Practice Name:
Risk Assessment Performed in 2017 2018 2019
©HMC/Promedsyn
Location Address:
Risk Assessment Answer Guide
ID
Question
Y/N
Reason for No Answer 1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
Status of Remediation
Flag for Follow Up
A01
Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A02
Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A04
Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A05
Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A07
Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A08
Does your practice formally document a security plan?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A14
Is your practice’s security point of contact qualified to assess its securityprotections as well as serve as the point of contact for security policies, procedures, monitoring, and training?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A57
Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice’s ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A58
Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A59
Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO01
Do your practice’s processes enable the development and maintenance of policies and procedures that implement risk analysis, informed risk-based decision making for security risk mitigation, and effective mitigation and monitoring that protects the privacy, confidentiality, integrity, and availability of ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO02
Does your practice assure that its policies and procedures are maintained in a manner consistent with other business records?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO03
Does your practice assure that its other security program documentation is maintained in written manuals or in electronic form?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO04
Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO05
Does your practice assure that its policies, procedures and other security program documentation are available to those who need it to perform the responsibilities associated with their role?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PO06
Does your practice assure that it periodically reviews and updates (when needed) its policies, procedures, and other security program documentation?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH10
Do you have a written facility security plan?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH11
Do you take the steps necessary to implement your facility security plan?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH20
Has your practice developed and implemented workstation use policies and procedures?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T25
Does your practice categorize its activities and information systems that create, transmit or store ePHI as high, moderate or low risk based on its risk analyses?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T37
Does your practice protect the confidentiality of the documentation containingaccess control records (list of authorized users and passwords)?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A03
Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH19
Does your practice keep an inventory and a location record of all of its workstation devices?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH25
Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A20
Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A21
Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A23
Does your practice have policies and procedures for access authorization that support segregation of duties?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A24
Does your practice implement procedures for authorizing users and changing authorization permissions?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A25
Do your practice’s policies and procedures for access authorization address the needs of those who are not members of its workforce?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A26
Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A28
Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A29
Does your practice have formal policies and policies and procedures to support when a workforce member’s employment is terminated and/or a relationship with a business associate is terminated?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A30
Do your practice’s policies and procedures describe the methods it uses to limit access to its ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A31
Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A32
Do the roles and responsibilities assigned to your practice’s workforce members support and enforce segregation of duties?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A33
Does your practice’s policies and procedures explain how your practice assigns user authorizations (privileges), including the access that are permitted?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH13
Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH14
Does your practice have procedures to control and validate someone’s access to your facilities based on that person’s role or job duties?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH21
Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH22
Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH29
Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T01
Does your practice have policies and procedures requiring safeguards to limit access to ePHI to those persons and software programs appropriate for their role?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T02
Does your practice have policies and procedures to grant access to ePHI based on the person or software programs appropriate for their role?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T03
Does your practice analyze the activities performed by all of its workforce and service providers to identify the extent to which each needs access to ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T04
Does your practice identify the security settings for each of its information systems and electronic devices that control access?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T05
Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T06
Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T17
Does your practice have policies and procedures that require an authorized user’s session to be automatically logged-off after a predetermined period of inactivity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T18
Does a responsible person in your practice know the automatic logoff settings for its information systems and electronic devices?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T19
Does your practice activate an automatic logoff that terminates an electronic session after a predetermined period of user inactivity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T22
Does your practice control access to ePHI and other health information by using encryption/decryption methods to deny access to unauthorized users?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T34
Does your practice have policies and procedures for verification of a person or entity seeking access to ePHI is the one claimed?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T35
Does your practice know the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T36
Does your practice use the evaluation from its risk analysis to select the appropriate authentication mechanism?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A06
Does your practice assure that its risk management program prevents against the impermissible use and disclosure of ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T20
Does your practice have policies and procedures for implementing mechanisms that can encrypt and decrypt ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T21
Does your practice know the encryption capabilities of its information systems and electronic devices?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T32
Does your practice have policies and procedures for protecting ePHI from unauthorized modification or destruction?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T33
Does your practice have mechanisms to corroborate that ePHI has not been altered, modified or destroyed in an unauthorized manner?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T38
Does your practice have policies and procedures for guarding against unauthorized access of ePHI when it is transmitted on an electronic network?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T39
Do your practice implement safeguards, to assure that ePHI is not accessed while en-route to its intended recipient?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T40
Does your practice know what encryption capabilities are available to it for encrypting ePHI being transmitted from one point to another?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T41
Does your practice take steps to reduce the risk that ePHI can be intercepted or modified when it is being sent electronically?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T42
Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted from one point to another?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T43
Does your practice have policies and procedures for encrypting ePHI when deemed reasonable and appropriate?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T44
When analyzing risk, does your practice consider the value of encryption for assuring the integrity of ePHI is not accessed or modified when it is stored or transmitted?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH30
Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH31
Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH32
Do you maintain records of the movement of electronic devices and media inside your facility?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH33
Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH34
Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH35
