Risk Assessment › Administrative Safeguards

Security Management Process

1. Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
2. Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, training and compliance?
3. Has your organization disseminated your Risk Assessment policies and procedures?
4. Has your organization disseminated its Risk Assessment procedures to the work staff/offices with the associated roles and responsibilities?
5. Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?
6. Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
7. Has your organization identified the types of information and uses of that information and has the sensitivity of each type of information been evaluated?
8. Has your organization identified all information systems that house ePHI?
9. Does your organization's inventory include all hardware and software that are used to collect, store, process, or transmit ePHI, including Excel spreadsheets, Word tables, and other similar data storage?
10. Are all the hardware and software, for which your organization is responsible, periodically inventoried, including Excel spreadsheets, Word tables, and other like data storage?
11. Has your organization identified all hardware and software that maintain or transmit ePHI, including Excel spreadsheets, Word tables, and other similar data storage, and included it in your inventory?
12. Does your organization's inventory include removable media, remote access devices, and mobile devices?
13. Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?

Implementation Specifications: Security Management

1. Has your organization reviewed all processes involving ePHI, including creating, receiving, maintaining, and transmitting it?
2. Has your organization reviewed the risk analysis and other implementation specifications for the security management process?
3. Does your organization have any prior risk assessments, audit comments, security requirements, and/or security test results?
4. Does your organization have current and planned controls formally documented? What are they?
5. Has your organization assigned responsibility to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
6. Does your organization have an analysis of current safeguards and their effectiveness relative to the identified risks?
7. Are any of your organization's facilities located in a region prone to any natural disasters, such as earthquakes, floods, or fires? Others?

Risk Management

1. Does your organization have policies and procedures in place for security?
2. Do your organization's current safeguards ensure the confidentiality, integrity, and availability of all ePHI?
3. Do your organization's current safeguards protect against reasonably anticipated uses of ePHI that are not permitted by the HIPAA Privacy Rule?
4. Has your organization protected against all reasonably anticipated threats or hazards to the security and integrity of ePHI?
5. Does your organization have a formal and documented system security plan?
6. When your organization creates new security controls, do you make sure that they will work with your organization's existing IT architecture?
7. Does your organization have a formal and documented contingency plan?
8. Does your organization have a communication plan or a process for communicating policies and procedures to your appropriate workforce members and offices?
9. Does your organization review and update your policies, procedures and standards as needed and when appropriate?
10. Has your organization assured compliance with all policies and procedures by all your staff and workforce?
11. Has your organization developed a training schedule for your Risk Management Program?

Sanction Policy

1. Does your organization have in place a formal and documented process, plus policy and procedures that address system misuse, abuse, and any fraudulent activities with your organization's ePHI?
2. Has your organization made all your staff, employees, and workforce aware of your processes, policy and procedures (concerning sanctions for inappropriate access, use, disclosure, and transmission of ePHI)?
3. Does your organization have a tiered structure of sanctions that takes into consideration the magnitude of harm to your organization and the individual whose ePHI is at risk, and the possible types of inappropriate disclosures?
4. Does your organization have a process, procedure or communication plan for how and when your managers and staff, employees and workforce will be notified of suspected inappropriate activity?

Information System Activity Review

1. Does your organization have a formal, documented systems activity process and procedures?
2. Does your organization have someone, or an office/department, that is responsible for the overall systems activity review process, procedures and results? Who or what office?
3. Does your organization review your information systems activity periodically? How often? What are the exceptions to the process that change the review period?
4. Does your organization analyze your systems activity reviews/reports periodically? How often?
5. Does your organization review exception reports and logs?
6. Does your organization use mechanisms and measures to assess the effectiveness of your review process? What mechanisms and measures do you use?
7. Does your organization file electronic and/or paper monitoring reports, and how are these reports monitored?
8. Does your organization have a sanction policy for staff, employee or workforce violations?

Assigned Security Responsibility

1. Does your organization have a complete Security Officer job description that accurately reflects the security duties and responsibilities? Does it include all areas addressed in the questions for this security standard?
2. Have all your organization's staff, employees, workforce, offices and departments been notified of the name and office to contact with a security problem?

Workforce Security

1. Has your organization implemented policies and procedures to ensure that any and all staff, employees, and workforce members have appropriate, and only appropriate, access to ePHI; and to prevent the staff, employees, and workforce members who do not have access to ePHI from obtaining access to ePHI?

Implementation Specifications: Workforce Security

1. Has your organization reviewed the workforce security implementation specifications?

Authorization and/or Supervision

1. Has your organization implemented procedures for authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed?
2. Has your organization defined roles and responsibilities for all job functions?
3. Has your organization assigned appropriate levels of security oversight, training and access to each role?
4. Does your organization have a documented list detailing who has the business need and permission to view, alter, retrieve, and store ePHI, as well as the times, circumstances and purposes that permit the individual's access and use of ePHI?
5. Does your organization have written job descriptions that correlate with appropriate levels of access?
6. Does your organization have an established set of qualifications for each job description?
7. Does your organization check a candidate's qualifications against a specific job description?
8. Has your organization determined that each candidate for a specific position can perform the tasks for that position?
9. Has your organization established chains of command and lines of authority for workforce security?
10. Has your organization established a process for maintenance personnel authorization and maintained a current list of authorized maintenance organizations and personnel?
11. Has your organization made your work staff aware of the identity and roles of their supervisors?
12. Has your organization provided staff, employees, and workforce members with a copy of their job descriptions, and informed them of the access granted to them and the conditions under which this access can be used?

Workforce Clearance Procedure

1. Does your organization do background checks, such as a Criminal Offender Record Information (CORI) check, if appropriate in the circumstances?
2. Does your organization check an applicant's employment and educational references, if this is reasonable for such a job description?
3. Does your organization have a process and strategy that supports your organization's authorities who are permitted to designate and grant access to ePHI?
4. Does your organization have formal and documented procedures for obtaining the necessary and appropriate sign-offs within your organizational structure to both grant and terminate access to ePHI?

Termination Procedures

1. Does your organization have a standard set of procedures to recover access control devices, including identification badges, keys and access cards from staff, employees and workforce members when their employment ends?
2. Does your organization have procedures for deactivating computers, other electronic tools and access accounts, and for disabling user IDs and passwords?
3. Does your organization need and have separate termination procedures for voluntary termination, including retirement, promotion, transfer, or change of employment internal to your organization, versus involuntary termination, including for cause, reduction in force, involuntary transfer, and criminal or disciplinary actions?
4. Does your organization have a standard checklist of action items for completion when a staff, employee, or workforce member leaves your employment, such as: requiring the return of all access devices and other electronic tools, like computers, PDAs and cellphones; deactivating logon accounts, including remote access; and retrieving any data/information from under the control of the staff, employee or workforce member?

Information Access Management

1. Has your organization implemented policies and procedures that authorize your staff, employees and workforce members' access to ePHI and that protect the use and disclosure of that ePHI?

Isolating Health Care Clearinghouse Functions

1. Does your organization have a component that functions as a health care clearinghouse?
2. Has your organization formally documented your finding that one part of your organization is a health care clearinghouse?
3. Has your organization reviewed the isolating clearinghouse functions implementation specifications?
4. Has your organization's health care clearinghouse developed and implemented policies and procedures that protect the clearinghouse ePHI from unauthorized access by the other parts of your organization?
5. Does your organization's clearinghouse share hardware or software with the larger organization of which it is a part?
6. Does your organization's clearinghouse share staff or physical space with staff from the larger organization?
7. Has your organization established a separate network or subsystem for your organization's clearinghouse?
8. Have your organization's clearinghouse staff, employees, and workforce been trained to safeguard ePHI from disclosure to your larger organization?

Access Authorization

1. Has your organization formally documented how access to ePHI will be granted to your staff, employees, and workforce members?
2. Has your organization formally documented the basis for restricting access to ePHI?
3. Has your organization formally documented your ePHI access control method(s)? Does your organization use identity-based, role-based, biometric-based, proximity-based, other means of access, or a combination of access methods?
4. Do your organization's job descriptions accurately reflect assigned duties, responsibilities and enforcement of segregation of duties?
5. Does your organization grant your staff, employees and workforce members remote access to ePHI?
6. Has your organization determined if direct access to ePHI will be granted to third parties external to your organization, including business partners, other providers, health plans, patients and members (to their own ePHI), and others?
7. Do your organization's IT systems have the capacity to set access controls?
8. Does your organization use stronger access controls for sensitive data?

Access Establishment and Modification

1. Has your organization formally documented the standards you use to grant a staff member, employee, or workforce member access to a workstation, laptop, transaction, program, process, and other tools and mechanisms?
2. Does your organization have security access controls policies and procedures? Are they updated regularly?
3. Does your organization provide formally written and documented authorization from the appropriate manager before granting access to sensitive information?
4. Are your organization's staff, employees and workforce members' duties separated so that only the minimum necessary ePHI, based on the specific job description, is made available upon request?
5. Does your organization have authentication mechanisms to verify the identity of the user accessing the system?
6. Does your organization's management regularly review the list of access authorizations, including remote access authorizations, to verify that the list is accurate and has not been inappropriately altered?

Security Awareness and Training

1. Has your organization formally determined and documented your security training needs?
2. Does your organization interview key staff when assessing your security training needs?
3. Did your organization's assessment include the security training needs related to handling sensitive data and other similar information?
4. Has your organization determined what awareness, training and education programs are needed, and which programs will be required?
5. Has your organization outlined content and audience training priorities?
6. Have you conducted a training program assessment?
7. Have you documented the findings of your training program assessment?
8. Does your organization's training strategy and plan include an outline of your organization's specific policies and procedures that require security awareness and training?
9. Does your organization's training strategy and plan include the scope of the awareness and training program?
10. Does your organization's training strategy and plan include your goals?
11. Does your organization's training strategy and plan include your target audience(s)?
12. Does your organization's training strategy and plan include learning objectives?
13. Does your organization's training strategy and plan include deployment methods?
14. Does your organization's training strategy and plan include evaluation of the training through designated measurement techniques?
15. Does your organization's training strategy and plan include the frequency of training?
16. Does your organization's training strategy and plan include a consideration of compliance dates and the HITECH Act Updates?
17. Does your organization have a process and/or procedure in place to ensure that everyone in your organization receives security awareness training?
18. Does your organization have a plan in place for training to address specific technical topics based on job descriptions and responsibilities?
19. Does your organization train your non-employees, such as contractors, interns, volunteers, and others?
20. Has your organization selected topics to be included in your training content, materials and methods?
21. Does your organization incorporate new information from email advisories, daily news web sites, periodicals, and other sources into your training content and materials when reasonable and appropriate?
22. Does your organization use different types of media and venues for your security awareness training? What types, and how many different types, of media and venues does your organization use for security awareness training, such as computer-based training, on-site training, electronic and paper publications, or others? Please name them.
23. Has your organization given each staff, employee, and workforce member a copy of your security policies and procedures, and do they know where to find them on your internal web or server or other place?
24. Do your organization's staff, employees and workforce members know whom to contact in case of a security incident and the procedures to handle the incident?
25. Do your organization's staff, employees and workforce members know and understand the consequences of their noncompliance with your organization's security policies and procedures?
26. Do your organization's staff, employees and workforce members know how to handle physical security and information security issues with a laptop, PDA, tablet, smartphone, and/or other similar tools?
27. Does your organization continuously research security issues and security training? Do you update your security training content, materials and evaluation with the new information?
28. Has your organization scheduled and conducted the training outlined in your training strategy and plan, and how often has your organization done security training since the publication of the HIPAA Security Rule?
29. Does your organization have sanctions to impose on staff, employees and workforce if they do not complete the required security training?
30. Does your organization keep your security awareness and training program current by updating it periodically? What is the review and update period?
31. Does your organization conduct new or additional security training whenever changes occur in either technology or practices?
32. Does your organization have a new hire security awareness, technology and information systems training plan?

Implementation Specifications: Security Reminders

1. Has your organization reviewed the security reminder implementation specifications?

Security Reminders

1. Does your organization provide periodic security updates to your staff, employees, workforce, business associates and contractors/vendors?
2. Does your organization already have methods in place or that you use to keep your staff, employees, workforce, business associates and contractors/vendors updated and aware of security updates? What are those methods?
3. Does your organization provide security awareness training with all new hires before they are given access to ePHI?

Protection from Malicious Software

1. Has your organization trained your staff, employees, and workforce members in procedures for: guarding against, detecting and reporting malicious software; monitoring log-in attempts and reporting discrepancies; and creating, changing and safeguarding passwords?

Security Incident Procedures

1. Has your organization implemented policies and procedures for any security incidents?

Implementation Specification: Response and Reporting

1. Has your organization documented incident response procedures that can provide your organization with a single point of reference to guide the day-to-day operations of the incident response team?
2. Has your organization determined how it will respond to a security incident? Is there a formally documented policy and procedure?
3. Has your organization incorporated into your security awareness training efforts the job-description roles and responsibilities of your staff, employees and workforce members for: guarding against, detecting, and reporting malicious software; monitoring log-in attempts and reporting discrepancies; and creating, changing and safeguarding passwords?
4. Has your organization reviewed incident response procedures with the staff, employees, and workforce members whose roles and responsibilities are related to incident response? Do you and your workforce members solicit suggestions for improvement and make changes to reflect input that is reasonable and appropriate?
5. Do your organization's staff, employees and workforce members know the importance of timely application of system patching to protect against malicious software and exploitation of vulnerabilities?
6. Does your organization monitor log-in attempts? Do your staff, employees and workforce members know of this monitoring?
7. Has your organization analyzed the incidents and created a mitigation plan that is working to decrease risks and vulnerabilities?
8. Does your organization have a process or procedure for reporting and handling security incidents?
9. Has your organization prioritized your key functions to determine what would need to be restored first in the event of a disruption?
10. Does your organization update the incident response procedures when your organization needs or experiences a change?
11. Has your organization told your staff, employees and workforce members how to and where to report a security incident?
12. Has your organization developed standard incident reporting templates to ensure that all necessary information related to an incident is documented and investigated?
13. Has your organization determined if a standing incident response team is required?
14. Has your organization determined what information will be disclosed to the media, and when?
15. Does your organization have an identified list of both internal and external persons, and their contact information, who should be informed if a security incident has occurred?
16. Does your organization have mitigation options for security incidents?
17. Do your organization's staff, employees, and workforce members know where and to whom to report log-in discrepancies?
18. Has your organization named an individual, or several individuals, to speak for your organization to the media, law enforcement, clients, business partners and others?
19. Do your organization's staff, employees, and workforce members understand their roles and responsibilities in selecting a password of appropriate strength, changing the password periodically as required, and safeguarding their password?
20. Does your organization review your current procedures to determine whether they were adequate and appropriate for responding to a particular security incident, and make updates and changes as necessary?
21. Does your organization's incident response team or individual keep documentation of security incidents and their outcomes, including the weaknesses exploited and how access to information was gained?
22. Does your organization employ malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means?

Contingency Plan

1. Has your organization defined your overall contingency objectives? Does it include a listing of all areas that use ePHI?
2. Has your organization established your organization's contingency plan framework, roles and responsibilities?
3. Does your organization's contingency policy and plan address scope, resource requirements, training, testing, plan maintenance and backup requirements?
4. Does your organization's policy and plan outline what critical services must be provided within specific time frames?
5. Does your organization's policy and plan identify and outline cross-functional dependencies to determine how failure in one system impacts other system(s)?
6. Has your organization outlined scenarios and identified preventive measures (measures you can take now) for each scenario that could result in the loss of a critical service involving the use of ePHI?
7. Has your organization brainstormed and outlined alternatives for continuing operations if you lose a critical function or a critical resource? Remember there are physical resources like offices, desks, copiers and paper; electronic resources like computers, servers, a connection to the Internet and phones; and human resources. Have you brainstormed what your human resources would need if they are going to do manual chores instead of electronic chores and are going to operate 24/7?
8. Has your organization researched the cost of preventive measures being considered?
9. Are the preventive measures you are considering affordable and practical for the environment?
10. Does your organization have an emergency coordinator who manages, maintains and updates the contingency plan?
11. Do your organization's staff, employees, and workforce members know who your emergency coordinator is and how to contact him or her?
12. Does your organization have an emergency call list and has it been distributed to all staff, employees, and workforce members?
13. Does your organization have a determination of when your contingency plan needs to be activated? Is it triggered by anticipated duration of outage, loss of capability, or impact on service delivery? Other?
14. Does your organization have plans, procedures, and agreements initiated or in place if the preventive measures need to be implemented?
15. Has your organization finalized a set of contingency procedures that can be invoked for all identified impacts, including emergency mode of operation?
16. Does your organization have documented procedures related to recovery from emergency or disastrous events?

Implementation Specifications: Data Backup and Disaster Recovery Plans

1. Has your organization reviewed the data backup plan and disaster recovery plan implementation specifications?

Data Backup Plan

1. Does your organization's contingency plan address disaster recovery and backup?
2. Has your organization established and implemented procedures to create and maintain retrievable exact copies of ePHI?
3. Has your organization established and implemented procedures to restore any loss of ePHI?
4. Has your organization documented all your data backup procedures and made them available to all your staff, employees, and workforce members?
5. Does your organization have individuals, or an office, named and responsibilities assigned to conduct backup activities?

Emergency Mode Operation Plan

1. Has your organization established and implemented, when needed, procedures to enable continuation of critical business processes for the security of ePHI while your organization is operating in emergency mode?
2. Has your organization identified your key activities and developed procedures to continue these key activities during an emergency?
3. Has your organization also identified critical functions that use ePHI?
4. During an emergency, would different staff/employees, facilities or systems be needed to perform these critical functions?
5. Can your organization assure the security of the ePHI in the alternative mode(s) of operation?

Testing and Revision Procedures - Contingency Plan

1. Has your organization established and implemented, as needed, procedures for periodic testing and revision of your organization's contingency plan?
2. Has your organization tested its contingency plan on a predefined cycle?
3. Has your organization trained your staff/employees with defined plan responsibilities in their roles?
4. Does your organization include external entities, including vendors, alternative site and service providers, in your testing exercises?
5. Has your organization determined how the plan will be tested? Will it be a tabletop exercise, a real operational scenario or some other method?
6. Does your organization's testing lend itself to phased testing based on the assessment of business impact and acceptability of sustained loss of service?
7. Does your organization test during normal business hours?
8. Does your organization's testing take place during off hours?
9. Does your organization test your plan periodically? How frequently does your organization test its plan?
10. Does your organization have a timeline on when the contingency plan should be revised?

Applications and Data Criticality Analysis

1. Has your organization identified the critical services or operations, and the manual and automated processes that support them, involving ePHI?
2. Has your organization determined what hardware and software and personnel are critical to your organization's daily business operations?
3. Has your organization determined the impact on desired service levels if these critical assets are not available?
4. Has your organization outlined what the nature and degree of impact on your operations will be if any of the critical resources are not available?
5. Has your organization determined the amount of time your organization can tolerate disruption to these operations, materials and/or services?
6. Has your organization determined what, if any, support is or can be provided by external providers, including ISPs, utilities, or contractors?
7. Has your organization established cost-effective strategies for recovering these critical services, resources, or processes?

Evaluation

1. Does your organization have any existing reports or documentation, previously prepared or created, that address the compliance, integration, or maturity of any particular security safeguard(s) deployed to protect ePHI, which you can leverage for this evaluation?
2. Has your organization established a frequency for security evaluations, and disseminated this information to your entire organization?
3. Do your organization's security policies specify that security evaluations will be repeated when environmental and operational changes, such as technology updates, are made that affect the security of ePHI?
4. Does your organization's frequency of security evaluation policies reflect any and all federal laws, regulations, and guidance documents that impact environmental or operational changes affecting the security of ePHI?
5. Do your organization's corporate, legal, and regulatory compliance staff, employees, or workforce members participate when you conduct your analysis?
6. Has your organization considered management, operational, and technical issues in your evaluation?
7. Has your organization performed a periodic technical and nontechnical evaluation, based initially upon the standards implemented?
8. Has your organization decided if your evaluation will be conducted by your internal staff and resources or by external consultants, or by a combination of internal and external resources?
9. Do any of your organization's staff, employees or workforce members have the technical experience to evaluate your systems?
10. Do your staff, employees, or workforce members have the training necessary on security technical and non-technical issues?
11. Has your organization outlined the necessary factors to be considered in selecting an outside vendor, including credentials and experience?
12. Does your organization use a strategy and tool that considers all the elements of the HIPAA Security Rule, including all standards and implementation specifications?
13. Do the elements of each of your organization's evaluation procedures, including questions, statements and other components, address individual, measurable security safeguards of ePHI?
14. Has your organization determined which security procedures must be tested in more than one system?
15. Has your organization determined in advance what departments and staff, employees, and/or workforce members will participate in your security evaluation?
16. Does your organization have senior management support for your security evaluation, and have they stated the need for everyone within your organization to participate in and support your security evaluation?
17. Has your organization included staff, employees, or workforce members with IT knowledge in your security evaluation team and used them during your evaluation?
18. Has your organization collected and documented all information needed for your security evaluation through interviews, surveys, and the output of automated tools (for example, audit logging tools and penetration testing results)?
19. Has your organization conducted penetration testing?
20. Has your organization formally communicated your security evaluation process to your staff, employees, and workforce members who have assigned roles and responsibilities in your evaluation process?
21. Does your organization use automated tools to collect data and otherwise support your organization's evaluation process?
22. Does your organization's evaluation process support the development of security recommendations?
23. Has your organization documented each security evaluation finding, outlined remediation options and recommendations, and recorded remediation decisions?
24. Has your organization documented the known security gaps after your security evaluation between the known risks and your mitigating security controls, and any acceptance of risk, including your organization's justification?
25. Has your organization developed a security program with established priorities and targets for continuous security improvement?
26. In determining the best way to present evaluation results, have your organization's written reports highlighted the key findings and recommendations to be considered?
27. Does your organization circulate your final report to key staff, employees, and workforce members?
28. Do you have a process and/or procedures in place to make sure that the document is available only to those designated to receive it?

Business Associate Contracts and Other Arrangements

1. Does your organization have business associates?
2. Does your organization have business associate contracts?
3. Do your organization's business associate agreements (as written and executed) contain sufficient language to ensure that required information types are protected, including the 2009, 2010, and 2011 HITECH Act updates and inclusions?
4. Has your organization identified the individual or department who is responsible for coordinating the execution of your organization's business associate agreements and other such agreements?
5. Does your organization periodically review and reevaluate your list of business associates to determine who has access to ePHI in order to assess whether your list is complete and current?
6. Has your organization named your systems and functions covered by the contract/agreement?
7. Are your organization's outsourced functions also covered by contracts/agreements?
8. Are your organization's off-shore functions also covered by contracts/agreements?
9. Has your organization executed new and updated existing agreements or arrangements when necessary and appropriate?
10. Do your organization's agreements and other arrangements include your business associate(s) roles and responsibilities for the ePHI?
11. Do your organization's agreements and other arrangements include security requirements that address confidentiality, integrity and availability of ePHI?
12. Do your organization's agreements and other arrangements include security requirements that meet all the HIPAA Security Rule requirements per the HITECH Act?
13. Do your organization's agreements and other arrangements include the appropriate training requirements, as necessary?
14. Do your organization's agreements and other arrangements specify how ePHI is to be transmitted to and from the business associate?
15. Do your organization's agreements and other arrangements specify necessary security controls?
16. Does your organization conduct periodic security reviews on your business associates or covered entities?
17. Has your organization established criteria for measuring contract performance?
18. Does each of your organization's contracts or agreements include what service is being performed by the business associate?
19. Does each of your organization's contracts or agreements include the outcomes expected of the business associate?
20. Does your organization have in place a process for reporting security incidents related to the agreement?
21. Does your organization have in place a process to periodically evaluate the effectiveness of the business associate's security controls?
22. Does your organization have a process in place for terminating the contract, and has the business associate been advised what conditions would warrant termination?
23. If your organization's business associate is a federal, state, or local government entity you may use a Memorandum of Understanding (MOU) to share ePHI. Do you have or need to create an MOU? And if so, does your MOU state all required safeguards for sharing ePHI?
24. Does your organization know all the laws and regulations governing the use of ePHI by the governmental business associate?

Risk Assessment › Physical Safeguards

Facility Access Controls

1. Does your organization have facility access controls, policies and procedures?
2. Does your organization have policies and procedures regarding access to and use of your facilities and equipment?
3. Has your organization developed, disseminated, and periodically reviewed/updated a formal, documented physical and environmental protection policy that addresses the purposes, scope, roles, responsibilities, management commitment, coordination among organizational entities and functions, and compliance?
4. Does your organization have formal, documented procedures to facilitate implementation of the physical and environmental protection policy and associated physical and environmental controls?
5. Does your organization have an inventory of your facilities?
6. Have you identified the vulnerabilities in your current physical security capabilities and assigned degrees of significance to each identified vulnerability?
7. Has your organization determined which types of locations require access controls to safeguard ePHI, such as: data centers, peripheral equipment centers, IT staff offices, workstation locations, and others?
8. Does your organization have locks and cameras in nonpublic areas and are these reasonable and appropriate security controls?
9. Are all your organization's workstations protected from public access and viewing?
10. Are all your organization's entrances and exits that lead to locations with ePHI secured?
11. Do normal and usual physical protections exist, such as locks on doors and windows?
12. Has your organization identified and assigned responsibility for the measures and activities necessary to correct deficiencies and ensure that proper access is allowed?
13. Has your organization developed and deployed policies and procedures to ensure that repairs, upgrades and/or modifications are made to your buildings and offices while ensuring that only proper access is allowed?
14. Does your organization need to update your facility access control policies and procedures?
15. Has your organization trained your staff, employees, and workforce members in your facility access controls and procedures?
16. Do your organization's staff, employees, and workforce members need facility access controls and procedures refresher training?
17. Does your organization document your correction measures decisions and actions? How?
18. Has your organization developed and kept a current list of personnel with authorized access to the facility where the information systems reside?
19. Does your organization issue authorization credentials, such as badges, identification cards or smart cards, for the facilities where the information systems reside?
20. Does your organization periodically review and approve the access list and authorization credentials, removing from the access list personnel no longer requiring access?
21. Does your organization enforce physical access authorization for all physical access points, including designated entry/exit points, to the facility where the information system resides?
22. Does your organization verify individual access authorization before granting access to the facility?
23. Is a workforce member other than the Security Officer responsible for your organization's facility and physical security?
24. Does your organization control entry to the facility containing the information system using physical access devices and/or guards?
25. Does your organization periodically inventory physical access devices?
26. Does your organization change combinations and keys periodically and when keys are lost, combinations compromised, or individuals are transferred or terminated?
27. Does your organization control physical access to information system distribution and transmission lines, including locked wiring closets, disconnected or locked spare jacks, and protection of cabling by conduit and cable trays?

Contingency Operations

1. Does your organization have a contingency operations plan?
2. Has your organization determined who needs access to your facilities and offices in the event of a disaster?
3. Has your organization named in your contingency plan who is responsible for access to ePHI during a disaster? Who is that individual?
4. Has your organization named who is responsible for implementing the contingency plan for access to ePHI in each department, unit, and other office designation? Who is that individual?
5. Will your organization's contingency plan be appropriate for all types of potential disasters, such as fire, flood, and earthquake?
6. Will your organization's contingency plan be appropriate for all your facilities?
7. Does your organization have a backup plan for access to your facility and/or the ePHI?

Facility Security Plan

1. Has your organization implemented measures to provide physical protection for the ePHI in your possession?
2. Does your organization have documentation of your facility inventory, physical maintenance records, the history of physical changes, upgrades, and other modifications?
3. Does your organization's inventory identify points of access to your facilities and the existing security controls used in these areas?
4. Does your organization have procedures for securing your facilities, including the exterior, the interior, and your equipment?
5. Is a workforce member of your organization other than the Security Officer responsible for the facility plan?
6. Does your organization have a facility security plan in place, under revision, or under development?
7. Does your organization periodically review your security plan for the information system?

Access Control and Validation Procedures

1. Does your organization have policies and procedures in place for controlling and validating access to your facilities by staff, employees, workforce members, visitors, and probationary employees?
2. Does your organization monitor physical access to the information system to detect and respond to physical security incidents?
3. Does your organization periodically review physical access logs?

Maintenance Records

1. Has your organization developed and implemented policies and procedures to document repairs and modifications to the physical components of your facilities specifically related to security?
2. Has your organization developed, disseminated, and periodically reviewed and updated your formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance?
3. Does your organization have formal, documented procedures to facilitate the implementation of your information system maintenance policy and associated system maintenance controls?
4. Does your organization maintain records of repairs to hardware, walls, doors, and locks?
5. Has your organization assigned responsibility to an individual or office for the maintenance of repair and modification records?
6. Does your organization control all maintenance activities, whether performed on-site or remotely and whether the equipment is serviced on-site or removed to another location?
7. Does your organization require that the designated official explicitly approve the removal of the information system or system components from your organization's facilities for off-site maintenance or repairs?
8. Does your organization sanitize equipment to remove all information from associated media prior to removal from your organization's facilities for off-site maintenance?
9. Does your organization obtain support and/or spare parts for your organization's security critical information systems components or key information technology components within a designated time period of failure?

Workstation Use

1. Does your organization have workstation use policies and procedures?
2. Has your organization developed and implemented policies and procedures for proper use and performance of all types of workstations, including for day-to-day operations?
3. Does your organization have an inventory of workstation types and locations within your organization?
4. Has your organization included all types of computing devices in your inventory of workstations, such as laptops, PDAs, tablets (iPads), smartphones, and others?
5. Has your organization named an individual or office responsible for this inventory and its maintenance?
6. Has your organization developed and implemented policies and procedures for each type of workstation device, including accommodating their unique issues?
7. Has your organization classified your workstations based on their capabilities, and defined the tasks commonly performed on a given workstation or type of workstation?
8. Has your organization identified key operational risks that could result in a breach of security from all types of workstations, and trained your staff, employees, and workforce members on predictable breaches?
9. Does your organization have policies and procedures that will prevent unauthorized access of unattended workstations, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed?
10. Has your organization trained your staff, employees or workforce members in the security requirements for ePHI use in their day-to-day jobs?
11. Does your organization document allowed methods for remote access to the information system?
12. Does your organization monitor for unauthorized remote access to the information system?
13. Does your organization authorize remote access to the information system prior to the connection?
14. Does your organization establish usage restrictions and implementation guidance for organization-controlled mobile devices?
15. Does your organization monitor for unauthorized connections of mobile devices to your organization's information system?
16. Does your organization issue specifically configured mobile devices to individuals traveling to locations that your organization deems to be of significant risk in accordance with organizational policies and procedures?

Workstation Security

1. Does your organization have workstation security physical safeguards in place?
2. Has your organization documented the different ways workstations are accessed by staff, employees, workforce members, and non-employees?
3. Are any of your organization's workstations located in public areas?
4. Does your organization use laptops and tablets (iPads) as workstations? Do you have specific policies and procedures for such workstations?
5. Has your organization determined which type(s) of access holds the greatest threat to security?
6. Has your organization reviewed the areas of your workstations to determine which areas are more vulnerable to unauthorized use, theft, or viewing of the data? Do you do this review periodically?
7. Has your organization implemented physical safeguards and other security measures to minimize the possibility of inappropriate access of ePHI through workstations, including locked doors, screen barriers, cameras, and guards?
8. Does your organization protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures?

Device and Media Controls

1. Does your organization have device and media controls, policies and procedures?
2. Does your organization protect and control your defined types of digital and non-digital media during transport outside of controlled areas using your organizational security measures?
3. Does your organization maintain accountability for information system media during transport outside of controlled areas?
4. Does your organization restrict the activities associated with transport of such media to authorized personnel?

Disposal

1. Does your organization have disposal policies and procedures?
2. Does your organization have disposal policies and procedures for PHI on paper and any other non-electronic mediums?
3. Has your organization developed and implemented policies and procedures that address the disposal of ePHI and/or the hardware and electronic media on which it is stored, including the appropriate methods to dispose of hardware, software and the data itself?
4. Does your organization have a process to ensure that ePHI is properly destroyed and cannot be recreated?
5. Does your organization keep ePHI on removable devices such as CDs, DVDs, zip drives and/or tablets (iPads)? If you have removable media, do you have policies and procedures for data disposal on these tools?

Media Re-use

1. Does your organization have procedures for the removal of ePHI from electronic media before the media are made available for reuse, including assuring that ePHI is properly destroyed and cannot be recreated?
2. Does your organization have one individual or department responsible for coordinating data disposal and reuse of hardware and software across your enterprise?
3. Does your organization train your staff, employees, and workforce members on the security and risks of ePHI destruction and reuse of software and hardware?

Accountability

1. Does your organization keep a record of the movement of hardware and software both inside your organization and when it leaves your facility, and do you have an individual or office responsible for this task?
2. Does your organization have an inventory of the type of media that are used to store ePHI, and is it updated periodically?
3. Does your organization permit your staff, employees, and workforce members to remove electronic media that contains or can be used to access ePHI; does your organization have procedures to track the media externally?

Data Backup and Storage

1. Does your organization create an exact copy of ePHI if needed before you move the equipment?
2. Does your organization maintain backup files off-site to assure data availability in the event that data is lost while transporting or moving electronic media containing ePHI?
3. Does your organization have an inventory of what business process(es) would be impacted and for how long if data were unavailable while media was being moved?

Risk Assessment › Technical Safeguards

Access Control

1. Does your organization have technical access control policies and procedures?
2. Has your organization identified all applications, systems, servers and other electronic tools that hold and use ePHI?
3. Has your organization outlined the user roles for the applications, systems, servers and other electronics identified to hold and use ePHI?
4. Has your organization determined where the ePHI supporting electronic tools are currently housed (i.e. laptop, network, etc.)?
5. Are any of your organization's systems, networks, or data accessed remotely?
6. Has your organization identified an approach for access control?
7. Has your organization determined the access capabilities of all your electronic tools that hold and create ePHI, such as viewing data, modifying data, deleting data, and creating data?

Unique User Identification

1. Does your organization have a formal access control policy that guided the development of access control procedures?
2. Has your organization developed and implemented access control procedures?
3. Do your organization's access control procedures cover: 1) initial access, 2) increased access, and 3) access to systems and applications other than those the user currently has?
4. Has your access control policy, including the rules of user behavior, been communicated to your system users?
5. Has your organization outlined how user compliance with your access control policy will be enforced?
6. Has your organization determined who will manage the access control procedures?
7. Does your organization train your users in access control procedures and management?
8. Does your organization train new employees/users in your access control policy and procedures, and other instructions for protecting ePHI?
9. Does your organization have procedures for new employee/user access to your data and systems?
10. Does your organization have procedures for reviewing and, as appropriate, modifying access authorization for existing users?
11. Has your organization determined how a user identifier should be established, such as length and content, and communicated this information to your staff, employees, and workforce members?
12. Has your organization determined if the user-identifier should be self-selected or randomly generated and whether or not it changes for different types of data?
13. Can your organization trace all system activity, viewing, modifying, deleting and creating of ePHI, to a specific user?
14. Does your organization record each time ePHI is viewed, modified, deleted or created in an audit tool to support audit and other business functions?

Emergency Access Procedure

1. Does your organization have procedures for obtaining necessary access to ePHI during an emergency?
2. Does your organization have a policy on when access procedures should be activated?
3. Does your organization's policy name the person, role, or office that makes the decision to activate your emergency access procedures?
4. Does your organization have procedures and a method for supporting continuity of operations when normal access procedures are disabled or unavailable due to system problems?
5. Will your organization's systems automatically default to settings and functionalities that enable the emergency access procedures, or will they need to be activated by a system administrator or other authorized individual?

Automatic Logoff

1. Does your organization have an electronic procedure that automatically terminates an electronic session after a predetermined time of inactivity?
2. Has your organization inventoried your electronic tools for automatic logoff capabilities?
3. Has your organization determined the period of inactivity prior to triggering the automatic logoff?
4. Has your organization determined if the period of inactivity prior to triggering the automatic logoff is different for specific parts of your organization?
5. Has your organization developed and built in-house tool(s) that have automatic logoff capabilities or can they be modified to include automatic logoff capabilities?

Audit Controls

1. Has your organization determined the appropriate scope of audit controls that are necessary to protect your information systems and tools that contain ePHI, based on your risk assessment?
2. Has your organization determined what data will need to be captured by your audit controls and in your audit logs, such as user IDs and event type, date, and time?
3. Has your organization determined where your ePHI is at risk within your organization and when you transmit it outside your organization?
4. Does your organization have an inventory of what systems, applications, processes, servers, laptops, PDAs, tablets (iPads) and other electronic tools make data vulnerable to unauthorized or inappropriate tampering, uses or disclosures of ePHI?
5. Will your audit controls monitor: the creating, reviewing, updating and deleting of ePHI? Any others?
6. Has your organization evaluated your existing system’s capabilities in the last 12 months and determined if any changes or upgrades are necessary?
7. Does your organization have tools in place for auditing data review, creation, deletion and updates, as well as for firewall system activity and other similar activities?
8. Has your organization determined which monitoring tools are most appropriate for your organization, such as third-party tools, freeware, operating-system-provided tools, or home-grown tools?
9. Does your organization's evaluation include determination of what changes and upgrades to your monitoring tools are reasonable and appropriate?
10. Does your organization have a process and communication plan to tell your staff, employees, and workforce members about your organization's decisions to re-audit and review their use of ePHI?
11. Has your organization named a person, role or office as the responsible party for your overall audit process and its results?
12. Has your organization determined the period when audits will be performed?
13. Has your organization determined the type of audit trail data it will need, and the monitoring procedures used to derive exception reports and other reports?
14. Has your organization determined how your exception reports and logs will be reviewed?
15. Will your organization file and maintain your monitoring reports? Where?
16. Does your organization have a formal, documented process in place to address your systems and tools misuse, abuse, and fraudulent activity?
17. Does your organization have a plan to notify your managers and other staff, employees, and workforce members regarding suspect activity?
18. Is your audit system activated on all your systems, servers, network(s), tools, and other similar areas?
19. Has your organization begun your logging and auditing procedures?
20. Has your organization determined how often the audit results will be analyzed?
21. Has your organization implemented mechanisms to assess the effectiveness of your audit process and what metrics are being used? What are they?
22. Does your organization have a plan to revise your audit process when needed?

Integrity

1. Does your organization have integrity policies and procedures?
2. Does your organization have a list of all your organization users who are authorized to access ePHI?
3. Has your organization established a basis for assigning specific individuals (roles) access to ePHI based on need, such as necessary for job task?
4. Has your organization identified all approved users with the ability to alter or destroy data?
5. Have your organization's users been trained on how to use ePHI?
6. Does your organization have audit trails established for all accesses to ePHI?
7. Has your organization determined what can be done to protect the ePHI when it is at rest in your systems and tools?
8. Does your organization have policies and procedures that are used to decrease or eliminate alteration of ePHI during transmission, such as encryption?
9. Does your organization have a formally documented set of integrity requirements that is based on your analysis of use, users and misuses of ePHI and your risk analysis?
10. Has your integrity policy been communicated to the appropriate workforce members (ePHI users)?
11. Are your organization's current audit, logging, and access control techniques and methods sufficient to address the integrity of ePHI?
12. If your organization's current techniques and methods are not sufficient, are there additional techniques and methods that you can apply to check ePHI integrity, such as quality control process, transaction and output reconstruction? What are these additional techniques and methods?
13. Can your organization provide additional training to decrease the number of integrity incidents attributable to human error?

Implementation Specification: Mechanism to Authenticate ePHI

1. Does your organization have in place electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner?
2. Does your organization use both electronic and non-electronic mechanisms to protect ePHI?
3. Does your organization use authentication mechanisms, such as error-correcting memory, magnetic disc storage, digital signatures, and checksum technology? Others?
4. Does your organization's information integrity process, as currently implemented, provide a high level of assurance that information integrity is being maintained?
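Questions 13 and 14 under Unique User Identification (tracing every view, modification, deletion and creation of ePHI to a user), the Audit Controls questions on what an audit log captures and how exception reports are derived, and the checksum question above all rest on the same mechanics. The following Python is an added illustration written for this page, not part of the checklist or of any HIPAA guidance: it keys each ePHI event to a user ID, event type and timestamp, chains the entries with an HMAC so later editing or deletion of the log is detectable, tags stored records the same way, and derives a simple exception report. The authorized-user list, roles, key and sample events are constructed.

```python
"""Added illustration (not part of the checklist): a hash-chained ePHI audit
trail with an exception report, plus an HMAC tag for stored ePHI records."""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed example data: the organization's authorized ePHI users and
# their roles, and a demo key.  In production the key lives in a secret store
# separate from the log, so whoever can edit the log cannot re-sign it.
AUTHORIZED_USERS = {"nurse.alice": "nurse", "dr.bob": "physician",
                    "billing.carol": "billing"}
ROLES_THAT_MAY_ALTER = {"nurse", "physician"}
EVENT_TYPES = {"CREATE", "VIEW", "UPDATE", "DELETE"}
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the given fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def ephi_record_tag(record: dict, key: bytes) -> str:
    """Integrity tag stored beside an ePHI record (a keyed checksum, not a signature)."""
    return _mac(key, record)


def ephi_record_intact(record: dict, tag: str, key: bytes) -> bool:
    """True if the record still matches the tag computed when it was stored."""
    return hmac.compare_digest(ephi_record_tag(record, key), tag)


class EphiAuditLog:
    """Append-only log: every entry names the user, event type, record and
    time, and carries the MAC of the previous entry, so reordering, editing
    or deleting entries breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def record(self, user_id: str, event: str, record_id: str, ts_iso: str) -> dict:
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event!r}")
        datetime.fromisoformat(ts_iso)  # reject malformed timestamps early
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts_iso, "user_id": user_id,
                 "event": event, "record_id": record_id, "prev": prev}
        entry["mac"] = _mac(self._key, entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["mac"], _mac(self._key, body))):
                return i
            prev = e["mac"]
        return None

    def exception_report(self, business_hours=(7, 19)) -> list:
        """Flag events worth a reviewer's attention: unknown users, roles that
        may not alter ePHI doing so, and access outside business hours."""
        findings = []
        for e in self.entries:
            reasons = []
            role = AUTHORIZED_USERS.get(e["user_id"])
            if role is None:
                reasons.append("user not on authorized list")
            elif e["event"] in ("UPDATE", "DELETE") and role not in ROLES_THAT_MAY_ALTER:
                reasons.append("role may not alter ePHI")
            hour = datetime.fromisoformat(e["ts"]).hour
            if not business_hours[0] <= hour < business_hours[1]:
                reasons.append("outside business hours")
            if reasons:
                findings.append((e["seq"], e["user_id"], e["event"], reasons))
        return findings


def build_demo_log() -> EphiAuditLog:
    """Constructed sample events for the demo."""
    log = EphiAuditLog(DEMO_KEY)
    log.record("nurse.alice", "VIEW", "MRN-0001", "2024-03-04T09:15:00+00:00")
    log.record("billing.carol", "DELETE", "MRN-0001", "2024-03-04T22:05:00+00:00")
    log.record("intruder", "VIEW", "MRN-0002", "2024-03-04T10:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify() is None)
    for finding in log.exception_report():
        print("exception:", finding)
    log.entries[0]["user_id"] = "dr.bob"  # simulate someone editing the log
    print("first tampered entry:", log.verify())
```

A keyed checksum like this only shows that the record or log was not altered by someone without the key; where the question's "digital signatures" are wanted so that a third party can verify the trail, an asymmetric signature over the same canonical encoding replaces the HMAC.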

Person or Entity Authentication

1. Does your organization have person and entity authentication policies and procedures?
2. Has your organization established formal, documented authentication policy and procedures and communicated them to your organization's staff, employees, and workforce members?
3. Do your organization's authentication procedures include ongoing maintenance for your systems, applications, networks and tools, as well as updates for your authentication methods?
4. Do your organization's identity methods corroborate that the person is the one claimed?
5. Does your organization use authentication methods? What are they?
6. Do your authentication methods require validating a transmission source and/or verifying an individual's claim of authorization privileges to ePHI?
7. Does your organization have trained staff to maintain the system or is this work outsourced?
8. Does your organization use passwords for individual access to ePHI?
9. If your organization uses passwords for individual access to ePHI, are they unique by individual?
10. Has your organization used, or does it currently use, outside third-party vendor support to implement your organization's authentication methods?
11. Has your organization implemented the selected authentication methods into your organization's systems, networks, applications, and tools?
12. Has your organization completed user and support staff training on your Person and Entity Authentication policies and procedures?

Transmission Security

1. Does your organization have transmission security policies and procedures?
2. Does your organization have formal, documented policies and procedures for transmission of ePHI, like an Internet and Email Use Policy, and have they been communicated to your staff, employees, and workforce members?
3. Do your organization’s policies and procedures identify methods of transmission that will be used to safeguard ePHI?
4. Do your organization's policies and procedures identify tools and techniques that will be used to support the transmission security policy?
5. Has your organization implemented procedures for transmitting ePHI using hardware or software?
6. Does your organization have a formal, documented set of requirements for transmitting ePHI?
7. Does your organization have measures in place to protect ePHI during transmission? What are those measures?
8. Does your organization have in place an auditing process during transmission that verifies that the ePHI has been protected against unauthorized access?
9. Does your organization have trained staff that monitor transmissions?
10. Does your organization have integrity controls policies and procedures?
11. Does your organization have measures planned or implemented to protect ePHI during transmission?
12. Does your organization have assurance that the information is not altered during transmission?

Encryption

1. Does your organization have a process/mechanism to encrypt and decrypt ePHI?
2. Has your organization implemented encryption for ePHI transmission?
3. Does your organization believe encryption is necessary to protect ePHI during transmission?
4. Is encryption feasible and cost-effective for your organization?
5. Are there any encryption algorithms and mechanisms available to your organization? What are they (if there are any)?
6. Does your organization have staff skilled in the use of encryption?
7. Does your organization have staff to maintain a process for encrypting ePHI during transmission?

Risk Assessment › Organizational Requirements

Business Associate Contracts or Other Arrangements

1. Does your organization have any business associates?
2. Does your organization have business associate agreements or other contracts with other health care entities?

Business and Legal Documents [164.314(a)(1)(i)]

1. Do your organization's business associate agreements include mandated requirements?

Business and Legal Documents [164.314(a)(1)(ii)]

1. Do your organization's business associate agreements include specified paragraphs on disclosures of business associates?

Contract or Arrangement Termination

1. Do your organization's business associate agreements include specified paragraphs on termination of business associates?

Infeasible Termination

1. Do your organization's business associate agreements include specified paragraphs stating that, if termination of the business associate is not feasible, the issue is to be reported to the Office for Civil Rights?
2. Does your organization include security functional requirements/specifications in your information acquisition contracts (BAAs or MOUs)?
3. Does your organization include security related documentation requirements in your information acquisition contracts (BAAs or MOUs)?
4. Does your organization include developmental and evaluation-related assurance requirements in your information acquisition contracts (BAAs or MOUs)?

BAA Safeguards

1. Do your organization's business associate contracts provide that the business associates will implement administrative, physical and technical safeguards to protect the ePHI?
2. Do your organization's business associate contracts address functions related to creating, receiving, maintaining, and transmitting ePHI?
3. Do your organization's business associate contracts provide that the business associates conduct a risk assessment that addresses administrative, physical and technical risks?

Business Associate and Subcontractor Safeguards

1. Do your organization's business associate contracts provide that any agent, including a subcontractor to whom the business associate provides ePHI or access to such ePHI, agrees to implement reasonable and appropriate safeguards to protect the ePHI?

BA Security Incident Reporting

1. Do your organization's business associate contracts provide that the business associate will report any security incidents of which it becomes aware to the covered entity?
2. Has your organization identified the key business associate staff/point of contact in the event of a security incident?
3. Does your organization have a procedure in place, including a reporting mechanism, for business associates to report security incidents?

BAA Termination Authorization

1. Do your organization's business associate contracts include standards and thresholds for termination of the contracts?
2. Do the conditions for termination in your organization's business associate contract include a material breach of the contract that cannot be cured?
3. Does your organization's business associate contract include reporting the problem to the Office for Civil Rights (OCR) if contract termination is not possible?

Memorandum of Understanding (MOU)

1. Does your organization use memorandums of understanding (MOU) with certain business associates?
2. If your organization and the organization you have a contract with are both governmental agencies, do you use a memorandum of understanding (MOU)?
3. Does your organization's MOU/agreement provide protection for the ePHI, equivalent to the protection provided in the HIPAA business associate contract?
4. If your organization's MOU cannot be terminated, are other enforcement mechanisms in place that are reasonable and appropriate?
5. If your organization has an MOU, have you made a good faith effort to obtain satisfactory assurances that the HIPAA Security Standards are met?
6. Does your organization attempt to obtain satisfactory assurances, and if they cannot be obtained, document the reasons why?

Other Laws Similar to BAA Requirements

1. Does your organization have other laws similar to business associate agreement requirements that must be implemented?

Other Contract Termination Requirements

1. Does your organization or your contract partners have statutory obligations that require the removal of the termination requirement?

Requirements for Group Health Plans

1. Is your organization a group health plan?
2. Does your organization only share summary health information or disclose whether an individual is a participant or enrolled/unenrolled to the health plan sponsor?
3. Does your organization have group health plan documents that include plan sponsor requirements?
4. Does your organization amend your plan documents to incorporate provisions that require a health plan sponsor to implement administrative, physical and technical safeguards to protect the ePHI? Also, does the plan sponsor create, receive, maintain or transmit ePHI on your behalf?
5. Do your organization's plan documents ensure adequate separation between the group health plan and the plan sponsor, including the sponsor's employees, classes of employees, or other persons who will be given access to the ePHI?
6. Do your organization's plan documents include provisions requiring that the plan sponsor's agents, including subcontractors to whom it provides ePHI, agree to implement all reasonable and appropriate security measures to protect the ePHI?
7. Do your organization's plan documents include provisions requiring plan sponsors to report to the group health plan any security incidents of which they become aware?
8. Does your organization have a procedure in place that includes a mechanism for reporting security incidents by a plan sponsor?
9. Does your organization have a procedure in place that includes a reporting mechanism for responding to security incidents by a plan sponsor?

Risk Assessment › Documentation Requirements

Policies and Procedures

1. Does your organization have policies and procedures for administrative safeguards, physical safeguards, and technical safeguards?
2. Does your organization have in place reasonable and appropriate policies and procedures that comply with the standards and implementation specifications of the HIPAA Security Rule?
3. Do your organization's security policies and procedures take into consideration: 1) your organization's size, complexity and the services you provide; 2) your organization's technical infrastructure, hardware and software capabilities; 3) the cost of your organization's security measures; 4) the potential risks to day-to-day operation, including which functions and tools are critical to operations?
4. Does your organization have procedures for periodic reevaluation of your security policies and procedures, and requirements for updating them when necessary?
5. Does your organization change security policies and procedures at any appropriate time, and document the changes and implementation?

Documentation

1. Does your organization have a documentation policy and procedures?
2. Has your organization documented all security policies and procedures?
3. Has your organization documented your decisions concerning security management, operational and technical controls, to mitigate your identified risks?
4. Does your organization update your security documentation following breaches, security incidents, new acquisitions, changes in technology and other similar events?
5. Does your organization have an individual or office that maintains and is responsible for your HIPAA Security documentation?

Data Retention

1. Does your organization have a data retention policy and procedure(s) that considers all HIPAA retention requirements?
2. Has your organization aligned HIPAA documentation retention requirements with all other data retention policies?

Availability

1. Has your organization communicated to all staff who require access to your security documentation where it is located? Do your organization's staff know where to access security documentation?
2. Do your organization's education, training and awareness activities cover the availability of your security documentation?
3. Does your organization have a process in place to solicit input on updates to your security policies and procedures from the staff, employees, and workforce members affected by them?

Updates

1. Does your organization have version control for your procedure(s) and a process for verifying the timeliness of your security policies and procedures?