HIPAA Security Rule Compliance Audit Tool

The following is a tool to be used to assess compliance with the requirements of the HIPAA Security Rule by the [Name of Entity]. The checklist is intended to be used to document compliance, as well as to identify areas where additional measures must be implemented.

Overview of the Security Rule

Under the Security Rule, [Name of Entity] must take steps to (i) ensure the confidentiality, integrity and availability of electronic Protected Health Information or “EPHI” created, received, maintained or transmitted by [Name of Entity]; (ii) protect against reasonably anticipated threats or hazards to the security or integrity of EPHI; (iii) protect against any reasonably anticipated uses or disclosures of such EPHI that are not permitted under HIPAA; and (iv) ensure compliance with the Security Rule by its workforce members. The Security Rule contains numerous standards designed to further these objectives. That said, it is important to emphasize that the Security Rule’s requirements do not apply to all of the information maintained by [Name of Entity], but rather only to the EPHI that [Name of Entity] creates, receives and stores. However, [Name of Entity] may determine that, as a practical matter, the standards contained herein should apply to all “sensitive” information in [Name of Entity]’s possession.

Many of the Security Rule’s standards incorporate “implementation specifications” to better describe the actions that either must or should be taken to ensure compliance with each standard. Some, but not all, of these implementation specifications are required; the rest of the implementation specifications are termed “addressable.” Addressable implementation specifications represent approaches to meeting a specific standard, any of which may or may not be reasonable or appropriate depending on [Name of Entity]’s environment. Regardless of whether an implementation specification is labeled as “required” or as “addressable,” the standard to which it pertains must be met. If an addressable implementation specification is not reasonable and appropriate for [Name of Entity] (when analyzed against the degree to which the specification will likely protect [Name of Entity]’s EPHI), [Name of Entity] must either document why this is so and implement a documented equivalent alternative measure to satisfy the relevant standard, or document how the measures it has in place already meet the standard, such that taking any additional measures would be unnecessary.

The factors to be considered in evaluating the reasonableness and appropriateness of measures used to achieve a particular standard or implementation specification (whether required or addressable) include the following:

1. The size, complexity and capabilities of [Name of Entity].

2. [Name of Entity]’s technical infrastructure, hardware and software security capabilities.

3. The costs of security measures.

4. The probability and criticality of potential risks to EPHI.

Definitions

The following are definitions of terms used in this audit tool:

Electronic PHI or EPHI: Individually identifiable health information, including demographic information, which is created or received by [Name of Entity] in the course of representing health care providers, health care clearinghouses or group health plans, and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and which is transmitted by or maintained in electronic media.

Information Systems: The systems, including servers, electronic media and computers within [Name of Entity] that store, receive, maintain, transmit or provide access to EPHI.

Approved Personnel: Those workforce members of [Name of Entity] who are authorized to access, use and disclose EPHI in the course of day-to-day business.

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification or destruction of EPHI, or interference with systems operations in the Information Systems.

Instructions

To facilitate the assessment process, the audit tool is organized in the same manner as the Security Rule. The standards are organized as Administrative Safeguards, Physical Safeguards and Technical Safeguards, and are set forth as written in the Security Rule. Following each standard are its implementation specifications, if any. The implementation specifications are marked to reflect whether each one is “required” or “addressable.” Note that some of the standards do not have specific implementation specifications. For those standards without implementation specifications, [Name of Entity] must consider those action items and/or measures listed below the standard and evaluate them against the measures it has in place that address the requirements contained in the standard.

Following those standards containing implementation specifications are also action items and/or measures to help [Name of Entity] assess compliance with the relevant standard. Review each item and check the box to indicate whether the action item and/or measure has been taken. As discussed above, evaluate each action item and/or measure to determine if it is reasonable and appropriate in order to achieve the standard or implementation specifications. Consider items 1-4 listed above when conducting such evaluation. Document the rationale and basis for any decisions regarding compliance with an action item or measure in the “Comments” section that follows.

ADMINISTRATIVE SAFEGUARDS

A. Standard: Security management process. [Name of Entity] must implement policies and procedures to prevent, detect, contain, and correct security violations. The following steps must be taken.

1. Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI.

