Evaluate your organization's HIPAA compliance status
| Implementation Specification | Standard Type | Question | Response |
|---|---|---|---|
| Risk Analysis | | | |
| Risk Analysis | Required | Has the organization ever conducted a security analysis of its network using a network scanning program? | |
| Risk Management | Required | Has the organization evaluated its computer system(s) to verify that appropriate security measures are in place? | |
| Risk Management | | If either answer above is "No", has the organization identified and selected security features to implement? | |
| Risk Management | | Does the organization have any custom programming on the system that was not created by the original vendor? | |
| Sanction Policy | Required | Does the organization have sanction policies to deal with workforce members who do not comply with security policies and procedures? | |
| Information Systems Activity Review | | | |
| Information Systems Activity Review | Required | Does the organization have a written security policy describing the organization's plans, procedures, and sanctions with respect to all security components of its ePHI-related computer systems? | |
| Information Systems Activity Review | | Has the organization tested its computer system to determine that the appropriate security features are working correctly and are adequate for the organization's needs? | |
| Information Systems Activity Review | | Does the organization guard data integrity using access controls (who is permitted to log in), audit controls (managers can see who logged in and what they did), authorization controls (robust passwords, periodically changed), and data authentication (passwords not shared or written down)? | |
| Information Systems Activity Review | | Is there a regular audit of the organization's computer system records (for example, access and activity logs)? | |
| Workforce Security | | | |
| Workforce Training | Addressable | Is security training provided to all members of the practice workforce? | |
| Workforce Supervision | Addressable | Is an individual or a team responsible for problems and issues with hardware and software, access to and maintenance of servers, software training, and technical problems with the organization's workstations? | |
| Workforce Supervision | | Is an individual assigned responsibility to supervise control of access to PHI? | |
| Workforce Supervision | | Are contract and/or temporary workers who have access to PHI given temporary credentials that expire at the end of the engagement? | |
| Appropriate Workforce Clearance | Addressable | Are security levels assigned to workers based on job responsibilities to ensure only necessary access? | |
| Access Termination Procedures | Addressable | Are there clear policies and procedures in place to effectively and promptly terminate access for workforce members who leave the organization? For example, are accounts disabled and keys and keycards returned immediately upon termination of employment? | |
| Information Access Management | | | |
| Access Authorization | Addressable | Does the organization have a written procedure on how employees and other authorized users access the systems? | |
| Access Authorization | | Are any of the following techniques used to confirm identity and authorize access? | |
| Access Authorization | | Passwords? | |
| Access Authorization | | Biometrics? | |
| Access Authorization | | PINs? | |
| Access Authorization | | Telephone callback for remote access? | |
| Access Establishment or Modification | Addressable | Does the organization limit the individuals authorized to access, test and change these access controls? | |
| Access Establishment or Modification | | Does the organization have a designated employee or vendor who installs new or upgraded software on the systems and/or workstations? | |
| Access Establishment or Modification | | Is the work network used for file sharing internally within the facility? | |
| Access Establishment or Modification | | Is the work network used for file sharing externally with other healthcare entities? | |
| Access Establishment or Modification | | Are logins and passwords issued to outside contractors? | |
| Access Establishment or Modification | | Does the organization allow remote access to the system by employees from non-work locations using Citrix, PC Anywhere or direct access? | |
| Access Establishment or Modification | | If the answer to any of the previous four questions is Yes, does the organization have written procedures establishing rules for accessing the protected electronic information? | |
| Access Establishment or Modification | | Does the organization have a process to increase or decrease the level of access of each authorized individual to protected electronic information? | |
| Security Awareness and Training | | | |
| Security Reminders | Addressable | Does the organization supply the workforce with periodic updates and reminders on security issues? | |
| Protection from Malicious Software | Addressable | Does the organization have software installed on the system to detect and eliminate malware? | |
| Protection from Malicious Software | | If Yes, are there written procedures on the use of anti-malware programs? | |
| Protection from Malicious Software | | Is anti-malware software updated on a regular, periodic basis? | |
| Protection from Malicious Software | | Are there written policies on downloading information and software to the system? | |
| Protection from Malicious Software | | Are there written procedures on loading information from removable media such as DVDs or CDs? | |
| Log-in Monitoring and Password Management | Addressable | Is the Internet accessible from the organization's system computers? | |
| Log-in Monitoring and Password Management | | If Yes, are firewalls installed on these devices? | |
| Log-in Monitoring and Password Management | | Do the organization's systems track which employees have accessed the software? | |
| Log-in Monitoring and Password Management | | Does the organization monitor who is accessing the system remotely? | |
| Log-in Monitoring and Password Management | | Does the system generate access logs that can be reviewed? | |
| Log-in Monitoring and Password Management | | Are passwords required to access the network? | |
| Log-in Monitoring and Password Management | | Are passwords required to access electronic protected health information (ePHI)? | |
| Log-in Monitoring and Password Management | | Are there emergency procedures for accessing ePHI? | |
| Log-in Monitoring and Password Management | | Are there any situations in which login names and passwords are shared among employees (temporary workers, contractors, etc.)? | |
| Log-in Monitoring and Password Management | | Is there a mechanism to password-protect documents transmitted to other entities? | |
| Log-in Monitoring and Password Management | | Is the organization capable of disabling passwords and other security features (for example, revoking credentials or remotely wiping the device) in the event a laptop or device is stolen or lost? | |
| Log-in Monitoring and Password Management | | Are there procedures and enforcement measures in place to regularly change passwords? | |
| Log-in Monitoring and Password Management | | Are network user logs regularly checked against authorized user lists? | |
| Security Incident Procedures | | | |
| Response and Reporting | Required | Does the organization document security incidents? | |
| Response and Reporting | | Do such incidents result in planning for prevention of future incidents? | |
| Contingency Planning | | | |
| Data Backup Plan | Required | Are there written policies and procedures on backing up data on the network? | |
| Data Backup Plan | | Are all servers routinely backed up? | |
| Data Backup Plan | | Is there a designated employee or vendor who conducts the backup? | |
| Data Backup Plan | | Does the organization keep a log of backups? | |
| Data Backup Plan | | Are backup copies stored offsite? | |
| Disaster Recovery Plan | Required | Does the organization maintain a written disaster recovery plan to respond to computer system emergencies or failures? | |
| Disaster Recovery Plan | | Is there a designated employee or vendor who conducts the recovery re-install? | |
| Emergency Mode Operation | Required | Does the organization have a plan to provide access to ePHI while in emergency mode? | |
| Emergency Mode Operation | | Do the servers have an emergency power supply? | |
| Testing and Revision of Contingency Plans | Addressable | Does the organization and/or the vendor routinely review and test the entire contingency plan (including restoring from backup) to ensure accurate data preservation? | |
| Applications and Data Criticality Analysis | Addressable | Has the organization performed an analysis to determine which systems are considered critical to running the organization? | |
| Evaluation | | | |
| Periodic technical and non-technical evaluations of security | Required | Does the organization perform regular audits of security? | |
| Periodic technical and non-technical evaluations of security | | Are all security policies and procedures periodically reviewed? | |
| Periodic technical and non-technical evaluations of security | | Is this Security Checklist periodically reviewed and updated? | |
| Business Associate Agreements | | | |
| Written Contracts | Required | Does the organization have up-to-date BAAs in place with any entity that has access to ePHI? | |
| Written Contracts | | Has the organization confirmed with computer hardware vendors that upgrades and replacements do not harm the security of protected data? | |
| Facility Access Controls | | | |
| Contingency Operations | Addressable | Is there a written contingency plan in place to respond to loss of computer capability due to theft or natural disaster? | |
| Contingency Operations | | Is the organization's main computer server on site? | |
| Contingency Operations | | If the organization has remote locations, are there remote servers at these locations? | |
| Facility Security Plan | Addressable | Is the organization housed in a facility shared with other occupants? | |
| Facility Security Plan | | Does the organization (or the landlord) have a plan for protection against unauthorized physical access? | |
| Access Control and Validation | Addressable | Is there a security guard on site? | |
| Access Control and Validation | | Are there visitor sign-in procedures in effect for shared space? | |
| Maintenance Records | Addressable | Does the organization keep a log of physical repairs in the facility that may affect physical access (key replacements, lock repairs, alarm repairs, etc.)? | |
| Workstation Use and Security | | | |
| Use and Security | Required | Does the workforce share computer workstations among themselves or with temporary employees? | |
| Use and Security | | Do workforce members remove data or media from the facility (flash drives, portable devices, etc.)? | |
| Use and Security | | Are portable devices (laptops, tablets, handhelds) available for shared use? | |
| Use and Security | | Are workstations locked and secured when not in use? | |
| Device and Media Controls | | | |
| Disposal | Required | Does the organization have written policies and procedures for destruction of ePHI? | |
| Disposal | | Is there a formal system of tracking and logging receipt, transmission, storage and destruction of ePHI data no longer needed? | |
| Disposal | | Does the organization have processes to ensure that ePHI is not destroyed by unauthorized individuals? | |
| Media Re-use | Required | Are there written policies and procedures for bringing in new and/or used hardware or software? | |
| Media Re-use | | Are there written policies and procedures for connecting new hardware or installing new software on network computers? | |
| Media Re-use | | Does the organization re-use disks, tapes, CDs, hard drives, etc., and if so, is ePHI securely erased before re-use? | |
| Accountability | Addressable | Does the organization maintain logs of maintenance operations on system hardware or software? | |
| Accountability | | Does the organization maintain a written inventory of its workstations? | |
| Accountability | | Are employees allowed to bring computer devices from home to connect to the network? | |
| Accountability | | Are employees allowed to dial in remotely from personal computers to connect to the network? | |
| Accountability | | Are there written policies and procedures governing employees using personal equipment or access from home? | |
| Data Backup and Storage | Addressable | Are routine backups performed on the data retained on workstations, laptops, etc.? | |
| Access Controls | | | |
| Unique User ID | Required | Does each workforce member have a unique user identifier? | |
| Unique User ID | | Does the organization have written policies and procedures to minimize the amount of access each user has, based on HIPAA guidelines? | |
| Emergency Access Procedure | Required | Is the organization able to access ePHI in an emergency using a master login and password, and is every use of that login logged and reviewed? | |
| Automatic Logoff Procedure | Addressable | Does the organization's computer system have an automated process to log off a user after a specified period of inactivity? | |
| Automatic Logoff Procedure | | Are workstations equipped with password-protected screensavers or other information-shielding technology? | |
| Encryption & Decryption Technology | Addressable | Does the organization transmit ePHI over a communications network? | |
| Encryption & Decryption Technology | | Does the organization use technology to encrypt outbound messages and decrypt inbound messages? | |
| Encryption & Decryption Technology | | Does the organization test the process to ensure that messages sent match messages received? | |
| Encryption | Addressable | Does the organization have fax capabilities directly from its computers? | |
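Several rows of the checklist (checking network user logs against authorized user lists, promptly terminating access for departed workers, shared login names and passwords, unique user IDs) describe the same review: compare who actually logged in with who is allowed to. The script below is an added example, not part of the original checklist, showing one way to automate that review in Python. The log format, host name, user names, IP addresses and the roster are constructed for illustration; a real deployment would read the authentication log of the EHR or directory service and the roster from HR or the identity system.

```python
"""Reconcile an authentication log against an authorized-user roster.

Added example (not part of the original checklist): flags logins by accounts
that are not on the roster, logins by workers on or after their termination
date, and one account accepted from several source addresses in a short
window (a common sign of shared credentials). All input is constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed roster: user -> termination date (None = still authorized).
ROSTER = {
    "jdoe": None,
    "mlee": None,
    "rtemp": date(2024, 3, 1),  # contractor, offboarded 1 March 2024
}

# Constructed log lines in a hypothetical syslog-like shape.
SAMPLE_LOG = """\
2024-03-04T08:01:12 ehr01 sshd: user=jdoe result=accepted src=10.0.5.21
2024-03-04T08:03:45 ehr01 sshd: user=mlee result=accepted src=10.0.5.22
2024-03-04T08:10:02 ehr01 sshd: user=rtemp result=accepted src=10.0.5.40
2024-03-04T08:11:30 ehr01 sshd: user=admin result=accepted src=10.0.9.9
2024-03-04T08:12:00 ehr01 sshd: user=jdoe result=accepted src=10.0.5.77
2024-03-04T08:12:10 ehr01 sshd: user=jdoe result=failed src=10.0.5.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+ user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match the shape are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review_access_log(text, roster, window=timedelta(hours=1)):
    """Compare accepted logins with the roster and return findings by category."""
    findings = {"unknown_user": [], "terminated_user": [], "shared_credential": []}
    accepted = defaultdict(list)  # user -> [(timestamp, source address)]
    for e in parse_log(text):
        if e["result"] != "accepted":
            continue  # failed attempts belong to a separate (brute-force) review
        user, ts, src = e["user"], e["ts"], e["src"]
        if user not in roster:
            findings["unknown_user"].append((ts.isoformat(), user, src))
            continue
        terminated = roster[user]
        if terminated is not None and ts.date() >= terminated:
            findings["terminated_user"].append((ts.isoformat(), user, src))
        accepted[user].append((ts, src))
    # Shared-credential heuristic: one account accepted from more than one
    # source address within `window`. Reported once per user.
    for user, hits in accepted.items():
        hits.sort()
        for i, (ts, src) in enumerate(hits):
            others = {s for t, s in hits[i + 1:] if t - ts <= window and s != src}
            if others:
                findings["shared_credential"].append((user, src, sorted(others)))
                break
    return findings


if __name__ == "__main__":
    for category, items in review_access_log(SAMPLE_LOG, ROSTER).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed input the review reports `admin` as an account with no roster entry, `rtemp` as a terminated contractor still logging in, and `jdoe` as a credential accepted from two addresses within ten minutes. Each finding maps back to a checklist row that should be answered "No" until the cause is fixed; the failed attempt on the last line is deliberately ignored here because lockout and brute-force review is a different control.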