HIPAA SECURITY RISK ASSESSMENT: WHAT WE’RE IMPROVING
FROM THE CEO:
“Transparency is paramount in all that we do.”
To our community,
At LifeWays, protecting the privacy and security of the individuals we serve is a responsibility we take seriously every day. As part of that commitment, we recently completed an independent, third-party HIPAA Security Risk Assessment to evaluate how well our systems, policies, and practices align with federal requirements for safeguarding sensitive health information.
The results of this assessment reflect a strong foundation. LifeWays achieved an overall compliance score of 79%, demonstrating that key administrative, physical, and technical safeguards are in place to protect electronic protected health information.
As with any comprehensive assessment, the review also identified opportunities for improvement. These findings were primarily related to strengthening internal processes—such as policy governance, access management, and monitoring practices—to ensure consistency, accountability, and long-term sustainability of our security program.
Importantly, this assessment did not identify any breaches or misuse of information. Instead, it provides a clear and actionable roadmap to further enhance our systems and reduce potential risk.
We are already actively addressing each of the identified areas through a structured 90-day remediation plan. Many of these improvements were underway at the time of the assessment, reflecting our ongoing commitment to continuous improvement.
Transparency remains paramount in all that we do. We are sharing the results of this assessment, along with our corrective actions, so our community can clearly see both where we stand and how we are strengthening our practices moving forward.
LifeWays remains committed to protecting the confidentiality, integrity, and availability of the information entrusted to us. We will continue to invest in strong safeguards, clear processes, and accountability at every level of our organization.
Thank you for your continued trust.
Cassandra Watson
CEO, LifeWays
ASSESSMENT RESULTS
LifeWays completed an independent, third-party HIPAA Security Risk Assessment evaluating compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
Overall Compliance Score: 79%
Total Gaps Identified: 10
Assessment Period: December 2025 – February 2026
Scope: Systems, applications, policies, procedures, and safeguards related to electronic protected health information (ePHI)
The assessment found that LifeWays has a strong foundational security posture, with many required administrative, physical, and technical safeguards already in place.
LifeWays’ HIPAA Security Risk Assessment reflects a point-in-time evaluation of how well our systems, policies, and practices align with federal HIPAA Security Rule requirements.
An overall score of 79% indicates that LifeWays has a solid foundation of safeguards in place to protect sensitive health information, including appropriate controls related to access, security awareness, and system protections.
The assessment also identified 10 specific gaps, primarily related to:
Policy and documentation consistency
Access management processes
Audit logging and monitoring practices
Data and device handling procedures
These findings do not indicate a breach or misuse of data, but rather highlight areas where processes and controls can be strengthened to reduce risk and improve long-term compliance.
Importantly, several of these improvements were already in progress at the time of the assessment, demonstrating ongoing efforts to enhance our security program.
LifeWays is actively implementing a structured 90-day remediation plan to address all identified gaps and strengthen our overall security posture.
The plan prioritizes actions based on risk, focusing first on areas that have the greatest impact on protecting sensitive information.
Immediate Priorities (0–30 Days)
Strengthen audit logging and incident response processes
Improve access controls and account management
Establish clear timelines for removing system access
Near-Term Improvements (31–60 Days)
Implement data and device disposal procedures
Strengthen documentation of risk assessments
Enhance integration of cybersecurity response into disaster recovery planning
Ongoing Improvements (61–90 Days)
Standardize policy review processes
Update and align documentation across systems
Strengthen governance and oversight practices
This phased approach ensures that higher-risk items are addressed first, while also building a more sustainable and consistent compliance framework over time.
CORRECTIVE ACTION PLAN
LifeWays has developed a comprehensive corrective action plan based on the findings of this assessment. The plan aligns with the third-party recommended 90-day remediation roadmap, which outlines specific actions, timelines, and accountability measures for each identified gap.
This roadmap is designed not only to resolve current findings, but to strengthen long-term security practices, improve audit readiness, and ensure continued protection of the individuals we serve.
LifeWays has been awarded the highest level of accreditation by CARF International.
LifeWays is also held to the highest level of care by our overseeing organization, Mid-State Health Network (MSHN).

