2009 HIPAA Risk Assessment Inventory

Purpose:

The purpose of this document is to identify and capture relevant inventory information for Emory systems that store, process, or transmit ePHI. This may include servers, workstations, devices (such as mobile phones, PDAs, lab equipment, medical devices, etc.), and infrastructure components that play a significant role in controlling access to ePHI (such as firewalls, LDAP authentication servers, Active Directory servers, etc.).

A HIPAA Risk Assessment of each identified system (or group of like systems) will be required following the completion of the 2009 HIPAA Risk Assessment Inventory process. Systems that will not continue to store, process, or transmit ePHI after 5/31/2009 will not be required to complete a HIPAA Risk Assessment in 2009; however, they should still be included in this inventory.

Complete this table once for each individual submitting an Inventory
School/Business Unit: / <List the school or Business Unit for which this inventory is being completed>
Assessor: / <Identify the individual completing this inventory>
Responsible Party: / <Identify the individual responsible for HIPAA compliance of the systems identified in this inventory>
Please complete one table for each server, workstation, or device that stores, processes, or transmits ePHI. Also complete one table for each infrastructure component that plays a significant role in controlling access to ePHI. This table may be completed once for multiple systems of the same type that are essentially identical (same hardware, same applications installed, same services running, etc.) as long as the System Name, IP Address, Location, Network Jack, and Network Zone are identified uniquely for each system.
Workstations
System Name: / <List all DNS names, NetBIOS names, and any other aliases or assigned names>
IP Address: / <List all IP addresses assigned to this system>
Location (site): / <Identify the physical site where this system resides>
Network Jack: / <List all network jacks utilized by this system>
Network Zone: / <Identify the network zone within which this system resides>
Purpose: / <Describe the purpose of this system and all applications installed>
Description: / <Provide a brief description of the system>
Hardware Make and Model (Virtual or Physical): / <List the make and model of all major hardware components of the system.>
Operating System(s): / <List the operating system name, version, and major patch revision level (e.g. Windows 2003 Server – service pack 2)>
Operating System services running: / <List the native operating system services running on the system>
Applications installed: / <List all applications installed on the system. Applications could include web servers, database servers, web applications, client/server applications, antivirus software, remote management software, etc. Applications may be internally developed custom applications or commercial off-the-shelf software>
Business Owner: / <Identify the Business Owner of the system. See Role Definitions below.>
System Owner: / <Identify the System Owner for the system. See Role Definitions below.>
Technical Owner: / <Identify the Technical Owner for the system. See Role Definitions below.>
System Administrator: / <Identify the System Administrator for the system. If appropriate, different system administrators may be identified for different components of the system (e.g. hardware, OS). See Role Definitions below.>
Application Administrator: / <Identify the Application Administrator for each application installed on the system. See Role Definitions below.>
System Criticality: / <Choose from Mission Critical (Critical), Mission Important (Important), or Mission Supportive (Valued). See definitions below.>
Disaster Recovery Required: / <yes/no>
Disaster Recovery Window: / <If DR is required, enter the timeframe within which this system must be fully recovered in the event of a disaster.>
Emergency Mode Operations Required: / <yes/no>
Last Risk Assessment Date: / <Identify the date of the last risk assessment for this system>
Will system continue to house ePHI after 5/31/2009? / <yes/no>
For each site in your survey other than the datacenters in NDB and 1599, please provide the following information:
Site / <Provide the name of the site>
Address / <Provide the address of the site>
Building / <Provide the building name where the site is located>
Floor / <Provide the floor where the site is located>
Room / <Provide the room number of the site>
Person responsible for space / <Provide the name, telephone number, and email address of the individual responsible for the site>
Facility manager / <Provide the name, telephone number, and email address of the facility manager for the site>

Role Definitions:

Application Administrator – The application administrator is the individual responsible for the proper operational configuration, management, and functioning of one or more applications. This role is usually a staff-level IT or functional position within the business unit.

Business Owner – The business owner is the business executive or leader who is accountable for the primary business functions performed by the system. This role will usually be a director level or higher role within the institution.

System Administrator – The system administrator is the individual responsible for the proper operational configuration, management, and functioning of one or more information technology components of the system, such as an operating system, server, database, etc. This role is usually a staff-level IT position within either the functional unit or central IT.

System Owner – The system owner is the functional unit leader who is responsible for the system and its proper functioning. This role is responsible for ensuring that the system meets the business needs of the institution, including complying with relevant institutional policies. The System Owner is also responsible for determining appropriate roles and permissions for users of the system, and for ensuring appropriate use of the system. This role will usually be a director- or manager-level position within the functional unit responsible for the business functions performed by the system.

Technical Owner – The technical owner is the individual who is responsible for ensuring that the technical information technology components of the system are properly implemented and managed effectively. Information technology components may include operating systems, servers, applications, databases, networks, etc. This role is usually a manager- or director-level IT staff member within either the functional unit or central IT.

System Criticality Definitions:

Mission Critical – Automated information resources whose failure would preclude the unit from accomplishing its core business operations.

Mission Important – Automated information resources whose failure would not preclude the unit from accomplishing core business processes in the short term (a few hours), but would cause failure in the mid to long term (a few hours to a few weeks).

Mission Supportive – Automated information resources whose failure would not preclude the unit from accomplishing core business operations in the short to long term (a few hours to a few weeks), but would have an impact on the effectiveness or efficiency of day-to-day operations.

Attestation:

I, the undersigned, attest that the information provided within this HIPAA Risk Assessment Inventory is truthful and accurate to the best of my knowledge. I further understand that any intentional misrepresentation is punishable by disciplinary action, up to and including termination of employment.

Name (printed): ______Signature: ______Date: ______

Assessor

Name (printed): ______Signature: ______Date: ______

Responsible Party