HIPAA Security

Self-Assessment Questionnaire

Information Section

System Name:
Hardware:
Software:
Type of Data:
Person who supports:
Purpose of system:
Assessor’s Name:
System and data criticality (see table 1): High / Medium / Low
System and data sensitivity (see table 2): High / Medium / Low
Comments:

Instructions:

This self-assessment questionnaire should be completed for any system, application, spreadsheet, database, tracking document, scheduler, billing system, etc. that is used to record, update, calculate, or store patient information. If in doubt, complete this questionnaire. Complete it from the perspective of the department completing the assessment, not from the perspective of the application or system (i.e. if the system is not physically maintained by the department using it, the physical access control questions can be answered with NA, with details provided in the comments section).

Step 1: Complete each item in the Information section to the best of your ability; use the comments field to record extra information.

Step 2: Complete the risk assessment section. Some risk items have already been provided; complete those and add further risk and vulnerability items as necessary for each system being assessed (risks may vary by department depending on how the system is used). The value of the risk assessment increases with the amount of individualized information provided in each area.

Definitions for the Likelihood and Impact rankings can be found at the end of the document. For each risk factor, calculate the risk rating and write/enter the number in the box provided. To calculate the Overall Risk Ranking, add up all the individual risk ratings and divide by the number of risk factors rated. Write the average in the box provided and, using the risk scale, place a check mark in the associated box.

Step 3: Assess the system for HIPAA compliance. For each Implementation Specification, use the boxes in the corresponding row to provide an appropriate assessment of compliance. An explanation of each column can be found in Table 6 at the end of this document.

When the questionnaire has been completed, keep a copy (either hardcopy or softcopy) and return one copy to the Security Department.

Risk Assessment Section

Risk Assessment
Risk-Source / Risk/Vulnerability / Risk Action / Likelihood (see table 3) / Impact (see table 4) / Risk Rating (see table 5)
Disgruntled Employee / Access rights never disabled. / Unauthorized user accessing/disclosing confidential information. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Unauthorized Users / Lack of a firewall or firewall configuration allows unauthorized users access to server. / Hackers break into a server that contains ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Unauthorized Users / Patches, hot fixes, or service packs have not been installed to patch existing vulnerabilities. / Hackers take advantage of a pre-existing vulnerability and access ePHI or prevent legitimate use of ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Unauthorized Users / Access controls are non-existent or poorly configured. / Unauthorized users access ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Thieves / Physical access controls to hardware are poor or non-existent. / The hardware that stores ePHI is stolen or damaged in a manner that prevents legitimate use of ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Authorized Users / Data entry controls are weak and could allow data entry errors. / The data becomes corrupt or unreliable from data entry errors. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Unauthorized Users / Authorized users are tricked into divulging ID/Password. / Unauthorized users use social engineering tactics to gain access to ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Authorized Users / Lack of training allows for the spread of viruses and worms. / Virus and worm infections prevent legitimate use of the systems. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Unauthorized Users / Passwords are posted on sticky notes in easy to find locations. / Unauthorized users access/disclose confidential information. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Natural Disaster / Tornado destroys data center. / Systems cannot be recovered in a timely manner. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Malicious Software / Protective measures are not installed or not available. / The malicious software corrupts, destroys, or steals ePHI. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
Authorized Users / Consumption of a disproportionate amount of bandwidth that prevents access to legitimate files. / Access to ePHI is denied. / High (1.0), Medium (0.5), Low (0.1) / High (100), Medium (50), Low (10) / 0 (Likelihood x Impact)
(Five blank rows follow for additional risk items; each offers the same Likelihood (1.0 / 0.5 / 0.1), Impact (100 / 50 / 10), and Risk Rating (Likelihood x Impact) entries.)
Overall Risk Ranking / Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10) / 0 (Average of above ratings) / High, Medium, Low
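The rating procedure above (Likelihood x Impact per row, the ratings averaged, and the average placed on the Risk Scale) carried through in code, as an added worked example that is not part of the questionnaire. The factor list is constructed for illustration, and the masked_high_factors check is an addition beyond the form's own procedure.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Scales exactly as printed on the form (tables 3, 4 and 5).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskFactor:
    source: str          # Risk-Source column
    vulnerability: str   # Risk/Vulnerability column
    likelihood: str      # "High", "Medium" or "Low"
    impact: str          # "High", "Medium" or "Low"

    def rating(self) -> float:
        """Risk Rating column: Likelihood x Impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(value: float) -> str:
    """Place a rating on the Risk Scale. The bands are open at the top
    (High is >50, Medium is >10), so exactly 50 is Medium and exactly 10 is Low."""
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def overall_ranking(factors: List[RiskFactor]) -> Tuple[float, str]:
    """Average of all individual ratings (rounded to one decimal) and its level.
    A sheet with no rated factors has no ranking, so refuse rather than report 0."""
    if not factors:
        raise ValueError("no risk factors were rated")
    average = sum(f.rating() for f in factors) / len(factors)
    return round(average, 1), risk_level(average)


def masked_high_factors(factors: List[RiskFactor]) -> List[RiskFactor]:
    """Added check, not on the form: factors that rate High on their own while
    the average lands below High. Averaging can hide a single severe item."""
    _, level = overall_ranking(factors)
    if level == "High":
        return []
    return [f for f in factors if risk_level(f.rating()) == "High"]


# Constructed sample: three rows from the form with likelihood and impact filled in.
SAMPLE = [
    RiskFactor("Disgruntled Employee", "Access rights never disabled.", "Medium", "High"),
    RiskFactor("Unauthorized Users", "Patches, hot fixes, or service packs not installed.", "High", "High"),
    RiskFactor("Thieves", "Physical access controls to hardware are poor.", "Low", "Medium"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.source}: {f.rating():.1f} ({risk_level(f.rating())})")
    print("Overall:", overall_ranking(SAMPLE))
```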

HIPAA Security Assessment Section

Standard/Implementation Specification / Yes/No/NA / Written Policies / Associated procedures for complying with policies / Implemented / Tested / Integrated into departmental processes / Risk Based Decision Made / Comments
Administrative Safeguards
Security Management Process
Are you or any person in your organization responsible for overseeing the prevention, detection, containment, and correction of security violations for this system? If so, process the next 4 questions; otherwise answer the questions with NA and skip down to Workforce Security.
Risk Analysis
For this application, do you have policies or procedures to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (by completing this assessment you can answer yes)?
Risk Management
For this application, do you have policies or procedures to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with section 164.306(a) which is listed below:
(1) Ensuring the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protecting against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protecting against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensuring compliance with this subpart by its workforce.
For example, a process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
Sanction Policy
For this application, do you have policies or procedures to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity (for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties)?
Information System Activity Review
For this application, do you have policies or procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports?
Assigned Security Responsibility / Y / The University has assigned HIPAA responsibilities to the University’s Information and Network Security Office, reporting to the VP of IT.
Workforce Security
Are you or any person in your organization responsible for granting appropriate access and preventing inappropriate access to electronic protected health information for this system? If so, process the next 3 questions; otherwise answer the questions with NA and skip down to Information Access Management.
Authorization and/or Supervision
For this application, do you have policies or procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed (for example, formal, documented procedures for determining the access level to be granted to users working on, or near, health information)?
Workforce Clearance Procedure
For this application, do you have policies or procedures to determine that the access of a workforce member to electronic protected health information is appropriate (for example, formal, documented procedures to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances)?
Termination Procedures
For this application, do you have policies or procedures for terminating access to electronic protected health information when the employment of a workforce member ends?
Information Access Management
Do you or any person in your organization authorize and maintain access to the electronic protected health information of this system? If so, process the next 2 questions; otherwise answer the questions with NA and skip to Security Awareness and Training.
Access Authorization
For this application, do you have policies or procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism (for example, procedures that establish the rules for granting access to a terminal, transaction, program, process)?
Access Establishment and Modification
For this application, do you have policies or procedures to authorize, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process (for example, procedures that determine a user’s initial right of access and the types of, and reasons for, modification to a user’s established right of access to a terminal, transaction, program, or process)?
Security Awareness and Training
Are you or any person in your area responsible for password maintenance, updates, and incident reporting of this system? If so, process the next 4 questions; otherwise answer the questions with NA and skip to Security Incident Procedures.
Security Reminders
For this application, do you have policies or procedures to distribute periodic security updates (for example, employees, agents, and contractors are made aware of security concerns on an ongoing basis)?
Protection from Malicious Software
For this application, do you have policies or procedures for guarding against, detecting, and reporting malicious software (for example, user awareness training in regards to the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected)?
Log-in Monitoring
For this application, do you have policies or procedures for monitoring log-in attempts and reporting discrepancies (for example, user training in the importance of monitoring log-in success or failure and how to report discrepancies)?
Password Management
For this application, do you have policies or procedures for creating, changing, and safeguarding passwords (for example, user training in regards to creating and changing passwords, and the need to keep them confidential)?
Security Incident Procedures
Response and Reporting
For this application, do you have policies or procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes?
Contingency Plan
Is the electronic protected health information in this system critical enough to your operations that any loss due to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems would disrupt operations or compromise the data? If so, process the next 5 questions; otherwise answer the questions with NA and skip to Evaluation.
Data Backup Plan
For this application, do you have policies or procedures to create and maintain retrievable exact copies of electronic protected health information?
Disaster Recovery Plan
For this application, do you have policies or procedures to restore any loss of data?
Emergency Mode Operations Plan
For this application, do you have policies or procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode?
Testing and Revision Procedures
For this application, do you have policies or procedures for periodic testing and revision of contingency plans?
Applications and Data Criticality Analysis
For this application, do you have a policy or procedure to assess the relative criticality of specific applications and data in support of other contingency plan components?
Evaluation
Perform a periodic security evaluation
For this application, do you have a policy or procedure to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the requirements?
Business Associate Contracts
Are you or any person in your area responsible for contractual obligations associated with this application? Do you have a contract with a business associate to create, receive, maintain, or transmit electronic protected health information on your behalf? If so, answer the next question; otherwise answer the next question with NA and skip down to Facility Access Controls.
Written Contracts or Other Arrangements
For this application and associated processes, is there a process to document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements to appropriately safeguard the information?
Physical Safeguards
Facility Access Controls
Are you or any person in your area responsible for physical access to this system's electronic information systems and the facility or facilities in which they are housed? If so, answer the next 4 questions; otherwise answer NA and skip down to Workstation Use.
Contingency Operations
For this application, do you have policies or procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency?
Facility Security Plan
For this application, do you have policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft?
Access Control and Validation Procedures
For this application, do you have policies and procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision?
Maintenance Records
For this application, do you have policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)?
Workstation Use
For this application, do you have policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information?
Workstation Security
For this application, do you have policies or procedures to implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users?
Device and Media Controls
Do you or any person in your organization download or store ePHI from this system locally? If so, process the next 2 questions; otherwise answer the questions with NA and skip down to the next question.
Media Disposal
For this application, do you have policies or procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored?
Media Re-use
For this application, do you have policies or procedures for removal of electronic protected health information from electronic media before the media are made available for re-use (i.e. procedures for degaussing disks, tapes, and hard drives that previously stored ePHI)?
Are you or any person using this system downloading, recording, or maintaining ePHI on any other hardware or media (e.g. PDA, laptop, diskette, etc.)? If so, answer the next question; otherwise answer with NA and skip down to the next question.
Media Accountability
For this application, do you have policies or procedures to maintain a record of the movements of hardware and electronic media and any person responsible therefore?
Do you or any person in your organization have responsibility for physical access to the hardware that stores, processes, receives, or transmits ePHI? If so, answer the next question; otherwise answer the question with NA and skip down to Access Controls.
Data Backup and Storage
For this application, do you have policies or procedures to create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment?
Technical Safeguards
Access Controls
Do you or someone in your organization administer a system that stores ePHI? If so, please answer the next 4 questions; otherwise answer with NA and skip down to the next question.
Unique User Identification
For this application, do you have policies or procedures to ensure each user is assigned a unique name and/ or number for identifying and tracking user identity?
Emergency Access Procedures
For this application, do you have policies or procedures such as a clearly stated and widely understood “break the glass” procedure, for allowing access via alternate and/or manual methods in the event of an emergency requiring access to protected health information?
Automatic Logoff
For this application, do you have policies or procedures to implement electronic procedures that terminate an electronic session after a predetermined time of inactivity?
Encryption
For this application, do you have policies or procedures to implement a mechanism to protect ePHI while stored on a system such as encrypt and decrypt, or some other compensating control?
Audit Controls
Do you or someone in your organization administer a system that stores or processes ePHI? If so, please answer the next question; otherwise answer it with NA and skip down to Integrity.
For this application, do you have policies or procedures to implement a mechanism to record and examine activity in systems that contain or use ePHI? The mechanism should record:
  • Creation and removal of accounts;
  • Assigning and changing of privileges;
  • Installation, maintenance, and changing of software;
  • Changes in hardware configurations;
  • Logon and logoff, both successful and unsuccessful;
  • Read, write, create, and delete actions at the file level;
  • Individual user access to individual patient records;
  • Attempts to access unauthorized data and/or services.

Integrity
Do you or someone in your organization administer a system that stores or processes ePHI? If so, please answer the next question; otherwise answer it with NA and skip down to Person or Entity Authentication.
Protect against improper alteration or destruction
For this application, do you have policies and procedures to protect electronic protected health information from improper alteration or destruction?
Person or Entity Authentication
Do you or someone in your organization administer a system that stores or processes ePHI? If so, please answer the next question; otherwise answer it with NA and skip down to Transmission Security.
Entity Authentication
For this application, do you have policies or procedures to verify that a person or entity seeking access to ePHI is the one claimed?
Transmission Security
Do you or someone in your organization administer a system that stores or processes ePHI? If so, please answer the next question; otherwise you are done.
Integrity and Encryption Controls
For this application, do you have policies or procedures to guard against unauthorized access to ePHI that is being transmitted over an electronic communication network?

Table 1 – System and Data Criticality Level