Within the last two years, [Name of Entity] has conducted a comprehensive analysis of threats to the Information Systems.
☐ Yes ☐ No
Comments:
As part of the risk analysis, [Name of Entity] identified all electronic systems that store, receive, maintain or transmit EPHI.
☐ Yes ☐ No
Comments:
The risk analysis included an assessment of hardware and software, as well as the physical environment surrounding the Information Systems, any connections between the Information Systems and the information systems of external organizations, and any off-site storage of EPHI.
☐ Yes ☐ No
Comments:
The risk analysis identified Approved Personnel, as well as any other [Name of Entity] personnel, having access to the Information Systems, the types of EPHI stored, maintained, received or transmitted by the Information Systems and the EPHI transmitted to other organizations.
☐ Yes ☐ No
Comments:
The risk analysis identified those components, if any, of the Information Systems that store, maintain, receive or transmit data that is not EPHI, and the security measures designed to safeguard the EPHI that is also stored, maintained, received or transmitted via that system.
☐ Yes ☐ No
Comments:
The risk analysis included a comprehensive identification of threats to the availability, integrity and confidentiality of EPHI, including threats by natural disaster, as well as human threats, such as errors in data entry, or unauthorized access and unauthorized transmission, or Information Systems failures due to loss of power.
☐ Yes ☐ No
Comments:
The risk analysis included an assessment of the threats that [Name of Entity] identified and a determination regarding any vulnerabilities to the Information Systems. The risk assessment also identified controls or measures that have already been implemented to mitigate or limit the potential damage a vulnerability in the Information Systems could create.
☐ Yes ☐ No
Comments:
The risk analysis identified threats or vulnerabilities to EPHI for which additional controls, measures or actions are needed in order to decrease risk.
☐ Yes ☐ No
Comments:
The risk analysis prioritized those identified threats and/or vulnerabilities based on the probability of their occurrence and the potential degree to which they could adversely impact EPHI.
☐ Yes ☐ No
Comments:
The risk analysis identified and recommended controls, measures or actions to help decrease the risk of those threats to, and/or vulnerabilities associated with, EPHI having the highest priority.
☐ Yes ☐ No
Comments:

2. Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to achieve the following (including access levels, information restrictions, password protection, user training, etc.):

(a) Ensure the confidentiality, integrity, and availability of all EPHI [Name of Entity] creates, receives, maintains or transmits.
(b) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(c) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule.
(d) Ensure compliance with the Security Rule by Approved Personnel.
Does [Name of Entity] have a documented plan which sets forth the measures and action items it has implemented to help to reduce the security risks to EPHI to an acceptable level?
☐ Yes ☐ No
Comments:
Does the risk management plan document instances where the cost of measures needed to mitigate a risk to EPHI is greater than the cost posed by the risk?
☐ Yes ☐ No
Comments:
Is there a process for ongoing assessment of security risks to EPHI, including identifying and responding to new risks?
☐ Yes ☐ No
Comments:

3. Sanction policy (Required). Apply appropriate sanctions against Approved Personnel who fail to comply with security policies and procedures.

Does [Name of Entity] have policies that provide for sanctions against Approved Personnel who fail to comply with [Name of Entity]’s security-related policies and procedures?
☐ Yes ☐ No
Comments:
Are the types of sanctions appropriate given the nature and severity of a violation?
☐ Yes ☐ No
Comments:
Are the sanctions policies communicated to Approved Personnel?
☐ Yes ☐ No
Comments:

4. Information system activity review (Required). Implement procedures to regularly review records of Information Systems activity, such as audit logs, access reports, and Security Incident tracking reports.

Does [Name of Entity] have a written process in place pursuant to which the Security Official reviews Information System activity at regularly scheduled intervals?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have a written process in place pursuant to which the Security Official reviews reports of security incidents at regularly scheduled intervals?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have a written process in place to provide that security incidents that present a high degree of risk are escalated for immediate review by the Security Official?
☐ Yes ☐ No
Comments:

B. Standard: Assign security responsibility. [Name of Entity] must identify a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule.

Has [Name of Entity] designated a Security Official?
☐ Yes ☐ No
Comments:
Is there a written job description for the Security Official that sets forth the Security Official’s responsibilities and authority?
☐ Yes ☐ No
Comments:
Does the Security Official have sufficient knowledge and authority to review Information Systems activity and to enforce security-related policies and procedures?
☐ Yes ☐ No
Comments:

C. Standard: Workforce security. [Name of Entity] must implement policies and procedures to ensure that all Approved Personnel have the appropriate access to EPHI, and to prevent those who do not have authorized access from obtaining access to EPHI.

The implementation specifications under this standard are “addressable,” which means that [Name of Entity] must address each one to determine if it is reasonable and appropriate for [Name of Entity]. If an addressable specification is determined to be reasonable and appropriate, it must be implemented. If [Name of Entity] determines that an addressable specification is not reasonable and appropriate for [Name of Entity], then the rationale supporting that determination must be documented. In addition, [Name of Entity] must document whether it meets the above standard because it has implemented an equivalent alternative measure, or how it otherwise already meets the above standard such that implementation of an alternative measure would not be reasonable or appropriate. Please review each addressable specification and the corresponding action items and/or measures below, and in the “Comments” section, where applicable, document the rationale behind not implementing an addressable specification.

1. Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of Approved Personnel who work with EPHI or work in locations where EPHI might be accessed.

Does [Name of Entity] have policies and procedures to define those employees of [Name of Entity] who will be considered Approved Personnel?
☐ Yes ☐ No
Comments:
Is each Approved Personnel member’s authority to access EPHI limited so that he or she can only access the EPHI required to perform his or her job function?
☐ Yes ☐ No
Comments:
Is there a process whereby the non-Approved Personnel employees of [Name of Entity] who have the opportunity to access EPHI, e.g., maintenance personnel working with or near computer equipment, receive appropriate supervision?
☐ Yes ☐ No
Comments:

2. Workforce clearance procedures (Addressable). Implement procedures to determine that the access of Approved Personnel to EPHI is appropriate.

