HIPAA Security Risk Assessment
MedConsult AI - Protected Health Information Security Analysis
Assessment Date: _________________ | Conducted By: _________________
1. Organization Information
2. PHI Inventory
Identify all systems, applications, and locations where Protected Health Information (PHI) is created, received, maintained, or transmitted. Include every third-party service that processes PHI on the organization's behalf: each such vendor is a business associate and must have a signed Business Associate Agreement (BAA) before PHI is sent to it (see Section 4).
| System/Application | PHI Types | Location | BAA in Place? |
|---|---|---|---|
| MedConsult AI Platform | Patient names, diagnoses, treatment plans | Vercel Cloud / Neon Database | ☐ Yes ☐ No |
| OpenAI API | Consultation text for AI processing | OpenAI servers | ☐ Yes ☐ No |
| Resend Email Service | Patient emails, follow-up summaries | Resend servers | ☐ Yes ☐ No |
| | | | ☐ Yes ☐ No |
| | | | ☐ Yes ☐ No |
3. Technical Safeguards Assessment
| Safeguard | Requirement | Status | Notes / Gaps |
|---|---|---|---|
| Access Control - Unique User IDs | Each user has unique login credentials; no shared accounts | ☐ Yes ☐ No ☐ Partial | |
| Access Control - Automatic Logoff | Sessions time out after 15 minutes of inactivity | ☐ Yes ☐ No ☐ Partial | |
| Audit Controls | All PHI access is logged with user, timestamp, action, and record accessed; logs are retained and protected from alteration | ☐ Yes ☐ No ☐ Partial | |
| Data Integrity Controls | Checksums or other integrity verification for stored and transmitted PHI | ☐ Yes ☐ No ☐ Partial | |
| Transmission Security - Encryption | TLS 1.2+ for all data in transit, including calls to the OpenAI and Resend APIs | ☐ Yes ☐ No ☐ Partial | |
| Encryption at Rest | Database encryption for stored PHI, including backups | ☐ Yes ☐ No ☐ Partial | |
| Authentication - MFA | Multi-factor authentication enabled for all user accounts | ☐ Yes ☐ No ☐ Partial | |
| Emergency Access Procedures | Documented procedures for emergency PHI access | ☐ Yes ☐ No ☐ Partial | |
4. Administrative Safeguards Assessment
| Safeguard | Requirement | Status | Notes / Gaps |
|---|---|---|---|
| Security Management Process | Formal security policies and procedures | ☐ Yes ☐ No ☐ Partial | |
| Assigned Security Responsibility | Designated Privacy/Security Officer | ☐ Yes ☐ No ☐ Partial | |
| Workforce Training | HIPAA training for all users | ☐ Yes ☐ No ☐ Partial | |
| Sanction Policy | Documented consequences for policy violations | ☐ Yes ☐ No ☐ Partial | |
| Contingency Plan | Data backup and disaster recovery procedures | ☐ Yes ☐ No ☐ Partial | |
| Business Associate Agreements | BAAs with all vendors handling PHI | ☐ Yes ☐ No ☐ Partial | |
| Incident Response Plan | Documented breach response procedures | ☐ Yes ☐ No ☐ Partial | |
5. Risk Analysis Matrix
For each identified risk, assess the likelihood and impact to determine priority.
| Risk Description | Likelihood | Impact | Risk Level | Mitigation Plan |
|---|---|---|---|---|
| Unauthorized access to patient records | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| Data breach via third-party vendor | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| Phishing attack on workforce member | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| Loss of data due to system failure | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| Improper disposal of PHI | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
| | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | | |
Risk Level is derived from Likelihood × Impact: High/High = Critical; High/Med or Med/High = High; Med/Med, High/Low or Low/High = Medium; all other combinations = Low. Every Critical or High risk should have a corresponding action item in Section 6.
6. Action Items & Remediation Plan
| # | Action Item | Responsible Party | Target Date | Status |
|---|---|---|---|---|
| 1 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 2 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 3 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 4 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 5 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 6 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 7 | | | | ☐ Open ☐ In Progress ☐ Complete |
| 8 | | | | ☐ Open ☐ In Progress ☐ Complete |
7. Assessment Sign-Off
By signing below, I certify that this risk assessment has been conducted in accordance with HIPAA Security Rule requirements (45 CFR 164.308(a)(1)(ii)(A)) and accurately reflects the current state of our organization's security posture.
Privacy/Security Officer: _________________ Signature / Date: _________________
Management Representative: _________________ Signature / Date: _________________