HIPAA Assessment

What type of HIPAA Assessment do you need?


Maintaining compliance requires a lot of effort. To obtain compliance or remain compliant, an organization must at least annually review its compliance status, strategies, training, policies and procedures, and assess whether or not there are risks, threats or vulnerabilities to protecting the confidentiality, integrity and availability of protected health information (PHI). Caris has assisted organizations with their assessments for Privacy, Security Risk Analysis and Security Evaluations for more than 10 years. See more about these assessments below.

Privacy Assessment - PHI Trail


The key to all assessments is identifying how the organization is using and disclosing protected health information (PHI). This is the first layer of the "onion", so to speak.


Within the Caris PHI Trail, we create a map to identify:

  • The patient's experience at your facility or organization;

  • How PHI is used and disclosed throughout the patient experience;

  • What systems or processes are used to create, modify, access, receive, store, transmit or maintain PHI in paper or electronic format;

  • Business Associates or subcontractors that are used to conduct covered functions and activities for or on your behalf involving the use or disclosure of PHI;

  • Business Associate or subcontractor agreements that are in place or are required; and

  • The supporting controls, documents, policies and procedures that have been developed, implemented and trained on to integrate compliance into daily activities.

Security Risk Analysis

Both a technical and a non-technical Security Risk Analysis are required on an annual basis for all covered entities and business associates. Caris partners with industry-leading technology firms to complete the technical risk analysis that is required under 164.308 (a)(1) of the HIPAA Security Rule. Services can include:

  • Non-Technical Assessment - the review of each Security standard and implementation specification to identify the existing controls, policies and procedures, and whether or not there are risks, threats or vulnerabilities to protecting the confidentiality, integrity and availability of electronic protected health information (e-PHI). This does not include a test of the actual controls in place.

  • Technical Assessment - the review of the controls, systems and/or applications in place to secure data at rest, data in use and data in motion. Caris partners with industry leaders for technical review of the systems used, vulnerability testing and penetration testing.

Call Caris to schedule your assessment today at (920) 639-6615.


Once the initial technical and non-technical evaluation has occurred via the Security Risk Analysis described above, 164.308 (a)(8) Evaluation requires subsequent reviews to be completed in response to environmental or operational changes affecting the security of e-PHI. These reviews establish the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.


Caris has created an Excel workbook that mirrors the Office of Civil Rights documentation for an audit or review, documenting the:

  • HIPAA Security standard;

  • Implementation specifications (addressable and required);

  • Intent behind the rule itself based on comments, responses and industry knowledge;

  • Results and findings from the completed assessment;

  • Status of compliance for the requirement, met or deficient;

  • Controls already in place;

  • Modifications that may be needed to existing controls;

  • Policies or procedures to support the standard or implementation specification;

  • Prioritization of risk (high, medium and low) based on level of exposure for non-compliance, risk to confidentiality, integrity or availability of e-PHI and existing controls to mitigate the risk;

  • Prioritization for implementation (high, medium and low) based on the prioritization of risk and the resources available (people, budget and technology) to cure the risk or non-compliance.