This document outlines the criteria for a case study assignment on HIPAA and IT audits. It provides weighting and evaluation criteria for multiple sections involving analyzing HIPAA regulations, describing necessary network architecture and controls, and creating a network diagram. Students would be evaluated on creating an overview of HIPAA rules, analyzing common incident types, describing technical and non-technical controls, comparing hospital to non-medical compliance, listing IT audit steps, including references, and drawing a network diagram demonstrating a compliant architecture.

1. Points: 125
Case Study 2: HIPAA and IT Audits
Criteria
Unacceptable
Below 70% F
Fair
70-79% C
Proficient
80-89% B
Exemplary
90-100% A
Section 1: Written Paper
1a. Create an overview of the HIPAA Security Rule and Privacy
Rule.
Weight: 10%
Did not submit or incompletely created an overview of the
HIPAA Security Rule and Privacy Rule.
Partially created an overview of the HIPAA Security Rule and
Privacy Rule.
Satisfactorily created an overview of the HIPAA Security Rule
and Privacy Rule.
Thoroughly created an overview of the HIPAA Security Rule
and Privacy Rule.
1b. Analyze the major types of incidents and breaches that
occur based on the cases reported.
Weight: 10%
Did not submit or incompletely analyzed the major types of
incidents and breaches that occur based on the cases reported.
Partially analyzed the major types of incidents and breaches that
occur based on the cases reported.
Satisfactorily analyzed the major types of incidents and
breaches that occur based on the cases reported.
Thoroughly analyzed the major types of incidents and breaches
that occur based on the cases reported.

2. 1c. Analyze the technical controls and the non-technical
controls that are needed to mitigate the identified risks and
vulnerabilities.
Weight: 10%
Did not submit or incompletely analyzed the technical controls
and the non-technical controls that are needed to mitigate the
identified risks and vulnerabilities.
Partially analyzed the technical controls and the non-technical
controls that are needed to mitigate the identified risks and
vulnerabilities.
Satisfactorily analyzed the technical controls and the non-
technical controls that are needed to mitigate the identified
risks and vulnerabilities.
Thoroughly analyzed the technical controls and the non-
technical controls that are needed to mitigate the identified
risks and vulnerabilities.
1d. Analyze and describe the network architecture that is
needed within an organization, including a medium-sized
hospital, in order to be compliant with HIPAA regulations.
Weight: 10%
Did not submit or incompletely analyzed and described the
network architecture that is needed within an organization,
including a medium-sized hospital, in order to be compliant
with HIPAA regulations.
Partially analyzed and described the network architecture that is
needed within an organization, including a medium-sized
hospital, in order to be compliant with HIPAA regulations.
Satisfactorily analyzed and described the network architecture
that is needed within an organization, including a medium-sized
hospital, in order to be compliant with HIPAA regulations.
Thoroughly analyzed and described the network architecture
that is needed within an organization, including a medium-sized
hospital, in order to be compliant with HIPAA regulations.
1e. Analyze how a hospital is similar to and different from other
non-medical organizations in regards to HIPAA compliance.
Weight: 10%

3. Did not submit or incompletely analyzed how a hospital is
similar to and different from other non-medical organizations in
regards to HIPAA compliance.
Partially analyzed how a hospital is similar to and different
from other non-medical organizations in regards to HIPAA
compliance.
Satisfactorily analyzed how a hospital is similar to and different
from other non-medical organizations in regards to HIPAA
compliance.
Thoroughly analyzed how a hospital is similar to and different
from other non-medical organizations in regards to HIPAA
compliance.
1f. List the IT audit steps that need to be included in the
organization’s overall IT audit plan to ensure compliance with
HIPAA rules and regulations.
Weight: 10%
Did not submit or incompletely listed the IT audit steps that
need to be included in the organization’s overall IT audit plan
to ensure compliance with HIPAA rules and regulations.
Partially listed the IT audit steps that need to be included in the
organization’s overall IT audit plan to ensure compliance with
HIPAA rules and regulations.
Satisfactorily listed the IT audit steps that need to be included
in the organization’s overall IT audit plan to ensure compliance
with HIPAA rules and regulations.
Thoroughly listed the IT audit steps that need to be included in
the organization’s overall IT audit plan to ensure compliance
with HIPAA rules and regulations.
1g. 3 references
Weight: 5%
No references provided
Does not meet the required number of references; some or all
references poor quality choices.
Meets number of required references; all references high quality
choices.
Exceeds number of required references; all references high

4. quality choices.
1h. Clarity, writing mechanics, and formatting requirements
Weight: 10%
More than 6 errors present
5-6 errors present
3-4 errors present
0-2 errors present
Section 2: Network Architecture
2a. Create a network architecture diagram based on the
description of the network architecture that you defined above
for the organization to be compliant with HIPAA regulations.
Weight: 15%
Did not submit or incompletely created a network architecture
diagram based on the description of the network architecture
that you defined above for the organization to be compliant with
HIPAA regulations.
Partially created a network architecture diagram based on the
description of the network architecture that you defined above
for the organization to be compliant with HIPAA regulations.
Satisfactorily created a network architecture diagram based on
the description of the network architecture that you defined
above for the organization to be compliant with HIPAA
regulations.
Thoroughly created a network architecture diagram based on the
description of the network architecture that you defined above
for the organization to be compliant with HIPAA regulations.
2b. Include in the diagram the switches, routers, firewalls,
IDS/IPS, and any other devices needed for a compliant network
architecture.
Weight: 10%
Did not submit or incompletely included in the diagram the
switches, routers, firewalls, IDS/IPS, and any other devices
needed for a compliant network architecture.
Partially included in the diagram the switches, routers,
firewalls, IDS/IPS, and any other devices needed for a
compliant network architecture.

5. Satisfactorily included in the diagram the switches, routers,
firewalls, IDS/IPS, and any other devices needed for a
compliant network architecture.
Thoroughly included in the diagram the switches, routers,
firewalls, IDS/IPS, and any other devices needed for a
compliant network architecture.