Questions

You are here:

Home
Questions

Below is our HIPAA Risk Level Evaluation. It’s a 34 question Privacy and Security Assessment/Gap Questionnaire and will take approximately 15 minutes to complete. At the end we will ask for a company name and email and give you a detailed report immediately. The report is a graphical analysis that shows where you are with compliance. For each question answered, the report will give you a risk level, a detailed explanation and full recommendations based on how you answered each questions. Enjoy!

Leave Comment

To which of the following items of PHI do you have access? Please check all that apply?
Names	All geographic subdivisions/addresses smaller than a State
All elements of dates (except year)	Telephone numbers
Fax numbers	Electronic mail addresses
Social Security numbers	Medical record numbers
Health plan beneficiary numbers	Account numbers
Certificate/license numbers	Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers	Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers	Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images	Genetic data
Please list any previously unmentioned PHI to which you have access (separate by commas)

Select One of the following which best describes your company's access to your client's protected health information (PHI)
You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI is encrypted.
You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI is NOT encrypted.
You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data is encrypted. PHI in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data is NOT encrypted.
You access PHI on your client's system through some type of secured remote access connection (e.g. VPN or dedicated line), but you never store the PHI on any of your own systems or storage devices.
You must go to your client's facilities to access the PHI, but you cannot remove any PHI or access it from a remote location.

When was the last time you updated your documented privacy and information security policies and procedures?
Describe how the privacy and information security policies and procedures are communicated to all personnel, and made available for them to review at any time. Check all that apply.
Via Email	Put on Company Intranet
Put on Internet Site	Distribute Printed Copies
Make Available in Management Policy Binders	Give Access via SIMBUS Helper portal
Some Other Method	Policies and procedures are not communicated or provided

Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers.
Yes
No
N/A
Provide the date for the most recent information security and privacy training.

Do you require information, in all forms, to be disposed of using secure methods?
Yes
No
N/A
Do you have a documented security event monitoring, security incident plan, and breach response and notification plan, and teams or staff to support the plan?
Yes
No
N/A

External Parties: Do you outsource any activities involving protected health information (PHI) or other confidential information obtained from the covered entity?
Yes
No
Not Sure
If yes to above, does your organization have Business Associate agreements in place with each of these third parties?
Yes
No
N/A

Do you follow a process to identify new data protection legal requirements? (e.g., new state breach notification requirements)?
Yes
No
N/A
Check all the following standards and regulations for which you can verify compliance:
HIPAA/HITECH	ISO/IEC 27001
PCI-DSS	COPPA
Applicable state breach notice laws	Other
None

Does your organization perform background checks to examine and assess an employee's or contractor's work and criminal history?
Yes
No
N/A
Are your employees required to sign a non-disclosure agreement upon hire, and then again annually?
Yes
No
N/A

Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)?
Yes
No
N/A
Do you require each user ID to be unique and not shared with others, and have a process to remove them when the user leaves the organization?
Yes
No
N/A

Questions

Cancel reply