Free HIPAA tools and where to get them. Did you know there are free tools out there? I will let you know where to get some reputable tools, and how they can help you in your practice.

Tool #1 – A new tool, developed by the National Institute of Standards and Technology (NIST), is offered for free and can help you understand the requirements of the HIPAA Security Rule.

The free toolkit comes with a comprehensive User Guide and a self-contained, stand-alone software application that can run on Windows, Mac and Linux operating systems.

This is a great tool for making your work of protecting the privacy and security of your electronic health information more efficient.

This self-assessment tool presents a series of questions, grouped by each of the HIPAA Security Rule standards and implementation specifications. For simplicity, the toolkit follows the established HIPAA structure: administrative, physical and technical safeguards, organizational requirements, and policies, procedures and documentation requirements.

It is available at http://scap.nist.gov/hipaa/

Tool #2 – The Department of Health and Human Services has a free Security Risk Assessment (SRA) tool in the iTunes store, and you can download the app to your iPad or iPhone.

The tool guides you through the process of keeping your office safe and secure and getting your policies and procedures in order. It is basically meant to assist you in performing your own assessment. It takes a little time, but once you have it in order, it is easy to maintain.

Self-Assessments

There are many free HIPAA tools that offer self-assessments. Be careful not to pay for an assessment that you end up doing yourself. A good company that offers assessments will do most of the work for you. Yes, they will have many questions for you, but they will put together your policies and procedures, run reports, draw a network diagram and create inventory lists. If you want to do the assessment yourself, you can ask your IT staff to provide you with:

1. A complete fixed asset list

2. A network diagram

3. Active Directory information, i.e. users that have not logged in recently, accounts whose passwords never expire, etc.

4. A copy of the antivirus reports for all workstations

5. Proof of patch management

6. Failed login attempts

7. User behavior analysis

8. Vulnerability scans

9. Staff training records
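As an added example (not from the original post or from any of the tools named above), the following PowerShell script is one way IT staff could produce three of the items on this list as CSV files for the HIPAA binder: inactive Active Directory users, accounts whose passwords never expire, and failed logon attempts. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain controller with read access to the Security event log, and that the 90-day inactivity window, the 7-day logon window and the output folder are choices you would adjust for your practice.

```powershell
# Added example: gather AD and logon evidence for a HIPAA self-assessment.
# Assumptions: RSAT ActiveDirectory module available; run on a domain controller
# as a user who can read AD and the Security log. Thresholds and paths are assumed.
Import-Module ActiveDirectory

$OutDir       = 'C:\HIPAA-Evidence'   # assumed folder for the binder files
$InactiveDays = 90                    # assumed inactivity threshold
$Stamp        = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enabled user accounts that have not logged on within the threshold
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path (Join-Path $OutDir "inactive-users-$Stamp.csv") -NoTypeInformation

# 2. Enabled user accounts whose password is set to never expire
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
           -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName |
    Export-Csv -Path (Join-Path $OutDir "password-never-expires-$Stamp.csv") -NoTypeInformation

# 3. Failed logon attempts (Security event ID 4625) from the last 7 days
$Since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event's XML payload
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            Status      = $data['Status']
        }
    } |
    Export-Csv -Path (Join-Path $OutDir "failed-logons-$Stamp.csv") -NoTypeInformation
```

The three CSV files are the kind of reports a non-IT owner can review for exceptions and then file, dated, in the HIPAA binder.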

If you are a non-IT person, you don't have to analyze these reports yourself. Your IT staff will do it for you. You just have to make sure any issues they find are addressed, and file the reports in your HIPAA binder.

When you do the HIPAA training, make sure all users sign a sheet stating that they were trained and the date of the training. Make sure you do the training every year, and upon hiring.

If you have any questions, please feel free to contact Tier3MD.