Free Assessment
49 questions · 6 domains · No signup required
Policies, procedures, and workforce management controls
Has your practice completed a formal Security Risk Analysis in the past 12 months? [§164.308(a)(1)(ii)(A)]
Do you have a documented risk management plan to address identified vulnerabilities? [§164.308(a)(1)(ii)(B)]
Is there a designated Security Officer responsible for HIPAA security compliance? [§164.308(a)(2)]
Is there a designated Privacy Officer responsible for your practice's privacy policies? [§164.530(a)(1)]
Do workforce members receive HIPAA security training upon hire? [§164.308(a)(5)]
Do workforce members receive HIPAA security training annually? [§164.308(a)(5)]
Do you have a written sanctions policy for workforce members who violate security policies? [§164.308(a)(1)(ii)(C)]
Do you have a documented schedule and defined process for reviewing system activity logs? [§164.308(a)(1)(ii)(D)]
Do you have written procedures for granting and revoking access to ePHI systems? [§164.308(a)(3)]
Do you have written procedures for identifying and responding to security incidents (e.g., suspected breaches, unauthorized access, malware)? [§164.308(a)(6)(i)]
Do you have a contingency/disaster recovery plan for your ePHI systems? [§164.308(a)(7)]
Do you test your contingency plan at least annually? [§164.308(a)(7)(ii)(D)]
Do you perform regular encrypted backups of ePHI data, stored separately from your primary systems? [§164.308(a)(7)(ii)(A)]
Does your practice have written password policies (complexity requirements, regular changes, prohibition on sharing)? [§164.308(a)(5)(ii)(D)]
Based on HIPAA Security Rule (45 CFR Part 164).