Do I need my HIPAA Security Plan Evaluated?

It is important for Covered Entities (CEs) and Business Associates (BAs) to know whether their security plans and procedures continue to adequately protect their electronic protected health information (ePHI). To accomplish this, CEs and BAs must implement and monitor an Evaluation Plan.

CEs and BAs must periodically evaluate their strategy and systems to ensure that their security measures continue to meet the requirements of their organizations’ operating environments.

The Evaluation standard, § 164.308(a)(8), has no separate implementation specification. The standard requires CEs and BAs to:

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

The purpose of the evaluation is to establish a process for CEs and BAs to review and maintain reasonable and appropriate security measures to comply with the Security Rule. Initially the evaluation must be based on the security standards implemented to comply with the Security Rule.

Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of your ePHI. Ongoing evaluations should also be performed on a scheduled basis, such as annually or every two years. The evaluations must include reviews of both the technical and the non-technical aspects of your security program.

Sample questions for CEs and BAs to consider:

  1. How often should an evaluation be done? For example, are additional evaluations performed if security incidents are identified, changes are made in the organization, or new technology is implemented?
  2. Is an internal or external evaluation, or a combination of both, most appropriate for the CE or BA?
  3. Are periodic evaluation reports and the supporting materials considered in the analysis, recommendations, and subsequent changes fully documented?

Ongoing evaluation of security measures is the best way to ensure all ePHI is adequately protected.

Note: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand that their patients are entrusting THEM with their most private and intimate details, and that those patients expect this information to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