Are there policies and procedures that set forth the qualifications of [Name of Entity] employees to be Approved Personnel?
☐ Yes ☐ No
Comments:
Is there a process in place such that [Name of Entity] employees are not designated as Approved Personnel and given access to EPHI until the Privacy Official has approved each employee’s credentials and proposed job function?
☐ Yes ☐ No
Comments:

3. Termination procedures (Addressable). Implement procedures for terminating access to EPHI when the employment of an Approved Personnel member ends or when an Approved Personnel member’s access level is changed.

Does [Name of Entity] have written procedures in place to terminate an Approved Personnel member’s access to EPHI if such access is no longer required by his or her job function?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have written procedures to be followed in the event an Approved Personnel member’s employment with [Name of Entity] is terminated to prevent that individual from accessing the facility housing EPHI, the Information Systems or any EPHI, or from otherwise sabotaging or destroying EPHI?
☐ Yes ☐ No
Comments:

D. Standard: Information access management. [Name of Entity] must implement policies and procedures for authorizing access to EPHI that are consistent with applicable requirements of the HIPAA Privacy Rule.

The implementation specifications under this standard are “addressable,” which means that [Name of Entity] must address each one to determine if it is reasonable and appropriate for [Name of Entity]. If an addressable specification is determined to be reasonable and appropriate, it must be implemented. If [Name of Entity] determines that an addressable specification is not reasonable and appropriate for [Name of Entity], then the rationale supporting that determination must be documented. In addition, [Name of Entity] must document whether it meets the above standard because it has implemented an equivalent alternative measure, or how it otherwise already meets the above standard such that implementation of an alternative measure would not be reasonable or appropriate. Please review each addressable specification and the corresponding action items and/or measures below, and in the “Comments” section for each, document, where applicable, the rationale behind not implementing an addressable specification.

1. Access authorization (Addressable). Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism.

Has [Name of Entity] implemented policies and procedures that govern the granting of access to Information Systems?
☐ Yes ☐ No
Comments:
Do the policies and procedures provide for methods to restrict access to Information Systems containing EPHI, such as use of passwords, user IDs, etc.?
☐ Yes ☐ No
Comments:

2. Access establishment and modification (Addressable). Implement policies and procedures based upon the access authorization policies which document, review and modify a user’s right to access a workstation, transaction, program, or process.

Are the policies governing the provision of appropriate access to EPHI followed and implemented?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have policies and procedures that provide for review and modification of an Approved Personnel member’s access to EPHI, as necessary, based on job function or changes to job function?
☐ Yes ☐ No
Comments:

E. Standard: Security awareness and training. [Name of Entity] must implement a security awareness and training program for all Approved Personnel, including those in management positions.

Certain of the following implementation specifications for the above standard are “addressable,” which means that [Name of Entity] must address such specifications to determine if they are reasonable and appropriate for [Name of Entity]. If an addressable specification is determined to be reasonable and appropriate, it must be implemented. If [Name of Entity] determines that an addressable specification is not reasonable and appropriate for [Name of Entity], the rationale supporting that determination must be documented. In addition, [Name of Entity] must document whether it meets the above standard because it has implemented an equivalent alternative measure, or how it otherwise already meets the above standard such that implementation of an alternative measure would not be reasonable or appropriate. For each addressable specification and the corresponding action items and/or measures below, please document in the “Comments” section, where applicable, the rationale behind not implementing an addressable specification.

1. Security Awareness and Training (Required).

Has [Name of Entity] developed a security awareness and training program for Approved Personnel (including management) that covers the requirements of the Security Rule?
☐ Yes ☐ No
Comments:
Is there a process in place for Approved Personnel to receive Security Rule awareness and training?
☐ Yes ☐ No
Comments:

2. Security reminders (Addressable). Provide periodic security updates.

Is there a procedure whereby Approved Personnel receive timely notification of changes or updates to Information Systems and/or [Name of Entity]’s security-related policies and procedures?
☐ Yes ☐ No
Comments:
Do Approved Personnel periodically receive updates about [Name of Entity]’s security procedures and practices?
☐ Yes ☐ No
Comments:

3. Protection from malicious software (Addressable). Procedures for guarding against, detecting and reporting malicious software (including computer viruses and worms, unauthorized installation of software, Internet intrusions, or any other malicious intrusion).

Do Approved Personnel receive training regarding the risks of malicious software, including the effects of installing unauthorized software on Information Systems, and receiving and opening e-mails and attachments containing viruses and worms?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have a procedure for Approved Personnel to follow to report malicious software?
☐ Yes ☐ No
Comments:
Is there updated anti-virus software on workstations and servers that access or contain EPHI?
☐ Yes ☐ No
Comments:

4. Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Does [Name of Entity] have a procedure for monitoring log-in attempts to Information Systems?
☐ Yes ☐ No
Comments:
Do Approved Personnel receive training on appropriate log-in to Information Systems?
☐ Yes ☐ No
Comments:
Does [Name of Entity] have procedures to follow for investigating unsuccessful log-in attempts to Information Systems?
☐ Yes ☐ No
Comments:

5. Password management (Addressable). Procedures for creating, changing and safeguarding passwords.