SRA Tool 3 5 Excel Workbook Final

Uploaded by johnjbhoughton

SRA Tool
Excel Workbook
Version 3.5

See the SRA Tool User Guide available for download on HealthIT.gov for more detailed instructions.

Instructions for Use:
This Excel based version of the SRA Tool contains the same content that can be found in the latest version of the Windows version of the SRA Tool (3.5).

The content is broken down into seven sections. Each section is contained in its own sheet of this workbook. Some cells in this workbook contain dropdown validation allowing the user to select a response.

The "Response Indicator" column can be used to check a response for a given question. Responses which indicate risk will automatically be highlighted in yellow. Select one response per question. The check mark can be cleared by using backspace or delete.

The "Likelihood" and "Impact" columns in the Threats and Vulnerabilities section of each sheet can be used to rate likelihood and impact as "Low", "Medium", or "High". Likelihood and impact ratings will automatically combine to form a Risk Score. Ratings can also be cleared using backspace or delete.

NOTE: This workbook contains risk calculation logic (formulas) and conditional formatting that will break if disturbed. Responses where risk is indicated will be highlighted in yellow.

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST and HICP standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule's requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional's specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.

Last Updated
Section 1 - SRA Basics

Columns on this sheet: Question # | Question Text | Section Indicator | Question Responses | Education | Risk Indicated | Required? | Reference
Question 1: Has your practice completed a security risk assessment (SRA) before?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, GV.OC, PR.DS, PR.PS, RS.MI; HPH CPG: 1; HICP: TV1 - Practice # 7, 10

  Response: Yes.
  Education: Continuing to complete security risk assessments will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.

  Response: No.  (Section Indicator: ✔; Risk Indicated: Review)
  Education: Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.

  Response: I don't know.
  Education: Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 2: Do you review and update your SRA?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, GV.OC, PR.DS, PR.PS, RS.MI; HPH CPG: 1; HICP: TV1 - Practice # 10

  Response: Yes.
  Education: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Include language in your policies and procedures to review and update your risk assessment regularly. You may also conduct periodic vulnerability scans.

  Response: No.
  Education: Consider reviewing and updating your security risk assessment periodically. Include language in your policies and procedures to review and update your risk assessment regularly. You may also conduct periodic vulnerability scans.

  Response: I don't know.
  Education: Consider reviewing and updating your security risk assessment periodically. Include language in your policies and procedures to review and update your risk assessment regularly. You may also conduct periodic vulnerability scans.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 3: How often do you review and update your SRA?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, GV.OC, PR.DS, PR.PS, RS.MI; HPH CPG: 1; HICP: TV1 - Practice #10

  Response: Periodically and in response to operational changes and/or security incidents.
  Education: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI.

  Response: Periodically but not in response to operational changes and/or security incidents.
  Education: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.

  Response: Only in response to operational changes and/or security incidents.
  Education: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.

  Response: Ad hoc, without regular frequency.
  Education: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.

  Response: I don't know.
  Education: Consider looking into whether your organization reviews and/or updates your SRA periodically, or in response to operational changes, or security incidents.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 4: Do you include all information systems containing, processing, and/or transmitting ePHI in your SRA?
Required? N/A
Reference: HIPAA: N/A; NIST CSF: ID.RA, PR.DS, ID.AM; HPH CPG: 1, 11; HICP: TV1 - Practice #4, 5

  Response: Yes.
  Education: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. A comprehensive security risk assessment should include all information systems that contain, process, or transmit ePHI. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.

  Response: No.
  Education: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.

  Response: I don't know.
  Education: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.

  Response: Other.
  Education: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 5: How do you ensure you are meeting current HIPAA security regulations?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: GV.RR, GV.PO, GV.OV, GV.RM; HPH CPG: 1; HICP: TV1 - Practice # 10

  Response: We review our practice's Security Policies and Procedures and compare to current regulations.
  Education: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.

  Response: We review the current regulations and do our best to meet them.
  Education: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.

  Response: We try to follow the best practices for securing our ePHI but we are not sure we're meeting all the HIPAA security regulations.
  Education: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.

  Response: I don't know.
  Education: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.

  Response: Other.
  Education: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 6: What do you include in your SRA documentation?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, GV.OC, PR.DS, PR.PS, RS.MI; HPH CPG: 1, 11; HICP: TV1 - Practice # 4, 5, 9

  Response: Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We develop corrective action plans as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe.
  Education: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.

  Response: Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We do not include corrective action plans.
  Education: Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.

  Response: Our SRA documentation includes possible threats and vulnerabilities but does not include impact and likelihood ratings, severity ratings, or corrective action plans.
  Education: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.

  Response: I don't know.
  Education: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.

  Response: Other.
  Education: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 7: Do you respond to the threats and vulnerabilities identified in your SRA?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, GV.RM, RS.MI; HPH CPG: 1, 16; HICP: TV1 - Practice # 7

  Response: Yes, we respond. We also maintain supporting documentation of our response.
  Education: This is the most effective option. Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.

  Response: Yes, we respond, but we do not maintain documentation of our response.
  Education: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.

  Response: No, we don't have a process to respond to identified threats and vulnerabilities.
  Education: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.

  Response: I don't know.
  Education: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 8: Do you identify specific personnel to respond to and mitigate the threats and vulnerabilities found in your SRA?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, GV.RM, RS.MI, GV.RR, GV.PO, GV.OV, PR.PS; HPH CPG: 1; HICP: TV1 - Practice # 7

  Response: Yes.
  Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Use internal or external experts to deploy security methodology.

  Response: No.
  Education: Consider identifying specific workforce members to respond to and mitigate all threats and vulnerabilities identified in your SRA. Use internal or external experts to deploy security methodology.

  Response: I don't know.
  Education: Consider identifying specific workforce members to respond to and mitigate all threats and vulnerabilities identified in your SRA. Use internal or external experts to deploy security methodology.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 9: Do you communicate SRA results to personnel involved in responding to threats or vulnerabilities?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, GV.RM, RS.MI, PR.PS; HPH CPG: 1; HICP: TV1 - Practice # 10

  Response: Yes.
  Education: This is the most effective option. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.

  Response: No.
  Education: You may not be able to implement effective safeguards to protect ePHI if you do not document and share the results of your SRA with the staff responsible for making risk management decisions, developing risk-related policies, and implementing risk mitigation safeguards for ePHI. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.

  Response: I don't know.
  Education: You may not be able to implement effective safeguards to protect ePHI if you do not document and share the results of your SRA with the staff responsible for making risk management decisions, developing risk-related policies, and implementing risk mitigation safeguards for ePHI. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 10: How do you communicate SRA results to personnel involved in responding to identified threats or vulnerabilities?
Required? Required
Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, GV.RM, RS.MI; HPH CPG: 1; HICP: TV1, Practice # 10

  Response: Written and verbal communication as well as coordinated corrective action planning.
  Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Written results of the risk assessment should be communicated to the personnel responsible for responding to identified threats and vulnerabilities. The responsible persons should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.

  Response: Written communication only.
  Education: Written results of your SRA should be communicated to the personnel responsible for responding to identified threats and vulnerabilities, but also consider involving those personnel in the creation of corrective action plans.

  Response: Verbal communication only.
  Education: Written results of the risk assessment should be communicated to workforce members who will be responsible for responding to identified threats and vulnerabilities after the completion of the risk assessment. The team members responsible for responding to identified threats and vulnerabilities should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.

  Response: We do not communicate risk assessment results to workforce members.
  Education: Written results of the risk assessment should be communicated to workforce members who will be responsible for responding to identified threats and vulnerabilities after the completion of the risk assessment. The team members responsible for responding to identified threats and vulnerabilities should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Threats & Vulnerabilities (columns: Threats & Vulnerabilities | Likelihood | Impact | Risk Score)
Each numbered vulnerability is followed by its associated threats; Likelihood and Impact are rated per line and combine into the Risk Score.

1 Inadequate risk awareness or failure to identify new weaknesses
  - Non-physical threat(s) such as data corruption or information disclosure, interruption of system function and business processes, and/or legislation or security breaches
  - Physical threats such as unauthorized facility access, hardware or equipment malfunction, collisions, trip/fire hazards, and/or hazardous materials (chemicals, magnets, etc.)
  - Natural threat(s) such as damage from dust/particulates, extreme temperatures, severe weather events, and/or destruction from animals/insects
  - Man-made threat(s) such as insider carelessness, theft/vandalism, terrorism/civil unrest, toxic emissions, or hackers/computer criminals
  - Infrastructure threat(s) such as building/road hazards, power/telephone outages, water leakage (pipes, roof, sprinkler activation), unstable building conditions

2 Failure to remediate known risk(s)
  - Information disclosure (ePHI, proprietary, intellectual, or confidential)
  - Penalties from contractual non-compliance with third-party vendors
  - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
  - Data deletion or corruption of records
  - Prolonged exposure to hacker, computer criminal, malicious code, or careless insider
  - Corrective enforcement from regulatory agencies (e.g., HHS, OCR, FTC, CMS, State or Local jurisdictions)
  - Hardware/equipment malfunction

3 Failure to meet minimum regulatory requirements and security standards
  - Corrective enforcement from regulatory agencies (e.g., HHS, OCR, FTC, CMS, State or Local jurisdictions)
  - Damage to public reputation due to breach
  - Failure to attain incentives or optimize value-based reimbursement
  - Litigation from breach victims due to lack of reasonable and appropriate safeguards

4 Inadequate Asset Tracking
  - Information disclosure (ePHI, proprietary, intellectual, or confidential)
  - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
  - Unauthorized use of assets or changes to data within information systems
  - Unauthorized installation of software or applications
  - Loss, theft, or disruption of assets
  - Improper operation/configuration of assets

5 Unspecified workforce security responsibilities
  - Non-remediated weaknesses
  - Prolonged duration of addressing non-remediated weaknesses
  - Insider carelessness exposing ePHI or causing disruption to information systems and business processes
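The workbook's instructions describe two pieces of logic: dropdown-validated Likelihood/Impact ratings that combine into a Risk Score, and a Response Indicator check that highlights responses whose Risk Indicated cell reads "Review". The Python below is an added model of that logic, not the workbook's own formulas; the 3x3 combination matrix is an assumption, since the page only states that the two ratings combine, and the sample ratings are constructed.

```python
"""Added example: a model of the SRA Tool workbook's scoring and highlighting logic."""
from dataclasses import dataclass, field
from typing import Optional

RATINGS = ("Low", "Medium", "High")          # the dropdown values the sheet accepts
RANK = {r: i for i, r in enumerate(RATINGS)}  # Low=0, Medium=1, High=2

# ASSUMED matrix (not given on the page): row = likelihood, column = impact.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def validate_rating(value: Optional[str]) -> Optional[str]:
    """Mimic the sheet's dropdown validation: blank (cleared) or one of RATINGS."""
    if value is None or value.strip() == "":
        return None
    if value not in RATINGS:
        raise ValueError(f"rating must be one of {RATINGS}, got {value!r}")
    return value


def risk_score(likelihood: Optional[str], impact: Optional[str]) -> Optional[str]:
    """Combine the two ratings; a cleared cell yields no score, as in the sheet."""
    lik, imp = validate_rating(likelihood), validate_rating(impact)
    if lik is None or imp is None:
        return None
    return RISK_MATRIX[lik][imp]


@dataclass
class ThreatRow:
    """One line of the Threats & Vulnerabilities table."""
    vulnerability: str
    threat: str
    likelihood: Optional[str] = None
    impact: Optional[str] = None

    @property
    def risk(self) -> Optional[str]:
        return risk_score(self.likelihood, self.impact)


@dataclass
class Question:
    """One question row: its responses plus the 'Risk Indicated' column."""
    text: str
    responses: list
    risk_indicated: dict = field(default_factory=dict)  # response -> "Review"
    checked: Optional[str] = None

    def check(self, response: str) -> bool:
        """Select exactly one response (a new check replaces the old one) and
        return True when the sheet would highlight it in yellow."""
        if response not in self.responses:
            raise ValueError(f"unknown response {response!r}")
        self.checked = response
        return self.risk_indicated.get(response) == "Review"

    def clear(self) -> None:
        """Backspace/delete on the Response Indicator cell."""
        self.checked = None


def rows_at_or_above(rows, threshold: str = "Medium"):
    """Scored rows whose Risk Score is at least `threshold`, highest risk first."""
    scored = [r for r in rows if r.risk is not None and RANK[r.risk] >= RANK[threshold]]
    return sorted(scored, key=lambda r: RANK[r.risk], reverse=True)


# Constructed sample ratings for vulnerabilities listed on the Section 1 sheet.
SAMPLE_ROWS = [
    ThreatRow("Failure to remediate known risk(s)",
              "Information disclosure (ePHI, proprietary, intellectual, or confidential)",
              "High", "High"),
    ThreatRow("Inadequate Asset Tracking",
              "Loss, theft, or disruption of assets", "Medium", "High"),
    ThreatRow("Unspecified workforce security responsibilities",
              "Non-remediated weaknesses", "Low", "Medium"),
    ThreatRow("Inadequate risk awareness or failure to identify new weaknesses",
              "Natural threat(s) such as severe weather events", None, "High"),  # not yet rated
]

SAMPLE_QUESTION = Question(
    "Has your practice completed a security risk assessment (SRA) before?",
    ["Yes.", "No.", "I don't know.", "Flag this question for later."],
    {"No.": "Review"},
)

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{str(row.likelihood):7} {str(row.impact):7} -> {row.risk}  {row.vulnerability}")
    print("action list:", [r.vulnerability for r in rows_at_or_above(SAMPLE_ROWS)])
    print("highlight 'No.'?", SAMPLE_QUESTION.check("No."))
```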
Section 2 - Security Policies

Columns on this sheet: Question # | Question Text | Section Indicator | Question Responses | Education | Risk Indicated | Required? | Reference
Question 1: Do you maintain documentation of policies and procedures regarding risk assessment, risk management and information security activities?
Required? Required
Reference: HIPAA: §164.316(a); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS; HPH CPG: 1, 14, 15; HICP: TV1 - Practice # 10

  Response: Yes, we have a process by which management develops, implements, reviews, and updates security policies and procedures.
  Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.

  Response: Yes, we have some documentation for our information security and risk management activities, but not all of our policies and procedures are documented.
  Education: You should document policies and procedures to ensure you consistently make informed decisions on the effective monitoring, identification, and mitigation of risks to ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.

  Response: No, we do not maintain documentation on our information security activities or risk management.
  Education: You should document policies and procedures to ensure you consistently make informed decisions on the effective monitoring, identification, and mitigation of risks to ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.

  Response: Flag this question for later.
  Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
2. Do you review and update your security documentation, including policies and procedures?

Response: Yes, we review and update our security documentation periodically and as necessary.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Response: Yes, we review and update our documentation periodically or as needed, but not both.
Education: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Response: Yes, we review our security documentation but we have not updated our documentation.
Education: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Response: No, we have never updated our documentation.
Education: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Response: I don't know.
Education: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 14, 15, 19; HICP: TV1 - Practice # 10

Notes:
3. How do you update your security program documentation, including policies and procedures?

Response: We have a periodic review of information security policies that formally evaluates their effectiveness. Policies and procedures are updated as needed.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: We update policies and procedures ad hoc, for example when an immediate need prompts the change.
Education: You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: We do not have a process for updating our security documentation.
Education: You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 4; HICP: TV1 - Practice # 10

Notes:
4. Is the security officer involved in all security policy and procedure updates?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 15, 19; HICP: TV1 - Practice # 10

Response: No.
Education: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 15, 19; HICP: TV1 - Practice # 10

Response: I don't know.
Education: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 15, 19; HICP: TV1 - Practice # 10

Response: Other.
Education: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 15, 19; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: GV.RR, GV.PO, GV.OV, ID.RA, PR.PS, ID.IM; HPH CPG: 7, 15, 19; HICP: TV1 - Practice # 10

Notes:
5. How does documentation for your risk management and security procedures compare to your actual business practices?

Response: Our risk management and security documentation completely and accurately reflects our actual business practices.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 1, 15, 19; HICP: TV1 - Practice # 10

Response: Our risk management and security documentation somewhat accurately reflects our business practices.
Education: Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 1, 15, 19; HICP: TV1 - Practice # 10

Response: Our risk management and security documentation does not accurately reflect our business practices.
Education: Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 1, 15, 19; HICP: TV1 - Practice # 10

Response: I don't know.
Education: Consider reviewing how your risk management documentation and security procedures compare to your business practices. Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 1, 15, 19; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 1, 15, 19; HICP: TV1 - Practice # 10

Notes:
6. How long are information security management and risk management documents kept?

Response: We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are maintained and backed up.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The federal requirement is six (6) years of retention of documentation, but your state or jurisdiction may have additional requirements.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 7, 18; HICP: N/A

Response: We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are not backed up.
Education: The federal requirement is six (6) years of retention of documentation, but your state or jurisdiction may have additional requirements. Investigate the requirements for your state. Consider backing up information security and risk management documents.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 7, 18; HICP: N/A

Response: We do not have a set amount of time to keep our documentation.
Education: Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when they were created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 7, 18; HICP: N/A

Response: We do not maintain documents regarding security and risk management.
Education: Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when they were created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 7, 18; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 7, 18; HICP: N/A

Notes:
7. Do you make sure that information security and risk management documentation is available to those who need it?

Response: Yes. Documentation is made available to appropriate workforce members in physical and/or electronic formats (for example, our practice's shared drive or intranet).
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Documentation is reviewed with appropriate workforce members upon initial orientation to the practice, but is not reviewed on a periodic basis or available in physical and/or electronic format unless requested.
Education: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: No. We do not have a process to ensure documentation is available to appropriate workforce members who need it.
Education: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: I don't know.
Education: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Notes:
8. How do you ensure that security and risk management documentation is available to those who need it?

Response: Appropriate workforce members receive instruction on our information security documentation and where to find it as part of their periodic privacy and security training. Documentation is securely made available to workforce members in physical or electronic formats.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS, ID.RA; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Documentation is reviewed with appropriate workforce members upon initial orientation to the practice. Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is.
Education: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS, ID.RA; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is.
Education: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS, ID.RA; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Other.
Education: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS, ID.RA; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: GV.OC, GV.RM, PR.PS, ID.RA; HPH CPG: 4; HICP: TV1 - Practice # 10

Notes:

Threats & Vulnerabilities (columns: Likelihood | Impact | Risk Score)

1 Failure to update Policies & Procedures
  Fines/penalties from mandated regulatory requirements
  Unstructured guidance for daily tasks and duties within workforce
2 Failure to share security procedure information with appropriate parties
  Unauthorized access to ePHI or sensitive information permitted
  Disruption of information system function
  ePHI accessed by unauthorized entities
  Insider carelessness causing disruption
  Insider carelessness exposing ePHI
3 Inconsistent/unclear risk management documentation
  Unclear security coordination across workforce
  Unstructured guidance for daily tasks and duties
4 No risk management documentation (or low retention of documentation)
  Fines/penalties from regulatory enforcement
  Inability of workforce to perform proper security and privacy-related tasks or access procedural documents
  Unstructured workforce coordination of risk management procedures
Section 3 - Security & Workforce

Questions (columns: Section Indicator | Question # | Question Text | Question Responses | Education | Risk Indicated | Required? | Reference)
1. Who within your practice is responsible for developing and implementing information security policies and procedures?

Response: The security officer is a member of the workforce identified by name in policy documents.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: The role of security officer is described in our policy documentation, but the person who occupies that role is not named.
Education: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: A member of our workforce.
Education: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: The security officer is not formally named or otherwise identified in policy.
Education: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Other.
Education: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS, ID.AM; HPH CPG: 4; HICP: TV1 - Practice # 10

Notes:
2. Do you identify and document the role and responsibilities of the security officer?

Response: Yes. The security officer is identified by role and this is documented in our practice's information security policies, which describe the role's responsibilities.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Yes. Our practice has a security officer, but there is no formal documentation of the position or the responsibilities.
Education: You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: No. We have not identified the role of the security officer.
Education: You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO, PR.PS; HPH CPG: 4; HICP: TV1 - Practice # 10

Notes:
3. Is your security officer qualified for the position?

Response: Yes. The security officer is an assigned member of the workforce familiar with security and has the ability to design, implement, and enforce security policies and procedures.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: N/A; HICP: TV1 - Practice # 8

Response: No. The security officer does not have the ability to design, implement, and enforce security policies and procedures.
Education: Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: N/A; HICP: TV1 - Practice # 8

Response: I don't know. We have not considered what qualifications would be appropriate for the security officer.
Education: Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: N/A; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: N/A; HICP: TV1 - Practice # 8

Notes:
4. Do workforce members know who the security officer is?

Response: Yes. Workforce members are aware of who our security officer is.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: No. Not all workforce members know who our security officer is.
Education: If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: I don't know.
Education: If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Notes:
5. Do workforce members know how and when to contact the security officer?

Response: Workforce members are made aware of the identity of the security officer and reasons for contacting the security officer as part of their orientation to the practice (upon hire) as well as periodic reminders of our internal policies and procedures (e.g., periodic review).
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Information about who the security officer is and when they should be contacted is verbally communicated to workforce members, but this is not a formal process.
Education: If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: We do not have a process to inform workforce members about the identity of the security officer or when the security officer needs to be contacted.
Education: If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Notes:
6. Who do people contact for security considerations if there is NO security officer?

Response: The practice manager.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Information Technology (IT) Manager.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Lead physician in the practice.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Lead nurse in practice.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Lead consultant for the practice.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Administrative support for the practice.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Other.
Education: In order to meet the standard, you should identify a member of your workforce to serve as the security official, who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: N/A
Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.AE, GV.RR, RS.CO; HPH CPG: 4; HICP: N/A

Notes:
7. How are roles and job duties defined as they pertain to accessing ePHI?
HIPAA implementation specification: Required. References: HIPAA §164.308(a)(3)(ii)(A); NIST CSF ID.AM, PR.MA, DE.CM, DE.AE, PR.PS; HPH CPG 6, 7; HICP TV1 - Practice #2, 3
- We have written job descriptions, roles, and required qualifications documented for all workforce members with access to ePHI.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user's access to data, applications, systems, and endpoints.
- We have written job titles, but no written roles or responsibilities for workforce members with access to ePHI.
- We do not have written job roles or responsibilities for workforce members with access to ePHI.
  Guidance (for each of the two responses above): Consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. If such procedures are determined to not be reasonable and appropriate, document the reason why and what is being done to compensate for this lack of procedures. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user's access to data, applications, systems, and endpoints.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
8. Do you screen your workforce members (e.g., staff, volunteers, interns) with tools like credential verification or background checks to verify trustworthiness?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(3)(ii)(B); NIST CSF DE.AE, PR.AA, PR.IR, PR.PS; HPH CPG 6; HICP N/A
- Yes.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
- No.
- I don't know.
  Guidance (for each of the two responses above): Unqualified or untrustworthy users could access your ePHI if policies and procedures do not require screening workforce members prior to enabling access to facilities, information systems, and ePHI.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
9. How are your workforce members screened to verify trustworthiness?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(3)(ii)(B); NIST CSF DE.AE, PR.AA, PR.IR, PR.PS; HPH CPG 6; HICP N/A
- Professional references are collected and verified. Criminal background checks are performed in addition to verifying licenses, credentials, and certifications.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
- Professional references are collected and verified along with licenses, credentials, and certifications. We do not perform criminal background checks.
- We only collect professional references.
- We hire through external sources (local school externship or temp agency), and assume their vetting process is sufficient.
- Other.
  Guidance (for each of the four responses above): Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
10. Do you ensure that all workforce members (including management) are given security training?
HIPAA implementation specification: Required. References: HIPAA §164.308(a)(5)(i); NIST CSF PR.AT, GV.RM, PR.PS; HPH CPG 4; HICP TV1 - Practice #1, 4
- Yes, we ensure all workforce members complete security training on a periodic basis.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.
- Yes, we ensure all workforce members complete security training, but this is not done periodically.
- No, we do not ensure that all workforce members have completed security training or that security training is completed on a periodic basis.
- I don't know.
  Guidance (for each of the three responses above): Provide periodic security training to all workforce members. The standard requires that periodic security training be completed and documented for all workforce members, and that the documentation be reviewed by your practice's security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
11. How do you ensure that all workforce members are given security training?
HIPAA implementation specification: Required. References: HIPAA §164.308(a)(5)(i); NIST CSF PR.AT, PR.PS; HPH CPG 4; HICP TV1 - Practice #1, 4, 10
- We keep a list of workforce members who have completed security training. Trainings are provided upon hire and periodically thereafter. The list is reviewed and verified by the security officer.
- Our security training is provided by a vendor who keeps records of the trainings completed. The records are reviewed and verified by the security officer.
  Guidance (for each of the two responses above): This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Train personnel to comply with organizational policies. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.
- Documentation of security training is maintained in the workforce members' personnel files, but a single comprehensive record is not kept.
- We do not maintain records of privacy and security training for our workforce members.
  Guidance (for each of the two responses above): Provide training periodically and maintain a comprehensive record of all personnel who have completed training. Have the security officer review the list. Train personnel to comply with organizational policies. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
12. How long are records of workforce member security training kept?
HIPAA implementation specification: Required. References: HIPAA §164.308(a)(5)(i); NIST CSF PR.AT, PR.PS; HPH CPG 4; HICP N/A
- Records documenting the completion of required security trainings are kept for all workforce members (including management) and retained for at least six (6) years after completion of the training.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
- Records documenting the completion of required security trainings are kept for all workforce members. Records are retained for less than six (6) years.
- Records documenting the completion of required security training are kept for all workforce members. Records are only kept for the year in which training was completed.
  Guidance (for each of the two responses above): Records documenting the completion of security trainings for all workforce members (including management) should be kept for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond six (6) year retention.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
13. Are procedures in place for monitoring log-in attempts and reporting discrepancies?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(5)(ii)(C); NIST CSF DE.AE, DE.CM, RS.CO, PR.AT, PR.PS; HPH CPG 18; HICP TV1 - Practice #2, 3
- Yes, these procedures include workforce members' roles and responsibilities, the log-in monitoring procedure, how to identify a log-in discrepancy, and how to respond to an identified discrepancy.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.
- Yes, we have procedures, but these do not include all of the elements listed above.
- Log-in monitoring tools are available, but we do not actively utilize them.
- No, our privacy and security procedures do not include log-in monitoring.
  Guidance (for each of the three responses above): Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
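The element practices most often lack is a concrete answer to "how to identify a log-in discrepancy". The following is an added example written for this page; it is not part of the SRA Tool or the workbook. It shows detection logic a security officer could run over an exported authentication log to produce the discrepancy report the procedure calls for: it flags a burst of failed attempts against one account, a successful log-in that immediately follows such a burst (the usual sign of a guessed or sprayed password), and successful log-ins outside business hours. The log format, the five-failures-in-ten-minutes threshold and the 07:00 to 19:00 business-hours window are assumptions to be replaced by whatever your procedures define, and the log lines are constructed for the example.

```python
# Added example (not part of the SRA Tool): flag log-in discrepancies in an
# exported authentication log so they can be reported to the security officer.
# The log format, thresholds and business hours below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO-8601 local timestamp> <username> <SUCCESS|FAILURE> <source IP>"
SAMPLE_LOG = """\
2024-03-04T08:02:11 jsmith SUCCESS 10.0.0.12
2024-03-04T08:05:40 rlee FAILURE 10.0.0.30
2024-03-04T08:05:52 rlee FAILURE 10.0.0.30
2024-03-04T08:06:03 rlee FAILURE 10.0.0.30
2024-03-04T08:06:15 rlee FAILURE 10.0.0.30
2024-03-04T08:06:27 rlee FAILURE 10.0.0.30
2024-03-04T08:06:41 rlee SUCCESS 10.0.0.30
2024-03-04T09:10:00 tnguyen FAILURE 10.0.0.44
2024-03-04T13:45:10 tnguyen SUCCESS 10.0.0.44
2024-03-04T23:14:09 mgarcia SUCCESS 203.0.113.7
"""

# Assumed policy values; tune them to what your procedures define.
FAILURE_THRESHOLD = 5                 # failures per account within WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)              # 07:00 to 19:00 local time


def parse_log(text):
    """Parse the assumed format into (timestamp, user, outcome, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip))
    events.sort()
    return events


def find_discrepancies(events, threshold=FAILURE_THRESHOLD, window=WINDOW,
                       business_hours=BUSINESS_HOURS):
    """Return (kind, user, timestamp, ip) findings of three kinds:
    repeated_failures, success_after_failures and after_hours_login."""
    findings = []
    recent_failures = defaultdict(list)   # user -> failure timestamps still inside window
    start_hour, end_hour = business_hours
    for ts, user, outcome, ip in events:
        fails = recent_failures[user]
        fails[:] = [t for t in fails if ts - t <= window]   # expire old failures
        if outcome == "FAILURE":
            fails.append(ts)
            if len(fails) == threshold:                      # report once per burst
                findings.append(("repeated_failures", user, ts.isoformat(), ip))
            continue
        # A success that closes a burst of failures suggests a guessed password;
        # an off-hours success is worth a phone call to the account owner.
        if len(fails) >= threshold:
            findings.append(("success_after_failures", user, ts.isoformat(), ip))
        if not start_hour <= ts.hour < end_hour:
            findings.append(("after_hours_login", user, ts.isoformat(), ip))
        fails.clear()
    return findings


def format_report(findings):
    """One line per finding, for the discrepancy report handed to the security officer."""
    return [f"{kind:24} user={user:10} at={when} from={ip}"
            for kind, user, when, ip in findings]


if __name__ == "__main__":
    for line in format_report(find_discrepancies(parse_log(SAMPLE_LOG))):
        print(line)
```

On the constructed log this reports rlee twice (five failures in under a minute, then a success from the same address) and mgarcia once (a successful log-in at 23:14); tnguyen's single failure four hours before a normal log-in is correctly ignored because it falls outside the window. In a real deployment the same logic would be fed by the authentication logs of the EHR, the domain controller or the cloud identity provider, and each finding would be the trigger for the response step your procedure defines.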
14. Is protection from malicious software (including timely antivirus/security updates and malware protection) covered in your procedures?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(5)(ii)(B); NIST CSF PR.AT, PR.PS; HPH CPG 1, 2; HICP TV1 - Practice #2, 9
- Yes. Software protection is included in our procedures. This includes a review of our procedures for guarding against malware, the mechanisms in place for protection, and the procedures workforce members follow to detect and report malicious software.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.
- Yes. Our security procedures include a review of our practice's procedure for guarding against malicious software, but do not cover how workforce members can detect and report malicious software or the protection mechanisms and system capabilities in place for malware protection.
- Tools for protection from malicious software are available, but these are not included in our security procedures.
- No, protection from malicious software is not included in our security procedures.
  Guidance (for each of the three responses above): Consider including software protection in your procedures, such as: 1. What protection mechanisms and system capabilities are in place for protection against malicious software, 2. Workforce members' roles and responsibilities in malicious software protection procedures, 3. Steps to protect against and detect malicious software, and 4. Actions on how to respond to malicious software infections. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
15. What password security elements are covered in your security training?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(5)(ii)(D); NIST CSF PR.AT; HPH CPG 2, 8; HICP TV1 - Practice #2, 3
- Our security procedures include what our workforce roles/responsibilities are in password security, how to safeguard passwords, how to respond to a compromised password, and how to properly change a password using various password characteristics (e.g., many characters long, easy to remember, avoiding easy to guess phrases).
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. To stay current with best practices on security procedures, consider enforcing password security measures consistent with guidance in NIST SP 800-63-3. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.
- Our security procedures include some but not all of the items noted above.
- Password security is not covered in our security procedures.
- Other.
- I don't know.
  Guidance (for each of the four responses above): Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
16. Do you ensure workforce members maintain ongoing awareness of security requirements?
HIPAA implementation specification: Addressable. References: HIPAA §164.308(a)(5)(ii)(A); NIST CSF PR.AT, ID.RA, GV.OC, GV.RR, GV.PO, GV.OV; HPH CPG 4; HICP TV1 - Practice #1, 4
- Yes.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.
- No.
- I don't know.
  Guidance (for each of the two responses above): Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.
- Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
17 How does your practice ensure workforce members maintain ongoing awareness of security requirements?

Response: Formal trainings and periodic security reminders.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions.
Required?: Addressable
Reference: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, GV.OC, GV.RR, GV.PO, GV.OV; HPH CPG: 4; HICP: TV1 - Practice # 1, 4

Response: Either formal trainings or periodic security reminders, but not both.
Education: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions.
Required?: Addressable
Reference: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, GV.OC, GV.RR, GV.PO, GV.OV; HPH CPG: 4; HICP: TV1 - Practice # 1, 4

Response: I don't know.
Education: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions.
Required?: Addressable
Reference: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, GV.OC, GV.RR, GV.PO, GV.OV; HPH CPG: 4; HICP: TV1 - Practice # 1, 4

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Addressable
Reference: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, GV.OC, GV.RR, GV.PO, GV.OV; HPH CPG: 4; HICP: TV1 - Practice # 1, 4

Notes
18 Do you have a sanction policy to enforce security procedures?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.PS; HPH CPG: N/A; HICP: N/A

Response: No.
Education: Consider implementing a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice's security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.PS; HPH CPG: N/A; HICP: N/A

Response: I don't know.
Education: Consider looking into whether your practice has a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice's security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.PS; HPH CPG: N/A; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.PS; HPH CPG: N/A; HICP: N/A

Notes
19 What is included in your sanction policy to hold personnel accountable if they do not follow your security policies and procedures?

Response: Formal written documentation of the sanction and the reason for the sanction.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: A formal corrective action plan.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: Identification of the sanctions applied to compliance failures.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: Training to mitigate repeat offenses.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: Documentation of the sanction outcome.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: All of the above.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: None of the above.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: Other.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: I don't know.
Education: Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.PS; HPH CPG: N/A; HICP: N/A

Notes

Threats & Vulnerabilities (columns: Likelihood, Impact, Risk Score)

1 Unqualified, uninformed, or missing Security Officer
    Unqualified workforce or personnel untrained on security standards and procedures
    Security policies not followed when not enforced
    Misuse of audit tools, information systems, and/or hardware
    Increased chance or spread of unknown threats
    Insider carelessness exposing ePHI
    Unauthorized information disclosure (ePHI, proprietary, intellectual, or confidential)
    Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems

2 Untrustworthy employee or business associate
    Information disclosure (ePHI, proprietary, intellectual, or confidential)
    Disruption of business processes or information system function
    Sensitive data exposed or tampered with by insider
    Misuse of information systems and/or hardware
    Falsification or destruction of records and/or data corruption
    Unauthorized access granted to outsiders

3 Inadequate cybersecurity & IT training
    Information disclosure (ePHI, proprietary, intellectual, or confidential)
    Disruption of business processes or information system function
    Social engineering attack or email phishing attack
    Misuse of information systems and/or hardware
    Information system or facility access granted to unauthorized personnel
    Installation of unauthorized software or applications

4 Failure to hold workforce members accountable for undesired actions
    Insider carelessness causing disruption to computer systems
    Insider carelessness exposing ePHI to unauthorized persons or entities
    Lack of interest in protecting sensitive information
Section 4 - Security & Data

Question #  Question Text
Section Questions  Indicator  Question  Responses  Education  Risk Indicated  Required?  Reference
1 Do you manage and control personnel access to ePHI, systems, and facilities?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 6; HICP: TV1 - Practice #2, 3

Response: No.
Education: Consider implementing policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 6; HICP: TV1 - Practice #2, 3

Response: I don't know.
Education: Consider looking into whether you have policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 6; HICP: TV1 - Practice #2, 3

Response: We manage and control personnel access to some but not all.
Education: Consider implementing policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 6; HICP: TV1 - Practice #2, 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 6; HICP: TV1 - Practice #2, 3

Notes
2 How do you manage and control personnel access to ePHI, systems, and facilities?

Response: Detailed log of personnel and access levels based on role. Updates are reviewed by the security officer.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Log of personnel names.
Education: You should develop, document, and disseminate to workforce members an access control policy. The access control policy should address purpose, scope, roles, responsibilities, management commitment, the expected coordination among organizational entities, and compliance requirements. You should also maintain a list of workforce members with their corresponding level of access. This list should be reviewed and updated by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Access is granted by role, but we do not maintain a corresponding list of personnel.
Education: Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: We do not keep a detailed log of workforce members or designate access levels based on role.
Education: Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Detailed log of personnel and access levels based on role.
Education: Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Log of personnel names and access levels.
Education: Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Other.
Education: Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, PR.AA, PR.IR; HPH CPG: 3, 6; HICP: TV1 - Practice #2, 3

Notes
3 What is your process for authorizing, establishing, and modifying access to ePHI?

Response: Our security procedures designate personnel authorized to grant, review, modify, and terminate access. Access levels are reviewed and modified as needed.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: Our security procedures designate personnel authorized to grant and terminate access. We do not have a procedure to review and modify access as needed.
Education: You should implement formal procedures to review and modify personnel access. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: Access levels are granted, modified, and terminated as needed, but we do not have formal procedures.
Education: You should implement a formal security procedure and designate authorized personnel to grant, review, modify, and terminate access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: We do not have a process in place to grant, modify, or terminate access.
Education: You should implement formal procedures to grant, modify, review, and terminate personnel access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: I don't know.
Education: You should implement formal procedures to grant, modify, review, and terminate personnel access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Notes
4 How much access to ePHI is granted to users or other entities?

Response: Minimum access necessary based on the user's formal role.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AA, PR.IR, PR.PS, GV.RM, PR.DS; HPH CPG: 3, 9; HICP: TV1 - Practice # 3

Response: Access is granted based on user duties and activities but not on any formal role or minimum necessary consideration.
Education: Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AA, PR.IR, PR.PS, GV.RM, PR.DS; HPH CPG: 3, 9; HICP: TV1 - Practice # 3

Response: No limit to access.
Education: Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AA, PR.IR, PR.PS, GV.RM, PR.DS; HPH CPG: 3, 9; HICP: TV1 - Practice # 3

Response: I don't know.
Education: Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AA, PR.IR, PR.PS, GV.RM, PR.DS; HPH CPG: 3, 9; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AA, PR.IR, PR.PS, GV.RM, PR.DS; HPH CPG: 3, 9; HICP: TV1 - Practice # 3

Notes
5 How are individual users identified when accessing ePHI?

Response: Unique IDs and individual passwords are created for authorized workforce members and contractors in order to access ePHI.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AA, PR.IR, DE.CM; HPH CPG: 8, 9; HICP: TV1 - Practice # 3

Response: Unique IDs are required in order to access ePHI but these are not always used. Generic or shared accounts also exist which have access to ePHI and are not specific to unique users.
Education: If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AA, PR.IR, DE.CM; HPH CPG: 8, 9; HICP: TV1 - Practice # 3

Response: Generic usernames and/or shared passwords are used in order to access ePHI.
Education: If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AA, PR.IR, DE.CM; HPH CPG: 8, 9; HICP: TV1 - Practice # 3

Response: We do not have a process to authenticate users with unique IDs.
Education: If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AA, PR.IR, DE.CM; HPH CPG: 8, 9; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AA, PR.IR, DE.CM; HPH CPG: 8, 9; HICP: TV1 - Practice # 3

Notes
6 Do you ensure all of your workforce
members have appropriate access to ePHI?
Yes. We have written procedures to This is the most effective option among those provided to protect the Required HIPAA: §164.308(a)(3)(i)
ensure workforce members' access confidentiality, integrity, and availability of ePHI. As user accounts are established, NIST CSF: PR.AT, PR.AA, PR.IR, PR.PS
privileges are minimum necessary the accounts must be granted access to the organization's computers and programs, HPH CPG: 9
(i.e., "need to know") based on their as appropriate to each user. Consider following the "minimum necessary" principle HICP: TV1 - Practice # 3,4
roles. These access privileges are associated with the HIPAA Privacy Rule. Allow each user access only to the
approved by the security officer. computers and programs required to accomplish that user's job or role in the
organization. This limits the organization's exposure to unauthorized access, loss,
and theft of data if the user's identity or access is compromised.

Yes. We have written procedures to You should implement and document procedures to ensure workforce members Required HIPAA: §164.308(a)(3)(i)
ensure workforce members' access have access privileges based on their role and no higher than necessary to perform NIST CSF: PR.AT, PR.AA, PR.IR, PR.PS
privileges are minimum necessary but their duties. These procedures and access privileges should be appropriately HPH CPG: 9
these are not always based on their approved and communicated. As user accounts are established, the accounts must HICP: TV1 - Practice # 3,4
roles. be granted access to the organization's computers and programs, as appropriate to
each user. Consider following the "minimum necessary" principle associated with
the HIPAA Privacy Rule. Allow each user access only to the computers and programs
required to accomplish that user's job or role in the organization. This limits the
organization's exposure to unauthorized access, loss, and theft of data if the user's
identity or access is compromised.

Response: Yes. We verbally communicate access privileges to our workforce members but we do not have written procedures.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.AA, PR.IR, PR.PS; HPH CPG: 9; HICP: TV1 - Practice # 3,4
Guidance: You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: No. We do not have any procedures for ensuring appropriate workforce member access to ePHI.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.AA, PR.IR, PR.PS; HPH CPG: 9; HICP: TV1 - Practice # 3,4
Guidance: You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: Flag this question for later.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.AA, PR.IR, PR.PS; HPH CPG: 9; HICP: TV1 - Practice # 3,4
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

7 How do you make sure that your workforce's designated access to ePHI is logical, consistent, and appropriate?

Response: Workforce members are granted access based on the minimum amount necessary for their role. This is consistently applied across the practice and any changes must be formally approved and documented.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, DE.CM; HPH CPG: 3, 8, 9; HICP: TV1 - Practice # 3,4
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Workforce members have a default level of access for their role, but exceptions are commonly granted.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, DE.CM; HPH CPG: 3, 8, 9; HICP: TV1 - Practice # 3,4
Guidance: Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Our software vendor designates access to users, e.g. based on their role as indicated in the system.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, DE.CM; HPH CPG: 3, 8, 9; HICP: TV1 - Practice # 3,4
Guidance: Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: We do not have a procedure for ensuring user access is appropriate for their role.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, DE.CM; HPH CPG: 3, 8, 9; HICP: TV1 - Practice # 3,4
Guidance: Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Flag this question for later.
Required/Addressable: Required
References: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PS, DE.CM; HPH CPG: 3, 8, 9; HICP: TV1 - Practice # 3,4
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
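
The provisioning model the guidance for question 7 describes (a per-role baseline following the minimum-necessary principle, with any grant beyond it formally approved and documented) can be checked mechanically. The Python below is an added example, not code from the SRA Tool; the roles, systems, accounts and exception register are constructed sample data standing in for a practice's own provisioning records. `is_authorized` denies by default, and `review_account` is the periodic review step: it reports grants that no role or approved exception justifies, exceptions that were never approved, and exceptions that have lapsed.

```python
"""Minimum-necessary provisioning review (added example, not the SRA Tool's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Baseline access per role: the "minimum necessary" set. Constructed sample.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "physician": {"email", "file-server", "ehr-clinical"},
    "front-desk": {"email", "file-server", "ehr-scheduling"},
    "billing": {"email", "file-server", "ehr-billing"},
}


@dataclass(frozen=True)
class AccessException:
    """One documented grant beyond the role baseline."""
    user: str
    system: str
    reason: str
    approved_by: Optional[str] = None   # None: requested but never formally approved
    approved_on: Optional[date] = None
    expires_on: Optional[date] = None   # None: open-ended

    def is_valid(self, today: date) -> bool:
        """An exception only counts if it was approved and has not expired."""
        if self.approved_by is None or self.approved_on is None:
            return False
        return self.expires_on is None or today <= self.expires_on


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    granted: FrozenSet[str]   # systems the account can actually reach today


def allowed_systems(account: Account, exceptions: List[AccessException], today: date) -> Set[str]:
    """Role baseline plus any valid, documented exceptions for this user."""
    allowed = set(ROLE_BASELINE[account.role])
    for ex in exceptions:
        if ex.user == account.user and ex.is_valid(today):
            allowed.add(ex.system)
    return allowed


def is_authorized(account: Account, system: str, exceptions: List[AccessException], today: date) -> bool:
    """Deny by default: access must come from the role or an approved exception."""
    return system in allowed_systems(account, exceptions, today)


def review_account(account: Account, exceptions: List[AccessException], today: date) -> List[str]:
    """Findings where actual grants diverge from what the records justify."""
    findings = []
    allowed = allowed_systems(account, exceptions, today)
    for system in sorted(account.granted - allowed):
        findings.append(f"{account.user}: '{system}' granted beyond role '{account.role}' with no approved exception")
    for ex in exceptions:
        if ex.user != account.user:
            continue
        if ex.approved_by is None or ex.approved_on is None:
            findings.append(f"{account.user}: exception for '{ex.system}' is undocumented (no approver)")
        elif ex.expires_on is not None and today > ex.expires_on:
            findings.append(f"{account.user}: exception for '{ex.system}' expired on {ex.expires_on}")
    return findings


# Constructed sample records (hypothetical users and systems).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("dr.lee", "physician", frozenset({"email", "file-server", "ehr-clinical"})),
    Account("pat", "front-desk", frozenset({"email", "file-server", "ehr-scheduling", "ehr-billing"})),
    Account("sam", "billing", frozenset({"email", "file-server", "ehr-billing", "ehr-clinical"})),
    Account("tom", "front-desk", frozenset({"email", "ehr-billing"})),
]
EXCEPTIONS = [
    AccessException("pat", "ehr-billing", "covers the billing desk on Fridays", "privacy.officer", date(2024, 1, 15)),
    AccessException("tom", "ehr-billing", "temporary help during audit"),            # never approved
    AccessException("sam", "ehr-clinical", "chart review project", "privacy.officer",
                    date(2023, 9, 1), expires_on=date(2023, 12, 31)),                 # lapsed
]


def review_all(accounts=ACCOUNTS, exceptions=EXCEPTIONS, today=TODAY) -> Dict[str, List[str]]:
    """Run the review over every account; an empty list means access matches the records."""
    return {a.user: review_account(a, exceptions, today) for a in accounts}


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, "OK" if not findings else "")
        for line in findings:
            print("   ", line)
```

In the sample data, `dr.lee` and `pat` pass (pat's extra billing access is covered by an approved, open-ended exception), while `sam` holds clinical access under an exception that lapsed and `tom` holds billing access under an exception nobody approved; both are exactly the "exceptions are commonly granted" condition the question asks about.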

Notes

8 Do you use encryption to control access to ePHI?

Response: Yes.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: This is the most effective option. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: No.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: We have not comprehensively evaluated whether encryption is reasonable or appropriate to implement on our devices and information systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: You should evaluate whether encryption is reasonable and appropriate to implement. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

9 What procedures do you have in place to encrypt ePHI when deemed reasonable and appropriate?

Response: Encryption is evaluated as part of our risk management process. We have procedures in place to encrypt data at rest (for example, USB drives or tapes) and in transit (for example, email or cloud EHR) whenever reasonable and appropriate, and find an alternative safeguard when not reasonable and appropriate.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.

Response: We have procedures in place to encrypt data in transit (for example, email or cloud EHR) but not at rest (for example, USB drives or tapes) whenever reasonable and appropriate.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.

Response: We have procedures in place to encrypt data at rest (for example, USB drives or tapes) but not in transit (for example, email or cloud EHR) whenever reasonable and appropriate.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.

Response: Other.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

10 Do you use alternative safeguards in place of encryption?

Response: Yes. When encryption is not reasonable or appropriate, we implement an alternative safeguard.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV, PR.DS, PR.PS, ID.RA; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: No. We do not always have alternative safeguards when encryption is not reasonable or appropriate.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV, PR.DS, PR.PS, ID.RA; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable or appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV, PR.DS, PR.PS, ID.RA; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable and appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: We have encryption in place for some devices and systems which access ePHI, but have not comprehensively evaluated the reasonableness and appropriateness of doing so for all devices and systems. We do not always have alternative safeguards when encryption is not reasonable and appropriate.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV, PR.DS, PR.PS, ID.RA; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable and appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV, PR.DS, PR.PS, ID.RA; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

11 When encryption is deemed unreasonable or inappropriate to implement, do you document the use of an alternative safeguard?

Response: Yes. We have policies and procedures to identify encryption capabilities of our devices and information systems. When encryption is not reasonable or appropriate, we implement an alternative safeguard and document it.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: PR.DS; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: No. We do not have policies or procedures to document alternative safeguards as a means of controlling access to ePHI on our devices and information systems.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: PR.DS; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: PR.DS; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems and then documenting when encryption is not reasonable or appropriate, and that you have implemented an alternative safeguard is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: N/A; NIST CSF: PR.DS; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
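
Questions 10 and 11 together describe one decision record per device: was encryption evaluated, is it in place, and if not, is an alternative safeguard implemented and the reason documented. The Python below is an added example, not the SRA Tool's own code; it walks an asset inventory of the kind a practice keeps (the devices, safeguards and rationales are constructed samples) and classifies each asset so that the two risk conditions the questions ask about, "no alternative safeguard" and "alternative safeguard not documented", are flagged separately from devices that are unencrypted by a documented decision and only need re-checking at the next assessment.

```python
"""Encryption-decision register review (added example, not the SRA Tool's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool
    encryption_evaluated: bool            # has reasonableness/appropriateness been assessed?
    encrypted: bool
    alternative_safeguard: Optional[str] = None   # e.g. "locked room, badge reader"
    decision_rationale: Optional[str] = None      # why encryption was judged not reasonable/appropriate


def evaluate(asset: Asset) -> Tuple[str, str]:
    """Classify one asset as 'ok', 'review' or 'risk', with the reason."""
    if not asset.holds_ephi:
        return "ok", "does not store, process or transmit ePHI"
    if asset.encrypted:
        return "ok", "encrypted"
    if not asset.encryption_evaluated:
        return "risk", "encryption never evaluated, so no basis for an alternative safeguard"
    if asset.alternative_safeguard and asset.decision_rationale:
        # Unencrypted by a documented decision: acceptable, but re-check each assessment cycle.
        return "review", f"unencrypted by documented decision; safeguard: {asset.alternative_safeguard}"
    if asset.alternative_safeguard:
        return "risk", "alternative safeguard in place but the decision is not documented"
    return "risk", "holds ePHI with no encryption and no alternative safeguard"


def findings(assets: List[Asset]) -> List[Tuple[str, str, str]]:
    """(name, status, reason) for every asset that is not 'ok', worst first."""
    order = {"risk": 0, "review": 1}
    rows = [(a.name, *evaluate(a)) for a in assets]
    return sorted([r for r in rows if r[1] != "ok"], key=lambda r: (order[r[1]], r[0]))


def summary(assets: List[Asset]) -> Dict[str, int]:
    """Count of assets per status, for the assessment report."""
    counts = {"ok": 0, "review": 0, "risk": 0}
    for a in assets:
        counts[evaluate(a)[0]] += 1
    return counts


# Constructed sample inventory (hypothetical device names).
INVENTORY = [
    Asset("laptop-01", True, True, True),
    Asset("infusion-pump-03", True, True, False,
          alternative_safeguard="locked room, badge reader on door",
          decision_rationale="manufacturer does not support local encryption"),
    Asset("usb-archive-02", True, False, False),
    Asset("reception-pc-01", True, True, False, alternative_safeguard="anti-theft cable"),
    Asset("visitor-kiosk", False, False, False),
]

if __name__ == "__main__":
    print(summary(INVENTORY))
    for name, status, reason in findings(INVENTORY):
        print(f"{status:6} {name}: {reason}")
```

On the sample inventory the two `risk` rows are the USB archive nobody has evaluated and the reception PC whose anti-theft cable exists but whose decision was never written down; the infusion pump comes out as `review` because both the safeguard and the rationale are recorded, which is the documented state question 11 asks for.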

Notes

12 Have you evaluated implementing any of the following encryption solutions in your local environment: full disk encryption, file/folder encryption, encryption of thumb drives or other external media?

Response: All of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA, GV.RM; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Encryption in these areas is critical to protecting ePHI in your local environment. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.

Response: Some of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA, GV.RM; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.

Response: None of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA, GV.RM; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA, GV.RM; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA, GV.RM; HPH CPG: 5; HICP: TV1 - Practice # 2
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

13 Have you evaluated implementing encryption solutions for any of the following cloud services: email service, file storage, web applications, remote system backups?

Response: All of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: Encryption in these areas is critical to protecting ePHI in your cloud environments. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.

Response: Some of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.

Response: None of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.

Response: Not applicable.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

14 Have you evaluated implementing any of the following encryption solutions for data in transit: encryption of internet traffic by means of a VPN, web traffic over HTTPS, encrypted email, or secure file transfer?

Response: All of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Encryption in these areas is critical to protecting ePHI in transit. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: Some of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: None of the above.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: I don't know.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you are transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most important policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.

Response: Flag this question for later.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: N/A; HPH CPG: 5; HICP: TV1 - Practice # 1, 4
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
15 Do you periodically review your information
systems for how security settings can be
implemented to safeguard ePHI?

Yes. This is the most effective option among those provided to protect the Required HIPAA: §164.312(a)(1)
confidentiality, integrity, and availability of ePHI. Patching (i.e., regularly updating) NIST CSF: PR.AA, PR.IR, PR.DS, ID.RA,
systems removes vulnerabilities that can be exploited by attackers. Each patch PR.PS, DE.CM
modifies a software application, rendering it more difficult for hackers to maintain HPH CPG: 1, 16, 18, 20
programs that are aligned with the most current version of that software HICP: TV1 - Practice # 2, 7
application. Configure endpoints to patch automatically and ensure that third-party
applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and
conduct vulnerability scans on servers and systems under your control to
proactively identify technology flaws. Remediate flaws based on the severity of the
identified vulnerability. This method is considered an "unauthenticated scan." The
scanner has no extra sets of privileges to the server. It queries a server based on
ports that are active and present for network connectivity. Each server is queried for
vulnerabilities based upon the level of sophistication of the software scanner.
Conduct web application scanning of internet-facing webservers, such as web-based
patient portals. Specialized vulnerability scanners can interrogate running web
applications to identify vulnerabilities in the application design. Conduct routine
patching of security flaws in servers, applications (including web applications), and
third-party software. Maintain software at least monthly, implementing patches
distributed by the vendor community, if patching is not automatic. Robust patch
management processes mitigate vulnerabilities associated with obsolete software
versions, which are often easier for hackers to exploit.
Response: No.
Guidance: Consider periodically reviewing the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch changes the application, so exploits written against the previous version stop working against systems that stay current. Configure endpoints to patch automatically and ensure that third-party applications (e.g., browsers, PDF readers, Java runtimes) are patched as soon as possible; software that is past end of life (Adobe Flash, for example, since December 2020) can no longer be patched and should be removed. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws, and remediate flaws in order of the severity of the identified vulnerability. A scan run without credentials on the target is an "unauthenticated scan": the scanner has no privileges on the server, so it can only probe the ports that are open to the network, and what it finds depends on the sophistication of the scanner. An authenticated (credentialed) scan additionally sees installed software versions and missing patches that are not visible from the network. Conduct web application scanning of internet-facing web servers, such as web-based patient portals; specialized scanners interrogate the running application to identify flaws in its design and implementation. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. If patching is not automatic, apply vendor patches at least monthly. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for attackers to exploit.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, ID.RA, PR.PS, DE.CM; HPH CPG: 1, 16, 18, 20; HICP: TV1 - Practice # 2, 7.

Response: I don't know.
Guidance: Consider looking into whether your practice periodically reviews the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch changes the application, so exploits written against the previous version stop working against systems that stay current. Configure endpoints to patch automatically and ensure that third-party applications (e.g., browsers, PDF readers, Java runtimes) are patched as soon as possible; software that is past end of life (Adobe Flash, for example, since December 2020) can no longer be patched and should be removed. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws, and remediate flaws in order of the severity of the identified vulnerability. A scan run without credentials on the target is an "unauthenticated scan": the scanner has no privileges on the server, so it can only probe the ports that are open to the network, and what it finds depends on the sophistication of the scanner. An authenticated (credentialed) scan additionally sees installed software versions and missing patches that are not visible from the network. Conduct web application scanning of internet-facing web servers, such as web-based patient portals; specialized scanners interrogate the running application to identify flaws in its design and implementation. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. If patching is not automatic, apply vendor patches at least monthly. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for attackers to exploit.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, ID.RA, PR.PS, DE.CM; HPH CPG: 1, 16, 18, 20; HICP: TV1 - Practice # 2, 7.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, ID.RA, PR.PS, DE.CM; HPH CPG: 1, 16, 18, 20; HICP: TV1 - Practice # 2, 7.

Notes
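The guidance above says to remediate scan findings in order of severity and to scan every system under your control. The following is an added example, not part of the SRA Tool or its companion guide: it takes findings in the shape a scanner might export, assigns a qualitative severity from the CVSS v3.x base score, escalates internet-facing flaws with public exploits, computes a remediation due date from an SLA table, and lists inventoried hosts the scan never covered. The SLA day counts, the escalation rule, and the sample hosts and findings are assumptions for the example.

```python
"""Severity-based triage of vulnerability scan findings (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Assumed remediation SLAs in days. Illustrative values, not SRA Tool content.
SLA_DAYS: Dict[str, int] = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    first_seen: date
    internet_facing: bool = False
    exploit_public: bool = False  # the scanner's "exploit available" flag

    @property
    def severity(self) -> str:
        sev = severity_from_cvss(self.cvss)
        # Assumed rule: a flaw reachable from the internet with a public
        # exploit is the attacker's shortlist, so it moves up one step.
        if self.internet_facing and self.exploit_public and sev not in ("None", "Critical"):
            sev = SEVERITY_ORDER[SEVERITY_ORDER.index(sev) + 1]
        return sev

    def due(self) -> Optional[date]:
        days = SLA_DAYS.get(self.severity)
        return None if days is None else self.first_seen + timedelta(days=days)


def triage(findings: Iterable[Finding], today: date) -> List[dict]:
    """Order findings by urgency: overdue first, then severity, then due date."""
    rank = {s: i for i, s in enumerate(reversed(SEVERITY_ORDER))}  # Critical -> 0
    rows = []
    for f in findings:
        due = f.due()
        rows.append({"host": f.host, "title": f.title, "severity": f.severity,
                     "due": due, "overdue": due is not None and due < today})
    rows.sort(key=lambda r: (not r["overdue"], rank[r["severity"]], r["due"] or date.max))
    return rows


def unscanned_hosts(inventory: Set[str], scanned: Set[str]) -> List[str]:
    """Inventoried systems the scanner never touched: a coverage gap, not a clean result."""
    return sorted(inventory - scanned)


# Constructed sample data (no real systems or findings).
TODAY = date(2024, 3, 15)
INVENTORY = {"portal-web01", "ehr-db01", "fileshare01", "imaging-ws07"}
SCANNED = {"portal-web01", "ehr-db01", "fileshare01"}
FINDINGS = [
    Finding("portal-web01", "Outdated TLS library (vendor advisory)", 7.5,
            date(2024, 2, 1), internet_facing=True, exploit_public=True),
    Finding("ehr-db01", "Database missing vendor security update", 9.8, date(2024, 3, 10)),
    Finding("fileshare01", "SMB signing not required", 5.3, date(2024, 1, 5)),
    Finding("portal-web01", "Server version disclosed in HTTP header", 2.7, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for r in triage(FINDINGS, TODAY):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"{r['severity']:8} due {r['due']} {r['host']:14} {r['title']} {flag}")
    print("Not scanned:", unscanned_hosts(INVENTORY, SCANNED))
```

Note that a host absent from the findings is not the same as a clean host: the coverage check works from the scanner's list of targets it actually reached, which is why it takes a separate `scanned` set rather than inferring it from findings.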
16. How are you aware of the security settings for information systems which process, store, or transmit ePHI?

Response: All systems which create, receive, maintain, or transmit ePHI (including any firewalls, databases, servers, and networked devices) have been examined to determine how security settings can be implemented to most appropriately protect ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, ID.RA, PR.MA, DE.CM; HPH CPG: 1, 18, 20; HICP: TV1 - Practice # 7.

Response: We are aware that systems have security settings to protect ePHI but have not reviewed all systems comprehensively.
Guidance: Consider reviewing security settings for all systems which process, store, and transmit ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, ID.RA, PR.MA, DE.CM; HPH CPG: 1, 18, 20; HICP: TV1 - Practice # 7.

Response: We do not have a process to review security settings for information systems which process, store, or transmit ePHI.
Guidance: If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, ID.RA, PR.MA, DE.CM; HPH CPG: 1, 18, 20; HICP: TV1 - Practice # 7.

Response: I don't know.
Guidance: If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, ID.RA, PR.MA, DE.CM; HPH CPG: 1, 18, 20; HICP: TV1 - Practice # 7.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(a)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, ID.RA, PR.MA, DE.CM; HPH CPG: 1, 18, 20; HICP: TV1 - Practice # 7.

Notes
17. Do you use security settings and mechanisms to record and examine system activity?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Individual (non-shared) user accounts are what make recorded activity attributable: they enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, DE.CM; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: No.
Guidance: Consider implementing hardware, software, and/or procedural mechanisms to monitor system activity. Individual (non-shared) user accounts are what make recorded activity attributable: they enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, DE.CM; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: I don't know.
Guidance: Consider looking into whether your practice has implemented hardware, software, and/or procedural mechanisms to monitor system activity. To meet the requirement, your practice should have system monitoring mechanisms in place wherever ePHI is accessible. Individual (non-shared) user accounts are what make recorded activity attributable: they enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, DE.CM; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, DE.CM; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Notes
18. What mechanisms are in place to monitor or log system activity?

Response: Monitoring of system users, access attempts, and modifications. This includes a date/time stamp.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Date/time stamp of system access attempts and modifications only.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Monitoring of system modifications only.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Identity of users accessing and modifying within the system.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: None of the above.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Other.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: I don't know.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Notes
19. How do you monitor or track ePHI system activity?

Response: System activity records are reviewed on a regular basis. The frequency of reviews is documented within our procedures. Results of activity reviews are also maintained, including activities which may prompt further investigation.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: System activity records are reviewed as needed but not on a regular basis. Results of activity reviews are maintained, including activities which may prompt further investigation.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: System activity records are reviewed as needed but not on a regular basis. Documentation of activity reviews is not maintained.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: System activity records are not reviewed as needed or on a regular basis.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.
Requirement: Required. References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, DE.AE, DE.CM, RS.AN; HPH CPG: 14, 15, 16, 18, 20; HICP: TV1 - Practice # 3.

Notes
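Questions 17 through 19 ask that activity be recorded with a date/time stamp, the identity of the user, and the access or modification made, and that the records actually be reviewed. The following is an added example, not part of the SRA Tool or its companion guide: it parses a constructed audit trail in that shape and applies three reviews a practice would run on a schedule: repeated failed logins (password guessing), ePHI access outside business hours, and one account acting from two workstations within minutes (a shared-credential indicator). The field layout, the thresholds, the business hours, and every record in the sample are assumptions for the example.

```python
"""Review of a constructed ePHI audit trail (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records (no real users or patients). Timestamps are
# local time. Assumed layout: timestamp|user|workstation|action|patient_id|result
SAMPLE_LOG = """\
2024-03-12 08:02:11|jsmith|WS-042|LOGIN|-|SUCCESS
2024-03-12 08:03:40|jsmith|WS-042|VIEW|P-10021|SUCCESS
2024-03-12 08:05:02|jsmith|WS-017|VIEW|P-10033|SUCCESS
2024-03-12 12:10:00|mlee|WS-003|LOGIN|-|FAILURE
2024-03-12 12:10:09|mlee|WS-003|LOGIN|-|FAILURE
2024-03-12 12:10:15|mlee|WS-003|LOGIN|-|FAILURE
2024-03-12 12:10:22|mlee|WS-003|LOGIN|-|FAILURE
2024-03-12 12:10:30|mlee|WS-003|LOGIN|-|FAILURE
2024-03-12 12:11:01|mlee|WS-003|LOGIN|-|SUCCESS
2024-03-12 15:20:00|rgarcia|WS-110|VIEW|P-10100|SUCCESS
2024-03-12 23:41:52|rgarcia|WS-110|MODIFY|P-10021|SUCCESS
"""

ACCESS_ACTIONS = {"VIEW", "MODIFY", "PRINT", "EXPORT"}  # actions that touch ePHI


@dataclass(frozen=True)
class Event:
    at: datetime
    user: str
    workstation: str
    action: str
    patient_id: str
    result: str


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    at: datetime
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse pipe-delimited lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, user, ws, action, pid, result = parts
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ws, action, pid, result))
    return sorted(events, key=lambda e: e.at)


def failed_login_bursts(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """One alert per user whose failed logins reach `threshold` inside a sliding `window`."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action == "LOGIN" and e.result == "FAILURE":
            failures[e.user].append(e.at)
    alerts = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 == threshold:
                alerts.append(Alert("failed_login_burst", user, times[end],
                                    f"{threshold} failed logins within {window}"))
                break
    return alerts


def after_hours_access(events: List[Event], open_hour: int = 7, close_hour: int = 19) -> List[Alert]:
    """ePHI access outside the assumed business hours [open_hour, close_hour)."""
    return [Alert("after_hours_access", e.user, e.at, f"{e.action} {e.patient_id} from {e.workstation}")
            for e in events
            if e.action in ACCESS_ACTIONS and not open_hour <= e.at.hour < close_hour]


def concurrent_workstations(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Same account active on two workstations within `window`: a shared-credential indicator."""
    alerts, last_seen = [], {}
    for e in events:
        prev = last_seen.get(e.user)
        if prev and prev.workstation != e.workstation and e.at - prev.at <= window:
            alerts.append(Alert("concurrent_workstations", e.user, e.at,
                                f"{prev.workstation} at {prev.at:%H:%M:%S}, then {e.workstation}"))
        last_seen[e.user] = e
    return alerts


def record_history(events: List[Event], patient_id: str) -> List[Tuple[datetime, str, str]]:
    """Who touched one record and when: where an integrity investigation starts."""
    return [(e.at, e.user, e.action) for e in events if e.patient_id == patient_id]


def review(text: str) -> List[Alert]:
    events = parse_log(text)
    return failed_login_bursts(events) + after_hours_access(events) + concurrent_workstations(events)


if __name__ == "__main__":
    for a in sorted(review(SAMPLE_LOG), key=lambda a: a.at):
        print(f"{a.at:%Y-%m-%d %H:%M:%S} {a.kind:24} {a.user:10} {a.detail}")
```

Each alert carries the timestamp, the user and what was done, which is exactly the record Question 19 expects the practice to keep as the result of a review, including the items that prompt further investigation.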
20. Do you have automatic logoff enabled on devices and platforms accessing ePHI?

Response: Yes, automatic logoff is enabled on all devices and platforms to terminate access to ePHI after a set time of inactivity.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.
Requirement: Addressable. References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 3.

Response: Yes, automatic logoff is enabled but not on all devices and platforms to terminate access to ePHI after a set time of inactivity.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.
Requirement: Addressable. References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 3.

Response: Automatic time-out is enabled on electronic devices accessing ePHI, but automatic logoff to fully terminate the session is not enabled.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.
Requirement: Addressable. References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 3.

Response: Automatic logoff is not enabled on devices or platforms accessing ePHI.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.
Requirement: Addressable. References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Addressable. References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 3.

Notes
21. Do you ensure users accessing ePHI are who they claim to be?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment, and change the password after each use and whenever a user who knows it leaves the workforce. Sharing accounts exposes organizations to greater vulnerabilities: for example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time. Shared accounts also undermine the activity review in Questions 17 through 19, because the audit trail can no longer attribute an action to one person.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: No.
Guidance: Procedures should be in place to verify that users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment, and change the password after each use and whenever a user who knows it leaves the workforce. Sharing accounts exposes organizations to greater vulnerabilities: for example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time. Shared accounts also undermine the activity review in Questions 17 through 19, because the audit trail can no longer attribute an action to one person.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: I don't know.
Guidance: Procedures should be in place to verify that users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment, and change the password after each use and whenever a user who knows it leaves the workforce. Sharing accounts exposes organizations to greater vulnerabilities: for example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time. Shared accounts also undermine the activity review in Questions 17 through 19, because the audit trail can no longer attribute an action to one person.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Notes
22. How do you ensure users accessing ePHI are who they claim to be?

Response: Users authenticate themselves to access ePHI using the method authorized by our practice's policy and procedure (for example, user name and password, physical token, or biometric feature).
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Users authenticate themselves to access ePHI, but we do not have a policy or procedure prescribing the method.
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Users do not always have unique authentication to access ePHI (for example, inadvisable practices such as sharing user names and passwords between multiple members of the workforce may occur).
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: We do not have a procedure for authenticating users.
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Notes
23. How do you determine the means by which ePHI is accessed?

Response: All systems, devices, and applications which access ePHI are identified, evaluated, approved, and inventoried. Users can only access ePHI through these approved systems, devices, and applications.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are used off site, require multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM, PR.PS; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Applications which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which devices can access these applications (e.g., workforce members' personal devices accessing a cloud-based EHR without first identifying and approving the device).
Guidance: Unmanaged endpoints can compromise data that is accessed through an otherwise secure application. Consider implementing a device management process to ensure security standards are in place for every endpoint that accesses ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are used off site, require multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM, PR.PS; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Devices and systems which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which applications on them can access ePHI (e.g., ePHI is maintained in formats which can be opened by many applications).
Guidance: Secure devices can still compromise data when the data itself is opened by potentially insecure applications. Consider implementing a process to manage which applications access ePHI and how they will be securely enabled to do so. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are used off site, require multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM, PR.PS; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: We do not have a procedure for determining the means by which ePHI can be accessed appropriately.
Guidance: Failing to manage which devices and applications can access ePHI enables widespread access that may not be secure, increasing the chance that the confidentiality, integrity, and availability of ePHI will be compromised. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are used off site, require multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn security keys) where the system supports them, since one-time codes and push approvals can themselves be relayed by a phishing site. MFA mitigates the risk of access by unauthorized users.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM, PR.PS; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(d); NIST CSF: PR.AA, PR.IR, PR.DS, PR.MA, DE.CM, PR.PS; HPH CPG: 3, 8; HICP: TV1 - Practice # 3.

Notes
24. Do you protect ePHI from unauthorized modification or destruction?

Response: Yes. We have developed and implemented policies and procedures to protect ePHI from improper alteration or destruction.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.
Requirement: Required. References: HIPAA: §164.312(c)(1); NIST CSF: PR.DS; HPH CPG: N/A; HICP: TV1 - Practice # 4.

Response: Yes. We have some procedures to protect the integrity of our ePHI but these may not be totally comprehensive.
Guidance: Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.
Requirement: Required. References: HIPAA: §164.312(c)(1); NIST CSF: PR.DS; HPH CPG: N/A; HICP: TV1 - Practice # 4.

Response: No. We do not have policies or procedures to ensure the protection of ePHI.
Guidance: Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.
Requirement: Required. References: HIPAA: §164.312(c)(1); NIST CSF: PR.DS; HPH CPG: N/A; HICP: TV1 - Practice # 4.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Required. References: HIPAA: §164.312(c)(1); NIST CSF: PR.DS; HPH CPG: N/A; HICP: TV1 - Practice # 4.

Notes
25. How do you confirm that ePHI has not been modified or destroyed without authorization?

Response: We have mechanisms (e.g., integrity verification tools) to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, or to detect such alteration when it occurs.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.
Requirement: Addressable. References: HIPAA: §164.312(c)(2); NIST CSF: PR.DS, DE.CM, DE.AE; HPH CPG: 16, 17, 18; HICP: TV1 - Practice # 4.

Response: We manually monitor changes made to ePHI in systems with audit log functionality, but do not have automated systems.
Guidance: Manual review of audit logs gives some assurance of integrity, but it does not scale and detects tampering only where a reviewer happens to look. Consider implementing automated electronic mechanisms and/or integrity verification tools. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.
Requirement: Addressable. References: HIPAA: §164.312(c)(2); NIST CSF: PR.DS, DE.CM, DE.AE; HPH CPG: 16, 17, 18; HICP: TV1 - Practice # 4.

Response: We do not have resources or procedures in place to verify the integrity of ePHI.
Guidance: Your practice may not be able to safeguard its ePHI if it has no mechanisms, such as log monitoring or cryptographic integrity checks (checksums or digital signatures), that can confirm ePHI is authentic and unaltered. Consider implementing a procedure to validate the integrity of your ePHI. If this is determined to not be reasonable and appropriate, document the reason why and what compensating control is in its place. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.
Requirement: Addressable. References: HIPAA: §164.312(c)(2); NIST CSF: PR.DS, DE.CM, DE.AE; HPH CPG: 16, 17, 18; HICP: TV1 - Practice # 4.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Requirement: Addressable. References: HIPAA: §164.312(c)(2); NIST CSF: PR.DS, DE.CM, DE.AE; HPH CPG: 16, 17, 18; HICP: TV1 - Practice # 4.
Notes
26. Do you protect against unauthorized access to or modification of ePHI when it is being transmitted electronically?

Response: Yes. We have implemented technical security measures and procedures to prevent unauthorized access to and detect modification of transmitted ePHI.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.
Required: Required
Reference: HIPAA: §164.312(e)(1); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 17; HICP: TV1 - Practice # 1, 4

Response: We have developed policies and procedures to guide workforce members on the secure transmission of ePHI, but no resources are in place (e.g., encrypted email).
Education: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.
Required: Required
Reference: HIPAA: §164.312(e)(1); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 17; HICP: TV1 - Practice # 1, 4

Response: Workforce members are verbally instructed to use secure modes of ePHI transmission.
Education: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.
Required: Required
Reference: HIPAA: §164.312(e)(1); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 17; HICP: TV1 - Practice # 1, 4

Response: No. We have not considered how to securely transmit ePHI.
Education: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.
Required: Required
Reference: HIPAA: §164.312(e)(1); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 17; HICP: TV1 - Practice # 1, 4

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: §164.312(e)(1); NIST CSF: PR.AA, PR.IR, PR.DS; HPH CPG: 17; HICP: TV1 - Practice # 1, 4

Notes
27. Have you implemented mechanisms to record activity on information systems which create or use ePHI?

Response: Yes. Activity on systems which create or use ePHI is recorded and examined. This is documented in our procedures, including a complete inventory of systems that record activity and how it is examined.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, DE.AE, DE.CM, RS.AN, PR.MA; HPH CPG: 18; HICP: TV1 - Practice # 3

Response: Yes. Activity on systems which create or use ePHI is recorded and examined through hardware, software or procedural mechanisms. However, this process is not formally documented in our procedures.
Education: Mechanisms in place to record and examine activity on information systems which contain or use ePHI should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, DE.AE, DE.CM, RS.AN, PR.MA; HPH CPG: 18; HICP: TV1 - Practice # 3

Response: Yes. Activity on systems which create or use ePHI should be recorded and examined per our procedures, but we do not have actual hardware, software or procedural mechanisms in place.
Education: Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, DE.AE, DE.CM, RS.AN, PR.MA; HPH CPG: 18; HICP: TV1 - Practice # 3

Response: No. We do not have procedures or mechanisms to record and examine activity on information systems which create or use ePHI.
Education: Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, DE.AE, DE.CM, RS.AN, PR.MA; HPH CPG: 18; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS, DE.AE, DE.CM, RS.AN, PR.MA; HPH CPG: 18; HICP: TV1 - Practice # 3

Notes
28. Does the organization stay up to date or informed (e.g., cybersecurity listserv monitoring) on emerging threats and vulnerabilities that may affect information systems?

Response: Yes, the organization subscribes to cybersecurity listservs and other informational sources that supply information regarding legal and regulatory requirements pertaining to cybersecurity emerging threats.
Education: This is the most effective option of those provided to track and manage current legal and regulatory requirements on protection of individuals' information and understanding emerging cybersecurity threats. Subscribing to notifications from IT authoritative sources on threats and vulnerabilities such as CISA, ISO/IEC, H-ISAC, or IT-ISAC is a starting point for keeping abreast of the most current information available.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 14, 15; HICP: N/A

Response: Yes, the organization receives periodic updates on current or emerging threats but does not follow listservs or other informational sources on a regular basis.
Education: The organization should consider regularly monitoring or subscribing to receive information from IT authoritative sources on threats and vulnerabilities such as CISA, ISO/IEC, H-ISAC, or IT-ISAC to stay abreast of rules, regulations, emerging threats, and standards of information security.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 14, 15; HICP: N/A

Response: No, the organization does not subscribe to cybersecurity listservs and other informational sources that supply information regarding legal and regulatory requirements pertaining to cybersecurity emerging threats.
Education: The organization should consider regularly monitoring or subscribing to receive information from IT authoritative sources on threats and vulnerabilities such as CISA, ISO/IEC, H-ISAC, or IT-ISAC to stay abreast of rules, regulations, emerging threats, and standards of information security.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 14, 15; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 14, 15; HICP: N/A

Notes
29. Is there a process in place to identify and evaluate information systems for potential emerging technical vulnerabilities and how the exposure could affect systems that contain ePHI?

Response: Yes, periodic vulnerability scans or penetration testing are done on a regular, scheduled basis to assess network computing and physical system architecture for weaknesses, and software systems that may have reached their end of life.
Education: This is the most effective option among those provided to identify potential new threats and vulnerabilities within the information system. Timely information about technical vulnerabilities should be evaluated to identify the organization's exposure to vulnerabilities, and appropriate measures should be taken to address the risk. The organization should identify any patch or software configuration and software end of life that needs to be addressed, as well as assess all facilities that house critical computing assets for physical vulnerabilities and resilience issues. The organization should monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services and review processes and procedures for weaknesses that could be exploited to affect cybersecurity.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 1; HICP: N/A

Response: Yes, vulnerability scans or penetration testing are done but only on an as-needed basis, such as when there is a suspected weakness.
Education: Timely information about technical vulnerabilities should be evaluated to identify the organization's exposure to vulnerabilities, and appropriate measures should be taken to address the risk. The organization should identify any patch or software configuration and software end of life that needs to be addressed, as well as assess all facilities that house critical computing assets for physical vulnerabilities and resilience issues. The organization should monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services and review processes and procedures for weaknesses that could be exploited to affect cybersecurity.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 1; HICP: N/A

Response: No, vulnerability testing is not performed.
Education: Consider routine testing for technical vulnerabilities so that timely information can be evaluated to identify the organization's exposure to vulnerabilities and appropriate measures can be taken to address the risk. The organization should identify any patch or software configuration and software end of life that needs to be addressed, as well as assess all facilities that house critical computing assets for physical vulnerabilities and resilience issues. The organization should monitor sources of cyber threat intelligence for information on new vulnerabilities in products and services and review processes and procedures for weaknesses that could be exploited to affect cybersecurity.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 1; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 1; HICP: N/A

Notes
30. If new threats or vulnerabilities are identified through regular scanning, what is done to mitigate and respond to them?

Response: The organization applies its policy and procedures consistent with the risk assessment to mitigate identified vulnerabilities.
Education: This is the most effective option among those provided to respond to and mitigate identified risks. The organization applies the policy and procedures consistent with the risk assessment to mitigate any identified vulnerabilities in a risk-appropriate way. In addition, the organization tracks the progress of risk response implementation and uses findings to inform risk response decisions and actions.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 16; HICP: N/A

Response: The vulnerabilities are documented formally and no additional action is taken.
Education: Consider developing and applying specific policy and procedures to respond to and mitigate any identified vulnerabilities in a risk-appropriate way. In addition, the organization could track and monitor the progress of risk response implementation and use findings to inform risk response decisions and actions.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 16; HICP: N/A

Response: No additional attention is given to identified threats and vulnerabilities.
Education: Consider developing and applying specific policy and procedures to respond to and mitigate any identified vulnerabilities in a risk-appropriate way. In addition, the organization could track and monitor the progress of risk response implementation and use findings to inform risk response decisions and actions.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 16; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: N/A; NIST CSF: GV.OC; HPH CPG: 16; HICP: N/A

Notes

Threats & Vulnerabilities (columns: Likelihood | Impact | Risk Score)

1. Inadequate access controls
   - Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)
   - Disruption of information system function or adversarial access to unauthorized network segments
   - Malware installation on information systems or devices
   - Unauthorized modification of sensitive information
   - Information system access granted to unauthorized persons or entities
2. Lack of documentation for controlling user access
   - Improper or overly broad assignment of access permissions for users
   - Procedures lack sufficient detail for determining user access
3. Inadequate procedures for evaluating user activity logs
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Unknown source of a security/privacy related incident
   - Information system access granted to unauthorized personnel
   - Unauthorized access to or modification of ePHI/sensitive information
4. Users have more access rights than needed to complete daily tasks
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Unauthorized access to ePHI/sensitive information
   - Unauthorized modification of critical network systems and data
5. Non-unique login credentials for workforce members
   - Users violate security rules on information systems
   - Unknown or unidentified security incidents or breaches occur
   - Unauthorized user impersonating an authorized user
6. Inadequate use of encryption for ePHI
   - Disclosure of passwords or login information
   - Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)
   - Fines from regulatory enforcement (due to lack of encryption safe harbor)
   - Information system access granted to unauthorized personnel
   - Unauthorized access to or modification of ePHI/sensitive information
7. Inadequate review of computer systems to ensure maximum security
   - Accidental modification to ePHI/sensitive information
   - Denial of service (DoS) to critical systems
   - Disclosure of passwords and/or login information
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Exploitation of unpatched systems and software
   - Unauthorized access to or modification of ePHI/sensitive information
8. Lack of automatic logoff/screen lock of computer systems
   - Unauthorized access to information systems or devices
   - Malware installation on information systems or devices
   - Disclosure of passwords and/or login information
   - Denial of service (DoS) to critical systems
   - Accidental modification to ePHI
   - Adversary access to unauthorized network segments
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Exploitation of unpatched systems and software
   - Unauthorized access to or modification of ePHI/sensitive information
9. Inadequate integrity verification of ePHI
   - Accidental modification to ePHI
   - Damage to public reputation via misuse of patient chart data
   - Inaccurate information given to patients or providers
   - Unauthorized modification to ePHI
10. ePHI in transit lacking encryption
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Unauthorized access to or modification of ePHI/sensitive information
   - Fines from regulatory enforcement (due to lack of encryption safe harbor)
Section 5 - Security and the Practice

Columns: Question # | Question Text | Section | Indicator | Responses | Education | Risk Indicated | Required? | Reference

Questions
1. Do you manage access to and use of your facility or facilities (i.e., that house information systems and ePHI)?

Response: Yes. We have written procedures in place restricting access to and use of our facilities.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7; HICP: TV1 - Practice # 6

Response: Yes. Authorization of access to and use of our facilities is verbally communicated, but we do not have written procedures.
Education: Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7; HICP: TV1 - Practice # 6

Response: No. We do not have a process to restrict access to our facilities.
Education: Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7; HICP: TV1 - Practice # 6

Notes
2. What physical protections do you have in place to manage facility security risks?

Response: We have methods for controlling and managing physical access to our facility, such as keypads, locks, security cameras, etc. We also have an inventory of our practice's facilities that house equipment that creates, maintains, receives, and transmits ePHI. Our policies and procedures outline management's involvement in facility access control and how authorization credentials for facility access are issued and removed for our workforce members and/or visitors. Workforce members' roles and responsibilities in facility access control procedures are documented and communicated.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: We have written procedures documenting our management's involvement in facility access control procedures.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: We have written procedures documenting how authorization credentials for facility access are issued and removed for our workforce members and/or visitors.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: We have methods for controlling and managing physical access to our facility, such as keypads, locks, security cameras, etc.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: We have an inventory of our practice's facilities that house equipment that creates, maintains, receives, and transmits ePHI.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: We do not have physical protections in place to manage facility security risks.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: I don't know.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: Other.
Education: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 7, 16; HICP: TV1 - Practice # 6

Notes
3. Do you restrict physical access to and use of your equipment (i.e., equipment that houses ePHI)?

Response: Yes. We have written policies and implemented procedures restricting access to equipment that houses ePHI to authorized users only.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7, 11; HICP: TV1 - Practice # 6

Response: Yes. We verbally authorize individuals to access equipment that houses ePHI, but have no written policies or procedures.
Education: Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7, 11; HICP: TV1 - Practice # 6

Response: No. We do not have a process to restrict access to equipment that houses ePHI to authorized users.
Education: Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7, 11; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AA, PR.IR, DE.CM, PR.PS; HPH CPG: 7, 11; HICP: TV1 - Practice # 6

Notes
4. Do you manage workforce member, visitor, and third-party access to electronic devices?

Response: Yes. We have written procedures for classifying electronic devices, based on their capabilities, connection, and allowable activities; access to electronic devices by workforce members, visitors, and/or third parties is determined based on their classification.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, PR.PS; HPH CPG: 10, 6; HICP: TV1 - Practice # 4, 6

Response: Yes. We have written procedures for access to electronic devices, but not detailing all of the variables listed above.
Guidance: With regard to workstation use and physical security, implement policies and procedures that define how electronic devices are used to access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, PR.PS; HPH CPG: 10, 6; HICP: TV1 - Practice # 4, 6

Response: Yes. We verbally instruct users on access to electronic devices, but do not have written procedures.
Guidance: With regard to workstation use and physical security, implement policies and procedures that define how electronic devices are used to access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, PR.PS; HPH CPG: 10, 6; HICP: TV1 - Practice # 4, 6

Response: No. We do not have a process for managing workforce member, visitor, or third-party access to electronic devices.
Guidance: With regard to workstation use and physical security, implement policies and procedures that define how electronic devices are used to access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, PR.PS; HPH CPG: 10, 6; HICP: TV1 - Practice # 4, 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, PR.PS; HPH CPG: 10, 6; HICP: TV1 - Practice # 4, 6

Notes
5. Do you have physical protections in place, such as cable locks for portable laptops or screen filters for screens visible in high-traffic areas, to manage electronic device security risks?

Response: Yes. We have physical protections in place for all electronic devices and this is documented in policy and procedure.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Examples include installation of anti-theft cables, locks on rooms where the devices are located, screen protectors or dividers, and the use of badge readers to monitor access to rooms where devices are located.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 6

Response: Yes. We have some physical protections in place for some, but not all, electronic devices.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, screen protectors or dividers, and the use of badge readers to monitor access to rooms where devices are located.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 6

Response: No. We do not have physical protections in place for our electronic devices.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, screen protectors or dividers, and the use of badge readers to monitor access to rooms where devices are located.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 6

Response: I don't know.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, screen protectors or dividers, and the use of badge readers to monitor access to rooms where devices are located.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 6

Notes
6. What physical protections do you have in place for electronic devices with access to ePHI?

Response: We have robust procedures for electronic device access control, such as authorization for issuing new electronic device access and removing electronic device access. We also use screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens (walls or partitions), and/or secured proximity for servers and network equipment.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Response: We have limited procedures for electronic device access control, including some but not all of those listed above.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens (walls or partitions), and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Response: We do not have any physical protections in place for electronic device access to ePHI.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens (walls or partitions), and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Response: I don't know.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens (walls or partitions), and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Response: Other.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens (walls or partitions), and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11; HICP: TV1 - Practice # 2, 6

Notes
7. Do you keep an inventory and a location record of all of your electronic devices?

Response: Yes. Our inventory list of all electronic devices and their functions is currently documented and updated on a periodic basis.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, ID.AM; HPH CPG: 11; HICP: TV1 - Practice # 5

Response: Yes. We have a list of electronic devices and their functions, but it has not been updated to reflect inventory changes.
Guidance: Asset (electronic device) inventory lists should be kept up to date to meet compliance and best-practice standards. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, ID.AM; HPH CPG: 11; HICP: TV1 - Practice # 5

Response: No. We currently do not document and keep an active list of electronic devices and their functions.
Guidance: Your practice may not be aware of threats to devices in use if it is not aware of the location of all of its electronic devices: laptops, printers, copiers, tablets, smart phones, monitors, and other electronic devices. ePHI can be exposed in a surrounding or environment that is not suitable for handling or accessing that information. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, ID.AM; HPH CPG: 11; HICP: TV1 - Practice # 5

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, ID.AM; HPH CPG: 11; HICP: TV1 - Practice # 5

Notes
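One way to check that the device inventory this question asks about is complete, current, and carries a location record, as an added example that is not part of the SRA Tool workbook or its logic: it reconciles a constructed inventory spreadsheet (exported as CSV) against a constructed list of devices observed on the network. The column names, the 90-day review period, and the sample rows are all assumptions made for this example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample inventory: the "well-designed spreadsheet" the guidance
# describes, exported as CSV. Column names are assumptions for this example.
INVENTORY_CSV = """asset_id,mac,device_type,function,location,last_verified
A-0001,00:11:22:33:44:01,laptop,clinician charting,Exam room 2,2024-05-10
A-0002,00:11:22:33:44:02,printer,lab results printing,Front desk,2023-11-02
A-0003,00:11:22:33:44:03,server,EHR database,Server closet,2024-05-10
A-0004,00:11:22:33:44:04,tablet,patient intake,,2024-05-10
"""

# Constructed list of devices actually seen on the network (for instance a
# DHCP lease export). Only the MAC column is needed for reconciliation.
OBSERVED_CSV = """mac,hostname,ip
00:11:22:33:44:01,LAPTOP-EXAM2,10.0.0.21
00:11:22:33:44:03,EHR-DB,10.0.0.5
00-11-22-33-44-04,INTAKE-TAB1,10.0.0.40
00:11:22:33:44:09,UNKNOWN-SMART-TV,10.0.0.77
"""


@dataclass
class Asset:
    asset_id: str
    mac: str
    device_type: str
    function: str
    location: str
    last_verified: date


@dataclass
class Findings:
    unrecorded: List[str]    # MACs seen on the network with no inventory row
    not_observed: List[str]  # inventory assets not seen on the network
    stale: List[str]         # assets whose last_verified is past the review period
    no_location: List[str]   # assets with an empty location record


def normalize_mac(mac: str) -> str:
    """Canonical form so '00-11-..' and '00:11:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> Dict[str, Asset]:
    """Parse the inventory CSV into a MAC-keyed dictionary of assets."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        assets[mac] = Asset(
            asset_id=row["asset_id"].strip(),
            mac=mac,
            device_type=row["device_type"].strip(),
            function=row["function"].strip(),
            location=row["location"].strip(),
            last_verified=date.fromisoformat(row["last_verified"].strip()),
        )
    return assets


def load_observed(text: str) -> Dict[str, dict]:
    """Parse the observed-device CSV into a MAC-keyed dictionary."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(inventory: Dict[str, Asset], observed: Dict[str, dict],
              today: date, max_age_days: int = 90) -> Findings:
    """Compare the inventory with what is on the network and report gaps.

    Unrecorded devices are what the "No" guidance warns about: equipment the
    practice does not know it has. Assets not observed may be powered off or
    may be missing; the location record is what lets someone go and check.
    """
    cutoff = today - timedelta(days=max_age_days)
    unrecorded = sorted(m for m in observed if m not in inventory)
    not_observed = sorted(a.asset_id for m, a in inventory.items() if m not in observed)
    stale = sorted(a.asset_id for a in inventory.values() if a.last_verified < cutoff)
    no_location = sorted(a.asset_id for a in inventory.values() if not a.location)
    return Findings(unrecorded, not_observed, stale, no_location)


def run_example() -> Findings:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_inventory(INVENTORY_CSV), load_observed(OBSERVED_CSV),
                     today=date(2024, 6, 1))


if __name__ == "__main__":
    f = run_example()
    print("On the network but not in inventory:", f.unrecorded)
    print("In inventory but not seen on the network:", f.not_observed)
    print("Not verified within the review period:", f.stale)
    print("Missing a location record:", f.no_location)
```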
8. Do you have an authorized user who approves access levels within information systems and locations that use ePHI?

Response: Yes. We have written procedures outlining who has the authorization to approve access to information systems, locations, and ePHI; how access requests are submitted; and how access is granted.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
HIPAA specification: Addressable
References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 2, 10

Response: Yes. We have written procedures in place describing determination of user access levels to information systems, locations, and ePHI, but not detailing all of the variables described above.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
HIPAA specification: Addressable
References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 2, 10

Response: Yes. We have a verbally communicated process for determining access to information systems, locations, and ePHI.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
HIPAA specification: Addressable
References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 2, 10

Response: No. We do not have procedures to determine user access levels to information systems, locations, and ePHI.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
HIPAA specification: Addressable
References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 2, 10

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 2, 10

Notes
9. Do you validate a person's access to facilities (including workforce members and visitors) based on their role or function?

Response: Yes. We have procedures for validating access to our facility. Access levels are based on role or function. We also have strict requirements for validating workforce members or visitors who seek access to our critical systems and software programs.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: Yes. We have procedures for validating a person's access to our facility. Access levels are not based on role or function.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: Yes. We have procedures for validating a person's access to the facility based on their role or function, but do not have additional validation requirements for access to our critical systems.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: Yes. We have an informal process for validating a person's access to facilities, with no written procedures in place.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: No. We do not have a process for validating a person's access to facilities.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum amount necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 6

Notes
10. How do you validate a person's access to your facility?

Response: We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons.
Guidance: These are effective means of validating facility access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: We have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons, but do not maintain documentation of who is authorized.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: We maintain lists of authorized persons but do not have controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, but not to grant access to authorized persons or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: We maintain lists of authorized persons and have controls in place to grant access to authorized persons or prevent access by unauthorized persons, but not to identify persons attempting to access the practice.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: We do not have lists of authorized persons or controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6; HICP: TV1 - Practice # 6

Notes
11. Do you have access validation requirements for personnel and visitors seeking access to your critical systems (such as IT, software developers, or network admins)?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 3; HICP: TV1 - Practice # 3, 6

Response: No.
Guidance: Consider implementing procedures to validate a person's access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 3; HICP: TV1 - Practice # 3, 6

Response: I don't know.
Guidance: Consider implementing procedures to validate a person's access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 3; HICP: TV1 - Practice # 3, 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 3; HICP: TV1 - Practice # 3, 6

Notes
12. Does this include controlling access to your software programs for testing and revisions?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6, 3; HICP: TV1 - Practice # 2

Response: No.
Guidance: Consider implementing procedures to validate a person's access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6, 3; HICP: TV1 - Practice # 2

Response: I don't know.
Guidance: Consider implementing procedures to validate a person's access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6, 3; HICP: TV1 - Practice # 2

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP; HPH CPG: 6, 3; HICP: TV1 - Practice # 2

Notes
13. Do you have procedures for validating a third-party person's access to the facility based on their role or function?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 10; HICP: TV1 - Practice # 6

Response: No.
Guidance: Consider implementing procedures to validate a third-party person's access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 10; HICP: TV1 - Practice # 6

Response: I don't know.
Guidance: Consider implementing procedures to validate a third-party person's access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it is important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 10; HICP: TV1 - Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
HIPAA specification: Addressable
References: HIPAA: §164.310(a)(2)(iii); NIST CSF: ID.RA, PR.AA, PR.IR, PR.DS, DE.CM, DE.CP, PR.PS; HPH CPG: 6, 10; HICP: TV1 - Practice # 6

Notes
14. Do you have hardware, software, or other mechanisms that record and examine activity on information systems with access to ePHI?

Required/Addressable: Required
References: HIPAA: §164.312(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.AE, DE.CM; HPH CPG: 18; HICP: TV1 - Practice # 3

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: No.
Guidance: Implement and document mechanisms to record and examine system activity to ensure your practice secures systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: I don't know.
Guidance: Implement and document mechanisms to record and examine system activity to ensure your practice secures systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
15. What requirements are in place for retention of audit reports?

Required/Addressable: Required
References: HIPAA: §164.312(b); NIST CSF: PR.DS, DE.AE, DE.CM, PR.PS; HPH CPG: 18; HICP: N/A

Response: Our practice retains records of audit report review for a minimum of six (6) years, consistent with retention requirements for all information security documentation.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Requirements are in place to retain records of audit report review, but not for a minimum of six (6) years.
Guidance: Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Requirements are not in place to retain records of audit report review.
Guidance: Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
16. Do you maintain records of physical changes, upgrades, and modifications to your facility?

Required/Addressable: Addressable
References: HIPAA: §164.310(a)(2)(iv); NIST CSF: PR.DS, PR.MA; HPH CPG: 11; HICP: N/A

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed and our workforce members' roles and responsibilities in that process. Any changes to our facility's security components go through an authorization process.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed. Any changes to our facility's security components go through an authorization process.
Guidance: Consider including in your procedural documentation what your workforce members' roles and responsibilities are in the repair and modification of physical security components within your facility. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: No. We communicate and verbally authorize when repairs, modifications, or upgrades to the facility's physical security components are needed, but we do not have written procedures for this process.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: No. We do not maintain a log of changes, upgrades, or modifications to our facility.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
17. How do you maintain awareness of the movement of electronic devices and media?

Required/Addressable: Addressable
References: HIPAA: §164.310(d)(2)(iii); NIST CSF: PR.MA, DE.AE, DE.CM, PR.DS; HPH CPG: 11; HICP: TV1 - Practice # 5, 10

Response: We maintain a detailed inventory of all electronic devices and media which contain ePHI, including where they are located, which workforce members are authorized to access or possess the devices, and to where they are moved.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: We keep a basic list of devices but do not formally track their movement.
Guidance: Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: We rely on personal memory to maintain awareness of device location, movement, and access authorization.
Guidance: Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
18. Are electronic devices secured?

Required/Addressable: Required
References: HIPAA: §164.310(c); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 11, 16; HICP: TV1 - Practice # 2

Response: Yes. We have procedures for safeguarding all electronic devices (such as screen guards, cable locks, locking storage rooms, cameras, and other physical features).
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: We secure electronic devices, but do not have documented procedures for these safeguards.
Guidance: Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: We do not have any procedures to secure electronic devices in our facility.
Guidance: Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
19. Do you back up ePHI to ensure availability when devices are moved?

Required/Addressable: Addressable
References: HIPAA: §164.310(d)(2)(iv); NIST CSF: PR.DS, PR.PS; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: Yes. Our critical data and ePHI are centrally stored (such as in a cloud or Active Directory server) and can be accessed from any authorized device.
Guidance: This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: Yes. We manage our own backups of all critical ePHI (using portable storage devices), which enables continued access during device movement.
Guidance: This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: No. We do not ensure that data will be available when stored on a removed device.
Guidance: ePHI can be lost, corrupted, or made inaccessible in the future if your practice does not create backup files that are retrievable and exact copies. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
20. Do you ensure devices which created, maintained, received, or transmitted ePHI are effectively sanitized when they are disposed of?

Required/Addressable: Required
References: HIPAA: §164.310(d)(1); NIST CSF: PR.AA, PR.IR, PR.DS, PR.PS; HPH CPG: 11; HICP: TV1 - Practice # 5

Response: Yes. We remove any data storage or memory component from the device and then store it in a secure location. Data is wiped from the device prior to disposing of the device using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: Yes. Devices are given to a third party, which wipes the data and disposes of the devices appropriately using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. We are provided a certificate of destruction outlining the specific devices that were disposed of whenever this is performed.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: Devices are given to a third party, which wipes the data and disposes of the devices appropriately. We are not provided a certificate of destruction to confirm appropriate disposal.
Guidance: Third parties should provide documentation certifying that equipment has been properly disposed of. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: We maintain a secure area where items are stored prior to disposal, and this is documented in our asset inventory listing.
Guidance: ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: No. We place unused devices out of normal work areas, but these are not secured.
Guidance: Unused and old equipment should be stored in a secure area if it contains/contained ePHI. ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: No. We do not have procedures for the disposal of devices and media.
Guidance: ePHI can be removed from your facilities without being observed and/or monitored if your practice does not have security policies and procedures to physically protect and securely store electronic devices and media. ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
21. How do you determine what is considered appropriate use of electronic devices and connected network devices?

Required/Addressable: Required
References: HIPAA: §164.310(b); NIST CSF: PR.AA, PR.IR, PR.DS, DE.CM, ID.RA; HPH CPG: 3, 11; HICP: TV1 - Practice # 4, 5

Response: We have documented policies and procedures in place outlining proper functions to be performed on electronic devices and connected devices (e.g., whether or not they should access ePHI), how those functions will be performed, who is authorized to use the devices, and the physical surroundings of the devices.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: We verbally communicate appropriate use of equipment but do not have requirements outlined in writing.
Guidance: Develop policies and procedures to enforce access control policies that define the appropriate use and surroundings of information systems, electronic devices, and other electronic devices that contain ePHI (such as laptops, printers, copiers, tablets, smart phones, monitors, and other devices). As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: We do not have any policies or procedures outlining appropriate use of electronic devices and connected devices.
Guidance: Workforce members, business associates, service providers, and the general public may not be aware of how to use devices appropriately, or how to secure those devices physically, if your practice does not implement policies and procedures that define expectations for proper use. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
22. Do you ensure access to ePHI is terminated when employment or other arrangements with the workforce member ends?

Required/Addressable: Addressable
References: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 6; HICP: TV1 - Practice # 3

Response: Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, including recovery of access control devices (including organization-owned devices, media, and equipment), deactivation of information system access, appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI, time frames to terminate access to ePHI, and exit interviews that include a discussion of privacy and security topics regarding ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, but not detailing all of the variables listed above.
Guidance: Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: Yes. We have a verbal process to ensure access to ePHI is changed or terminated as needed, but no written procedures.
Guidance: Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: No. We do not have a process to ensure access to ePHI is changed or terminated as needed.
Guidance: Individuals without a need to know can access your practice's ePHI if it does not have documented policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
23. Do you have procedures for terminating or changing third-party access when the contract, business associate agreement, or other arrangement with the third party ends or is changed?

Required/Addressable: Addressable
References: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AA, PR.IR, PR.PS; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: Yes
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: No
Guidance: Ensure that access to ePHI by third parties is terminated or changed appropriately when your contractual relationship with them ends or changes, respectively. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
24 How do you ensure media is sanitized prior to re-use?

Response: We have a process to completely purge data from all devices prior to re-use through device reimaging, degaussing, or other industry standard method; our method conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
Education: This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: We sometimes remove ePHI from devices using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, but not always, prior to re-use.
Education: Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: We delete files with ePHI from devices but do not do anything else to purge data prior to re-use.
Education: Deleting files does not fully purge data from the device. Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: We do not have a process to remove ePHI from devices prior to re-use.
Education: Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: We have a third-party business associate sanitize devices for the practice prior to their re-use. The business associate does not provide a certificate of proper disposal identifying the sanitized devices individually (e.g., with serial numbers).
Education: Document procedures for removal of ePHI from electronic media before the media are made available for re-use. Make sure your practice maintains detailed records of the sanitization performed and have a BAA in place with the business associate. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: We have a third-party business associate sanitize devices for the practice prior to their re-use. The business associate always provides a certificate of proper disposal identifying the sanitized devices individually (e.g., with serial numbers).
Education: This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Ensure that obsolete data are removed or destroyed properly so they cannot be accessed by cyber-thieves. Just as paper medical and financial records must be fully destroyed by shredding or burning, digital data must be properly disposed of to ensure that they cannot be inappropriately recovered. Discuss options for properly disposing of outdated or unneeded data with your IT support. Do not assume that deleting or erasing files means that the data are destroyed.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(d)(2)(ii); NIST CSF: PR.PS, PR.MA; HPH CPG: 11, 16; HICP: TV1 - Practice # 4

Notes

Threats & Vulnerabilities Likelihood Impact Risk Score


1 Inadequate facility access management procedures where information systems reside
  - Unauthorized access to facility occurs undetected
  - Workforce and visitors access critical or sensitive business areas without authorization
  - Increased response time to respond to facility security incidents
  - Inconsistency in granting access to facilities
2 Inadequate physical protection for information systems
  - Access allowed by unauthorized personnel
  - Adversary access to unauthorized network segments (via wireless penetration or USB/removable media)
  - Insider tampering of sensitive network equipment
  - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
  - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
  - Exploitation of unpatched systems and software
  - Unauthorized access to or modification of ePHI/sensitive information
  - Adversarial sniffing/wiretapping/eavesdropping on network traffic
3 Undocumented location of equipment or assets
  - Unconfirmed identity of connected physical devices/equipment
  - Unauthorized devices gaining access to the network
  - Unconfirmed identity of connected devices/equipment
  - Exploitation of unsecured computer systems
4 Inadequate access controls for business associate and vendor access
  - Adversary leverages third-party access to gain access to facility and devices
  - Adversary leverages third-party permissions or credentials to access data or assets
  - Uncontrolled access used to disrupt or steal equipment or data
  - Damage to public reputation due to breach
  - ePHI accessed by unauthorized entities
  - Inability to confirm identity of visitor throughout the facility
  - Inability to monitor physical location of business associates and vendors within the facility
  - Tampering of sensitive network equipment
5 Inadequate sanitization of media
  - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
  - Disclosure of passwords and/or login information
  - Unauthorized access to ePHI/sensitive information
  - Unknown disposition of unused devices and data
  - Unauthorized modification of user accounts and/or permissions
6 Inadequate procedures for proper workstation and connected network device security
  - Appropriate security settings may not be applied to all devices/equipment
  - Unauthorized connected devices/equipment on the network
  - Unauthorized access to or modification of ePHI/sensitive information
  - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
  - Workstations or devices tampered with, lost, or destroyed
7 Failure to ensure user accounts are configured with appropriate permissions
  - Access granted to and maintained by unauthorized persons
  - Adversary gaining access to unauthorized areas of the facility
  - Adversary retains presence within or access to information systems
  - Damage to public reputation due to breach
  - Disclosure of passwords and/or login information
  - ePHI shared with business associates/vendors improperly
  - Exploiting unpatched systems and software
  - Tampering of sensitive network equipment
  - Unauthorized access to ePHI
  - Unauthorized access to sensitive information
  - Unauthorized modification to ePHI
Section 6 - Security and Business Associates

Question # Question Text


Section Questions | Indicator | Question Responses | Education | Risk Indicated | Required? | Reference
1 Do you contract with business associates or other third-party vendors?

Response: Yes.
Education: Make sure all business associates and third-party vendors have been evaluated to determine whether or not they require a Business Associate Agreement.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: No.
Education: If you don't have expertise to perform operational, security, or other tasks, contracting with third-party vendors and business associates can augment your practice's capabilities.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: I don't know.
Education: If you don't have expertise to perform operational, security, or other tasks, contracting with third-party vendors and business associates can augment your practice's capabilities.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Notes
2 Do you allow third-party vendors to access your information systems and/or ePHI?

Response: Yes.
Education: Make sure all business associates and third-party vendors have been evaluated to determine whether or not they require a Business Associate Agreement. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: No.
Education: Working with business associates and third-party vendors can be beneficial to your practice, as long as reasonable and appropriate security precautions are taken for business associates accessing ePHI. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: I don't know.
Education: Consider looking into whether your practice allows business associates or third-party vendors to access your information systems. Your practice may be at risk and unable to safeguard your ePHI if unauthorized third parties have access to your information systems. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10; HICP: TV1 - Practice # 3

Notes
3 How do you identify which business associates need access to create, receive, maintain, or transmit ePHI?

Response: We review business associate contracts to determine which vendors or contractors require access to ePHI and we include a Business Associate Agreement (BAA) in our contract with them.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10, 12; HICP: TV1 - Practice # 3

Response: We assume that business associates who need access to our ePHI will indicate that and include a BAA with their contract with us.
Education: Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10, 12; HICP: TV1 - Practice # 3

Response: I don't know. We have not formally considered which of our business associates require access to ePHI.
Education: Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10, 12; HICP: TV1 - Practice # 3

Response: We have informal discussions to evaluate whether access to our ePHI is required.
Education: Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10, 12; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10, 12; HICP: TV1 - Practice # 3

Notes
4 How does your practice enforce or monitor access for each of these business associates?

Response: We determine degree of access based on the amount of ePHI accessed, the types of devices or mechanisms used for access, and our ability to control and monitor third-party access.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: We assume that all business associate access is equal with regard to determining risk.
Education: Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: We do not consider degree of access as it pertains to business associates.
Education: Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 10; HICP: TV1 - Practice # 3

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS, DE.CM; HPH CPG: 10; HICP: TV1 - Practice # 3

Notes
5 How do business associates communicate important changes in security practices, personnel, etc. to you?

Response: Our BAAs include language describing how security-relevant changes should be communicated to our organization.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: We rely on our business associates to communicate with us in a manner they deem effective.
Education: Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: We are not sure how our business associates manage security or communicate changes to our practice.
Education: Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Notes
6 Have you executed business associate agreements with all business associates who create, receive, maintain, or transmit ePHI on your behalf?

Response: Yes. We ensure all business associates have a fully executed BAA with us before creating, receiving, maintaining, or transmitting ePHI on our behalf.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(b)(3); NIST CSF: PR.AA, PR.IR; HPH CPG: 10; HICP: N/A

Response: Yes. We assume business associates with whom we require a BAA will prompt us to put one in place.
Education: Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(b)(3); NIST CSF: PR.AA, PR.IR; HPH CPG: 10; HICP: N/A

Response: No. We do not execute BAAs when we have business associates accessing ePHI.
Education: Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.
Required?: Required
Reference: HIPAA: §164.308(b)(3); NIST CSF: PR.AA, PR.IR; HPH CPG: 10; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(b)(3); NIST CSF: PR.AA, PR.IR; HPH CPG: 10; HICP: N/A

Notes
7 How do you maintain awareness of business associate security practices (i.e., in addition to Business Associate Agreements)?

Response: Our practice performs extra due diligence in the form of monitoring third-party connections to our information systems or other forms of access, in addition to including language for security compliance in our Business Associate Agreements (BAAs).
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: PR.AT, RS.CO, DE.CM; HPH CPG: 10, 12, 13; HICP: N/A

Response: We rely on the language of our BAAs to ensure that business associates are securing ePHI.
Education: Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: PR.AT, RS.CO, DE.CM; HPH CPG: 10, 12, 13; HICP: N/A

Response: We are not sure how to maintain awareness of our business associates' security practices.
Education: Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: PR.AT, RS.CO, DE.CM; HPH CPG: 10, 12, 13; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: PR.AT, RS.CO, DE.CM; HPH CPG: 10, 12, 13; HICP: N/A

Notes
8 Do you include satisfactory assurances within your Business Associate Agreements pertaining to how your business associates safeguard ePHI?

Response: Yes. Our Business Associate Agreements include specifications on authorized use and disclosure of ePHI as well as other requirements as required by the Omnibus Rule updates to HIPAA.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.314(a)(1)(i); NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 12, 13; HICP: N/A

Response: Yes. BAAs include specifications on authorized use and disclosure of ePHI.
Education: Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.
Required?: Required
Reference: HIPAA: §164.314(a)(1)(i); NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 12, 13; HICP: N/A

Response: No. We are not sure about what satisfactory assurances are included in our BAAs.
Education: Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.
Required?: Required
Reference: HIPAA: §164.314(a)(1)(i); NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 12, 13; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.314(a)(1)(i); NIST CSF: GV.RR, GV.PO, GV.OV; HPH CPG: 10, 12, 13; HICP: N/A

Notes
9 What terms are in your BAAs to outline how your business associates ensure subcontractors access ePHI securely?

Response: In addition to language in our BAAs, our Business Associates provide specific assurances to us, including how they ensure subcontractors secure ePHI.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(iii); NIST CSF: DE.AE, RS.CO; HPH CPG: 10; HICP: N/A

Response: Our BAAs include language requiring the business associate to obtain satisfactory assurances from subcontractors as to how they protect ePHI.
Education: Consider reviewing with your business associates how they manage security expectations for their subcontractors.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(iii); NIST CSF: DE.AE, RS.CO; HPH CPG: 10; HICP: N/A

Response: We are not sure how to obtain satisfactory assurances from subcontractors.
Education: Ensure your practice can safeguard ePHI by ensuring the terms and conditions of your practice's BAAs outline appropriate requirements for your BAAs with subcontractors.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(iii); NIST CSF: DE.AE, RS.CO; HPH CPG: 10; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(iii); NIST CSF: DE.AE, RS.CO; HPH CPG: 10; HICP: N/A

Notes
10 Do your BAAs require your third-party vendors to report security incidents to your practice in a timely manner?

Response: Yes. Our BAAs describe requirements to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to our practice in a timely manner.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(i)(C); NIST CSF: ID.RA, DE.AE, RS.CO; HPH CPG: 10, 13; HICP: TV1 - Practice # 8

Response: No. We are not sure how this requirement is described within our BAAs.
Education: Your practice may not be able to safeguard its information systems and ePHI if your practice's Business Associates are not required to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to you in a timely manner. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(i)(C); NIST CSF: ID.RA, DE.AE, RS.CO; HPH CPG: 10, 13; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.314(a)(2)(i)(C); NIST CSF: ID.RA, DE.AE, RS.CO; HPH CPG: 10, 13; HICP: TV1 - Practice # 8

Notes
11 Have you updated all your BAAs to reflect the requirements in the 2013 Omnibus Rule updates to HIPAA?

Response: We have reviewed all BAAs and have confirmed their compliance with the Omnibus Rule updates to HIPAA.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, GV.OC, PR.AT, GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: We have reviewed all BAAs and are in the process of updating formerly out-of-date BAAs.
Education: Update BAAs to reflect Omnibus Rule updates to HIPAA and HIPAA compliance.
Required?: Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, GV.OC, PR.AT, GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: We assume all BAAs are up to date with the Omnibus Rule updates to HIPAA but have not reviewed the agreements to make sure.
Education: All BAAs should be reviewed to ensure compliance with the Omnibus Rule updates to HIPAA and HIPAA compliance.
Required?: Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, GV.OC, PR.AT, GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: We are not sure if our BAAs are up to date with Omnibus Rule requirements.
Education: All BAAs should be reviewed to ensure compliance with the Omnibus Rule updates to HIPAA and HIPAA compliance.
Required?: Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, GV.OC, PR.AT, GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, GV.OC, PR.AT, GV.RR, GV.PO, GV.OV; HPH CPG: 10, 13; HICP: N/A

Notes
12 How does your practice document all of its business associates requiring access to ePHI?

Response: We maintain a current listing of all business associates with access to ePHI in addition to having Business Associate Agreements (BAAs) on file with any business associates with access to ePHI.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10; HICP: N/A

Response: We maintain copies of fully executed BAAs on file for any business associates with access to ePHI.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10; HICP: N/A

Response: We are not sure how these business associate relationships are documented.
Education: Knowing who provides services to your practice and the nature of the services is an important component of your security plan. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AA, PR.IR, PR.DS; HPH CPG: 10; HICP: N/A

Notes
13 Do you obtain Business Associate Agreements (BAAs) from business associates who access another covered entity's ePHI on your behalf?

Response: Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates as well as subcontractors to those covered entities who contract with us.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required?: Required
Reference: HIPAA: §164.308(b)(2); NIST CSF: N/A; HPH CPG: 10; HICP: N/A

Response: Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates.
Education: Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.
Required?: Required
Reference: HIPAA: §164.308(b)(2); NIST CSF: N/A; HPH CPG: 10; HICP: N/A

Response: No. We do not obtain assurances from business associates who access another covered entity's ePHI on our behalf.
Education: Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.
Required?: Required
Reference: HIPAA: §164.308(b)(2); NIST CSF: N/A; HPH CPG: 10; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.308(b)(2); NIST CSF: N/A; HPH CPG: 10; HICP: N/A

Notes
14 Does the organization require business associates and third-party vendors to implement security requirements more stringent than required in the HIPAA Rules?

Response: Yes, contracts with vendors or BAs outline requirements to follow the HIPAA Rules as applicable to BAs with additional cybersecurity protocols.
Education: This is the most effective of the options provided. The HIPAA Rules require a covered entity to obtain satisfactory assurances from its business associates that they will appropriately safeguard PHI they receive or create on behalf of the covered entity. Organizations could consider protocols within their business practice to include enhanced cybersecurity and supply chain requirements beyond those required by the HIPAA Rules that third parties can follow and how compliance with the requirements may be verified. Rules and protocols for information sharing between the organization and suppliers are detailed and included in contracts between the two.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.SC; HPH CPG: 13; HICP: N/A

Response: No, contracts with vendors or BAs outline requirements to follow the HIPAA Rules as applicable to BAs without additional cybersecurity protocols.
Education: The HIPAA Rules require a covered entity to obtain satisfactory assurances from its business associate that it will appropriately safeguard PHI it receives or creates on behalf of the covered entity. Organizations could consider protocols within their business practice to include enhanced cybersecurity and supply chain requirements beyond those required by the HIPAA Rules that third parties can follow and how compliance with the requirements may be verified. Rules and protocols for information sharing between the organization and suppliers are detailed and included in contracts between the two.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.SC; HPH CPG: 13; HICP: N/A

Notes
15 How do you track and verify business associate and third-party vendor compliance to security policies and where are these policies documented?

Response: The organization has developed a risk management program with policies and procedures that guide the implementation and monitoring of business associate and third-party vendor activities related to cybersecurity compliance.
Education: This is the most effective of the options provided. The organization could require the business associate and third-party vendor to disclose cybersecurity features, functions, and known vulnerabilities of their products and services for the life of the product or the term of service. Contracts could require evidence of performing acceptable security practices through self-attestation, conformance to known standards, certifications, or inspections. Business associates and third-party vendors could be monitored to ensure they are fulfilling their security obligations throughout the relationship lifecycle.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.SC; HPH CPG: 13; HICP: N/A

Response: The organization verifies business associate and third-party vendor status each year but does not perform evaluations.
Education: The organization could require business associates and third-party vendors to disclose cybersecurity features, functions, and known vulnerabilities of their products and services for the life of the product or the term of service. Contracts could require evidence of performing acceptable security practices through self-attestation, conformance to known standards, certifications, or inspections. Business associates and third-party vendors could be monitored to ensure they are fulfilling their security obligations throughout the relationship lifecycle.
Required?: Required
Reference: HIPAA: N/A; NIST CSF: GV.SC; HPH CPG: 13; HICP: N/A

Notes

Threats & Vulnerabilities | Likelihood | Impact | Risk Score

1 Uncontrolled access to ePHI to business associates/vendors
    Access to unauthorized segments of the network
    Carelessness causing disruption to computer systems
    Carelessness exposing ePHI
    Damage to public reputation due to breach
    Disclosure of passwords and or login information
    ePHI accessed by unauthorized entities
    Exploiting unpatched systems and software
    Unauthorized access to ePHI
    Unauthorized modification to ePHI

2 Inadequate business associate/vendor agreements
    Inability to hold third parties accountable to securing your ePHI
    Breach goes unreported due to lack of established communication requirements with third-party
    Provide sensitive information and ePHI without authorization
    Loss of support services or contracts
    Damage to public reputation or litigation

3 No security or privacy assurances obtained from business associates/vendors
    Information system or facility access granted to unauthorized personnel
    Adversarial access to unauthorized network segments
    Corrective enforcement outcomes from regulatory agencies
    Disclosure of passwords and or login information
    Social engineering or hacking attack affecting third-party impacts your practice's data
    Disruption of access to data due to inadequate contractor security controls
    Unauthorized access to or modification of ePHI/sensitive information
    Exploitation of unsecured third-party systems and software
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)

4 Failure to update or review business associate contracts
    Contract termination due to expiration
    Provide sensitive information and ePHI without authorization
    Disruption of access to data due to contract dispute or lapse
    Inability to determine the criticality of access granted to third parties
    Fines, litigation, and financial penalties from non-compliance

Section 7 - Contingency Planning

Columns: Question # | Question Text | Responses | Education | Risk Indicated | Required? | Reference
Section Indicator: Questions

1 Does your practice have a contingency plan in the event of an emergency?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: No.
Education: Ensure your practice can operate effectively and efficiently during an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: I don't know.
Education: Ensure your practice can operate effectively and efficiently during an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Notes
2 Is your contingency plan documented?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: No.
Education: Your contingency plan should be documented in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: I don't know.
Education: Your contingency plan should be documented in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Notes
3 Do you periodically update your contingency plan?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.IM; HPH CPG: 7, 19; HICP: N/A

Response: Yes, but only if there are changes in our practice.
Education: Consider reviewing and updating your contingency plan on a periodic basis.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.IM; HPH CPG: 7, 19; HICP: N/A

Response: No.
Education: Consider reviewing and updating your contingency plan on a periodic basis.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.IM; HPH CPG: 7, 19; HICP: N/A

Response: I don't know.
Education: Consider reviewing and updating your contingency plan on a periodic basis.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.IM; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.IM; HPH CPG: 7, 19; HICP: N/A

Notes
4 How do you ensure that your contingency plan is effective and updated appropriately?

Response: We periodically review the plan's contents, perform tests of the plan, and record the results. We revise the plan as needed and document this in policy.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: We periodically review the plan's contents but do not perform any tests or exercises of the plan's effectiveness.
Education: Consider periodically testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: We periodically run tests or exercises of the plan's effectiveness, but we do not document these tests. We have not made updates to our contingency plan yet.
Education: Consider maintaining documentation of contingency plan testing and revisions in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: We do not review or test our contingency plan.
Education: Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: I don't know.
Education: Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: Other.
Education: Depending on what other actions your practice takes to ensure your contingency plan is updated appropriately, you may want to consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: ID.IM, ID.RA, PR.PS, GV.OC; HPH CPG: 7, 19; HICP: N/A

Notes
5 Have you considered what kind of emergencies could damage critical information systems or prevent access to ePHI within your practice?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: No.
Education: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: I don't know.
Education: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Notes
6 What types of emergencies have you considered?

Response: We have considered natural disasters, such as wildfire, damaging winds, floods, hurricanes, tornadoes, or earthquakes.
Education: You should consider infrastructure and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: We have considered man-made disasters, such as vandalism, biochemical warfare, toxic emissions, or civil unrest/terrorism.
Education: You should consider all infrastructure and natural disasters that could affect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: We have considered infrastructure issues, such as blackouts, roadblocks, building hazards, network or data center outages.
Education: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: All of the above.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: Other.
Education: You should consider infrastructure, natural, and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, ID.RA; HPH CPG: 7, 19; HICP: N/A

Notes
7 Have you documented in your policies and procedures various emergency types and how you would respond to them?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: No.
Education: Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain security of ePHI in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: I don't know.
Education: Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain security of ePHI in your policies and procedures.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 7, 19; HICP: N/A

Notes
8 Does your practice have policies and procedures in place to prevent, detect, and respond to security incidents?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS; HPH CPG: 18, 19; HICP: N/A

Response: No.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect, and respond to security incidents.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS; HPH CPG: 18, 19; HICP: N/A

Response: I don't know.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect, and respond to security incidents.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS; HPH CPG: 18, 19; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS; HPH CPG: 18, 19; HICP: N/A

Notes
9 How does your practice prevent, detect, and respond to security incidents?

Response: We have a security incident response plan documented in our policies and procedures.
Education: Consider testing the security incident response plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: As part of training exercises we periodically test our security incident response plan.
Education: Testing your incident response plan is an effective means of preparation and training. The incident plan should cover a range of categories to prepare for and should be documented in your policies and procedures. Also consider tracking security incident responses and outcomes and communicating them to the appropriate workforce members for security incident awareness and mitigation. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: We track all security incident responses and outcomes and report them to our security officer. We then ensure proper mitigation procedures are followed in a timely manner.
Education: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: We communicate recent security incident responses and outcomes to our workforce for additional security awareness and prevention.
Education: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: All of the above.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: Our security incident response plan is tested as needed (for example, when activated in real-world situations) but not on a periodic basis.
Education: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: We do not have a process for managing security incidents or an incident response testing plan.
Education: Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: I don't know.
Education: Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: Other.
Education: Consider developing an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.PS, RS.IP; HPH CPG: 7, 18, 19; HICP: TV1 - Practice # 8

Notes
10 Has your practice identified specific personnel as your incident response team?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, GV.RR, GV.PO, GV.OV; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: No.
Education: Identify workforce members who need access to facilities in the event of an emergency, identify roles and responsibilities, and create a backup plan for accessing facilities and critical data. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, GV.RR, GV.PO, GV.OV; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: I don't know.
Education: Identify workforce members who need access to facilities in the event of an emergency, identify roles and responsibilities, and create a backup plan for accessing facilities and critical data. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, GV.RR, GV.PO, GV.OV; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, GV.RR, GV.PO, GV.OV; HPH CPG: 7, 19; HICP: TV1 - Practice # 8

11 How are members of your incident response team identified and trained?

Response: Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire) and receive periodic reminders of our internal policies and procedures and testing exercises.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire).
Education: Train members of your incident response team both upon hire and during periodic review. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: Workforce members are told verbally what their role and responsibility is on the incident response team, but this is not a formal process.
Education: Consider formally documenting and training workforce members on matters regarding their role and responsibility on the incident response team. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: We do not have a process to inform workforce members about their role and responsibility on the incident response team.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: I don't know.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: Other.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, GV.RM, PR.PS, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HPH CPG: 4, 7, 19; HICP: TV1 - Practice # 8

12 Has your practice evaluated and determined which systems and ePHI are necessary for maintaining business-as-usual in the event of an emergency?

Response: Yes, we have a process of evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed by executing our contingency plan. This is documented along with our asset inventory.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

Response: Yes, we have identified which information systems are more critical than others, including those of business associates, but have not formally documented this in our contingency plan.
Education: Consider documenting this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

Response: No, we have not implemented a process for identifying and assessing criticality of information systems.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

Response: I don't know.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

Response: Other.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA; HPH CPG: 19; HICP: TV1 - Practice # 10

13 How would your practice maintain access to ePHI in the event of an emergency, system failure, or physical disaster?

We have established procedures and mechanisms for obtaining necessary electronic protected health information during an emergency.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AA, PR.IR, GV.OC, PR.DS, PR.PS, PR.MA, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

We have mechanisms in place to obtain access to ePHI during an emergency but do not have procedures documenting how these mechanisms are to be utilized.
    Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage (e.g., cloud environment).
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AA, PR.IR, GV.OC, PR.DS, PR.PS, PR.MA, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

We do not have procedures or mechanisms to maintain access to ePHI in the event of an emergency.
    Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage (e.g., cloud environment).
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AA, PR.IR, GV.OC, PR.DS, PR.PS, PR.MA, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

I don't know.
    Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage (e.g., cloud environment).
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AA, PR.IR, GV.OC, PR.DS, PR.PS, PR.MA, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AA, PR.IR, GV.OC, PR.DS, PR.PS, PR.MA, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

Notes
14 How would your practice maintain security of ePHI and crucial business processes before, during, and after an emergency?

We have robust contingency plans which provide for alternate site or other means for continued access to ePHI. We test them periodically to ensure continuity of security processes in an emergency setting.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

We have contingency plans which will be used to maintain continuity of security processes during an emergency setting.
    Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

We have not implemented a means of ensuring continuity of security processes in an emergency setting.
    Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

I don't know.
    Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

Other.
    Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: GV.OC, GV.RM, PR.PS, RS.MA, RS.CO, RS.AN, RC.CO, RC.RP; HPH CPG: 7, 19; HICP: N/A

Notes
15 Do you have a plan for backing up and restoring critical data?

Yes, we have a plan for determining which data is critically needed, creating retrievable, exact copies of critical data and how to restore that data, including from alternate locations. We also test and revise the plan, as needed.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
    Required & Addressable
    HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: GV.OC, ID.RA, GV.RM, RS.AN, PR.PS, RS.MA, RS.CO, RC.CO, RC.RP, PR.DS; HPH CPG: 19, 20; HICP: TV1 - Practice # 10

Yes, we have a plan for creating retrievable, exact copies of critical data and how to restore that data. We do not have a process for testing and revising this plan.
    Consider conducting periodic tests of backup recovery procedures. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
    Required & Addressable
    HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: GV.OC, ID.RA, GV.RM, RS.AN, PR.PS, RS.MA, RS.CO, RC.CO, RC.RP, PR.DS; HPH CPG: 19, 20; HICP: TV1 - Practice # 10

We do not have a data backup and restoration plan.
    You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
    Required & Addressable
    HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: GV.OC, ID.RA, GV.RM, RS.AN, PR.PS, RS.MA, RS.CO, RC.CO, RC.RP, PR.DS; HPH CPG: 19, 20; HICP: TV1 - Practice # 10

I don't know.
    You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider looking into whether your practice is implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
    Required & Addressable
    HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: GV.OC, ID.RA, GV.RM, RS.AN, PR.PS, RS.MA, RS.CO, RC.CO, RC.RP, PR.DS; HPH CPG: 19, 20; HICP: TV1 - Practice # 10

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required & Addressable
    HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: GV.OC, ID.RA, GV.RM, RS.AN, PR.PS, RS.MA, RS.CO, RC.CO, RC.RP, PR.DS; HPH CPG: 19, 20; HICP: TV1 - Practice # 10

Notes
16 How is your practice's emergency procedure activated?

Upon identification or initiation of an emergency situation, emergency procedures are activated according to documented procedure, such as by formal communication from the security officer or other designated personnel.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: GV.OC, PR.PS, DE.AE, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

We do not have a procedure to ensure that the emergency procedure is activated consistently when emergency events are identified.
    Details about how and when to activate should be documented in the emergency procedure.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: GV.OC, PR.PS, DE.AE, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

I don't know.
    Details about how and when to activate should be documented in the emergency procedure.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: GV.OC, PR.PS, DE.AE, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: GV.OC, PR.PS, DE.AE, RS.MA, RS.CO; HPH CPG: 19; HICP: N/A

Notes
17 How is access to your facility coordinated in the event of disasters or emergency situations?

We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Members of the workforce who need access to the facility in an emergency have been identified. Roles and responsibilities have been defined. A backup plan for accessing the facility and critical data is in place.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Addressable
    HIPAA: §164.310(a)(2)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, PR.DS, RS.CO, RC.RP; HPH CPG: 19; HICP: N/A

We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency, but it does not include all of the variables described above.
    Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.
    Addressable
    HIPAA: §164.310(a)(2)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, PR.DS, RS.CO, RC.RP; HPH CPG: 19; HICP: N/A

We do not have a written plan for accessing the facility in the event of disasters or emergency situations.
    Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.
    Addressable
    HIPAA: §164.310(a)(2)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, PR.DS, RS.CO, RC.RP; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Addressable
    HIPAA: §164.310(a)(2)(i); NIST CSF: GV.OC, GV.RM, PR.AA, PR.IR, PR.PS, RS.MA, PR.DS, RS.CO, RC.RP; HPH CPG: 19; HICP: N/A

Notes
18 How is your emergency procedure terminated after the emergency circumstance is over?

Upon the conclusion of the emergency situation, normal operations are resumed according to documented procedure, such as by formal communication from the security officer or other designated personnel.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HPH CPG: 19; HICP: N/A

We do not have a procedure to ensure that normal operations are resumed after the conclusion of an emergency.
    Details about how and when to terminate should be documented in the emergency procedure.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HPH CPG: 19; HICP: N/A

I don't know.
    Details about how and when to terminate should be documented in the emergency procedure.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HPH CPG: 19; HICP: N/A

Notes
19 Do you formally evaluate the effectiveness of your security safeguards, including physical safeguards?

Yes.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

No.
    Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

I don't know.
    Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

Notes
20 How do you evaluate the effectiveness of your security safeguards, including physical safeguards?

We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards. Our evaluation is conducted periodically and in response to changes in the security environment.
    This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards but we do not update them with any set frequency.
    Consider conducting technical and non-technical evaluations of security policies and procedures periodically and in response to changes in the security environment.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

We do not have a formal process to evaluate the effectiveness of our security safeguards.
    Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

Flag this question for later.
    This question will be marked as an area for review and will be included in the "Flagged Questions" report.
    Required
    HIPAA: §164.308(a)(8); NIST CSF: ID.AM, GV.OC, ID.RA, PR.PS, DE.AE, DE.CM, RS.MI, ID.IM, RC.MI; HPH CPG: 19; HICP: N/A

Notes

Threats & Vulnerabilities Likelihood Impact Risk Score


1 Failure to adopt a documented business contingency plan
Corrective enforcement outcomes from regulatory agencies
Failure to define purpose, scope, roles/responsibilities, and/or management commitment
Inability to demonstrate recovery objectives and restoration priorities
Litigation due to not meeting minimum security requirements
Unguided procedures during downtime or unexpected event
2 Failure to update or review contingency plan procedures
Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
Unauthorized access to or modification of ePHI/sensitive information
Out-of-date documentation not reflecting the most recent expected procedures
Inconsistent or inadequate contingency response due to uncertainty
Unguided procedures during downtime or unexpected event
3 Lack of consideration to reasonably anticipated environmental threats
Damage to public reputation due to information breach/loss
Physical damage to facility
Financial loss from increased downtime of information systems
Inability to recover from system failure
Increased recovery time during unexpected downtime of information systems
Injury or death of personnel (employee, patient, guest)
Loss of productivity
Overheating of network devices due to increased ambient temperature
Physical access granted to unauthorized persons or entities
Power outage affecting the availability of critical security and information systems
4 Infrequent training provided to staff and personnel regarding business contingency procedures
Damage to public reputation due to information breach/loss
Financial loss from increased downtime of information systems
Inability to recover from system failure
Increased recovery time during unexpected downtime of information systems
Loss of productivity
5 Inadequate written procedures for security incident tracking and monitoring
Adversaries maintain exploitation capability due to security incidents being undetected or undocumented
Failure to adopt remediation plan based on identified security incidents
Failure to define purpose, scope, roles, responsibilities, and/or management commitment pertaining to the tracking of security incidents
6 Lack of access to ePHI during emergency events
Damage to public reputation
Lost revenue from canceled appointments
Term / Definition

Acceptable Risk
    The level of risk that is considered acceptable. It implies that the potential harm or negative impact associated with the risk is deemed reasonable or manageable.

Access Control
    Restrictions placed on access to systems or data someone is allowed to have. Access controls determine what information, areas, or functions a person can access based on their role, responsibilities, and clearance. Access control levels are set to maintain security, privacy, and control over sensitive information.

Access List
    A list that defines permissions to access systems, data, or other resources. The access list ensures that only authorized individuals are granted access while preventing unauthorized access.

Administrative Safeguards
    The rules and actions put in place by an organization to keep information safe and ensure business operations run smoothly. These safeguards include activities such as creating and enforcing policies, training employees, and establishing processes to protect sensitive data and maintain security.

Asset
    Something valuable to an organization. It can be physical, intangible, financial, or digital. Examples of assets relevant to small to medium-sized practices include: computers, mobile devices, network devices, and software. Assets can include more than just physical devices.

Audit
    Independent review and examination of records and activities to assess the adequacy of system controls and to ensure compliance with established policies and operational procedures.

Back-up
    A copy of files and programs made to facilitate recovery if necessary.

Business Associate
    A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity or another business associate.

Compromise
    The unauthorized disclosure, modification, substitution, or use of sensitive data (e.g., keys, metadata, or other security-related information) or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access.

Confidentiality
    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Contingency Plan
    A plan to continue operations in case something unexpected happens. A contingency plan helps minimize negative impacts following an adverse event and involves: 1) identifying potential problems or risks and 2) creating a plan of steps or actions to take to continue operations should these problems occur.

Continuous Monitoring
    Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Covered Entity
    A covered entity is an organization or individual defined by HIPAA as: 1) a health plan, 2) a healthcare clearinghouse, or 3) healthcare provider who transmits any health information in electronic form in connection with a covered transaction.

Cryptography
    The use of mathematical techniques to transform data to prevent it from being read or tampered with by unauthorized parties.

Disaster Recovery Plan
    A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

Electronic Media
    Electronic media refers to digital content and communication that is created, stored, and transmitted electronically. It includes various forms of media such as text, images, audio, and video that are accessed and shared through electronic means. Electronic media encompasses any digital content that can be viewed, listened to, transmitted, or interacted with using electronic devices.

Electronic Protected Health Information (ePHI)
    ePHI refers to protected health data in electronic form (i.e., PHI that is stored, transmitted, or processed electronically).

Encryption
    Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data. Encryption helps protect sensitive data, such as personal information, financial details or confidential communications, from unauthorized access or interception. It adds an extra layer of security; even if someone gains access to encrypted information they won't understand it without knowing how it was encrypted.

Hardware
    Hardware refers to the physical components or devices of a computer system or electronic device. It includes tangible objects that you can touch and see, such as the computer itself, the monitor, keyboard, mouse, printer, and other devices connected to it.

Health Information
    Any information, whether oral or recorded in any form or medium, that: (1) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of individuals; the provision of healthcare to individuals; or the past, present, or future payment for the provision of healthcare to individuals. Health information is confidential and sensitive because it reveals personal and private details about an individual's health status.

High Impact
    High Impact means the loss of confidentiality, integrity, or availability that would be expected to have severe adverse effects on organizational operations, organizational assets, or individuals. Severe adverse effects could include serious operational damage to organizational assets, high levels of financial loss, or individual harm that could involve loss of life or physical harm.

Impact
    The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Information Security
    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. It includes implementing various security controls, such as encryption, firewalls, strong passwords, user authentication, and regular backups. Information Security also involves raising awareness among individuals to ensure they understand the importance of protecting information and following secure practices.

Information Security Policies
    Information security policies are an organization's rules that outline how an organization should protect and manage sensitive information. These policies provide clear instructions on how to handle and safeguard data to ensure its confidentiality, integrity and availability. Information security policies cover various aspects, such as user access controls, password requirements, data classifications, incident response procedures, data backup practices, and security awareness training.

Information Systems
    Information systems refer to the tools, technologies, and processes used to collect, store, process, and distribute information. They are designed to manage and organize data in a way that supports decision-making and enables efficient operations. Information systems can include a combination of hardware, software, networks, and people. The main purpose of information systems is to facilitate the flow of information, enhance productivity, and improve decision-making.

Information System-related Security Risks
    Risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation.

Integrity
    Integrity refers to the quality of data being accurate, complete, and trustworthy (i.e., data has not been altered or destroyed in an unauthorized manner).

Low Impact
    Low Impact means the loss of confidentiality, integrity, and availability that would be expected to have limited adverse effects on an organization's operations, assets, or individuals.

Management Controls
    The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security.

Media
    Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. Media can also refer to digital platforms, such as cloud storage or online servers, where data is stored and accessed electronically (i.e., electronic media).

Moderate Impact
    Moderate Impact means the loss of confidentiality, integrity, and availability that would be expected to have significant degradation of an organization's operations, assets, or individuals. Adverse effects could include significant operational damage to organizational assets, financial loss, or individual harm that is not loss of life or physical harm.

Operational Controls
    The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Patch
    A patch is a piece of code or software that is created to fix issues or improve the performance of a computer program or system. A software patch is designed to fix problems or vulnerabilities in computer programs.

Phishing
    Phishing is a form of social engineering designed to trick an individual into disclosing sensitive information, such as passwords, credit card numbers, or personal information. Attackers often do this by pretending to be someone trustworthy like a bank, company, or government agency. They may send an email or message that looks genuine but is actually fake.

Physical Safeguards
    Physical measures, policies, and procedures to protect an organization's electronic information systems, facilities, and equipment from natural and environmental hazards, and unauthorized intrusion.

Portable Electronic Device
    Electronic devices that are portable in nature having the capability to store, record, and/or transmit text, images/video, or audio data. Examples of such devices include, but are not limited to: pagers, laptops, cellular telephones, radios, compact disc and cassette players/recorders, portable digital assistant, audio devices, watches with input capability, and reminder recorders.

Protected Health Information
    Protected health information (PHI) is information, including demographic data, that relates to: 1) an individual's past, present, or future physical or mental health condition; 2) the provision of health care to an individual; 3) the past, present or future payment for the provision of healthcare to an individual.

Remote Access
    Access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

Risk
    A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.

Risk Analysis
    The process of identifying and assessing risks to security based upon the likelihood of occurrence, the resulting impact, and implemented safeguards that mitigate this impact.

Risk Assessment
    The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, from the operation of an information system. Risk Assessment is part of risk management. It incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place, often synonymous with risk analysis.

Risk Management
    The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation. It includes: 1) establishing the context for risk-related activities; 2) assessing risk; 3) responding to risk once determined; and 4) monitoring risk over time.

Risk Mitigation
    Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Role-based Access Control
    Role-based access control limits who can access certain information or perform specific tasks based on their role or job function. It creates different levels of access privilege defined by responsibilities rather than by individual.

Safeguards
    Protective measures prescribed to meet the security objectives (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features; management controls; personnel security; and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.

Security
    Security refers to measures and practices put in place to protect people, assets, or information from potential harm, threats, or unauthorized access.

Security Incident
    A security incident is an event or situation with a breach or violation of security measures or policies. It's something unexpected or unwanted; a situation that puts operations, security, or information at risk.

Security Plan
    A security plan is a formal document that outlines the steps and measures to be taken to ensure the safety and security of people, assets, or information. It's a well-thought-out plan that helps prevent, detect, and respond to potential threats or risks.

Software
    Computer programs and associated data that may be dynamically written or modified during execution. Software may also be known as programs or applications.

Spyware
    Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge.

Standard
    A standard is a set of rules or requirements that define processes or practices. It is a benchmark or reference point that ensures consistency, quality, and safety.

Threat
    Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Transmission
    Transmission refers to the process of sending or transferring something, such as passing or conveying information or data, from one point to another.

Virtual Private Network (VPN)

Vulnerability

Vulnerability Assessment

Verification
Confirmation through the provision of objective evidence that specified requirements have been fulfilled (e.g.,
an entity's requirements have been correctly defined, an entity's attributes have been correctly presented, a
procedure or function performs as intended and leads to the expected outcome).
A virtual private network is a private and secure pathway that allows the organization to access the internet or
connect to a network while keeping the organization's data protected.
Weakness in a system, system security procedures, internal controls, or implementation that could be exploited
or triggered by a threat. Vulnerabilities exist in different areas such as physical systems, computer networks,
software applications, and human behavior.
A vulnerability assessment is a thorough inspection to find potential security risks. It is a careful examination or
evaluation to identify weaknesses or flaws that could be exploited to gain unauthorized access.
Risk Score lookup matrix (the Likelihood and Impact ratings are concatenated into a lookup key, and the key selects the Risk Score):

Likelihood   Impact    Lookup key      Risk Score
Low          Low       LowLow          Low
Low          Medium    LowMedium       Medium
Low          High      LowHigh         High
Medium       Low       MediumLow       Low
Medium       Medium    MediumMedium    Medium
Medium       High      MediumHigh      Critical
High         Low       HighLow         Medium
High         Medium    HighMedium      High
High         High      HighHigh        Critical
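The matrix above is the risk calculation logic the workbook applies in each Threats and Vulnerabilities section. The following Python is an added example, not code from the SRA Tool or HealthIT.gov: it rebuilds the same concatenated-key lookup, returns no score when a rating has been cleared (as the workbook leaves the cell blank), checks that the matrix covers every Likelihood/Impact combination, and ranks a constructed list of assessment entries so the highest scores come first, which is the prioritizing step in the risk mitigation definition. The entry names and ratings in the sample are made up for the example.

```python
"""Risk Score lookup reproducing the SRA Tool Likelihood x Impact matrix.

Added example; the functions, the sample entries and the SCORE_RANK ordering
are assumptions made here, not part of the workbook.
"""
from typing import Iterable, List, Optional, Tuple

RATINGS = ("Low", "Medium", "High")

# The nine rows of the workbook's matrix, keyed the way the workbook keys
# them: likelihood text concatenated with impact text.
RISK_MATRIX = {
    "LowLow": "Low",
    "LowMedium": "Medium",
    "LowHigh": "High",
    "MediumLow": "Low",
    "MediumMedium": "Medium",
    "MediumHigh": "Critical",
    "HighLow": "Medium",
    "HighMedium": "High",
    "HighHigh": "Critical",
}

# Severity order used only for sorting (assumed here; higher = address sooner).
SCORE_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def risk_score(likelihood: Optional[str], impact: Optional[str]) -> Optional[str]:
    """Return the Risk Score for a likelihood/impact pair.

    A blank (cleared) rating yields None, mirroring the empty score cell in
    the workbook. Any rating other than Low/Medium/High is rejected rather
    than silently scored, since a typo would otherwise miss the lookup.
    """
    if not likelihood or not impact:
        return None
    if likelihood not in RATINGS or impact not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}")
    return RISK_MATRIX[likelihood + impact]


def matrix_is_complete() -> bool:
    """Confirm every Likelihood/Impact combination has a score.

    The workbook warns that its formulas break if disturbed; this is the
    equivalent sanity check for a copied-out matrix.
    """
    return all(lk + im in RISK_MATRIX for lk in RATINGS for im in RATINGS)


def prioritize(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Score each (name, likelihood, impact) entry and return (name, score)
    pairs sorted most severe first. Unrated entries sort last; ties keep
    their original order."""
    scored = [(name, risk_score(lk, im)) for name, lk, im in entries]
    return sorted(scored, key=lambda e: -SCORE_RANK.get(e[1] or "", 0))


if __name__ == "__main__":
    # Constructed sample entries, not from any real assessment.
    sample = [
        ("Unpatched EHR server", "High", "High"),
        ("Unlocked records room", "Low", "Medium"),
        ("Shared workstation login", "Medium", "High"),
        ("Not yet rated", "", ""),
    ]
    for name, score in prioritize(sample):
        print(f"{score or '(no score)':<10} {name}")
```

Because `prioritize` sorts stably, two entries with the same Risk Score keep the order in which they were listed, so the assessor's own ordering is preserved within each severity band.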
