Below is our HIPAA Risk Level Evaluation. It’s a 34-question Privacy and Security Assessment/Gap Questionnaire and will take approximately 15 minutes to complete. At the end we will ask for a company name and email and give you a detailed report immediately. The report is a graphical analysis that shows where you are with compliance. For each question answered, the report will give you a risk level, a detailed explanation and full recommendations based on how you answered each question. Enjoy!


HIPAA Questions
I. PHI Types:
  • To which of the following items of PHI do you have access? Please check all that apply.
    Names
    All geographic subdivisions/addresses smaller than a State
    All elements of dates (except year)
    Telephone numbers
    Fax numbers
    Electronic mail addresses
    Social Security numbers
    Medical record numbers
    Health plan beneficiary numbers
    Account numbers
    Certificate/license numbers
    Vehicle identifiers and serial numbers, including license plate numbers
    Device identifiers and serial numbers
    Web Universal Resource Locators (URLs)
    Internet Protocol (IP) address numbers
    Biometric identifiers, including finger and voice prints
    Full face photographic images and any comparable images
    Genetic data
    Please list any previously unmentioned PHI to which you have access (separate by commas)
II. PHI Access:
  • Select the one of the following that best describes your company's access to your client's protected health information (PHI):
    You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI *is* encrypted.
    You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI is *NOT* encrypted.
    You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data *is* encrypted. PHI in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
    You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data is *NOT* encrypted.
    You access PHI on your client's system through some type of secured remote access connection (e.g. VPN or dedicated line), but you never store the PHI on any of your own systems or storage devices.
    You must go to your client's facilities to access the PHI, but you cannot remove any PHI or access it from a remote location.
III. Compliance Questions:
  • Name the formally designated person or position that serves as your organization's privacy and security officer, or otherwise has assigned responsibility for privacy and security. If none, type None.
  • When was the last time you updated your documented privacy and information security policies and procedures?
    Describe how the privacy and information security policies and procedures are communicated to all personnel, and made available for them to review at any time. Check all that apply.
    Via Email
    Put on Company Intranet
    Put on Internet Site
    Distribute Printed Copies
    Make Available in Management Policy Binders
    Give Access via SIMBUS Helper portal
    Some Other Method
    Policies and procedures are not communicated or provided
  • Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
    Yes
    No
    N/A
    Provide the date for the most recent information security and privacy training.
  • Provide the date for when you performed your most recent information security risk assessment:
    When was the last time you performed a vulnerability or penetration scan on your networks and systems?
  • Do you require information, in all forms, to be disposed of using secure methods?
    Yes
    No
    N/A
    Do you have a documented security event monitoring, security incident plan, and breach response and notification plan, and teams or staff to support the plan?
    Yes
    No
    N/A
  • External Parties: Do you outsource any activities involving protected health information (PHI) or other confidential information obtained from the covered entity?
    Yes
    No
    Not Sure
    If yes to above, does your organization have Business Associate agreements in place with each of these third parties?
    Yes
    No
    N/A
  • Do you follow a process to identify new data protection legal requirements (e.g., new state breach notification requirements)?
    Yes
    No
    N/A
    Check all the following standards and regulations for which you can verify compliance:
    HIPAA/HITECH
    ISO/IEC 27001
    PCI-DSS
    COPPA
    Applicable state breach notice laws
    Other
    None
IV. Personnel Security
  • Does your organization perform background checks to examine and assess an employee's or contractor's work and criminal history?
    Yes
    No
    N/A
    Are your employees required to sign a non-disclosure agreement upon hire, and then again annually?
    Yes
    No
    N/A
  • Do you have a formal process to manage the termination and/or transfer of employees?
    Yes
    No
    N/A
    Do you have physical security controls (e.g., door locks) to prevent unauthorized access to facilities and a facility security plan?
    Yes
    No
    N/A
  • Do you have controls on systems and networks that host, process and/or transfer sensitive information, including the use of firewalls and controls for protecting network devices from unauthorized access and data-theft?
    Yes
    No
    N/A
    Are connections to your networks and systems logged and monitored?
    Yes
    No
    N/A
  • Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)?
    Yes
    No
    N/A
    Do you require each user ID to be unique and not shared with others, and have a process to remove them when the user leaves the organization?
    Yes
    No
    N/A
  • Have you implemented anti-malware (e.g., anti-virus, spam filters, etc.) on your computers and supporting systems?
    Yes
    No
    N/A
    Media handling: Do procedures exist to protect documents (e.g., paper files, prescription labels, print materials, etc.) and computer media (e.g., tapes, disks, CD-ROMs, etc.), from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.? If the answer is "No" to either of these questions, answer "No".
    Yes
    No
    N/A
  • Segregation of Computing Environments: Are development, test and production environments separated from operational IT environments to protect production (actively used) applications from inadvertent changes or disruption? Are the data files of your business clients segregated from one another? If the answer to either question is "No", indicate "No" as your answer. Or, is this not applicable at your organization?
    Yes
    No
    N/A
    Segregation of Duties: Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? Or, is this not applicable at your organization?
    Yes
    No
    N/A
  • Change Management: Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., virus or spyware) patching activities? Or, is this not applicable at your organization? If not, please explain why it is not applicable.
    Yes
    No
    N/A
    How would you evaluate your current implementation of all of the above controls?
    Just getting started, but have some of the controls fully implemented.
    Have around half to most of the controls implemented, but still have some work to do.
    Have fully implemented all the controls and am now managing ongoing compliance.
  • Could you provide documentation (e.g., information security policies, supporting business documentation, etc.) for all the controls above within 24 hours of request?
    Yes
    For most of the controls above, but some would take longer
    No, we still need to do a lot of documentation, but we're working on it.
Basic Information About Your Company:
  • Company Name (Optional, but we use this to personalize your printable report)
  • Contact Name (Optional, but we use this to personalize your printable report)
Final Step: Enter your email so we can send you your results and some really cool free gifts
  • Email (Required)