Hybrid Entity Risk Assessments

The purpose

The Rutgers Risk, Policy and Compliance Hybrid Entity Risk Assessment process analyzes identified hybrid entities under the Health Insurance Portability and Accountability Act (HIPAA), that is, units whose business activities include both covered and non-covered functions within the institution.

Rutgers Covered Entity: The collective term for all units, schools or departments that meet the definition of a “Covered Entity” under 45 CFR 160.103. These units are required to follow HIPAA regulations, including the HITECH Act (2009), the Omnibus Rule (2013) and related state and federal law.

The process

The purpose of the hybrid risk assessment application is to understand the current framework and environment and to identify risks by evaluating the information and data obtained. All relevant information is considered by default, and the assessment should include the following steps:

  • Review current safety protocols, practices, guidelines and procedures.
  • Analyze each asset’s threats and vulnerabilities, including their impact and likelihood.
  • Map threats to asset vulnerabilities to identify the combinations that matter. A single vulnerability, or several, may be associated with each threat; there is no risk to an asset unless a threat can exploit a vulnerability it actually has.
  • Develop practical technical recommendations to address the vulnerabilities identified and reduce the level of security risk.
  • Produce and submit a risk assessment report.