Frequently Asked Questions

Help, I need somebody!

Most of the time, you just need a little push in the right direction. We hope our support page will help you get there. If not, feel free to Contact Us.

Click on the topics below for step-by-step instructions:
  • I Forgot My Password
    • Navigate to https://login.hipaaone.com and click “forgot?”:
    • Enter your email address and the Captcha phrase on the Account Recovery page:
    • Click the secured link in the recovery email (it only works once) to open the Change Password page and regain access to HIPAA One:
    • The secured link can only be used once! If you still have issues, ensure your firewall has hipaaone.com white-listed (your IT person will know what to do). If you see the screen below when you click the email link to reset your password, repeat the steps above to receive a new secured email and link.

  • I Cannot Find My Completed Risk Analysis
    • Once the risk analysis is completed and the final report has been signed, the main Sponsor must add any participants back to the report as a “Reviewer” to access the Action Plan and work on risk items.
    • Click on the completed assessment from the main menu. Three buttons will appear for the Sponsor; click the “Reviewers” option (third green arrow below):

    • Click “Add Reviewer”:
    • Click “Add Reviewers” to add each participant who needs to access the report. The Sponsor may also delete participants here. Enter the participant’s name and email address as shown below:

    • The participant will receive an email with an invitation link; check the “junk folder” if the email does not appear in the inbox. The link in the email expires after 14 days.

  • Auto Reminders: Customize the 'Reply To:' Email Address
    • Update your organization’s reply-to email address by following these steps:
    • Click on the globe icon while in Organizations:

    • Enter the desired email address in the Proposed Value field, then click “Update Organization” as displayed below:

    • Once the email address has been added successfully, the screen should look like this:

  • Discussion: Using PnPs vs Employee Handbook in a Risk Analysis
    • Use this guide to determine when to reference the employee handbook and when to reference formal policies, as required on the questionnaire for completing the security risk analysis:
    • Employee Handbook – The handbook is written with employees as the intended audience. As such, the document has a straightforward layout for easy referencing of company policies and procedures. Additionally, it is a vehicle for familiarizing employees with basic company policies and benefit programs, as well as the general expectations of the company, including acceptable and unacceptable behavior and disciplinary measures.
    • Company Policies and Procedures – Different from the employee handbook, PnPs are more comprehensive and include details on every aspect of how the company conducts business around standards and regulations. Some procedures may be more detailed regarding how to follow those policies, as well as the documentation needed to complete each process. A PnP manual is essentially a reference tool for managers and supervisors, not for employees at large. It is much more complete in detail than the employee handbook and should be used as “back-up” when more information is needed to explain a policy or when a deeper understanding of a process is desired. As an added benefit for management, the manual can contain references to the federal and state laws that correlate to each policy, giving managers and supervisors access to the rationale for the policies and thus assisting them with enforcement. It may include forms, checklists, and sample documents to show administrators and managers how to handle specific workplace policies and situations.

  • Penetration Tests vs. Vulnerability Scans
    • The difference between a penetration test and a vulnerability scan can be difficult to understand. While both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.
    • Penetration Test – A penetration test simulates the actions of an external or internal cyber attacker (performed by an ethical hacker) who strives to breach the information security of an organization. Put simply, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.
    • Vulnerability Scan – Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network to identify security holes. By checking internet-facing devices against “known” Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify system weaknesses in computers, networks and communications equipment. Vulnerability scans are configured for safe checks, meaning the scan will only identify known, unpatched security vulnerabilities for the external IP addresses provided and will not conduct any denial of service (DoS). A free example of a vulnerability scan can be found at www.ssllabs.com; it focuses on encryption and certificate exchange.
    • There are many software options that may be used for vulnerability scanning, as certain tools are specific to different types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software, and one tool may not be all an organization needs. It is fairly standard for a hacker to use anywhere from 6-10 different software scans to speed up the process of identifying easy ways of bypassing application and infrastructure security controls.
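    • The following is an added illustration, not HIPAA One code or any real scanner, of the two points made above: a “safe check” scan only compares what it already knows about each host (version metadata) against a dictionary of known vulnerabilities, and its findings depend entirely on how complete that dictionary is. The inventory, both dictionaries and the EXAMPLE-000x identifiers are all constructed placeholders, not real hosts or CVE numbers.

```python
from dataclasses import dataclass


def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Tuples compare numerically; comparing the raw
    strings would wrongly rank '2.4.10' below '2.4.9', a classic scanner bug."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder identifier, not a real CVE number
    product: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first patched version (exclusive)
    severity: str

    def affects(self, version):
        """True when version lies in the affected range [introduced, fixed_in)."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


# Constructed asset inventory: the metadata a passive scan has already gathered
# (service banners, installed-package versions). Nothing here sends traffic.
INVENTORY = [
    {"host": "10.0.0.5", "product": "examplehttpd", "version": "2.4.3"},
    {"host": "10.0.0.6", "product": "examplehttpd", "version": "2.4.9"},
    {"host": "10.0.0.7", "product": "exampledb",    "version": "5.1.0"},
    {"host": "10.0.0.8", "product": "exampletls",   "version": "1.0.2"},
]

# Two constructed "CVE dictionaries". Dictionary B is a superset of A, standing
# in for a second tool with broader coverage.
DICTIONARY_A = [
    Advisory("EXAMPLE-0001", "examplehttpd", "2.4.0", "2.4.8", "high"),
    Advisory("EXAMPLE-0002", "exampledb",    "5.0.0", "5.2.0", "medium"),
]
DICTIONARY_B = DICTIONARY_A + [
    Advisory("EXAMPLE-0003", "exampletls",   "1.0.0", "1.1.0", "critical"),
    Advisory("EXAMPLE-0004", "examplehttpd", "2.4.0", "2.5.0", "low"),
]


def scan(inventory, dictionary):
    """Safe check: match each asset's product/version against the dictionary.
    Returns one finding per (asset, advisory) pair that matches."""
    findings = []
    for asset in inventory:
        for adv in dictionary:
            if adv.product == asset["product"] and adv.affects(asset["version"]):
                findings.append({
                    "host": asset["host"],
                    "product": asset["product"],
                    "version": asset["version"],
                    "vuln_id": adv.vuln_id,
                    "severity": adv.severity,
                    "fixed_in": adv.fixed_in,   # the remediation target
                })
    return findings


def coverage_gap(inventory, dict_a, dict_b):
    """Vulnerability ids the second dictionary reports that the first misses,
    i.e. what a single-tool scan would leave unreported on this inventory."""
    ids_a = {f["vuln_id"] for f in scan(inventory, dict_a)}
    ids_b = {f["vuln_id"] for f in scan(inventory, dict_b)}
    return sorted(ids_b - ids_a)


if __name__ == "__main__":
    for f in scan(INVENTORY, DICTIONARY_B):
        print(f"{f['host']:<10} {f['product']:<13} {f['version']:<7} "
              f"{f['vuln_id']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("missed by dictionary A:", coverage_gap(INVENTORY, DICTIONARY_A, DICTIONARY_B))
```

    • Run against the constructed inventory, dictionary A reports two findings and dictionary B five; the gap list shows exactly which identifiers the narrower tool would never surface, which is the practical reason the text recommends not relying on a single scanner.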

  • Accessing the Limited Access Death Master File
    • Question: When conducting a HIPAA Security Risk Analysis (SRA) for Limited Access Death Master File (LADMF) submission to the National Technical Information Service (NTIS), do I need to remediate all risks found during the SRA prior to requesting access to the LADMF?
    • Answer: You do not need to remediate during the SRA; however, upon completion the HIPAA One SRA will provide the risks along with detailed remediation steps covering how, who and when to fix them. The LADMF is the database, managed by NTIS, containing the authoritative record of deceased individuals. This information is typically used by payers to ensure claims for health care are not fraudulent. HIPAA One, through its array of internationally recognized professional designations, is an Accredited Conformity Assessment Body (ACAB) that may submit the form attesting that the applicant is who they say they are (i.e. not someone trying to access the LADMF to conduct fraud).
    • Here are the steps for reference; please see our blog at http://www.hipaaone.com/ladmf/ for more information.
    • In our experience, the NTIS typically responds within 48 hours, either with an acceptance granting the applicant LADMF database access or with a rejection and an explanation. It is also important to note that the HIPAA SRA does need to be completed before the application will be accepted by the NTIS.
      1. Pay the Fee – There is an annual fee of $1,575.00 for processing the LADMF Subscriber Certification Form; payment can be processed here: https://classic.ntis.gov/Search/Home/titleDetail?abbr=DMFCERT0002. Additionally, every three years a processing fee of $525.00 is required to have access to the LADMF ACAB Systems Safeguards Attestation Form.
      2. Complete Subscriber Form – After the payment has been accepted, complete and submit the LADMF Subscriber Certification Form at https://dmfcert.ntis.gov. Certification must be renewed each year.
      3. Order Number Assigned – Each organization is assigned a specific order number, which will be used on the ACAB Systems Safeguard Attestation Form.
      4. Form Completed – HIPAA One will fill out the ACAB form free of charge.
      5. Form Submitted – HIPAA One will submit the form on behalf of the client.