
HIPAA Assessment Checklist
Document Owner: Manju Devaraj

People and organizations who seek compliance with HIPAA should consider the controls below. Each control is marked (R) for a required implementation specification or (A) for an addressable one; the Availability column records whether the control is in place.

HIPAA Administrative Requirements (Control / Availability)


1 Risk Analysis: (R) Perform and document a risk analysis to identify where PHI is used and stored and to determine the ways in which HIPAA could be violated ☐ Yes ☐ No
2 Risk Management: (R) Implement measures sufficient to reduce these risks to an appropriate level ☐ Yes ☐ No
3 Sanction Policy: (R) Implement sanction policies for employees who fail to comply ☐ Yes ☐ No
4 Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc. ☐ Yes ☐ No
5 Officers: (R) Designate HIPAA Security and Privacy Officers ☐ Yes ☐ No
6 Employee Oversight: (A) Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees' access to PHI ☐ Yes ☐ No
  Ensure that an employee's access to PHI ends with termination of employment ☐ Yes ☐ No
7 Multiple Organizations: (R) Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access ☐ Yes ☐ No
8 ePHI Access: (A) Implement procedures for granting access to ePHI, and for documenting access to ePHI or to the services and systems that grant access to ePHI ☐ Yes ☐ No
9 Security Reminders: (A) Periodically send employees updates and reminders of security and privacy policies ☐ Yes ☐ No
10 Protection against Malware: (A) Have procedures for guarding against, detecting, and reporting malicious software ☐ Yes ☐ No
11 Login Monitoring: (A) Monitor logins to systems and report discrepancies ☐ Yes ☐ No
12 Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords ☐ Yes ☐ No
13 Response and Reporting: (R) Identify, document, and respond to security incidents ☐ Yes ☐ No
14 Contingency Plans: (R) Ensure there are accessible backups of ePHI and procedures for restoring any lost data ☐ Yes ☐ No
15 Contingency Plan Updates and Analysis: (A) Have procedures for periodic testing and revision of contingency plans ☐ Yes ☐ No
  Assess the relative criticality of specific applications and data in support of other contingency plan components ☐ Yes ☐ No
16 Emergency Mode: (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode ☐ Yes ☐ No
17 Evaluations: (R) Perform periodic evaluations to determine whether changes in your business or in the law require changes to your HIPAA compliance procedures ☐ Yes ☐ No
18 Business Associate Agreements: (R) Have Omnibus-compliant contracts with business partners who will have access to your PHI to ensure that they will be compliant ☐ Yes ☐ No
  Choose partners that have similar agreements with any of their own partners to whom they also extend access ☐ Yes ☐ No

HIPAA Physical Requirements (Control / Availability)


1 Contingency Operations: (A) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency ☐ Yes ☐ No
2 Facility Security: (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft ☐ Yes ☐ No
3 Access Control and Validation: (A) Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision ☐ Yes ☐ No
4 Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security ☐ Yes ☐ No
5 Workstations: (R) Implement policies governing what software can/must be run and how it should be configured on systems that provide access to ePHI ☐ Yes ☐ No
  Safeguard all workstations providing access to ePHI and restrict access to authorized users ☐ Yes ☐ No
6 Devices and Media Disposal and Re-use: (R) Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI ☐ Yes ☐ No
7 Media Movement: (A) Record movements of hardware and media associated with ePHI storage ☐ Yes ☐ No
  Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment ☐ Yes ☐ No
HIPAA Technical Requirements (Control / Availability)
1 Unique User Identification: (R) Assign a unique name and/or number for identifying and tracking user identity ☐ Yes ☐ No
2 Emergency Access: (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency ☐ Yes ☐ No
3 Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity ☐ Yes ☐ No
4 Encryption and Decryption: (A) Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate ☐ Yes ☐ No
5 Audit Controls: (R) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information ☐ Yes ☐ No
6 ePHI Integrity: (A) Implement policies and procedures to protect electronic protected health information from improper alteration or destruction ☐ Yes ☐ No
7 Authentication: (R) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed ☐ Yes ☐ No
8 Transmission Security: (A) Implement technical security measures to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communications network ☐ Yes ☐ No
