HIPAA Risk Assessment Report

A HealthFirst compliance trainer will create and email this report to your main office email address. It is federally required to be completed annually.
Download or print and save in your preferred method when completed.
A copy of this will also be available in the top navigation bar of your HIPAA program when completed.
Click on the link provided in the HIPAA RISK ASSESSMENT REPORT email. You will be required to customize these areas of your report:

List all of your Vendors that have signed the required HIPAA Business Associate Agreement. (BAA). These are vendors that “see or use” your Patient Protected Health Information (PHI), in the course of providing service to your office. Reference the bottom of page 176 in your 2024 HIPAA Manual to see an explanation of specific vendors. You can create your initial list on page 176, then re-enter those same vendors in the first section of your online Risk Assessment Report.

This part of the report requires that you list by Location, Serial Number, and Manufacturer all electronic devices that “accesses or stores” electronic Protected Health Information (ePHI). (i.e.: computers, laptops, tablets, copiers, fax machine, etc). Please ask your IT Tech for a listing of your facilities Serial Numbers or you can use the attached INSTRUCTIONS FOR FINDING SERIAL NUMBERS. (PDF)

3. Employees
This will be a list of Employees who handle ePHI: As you have your team members login to OnTraq this section will fill in with their names as they enter them. Make sure all team members that handled ePHI are all listed as well.