of the Rule's requirements.
Yesterday I walked through the tool with the Privacy and Security Officers of a multi specialty clinic and they both agreed that the tool and the resultant reports provided an excellent inventory of their current state with respect to HIPAA.
Other high points that folks have not mentioned:
- help documents that essentially can be used to create policies for each assessed section
- ability to add comments and link info to policies and procedures as needed
- ability to access the tool from any internet enabled computer (portability when doing multiple site assessments)
- simple to use
So now we are going to embark on a risk analysis and risk management assignment (often referred to as a risk assessment on list servs) and the information we obtained through the use of the tool will be very important in helping us get this done easily, quickly, and completely. To make it even easier, we are going to use the HIPAA Cow toolkit which is a risk analysis and risk management toolkit.
I am thinking of making the use of this CA tool a preliminary step with future clients because of the value it adds in walking folks through a basic assessment of where a covered entity (or business associate) has gaps that need to be addressed which may exist based on current policies and procedures.
Take this California tool and combine it with the HIPAA Cow Risk Analyssis and Risk Management toolkit and you have a winning combination.
Show Original Message