§164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry
Does the entity have policies and procedures in place to perform periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?
Does the entity perform periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?
Obtain and review documentation of policies and procedures related to technical and nontechnical evaluation. Determine if such policies and procedures identify how the evaluation findings, remediation options and recommendations, and remediation decisions are documented; specify that evaluations will be repeated on a periodic basis and/or when environmental and operational changes are made and/or newly recognized risk affects the security of ePHI; and identify the frequency of when to evaluate and update the current policies and procedures.
Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in the technical and nontechnical evaluation
• Management involvement in the process and approval of technical and nontechnical evaluation
• Coordination of technical and nontechnical evaluation among departments
• Specification of how technical and nontechnical evaluation will be conducted
• How technical and nontechnical evaluation findings will be addressed
Obtain and review documentation demonstrating periodic technical and nontechnical evaluations. Evaluate and determine if such evaluations appropriately evaluate ePHI security measures; address evaluation findings associated with non-compliant security measures; identify and measure risks associated with non-compliant security measures; and that evaluation findings are reviewed and certified by appropriate management.
Obtain and review documentation of procedures for technology change control/management and documentation of major technology changes which affected the security of ePHI. Obtain and review documentation of plans related to risk management or mitigation efforts in response to evaluations conducted due to a major technology change which affected the security of ePHI. Evaluate and determine if the identified risks associated with non-compliant security measures are addressed in a plan related to risk management or mitigation efforts.
Required/Addressable
Required