• General Factors
    • Organization Type
      Legal classification of the Assessed party.
    • Entity Type
      Type of organization as defined by HIPAA (e.g., covered entity or business associate).
  • Organizational Factors
    • Number of Records that are currently held
      Count of sensitive records within the scope of the Assessment.
    • Number of Individual Records that are processed annually
      Count of sensitive records received or transmitted yearly within the scope of the Assessment.
    • Number of Covered Lives (Payer)
      Count of individuals enrolled in health insurance plans.
    • Number of Admitted Patients annually (Hospital)
      Count of patients admitted for inpatient care in the past year.
    • Number of Licensed Beds (Hospital)
      Count of hospital beds available within the facilities in scope.
    • Number of Prescriptions Filled Annually (Pharmacy)
      Count of prescription orders fulfilled yearly.
    • Number of Patient Encounters Annually (Physician Practice)
      Count of patient visits (encounters) in the past year; a single patient seen several times counts as several encounters.
    • Number of Physicians on Staff (Physician Practice)
      Count of physicians employed by the Assessed organization.
    • Number of transactions received and sent annually (HIE)
      Count of sensitive transactions processed yearly.
    • Total Terabytes of Data Held (IT)
      Terabytes of sensitive data stored.
    • Volume of Data Exchanged Annually (Non-IT)
      Megabytes of sensitive data processed yearly.
  • Geographic Factors
    • Geographic Factors
      Geographic reach of the systems and facilities being Assessed.
  • Technical Factors
    • Does the system(s) store, process, or transmit PHI?
      Information systems that store, process, or transmit any protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA).
    • Is the system(s) accessible from the Internet?
      An information system connected to a public network such as the Internet; access generally requires an account that is authenticated and authorized for use.
    • Is the system(s) accessible by a Third Party?
      Information system access that is provided to third parties, e.g., customers, business partners or vendors (including the provider of the information system, applications, etc., for the purpose of operation, administration, or maintenance).
    • Does the system(s) transmit or receive data with a third party/business partner?
      Conducts transactions with a third party, e.g., customers, business partners, or vendors.
    • Is the system(s) accessible from a public location?
      Generally an information system or application that presents information to the public without specifically identifying the end user.
    • Are Mobile devices used in the environment?
      Laptops, mobile phones, tablets, and similar devices that store sensitive information and/or have access to information systems containing sensitive information.
    • Connects with or exchanges data with a Health Information Exchange (HIE)
      Connects with or otherwise conducts transactions with or through an HIE, where a transaction is defined as the electronic movement of health-related information among organizations according to nationally recognized standards, e.g., X12 EDI or HL7.
    • Number of interfaces to other systems
      The number of interfaces between a defined information system, application, or service and another, separately defined information system, application or service.
    • Number of users of the system(s)
      The number of users that have access to an information system, application or service.
    • Number of transactions per day
      The average number of transactions per day (i.e., a 24-hour period), computed annually, where a transaction is defined as an exchange of information between two parties to carry out financial, operational, or administrative activities.
  • Authoritative Factors
    • Subject to PCI Compliance
      Applicable when the scope of the assessment includes the processing (use, storage, transmission, etc.) of payment card (“credit card”) information.
    • Subject to FISMA Compliance
      Generally applies to Federal Agencies; NIST SP 800-53 control requirements may also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract’s contracting officer representative, COR, for more information).
    • Subject to FTC Red Flags Rule
      Required if the organization, in the regular course of business, obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with a credit transaction, or advances funds to or on behalf of a person, in certain cases.
    • Subject to the State of Massachusetts Data Protection Act
      According to 201 CMR 17.01(2), the provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth of Massachusetts.
    • Subject to the State of Nevada Security of Personal Information Requirements
      Applicable to “data collectors” in the State of Nevada, which according to NRS 603A.030 includes any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information (e.g., name, SSN, medical ID number; see NRS 603A.040).
    • Subject to the State of Texas Medical Records Privacy Act
      Applies to all “covered entities,” which according to TX Health & Safety Code Title 2, Subtitle I, § 181.001(2) includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site in the State of Texas; or any person that (1) comes into possession of protected health information of a Texas resident; (2) obtains or stores protected health information of a Texas resident under this chapter; or (3) is an employee, agent, or contractor of an entity or person so described.
    • Subject to Joint Commission Accreditation
      Applies to many types of health care organizations, including hospitals, doctor offices, nursing homes, office-based surgery centers, behavioral health treatment facilities, and providers of home care services that are accredited by the Joint Commission or seek to become accredited by the Joint Commission.
    • Subject to CMS Minimum Security Requirements (High-Level Baseline)
      Generally applies to Federal Agencies; NIST SP 800-53 control requirements may also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract’s contracting officer representative, COR, for more information).
    • Subject to MARS-E Requirements
      Applies only to Health Insurance Exchanges (HIXs) and requires compliance with the Minimum Acceptable Risk Safeguards for Health Insurance Exchanges (MARS-E).
    • Subject to FTI Requirements
      Applies to recipient agencies, agents, or contractors of Federal Tax Information (FTI); generally applies to organizations that use personal tax information to determine benefits or subsidies (e.g., welfare agencies, Health Insurance Exchanges (HIXs)).
    • Subject to the State of California Civil Code § 1798.81.5(a)(1)
      Is intended to apply to any profit or non-profit organization located anywhere in the world that collects personal information about a California resident; supports the CA Attorney General’s interpretation of “reasonable security” as, at a minimum, meeting the requirements specified in the Center for Internet Security (CIS) Critical Security Controls (CSC).
    • Subject to the HITRUST De-ID Framework Requirements
      Generally used to assess the protections afforded a de-identified data set in its intended use environment (e.g., processed, stored, transmitted) based on the criteria outlined in the HITRUST De-identification Framework.
    • Subject to EHNAC Accreditation
      Applies to organizations such as, but not limited to, electronic health networks, hospitals, physicians, financial services firms, state regulators, and vendors that are accredited or seeking to become accredited by the Electronic Healthcare Network Accreditation Commission (EHNAC).
    • Subject to CRR V2016
      Applies to organizations that are evaluating the operational resilience and cybersecurity capabilities within Critical Infrastructure and Key Resources sectors, as well as State, Local, Tribal, and Territorial governments.
    • Subject to Banking Requirements
      Applicable to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations that must assess their level of information security risk and evaluate the adequacy of controls and applicable risk management practices.
    • Subject to FedRAMP Certification
      Applies to cloud service providers that are required to obtain a security assessment from a third-party assessment organization (3PAO) to sell cloud services to a federal agency; may also be used voluntarily by cloud service providers and other entities that use their services to demonstrate a minimum level of due care and due diligence.
    • Subject to 21 CFR Part 11
      Applies to records required for clinical investigations of medical products that are maintained in electronic format in place of paper format, including all records that are necessary for FDA to reconstruct a study; records required for clinical investigations of medical products that are maintained in electronic format and where the electronic record is relied on to perform regulated activities; records for clinical investigations submitted to FDA in electronic format under predicate rules, even if such records are not specifically identified in FDA regulations; and electronic signatures required for clinical investigations intended to be the equivalent of handwritten signatures, initials, and other general signings.
    • Subject to EU GDPR
      Applies to all organizations processing the personal data of individuals in the European Union, regardless of the organization’s location.
    • Subject to 23 NYCRR 500
      Applicable to all companies within the state of New York that are operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.