Do you have procedures that describe how your practice should remove ePHI from its storage media/ electronic devices before the media is re-used?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH38
Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T10
Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage, such as a cloud environment?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH01
Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH02
Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH03
Do you regularly review your physical and environmental policies and procedures and update them as necessary to address vulnerabilities created by the presence of physical security or environmental factors?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH04
Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH08
Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH09
Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH12
Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH16
Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH18
Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH23
Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH24
Have you put any of your practice's workstations in public areas?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH26
Does your practice have physical protections in place to secure your workstations?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH27
Do you regularly review your workstations’ locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH28
Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A09
Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization’s ePHI if they are found to have violated the office’s policies to prevent system misuse, abuse, and any harmful activities that involve your practice's ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A10
Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A13
Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A15
Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A16
Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A17
Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice’s facilities, information systems, electronic devices, and ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A19
Does your practice clearly define roles and responsibilities along logical lines and assures that no one person has too much authority for determining who can access your practice’s facilities, information systems, and ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A22
Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A27
Do your practice’s policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A16
Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A34
Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A35
Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A36
Does your practice provide ongoing basic security awareness to all workforcemembers, including physicians?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A37
Does your practice provide role-based training to all new workforce members?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A38
Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A39
As part of your practice’s ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A40
Does your practice’s awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A41
Does your practice’s awareness and training content include information about how malware can get into your systems?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A42
Does your practice include log-in monitoring as part of its awareness and training programs?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A43
Does your practice include password management as part of its awareness and training programs?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A18
Does your practice know all business associates and the access that each requires for your practice’s facilities, information systems, electronic devices, and ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A60
Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A61
Does your practice maintain a list of all of its service providers, indicating which have access to your practice’s facilities, information systems and ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A62
Does your practice have policies and implement procedures to assure it obtains business associate agreements?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A63
If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A64
Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
O1
Does your practice assure that its business associate agreements include satisfactory assurances for safeguarding ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
O2
Do the terms and conditions of your practice’s business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
O3
If your practice is the business associate of a covered entity do the terms and conditions of your practice’s business associate agreements state that your subcontractor (business associate) will implement appropriate securitysafeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the covered entity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A49
Does your practice know what critical services and ePHI it must have available to support decision making about a patient’s treatment during an emergency?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A50
Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A51
Does your practice regularly review/update its contingency plan as appropriate?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A52
Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A53
Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A54
Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A55
Does your practice have policies and procedures for testing its contingency plans on a periodic basis?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A56
Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH05
Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH06
Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH07
If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T07
Does you practice have policies and procedures to enable access to ePHI in the event of an emergency?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T08
Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T09
Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T11
Does your practice have back up information systems so that it can access ePHI in the event of an emergency or when your practice’s primary systems become unavailable?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T12
Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T13
Does your practice have policies and procedures to identify the role of the individual accountable for activating emergency access settings when necessary?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T14
Does your practice designate a workforce member who can activate the emergency access settings for your information systems?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T15
Does your practice test access when evaluating its ability to continue accessing ePHI and other health records during an emergency?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T16
Does your practice effectively recover from an emergency and resume normal operations and access to ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A11
Does your practice have policies and procedures for the review of information system activity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A12
Does your practice regularly review information system activity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH15
Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH17
Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH36
Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
PH37
Do you maintain records of employees removing electronic devices and media from your facility that has or can be used to access ePHI?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T23
Does your practice have policies and procedures identifying hardware, software, or procedural mechanisms that record or examine information systems activities?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T24
Does your practice identify its activities that create, store, and transmit ePHI and the information systems that support these business processes?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T26
Does your practice use the evaluation from its risk analysis to help determine the frequency and scope of its audits, when identifying the activities that will be tracked?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T27
Does your practice have audit control mechanisms that can monitor, record and/or examine information system activity?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T28
Does your practice have policies and procedures for creating, retaining, and distributing audit reports to appropriate workforce members for review?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T29
Does your practice generate the audit reports and distribute them to the appropriate people for review?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T30
Does your practice have policies and procedures establishing retention requirements for audit purposes?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
T31
Does your practice retain copies of its audit/access records?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A44
Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A45
Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A46
Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A47
Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic device and media, and information (such as ePHI)?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes
A48
Does your practice implement the information system’s security protection tools to protect against malware?
Yes No
1 - Cost 2 - Practice Size 3 - Complexity 4 - Alternate Solution
1-In Progress 2-Solution Needed 3-Other-See Notes Box
