SRA Tool: See the SRA Tool User Guide available for download on HealthIT.gov for more detailed instructions and FAQs

The document describes a security risk assessment tool provided by HealthIT.gov. It is an Excel workbook containing 7 sections to assess risk to electronic protected health information. Users can indicate responses, and the workbook will automatically calculate risk levels and highlight areas needing attention. It notes the workbook contains formulas and formatting that could break if edited. Regular review and update of security risk assessments is encouraged to safeguard patient information.


SRA Tool

Excel Workbook
Version 3.3

See the SRA Tool User Guide available for download on HealthIT.gov for more detailed instructions and FAQs.

Instructions for Use:
This Excel based version of the SRA Tool contains the same content that can be found in the latest version of the Windows SRA Tool (3.3).
The content is broken down into seven sections. Each section is contained in its own sheet of this workbook. Some entries in this workbook contain dropdown validation allowing the user to select a response.

The "Response Indicator" column can be used to check a response for a given question. Responses which indicate risk will automatically be highlighted in yellow. Select one response per question. The check mark can be cleared by using backspace or delete.

The "Likelihood" and "Impact" columns in the Threats and Vulnerabilities section of each sheet can be used to rate likelihood and impact as "Low", "Medium", or "High". Likelihood and impact ratings will automatically combine to form a Risk Score. Ratings can also be cleared using backspace or delete.

NOTE: This workbook contains risk calculation logic (formulas) and conditional formatting that will break if disturbed. Areas where risk is indicated will be highlighted in yellow.
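As an added example (not part of the SRA Tool workbook or any HealthIT.gov code), the behaviour the instructions describe re-implemented in Python so it can be read and tested outside Excel: one checked response per question, the yellow-highlight and "Flagged Questions" logic, and a Likelihood/Impact Risk Score that goes blank when a rating is cleared. The Low/Medium/High combination matrix and the sample questions and threats are assumptions constructed for the example; the page does not show the workbook's actual formulas.

```python
from dataclasses import dataclass
from typing import Optional

RATINGS = ("Low", "Medium", "High")

# ASSUMED matrix: the sheet says ratings "automatically combine to form a Risk Score"
# but its formulas are not shown, so this (likelihood, impact) -> score lookup is a stand-in.
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}
SEVERITY = {"High": 3, "Medium": 2, "Low": 1, "": 0}   # "" = score left blank

def risk_score(likelihood: str, impact: str) -> str:
    """Combine two ratings. A cleared (empty) rating leaves the score blank, as
    clearing a cell with backspace/delete does in the sheet; anything other than
    Low/Medium/High is rejected, which is what the dropdown validation enforces."""
    if likelihood == "" or impact == "":
        return ""
    for value in (likelihood, impact):
        if value not in RATINGS:
            raise ValueError(f"rating must be one of {RATINGS}, got {value!r}")
    return RISK_MATRIX[(likelihood, impact)]

@dataclass
class Response:
    text: str
    indicates_risk: bool          # drives the yellow highlight
    checked: bool = False         # the "Response Indicator" check mark

@dataclass
class Question:
    number: int
    text: str
    responses: list

    def selected(self) -> Optional[Response]:
        """Exactly one response may be checked; two checks means the sheet was disturbed."""
        picked = [r for r in self.responses if r.checked]
        if len(picked) > 1:
            raise ValueError(f"question {self.number}: more than one response checked")
        return picked[0] if picked else None

FLAG = "Flag this question for later."

def section_report(questions, threats):
    """Derive what the workbook derives from user input: highlighted (risk-indicating)
    questions, the "Flagged Questions" report, unanswered questions, and the
    Risk Score column ordered highest score first."""
    highlighted, flagged, unanswered = [], [], []
    for q in questions:
        sel = q.selected()
        if sel is None:
            unanswered.append(q.number)
        elif sel.text == FLAG:
            flagged.append(q.number)
        elif sel.indicates_risk:
            highlighted.append(q.number)
    scored = [(name, risk_score(lik, imp)) for name, lik, imp in threats]
    scored.sort(key=lambda row: SEVERITY[row[1]], reverse=True)  # stable: ties keep sheet order
    return {"highlighted": highlighted, "flagged": flagged,
            "unanswered": unanswered, "risk_scores": scored}

# Constructed sample input modelled on Section 1 of the sheet (not the real workbook data).
SAMPLE_QUESTIONS = [
    Question(1, "Has your practice completed an SRA before?", [
        Response("Yes.", False, checked=True), Response("No.", True),
        Response("I don't know.", True), Response(FLAG, False)]),
    Question(2, "Do you review and update your SRA?", [
        Response("Yes.", False), Response("No.", True, checked=True),
        Response("I don't know.", True), Response(FLAG, False)]),
    Question(3, "How often do you review and update your SRA?", [
        Response("Periodically and in response to changes/incidents.", False),
        Response("Ad hoc, without regular frequency.", True),
        Response(FLAG, False, checked=True)]),
    Question(4, "Do you include all ePHI systems in your SRA?", [
        Response("Yes.", False), Response("No.", True)]),   # nothing checked yet
]
# (threat/vulnerability text, likelihood, impact); "" means the rating was cleared.
SAMPLE_THREATS = [
    ("Failure to remediate known risk(s)", "Medium", "High"),
    ("Inadequate Asset Tracking", "Low", "Medium"),
    ("Unspecified workforce security responsibilities", "High", ""),
    ("Failure to meet minimum regulatory requirements", "High", "High"),
]

if __name__ == "__main__":
    for key, value in section_report(SAMPLE_QUESTIONS, SAMPLE_THREATS).items():
        print(f"{key}: {value}")
```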

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST and HICP standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule's requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional's specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.

Last U
Section 1 - SRA Basics
Columns: Section Questions # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
1. Has your practice completed a security risk assessment (SRA) before?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP: TV1, Practice # 7, 10
   - Yes.
     Guidance: Continuing to complete security risk assessments will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
   - No.
     Guidance: Performing a security risk assessment periodically will help safeguard the confidentiality, integrity, and availability of ePHI. Consider scheduling a vulnerability scan to improve your risk assessment.
   - I don't know.
     Guidance: same as for "No."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
2. Do you review and update your SRA?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP: TV1, Practice # 10
   - Yes.
     Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
   - No.
     Guidance: Consider reviewing and updating your security risk assessment periodically. Document requirements to periodically update your risk assessment. You may also periodically conduct vulnerability scans.
   - I don't know.
     Guidance: same as for "No."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
3. How often do you review and update your SRA?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP: N/A
   - Periodically and in response to operational changes and/or security incidents.
     Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI.
   - Periodically but not in response to operational changes and/or security incidents.
     Guidance: An accurate and thorough security risk assessment should be reviewed and updated periodically, or in response to operational changes, or security incidents.
   - Only in response to operational changes and/or security incidents.
     Guidance: same as for "Periodically but not in response to operational changes and/or security incidents."
   - Ad hoc, without regular frequency.
     Guidance: same as for "Periodically but not in response to operational changes and/or security incidents."
   - I don't know.
     Guidance: Consider looking into whether your organization reviews and/or updates your SRA periodically, or in response to operational changes, or security incidents.
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
4. Do you include all information systems containing, processing, and/or transmitting ePHI in your SRA?
   Required?: N/A
   Reference: HIPAA: N/A; NIST CSF: ID.RA, PR.DS, ID.AM; HICP: TV1, Practice # 5
   - Yes.
     Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. A comprehensive security risk assessment should include all information systems that contain, process, or transmit ePHI. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - No.
     Guidance: Include all information systems that contain, process, or transmit ePHI in your security risk assessment. In addition, document your systems in a complete inventory. Maintain a complete and accurate inventory of the IT assets in your organization to facilitate the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
   - I don't know.
     Guidance: same as for "No."
   - Other.
     Guidance: same as for "No."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
5. How do you ensure you are meeting current HIPAA security regulations?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.GV, ID.RM; HICP: N/A
   - We review our practice's Security Policies and Procedures and compare to current regulations.
     Guidance: An accurate and thorough security risk assessment should be performed, reviewed and updated periodically, or in response to operational changes, security incidents, or the occurrence of a significant event.
   - We review the current regulations and do our best to meet them.
     Guidance: same as above.
   - We try to follow the best practices for securing our ePHI but we are not sure we're meeting all the HIPAA security regulations.
     Guidance: same as above.
   - I don't know.
     Guidance: same as above.
   - Other.
     Guidance: same as above.
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
6. What do you include in your SRA documentation?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(A); NIST CSF: ID.RA, ID.AM, ID.BE, PR.DS, PR.IP, RS.MI; HICP: TV1, Practice # 4, 5, 9
   - Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We develop corrective action plans as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe.
     Guidance: This is the most effective option to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Our SRA documentation includes possible threats and vulnerabilities which we assign impact and likelihood ratings to. This allows us to determine severity. We do not include corrective action plans.
     Guidance: Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - Our SRA documentation includes possible threats and vulnerabilities but does not include impact and likelihood ratings, severity ratings, or corrective action plans.
     Guidance: Threats and vulnerabilities should be documented and given impact and likelihood ratings. This will help determine severity and is the best way to safeguard and protect ePHI from potential threats and vulnerabilities. Corrective action plans should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data. IT asset management is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization, including medical device management.
   - I don't know.
     Guidance: same as for the preceding response.
   - Other.
     Guidance: same as for the preceding response.
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
7. Do you respond to the threats and vulnerabilities identified in your SRA?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, ID.RM, RS.MI; HICP: TV1, Practice # 7
   - Yes, we respond. We also maintain supporting documentation of our response.
     Guidance: This is the most effective option. Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - Yes, we respond, but we do not maintain documentation of our response.
     Guidance: Threats and vulnerabilities should be documented within your SRA and given impact and likelihood ratings to determine severity. Safeguards protecting ePHI from these threats and vulnerabilities should be evaluated for effectiveness. Corrective action plans with plan of action milestones should be developed as needed to mitigate identified security deficiencies according to which threats and vulnerabilities are most severe. Risks should be formally deemed "accepted" only when appropriate. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic.
   - No, we don't have a process to respond to identified threats and vulnerabilities.
     Guidance: same as for the preceding response.
   - I don't know.
     Guidance: same as for the preceding response.
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
8. Do you identify specific personnel to respond to and mitigate the threats and vulnerabilities found in your SRA?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, ID.RM, RS.MI, ID.GV, PR.IP; HICP: TV1, Practice # 7
   - Yes.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Use internal or external experts to deploy security methodology.
   - No.
     Guidance: Consider identifying specific workforce members to respond to and mitigate all threats and vulnerabilities identified in your SRA. Use internal or external experts to deploy security methodology.
   - I don't know.
     Guidance: same as for "No."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
9. Do you communicate SRA results to personnel involved in responding to threats or vulnerabilities?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, ID.RM, RS.MI, PR.IP; HICP: TV1, Practice # 10
   - Yes.
     Guidance: This is the most effective option. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
   - No.
     Guidance: You may not be able to implement effective safeguards to protect ePHI if you do not document and share the results of your SRA with the staff responsible for making risk management decisions, developing risk-related policies, and implementing risk mitigation safeguards for ePHI. Communicate to workforce members who review and sign off after reading policies over a specified timeframe. The goal is to establish a standard practice for workforce members to review applicable policies and attest to the review, and for the organization to monitor compliance with this standard.
   - I don't know.
     Guidance: same as for "No."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
10. How do you communicate SRA results to personnel involved in responding to identified threats or vulnerabilities?
   Required?: Required
   Reference: HIPAA: §164.308(a)(1)(ii)(B); NIST CSF: ID.RA, ID.RM, RS.MI; HICP: N/A
   - Written and verbal communication as well as coordinated corrective action planning.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Written results of the risk assessment should be communicated to the personnel responsible for responding to identified threats and vulnerabilities. The responsible persons should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.
   - Written communication only.
     Guidance: Written results of your SRA should be communicated to the personnel responsible for responding to identified threats and vulnerabilities, but also consider involving those personnel in the creation of corrective action plans.
   - Verbal communication only.
     Guidance: Written results of the risk assessment should be communicated to workforce members who will be responsible for responding to identified threats and vulnerabilities after the completion of the risk assessment. The team members responsible for responding to identified threats and vulnerabilities should be involved in the creation of corrective action plans to mitigate threats and vulnerabilities for which they are responsible.
   - We do not communicate risk assessment results to workforce members.
     Guidance: same as for "Verbal communication only."
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:

Threats & Vulnerabilities | Likelihood | Impact | Risk Score

1. Inadequate risk awareness or failure to identify new weaknesses
   - Non-physical threat(s) such as data corruption or information disclosure, interruption of system function and business processes, hardware or equipment malfunction, and/or legislation or security breaches
   - Physical threats such as unauthorized facility access, collisions, trip/fire hazards, and/or hazardous materials (chemicals, magnets, etc.)
   - Natural threat(s) such as damage from dust/particulates, extreme temperatures, severe weather events, and/or destruction from animals/insects
   - Man-Made threat(s) such as insider carelessness, theft/vandalism, terrorism/civil unrest, toxic emissions, or hackers/computer criminals
   - Infrastructure threat(s) such as building/road hazards, power/telephone outages, water leakage (pipes, roof, sprinkler activation), unstable building conditions

2. Failure to remediate known risk(s)
   - Information disclosure (ePHI, proprietary, intellectual, or confidential)
   - Penalties from contractual non-compliance with third-party vendors
   - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
   - Data deletion or corruption of records
   - Prolonged exposure to hacker, computer criminal, malicious code, or careless insider
   - Corrective enforcement from regulatory agencies (e.g. HHS, OCR, FTC, CMS, State or Local jurisdictions)
   - Hardware/equipment malfunction

3. Failure to meet minimum regulatory requirements and security standards
   - Corrective enforcement from regulatory agencies (e.g. HHS, OCR, FTC, CMS, State or Local jurisdictions)
   - Damage to public reputation due to breach
   - Failure to attain incentives or optimize value-based reimbursement
   - Litigation from breach victims due to lack of reasonable and appropriate safeguards

4. Inadequate Asset Tracking
   - Information disclosure (ePHI, proprietary, intellectual, or confidential)
   - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
   - Unauthorized use of assets or changes to data within information systems
   - Unauthorized installation of software or applications
   - Loss, theft, or disruption of assets
   - Improper operation/configuration of assets

5. Unspecified workforce security responsibilities
   - Non-remediated weaknesses
   - Prolonged duration of addressing non-remediated weaknesses
   - Insider carelessness exposing ePHI or causing disruption to information systems and business processes
Section 2 - Security Policies
Columns: Section Questions # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
1. Do you maintain documentation of policies and procedures regarding risk assessment, risk management and information security activities?
   Required?: Required
   Reference: HIPAA: §164.316(a); NIST CSF: ID.GV, ID.RA, PR.IP; HICP: TV1, Practice # 10
   - Yes, we have a process by which management develops, implements, reviews, and updates security policies and procedures.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.
   - Yes, we have some documentation for our information security and risk management activities, but not all of our policies and procedures are documented.
     Guidance: You should document policies and procedures to ensure you consistently make informed decisions on the effective monitoring, identification, and mitigation of risks to ePHI. Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.
   - No, we do not maintain documentation on our information security activities or risk management.
     Guidance: same as for the preceding response.
   - Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes:
2 Do you review and update your security documentation, including policies and procedures?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: ID.GV, ID.RA, PR.IP, RS.IM, RC.IM; HICP: TV1, Practice # 10
   - Response: Yes, we review and update our security documentation periodically and as necessary.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
   - Response: Yes, we review and update our documentation periodically or as needed, but not both.
     Guidance: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
   - Response: Yes, we review our security documentation but we have not updated our documentation.
     Guidance: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
   - Response: No, we have never updated our documentation.
     Guidance: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
   - Response: I don't know.
     Guidance: You should implement a process to periodically review and update your security policies and procedures. This will help you safeguard your facilities, information systems, and ePHI. Review an appropriate number of policies over a specified timeframe. The goal is to establish a standard practice to review policies and to monitor compliance with this standard.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
3 How do you update your security program documentation, including policies and procedures?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM; HICP: TV1, Practice # 10
   - Response: We have a periodic review of information security policies that formally evaluates their effectiveness. Policies and procedures are updated as needed.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: We update policies and procedures ad hoc, for example when an immediate need prompts the change.
     Guidance: You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: We do not have a process for updating our security documentation.
     Guidance: You should conduct periodic reviews of information security policies and update them as needed. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
4 Is the security officer involved in all security policy and procedure updates?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(iii); NIST CSF: ID.GV, ID.RA, PR.IP, RC.IM, RS.IM; HICP: TV1, Practice # 10
   - Response: Yes.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: No.
     Guidance: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: I don't know.
     Guidance: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Other.
     Guidance: You should have a designated security officer and any/all policy or procedure updates should be reported to the security officer. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
5 How does documentation for your risk management and security procedures compare to your actual business practices?
   Required? Required
   Reference: HIPAA: §164.316(b)(1)(i) & (ii); NIST CSF: ID.BE, ID.RM, PR.IP; HICP: TV1, Practice # 10
   - Response: Our risk management and security documentation completely and accurately reflects our actual business practices.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Our risk management and security documentation somewhat accurately reflects our business practices.
     Guidance: Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Our risk management and security documentation does not accurately reflect our business practices.
     Guidance: Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: I don't know.
     Guidance: Consider reviewing how your risk management documentation and security procedures compare to your business practices. Risk management and security documentation should accurately reflect business practices. Ensure that your security documentation represents your actual security practices. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
6 How long are information security management and risk management documents kept?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(i); NIST CSF: ID.BE, ID.RM, PR.IP; HICP: N/A
   - Response: We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are maintained and backed up.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The federal requirement is six (6) years retention of documentation, but your state or jurisdiction may have additional requirements.
   - Response: We maintain documents for at least six (6) years from the date of their creation or when they were last in effect, whichever is longer. These documents are not backed up.
     Guidance: The federal requirement is six (6) years retention of documentation, but your state or jurisdiction may have additional requirements. Investigate the requirements for your state. Consider backing up information security and risk management documents.
   - Response: We do not have a set amount of time to keep our documentation.
     Guidance: Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.
   - Response: We do not maintain documents regarding security and risk management.
     Guidance: Ensure your policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer. Your state or jurisdiction may have additional requirements. Consider backing up these documents.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
7 Do you make sure that information security and risk management documentation is available to those who need it?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: ID.BE, ID.RM, PR.IP; HICP: TV1, Practice # 10
   - Response: Yes. Documentation is made available to appropriate workforce members in physical and/or electronic formats (for example, our practice's shared drive or intranet).
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Documentation is reviewed with appropriate workforce members upon initial orientation to the practice, but is not reviewed on a periodic basis or available in physical and/or electronic format unless requested.
     Guidance: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: No. We do not have a process to ensure documentation is available to appropriate workforce members who need it.
     Guidance: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: I don't know.
     Guidance: Documentation should be available to workforce members who need it to perform the security responsibilities associated with their role and reviewed on a periodic basis. Consider making the documentation available in writing, on a local shared drive, or other accessible place. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
8 How do you ensure that security and risk management documentation is available to those who need it?
   Required? Required
   Reference: HIPAA: §164.316(b)(2)(ii); NIST CSF: ID.BE, ID.RM, PR.IP, ID.RA; HICP: TV1, Practice # 10
   - Response: Appropriate workforce members receive instruction on our information security documentation and where to find it as part of their periodic privacy and security training. Documentation is securely made available to workforce members in physical or electronic formats.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
   - Response: Documentation is reviewed with appropriate workforce members upon initial orientation to the practice. Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is.
     Guidance: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
   - Response: Documentation is securely made available to appropriate workforce members in physical or electronic formats and they are verbally instructed as to where it is.
     Guidance: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
   - Response: Other.
     Guidance: Review your information security documentation with your appropriate workforce members upon hire and on an ongoing, periodic basis. Make sure workforce members know where to find the documentation for ongoing review. Policies are established first and are then supplemented with procedures that enable the policies to be implemented. Policies describe what is expected, and procedures describe how the expectations are met.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
Threats & Vulnerabilities | Likelihood | Impact | Risk Score

1 Failure to update Policies & Procedures
   Fines/penalties from mandated regulatory requirements
   Unstructured guidance for daily tasks and duties within workforce
2 Failure to share security procedure information with appropriate parties
   Unauthorized access to ePHI or sensitive information permitted
   Disruption of information system function
   ePHI exfiltrated to unauthorized entities
   Insider carelessness causing disruption
   Insider carelessness exposing ePHI
3 Inconsistent/unclear risk management documentation
   Unclear security coordination across workforce
   Unstructured guidance for daily tasks and duties
4 No risk management documentation (or low retention of documentation)
   Fines/penalties from regulatory enforcement
   Inability of workforce to perform proper security & privacy related tasks or access procedural documents
   Unstructured workforce coordination of risk management procedures
Section 3 - Security & Workforce
Columns: Question # | Section Questions | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
1 Who within your practice is responsible for developing and implementing information security policies and procedures?
   Required? Required
   Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP, ID.AM; HICP: TV1, Practice # 10
   - Response: The security officer is a member of the workforce identified by name in policy documents.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: The role of security officer is described in our policy documentation, but the person who occupies that role is not named.
     Guidance: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: A member of our workforce.
     Guidance: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: The security officer is not formally named or otherwise identified in policy.
     Guidance: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Other.
     Guidance: You should have a qualified and capable person appointed to the responsibility of security officer. Having a central point of contact helps ensure that information security practices are coordinated, consistent, and that the organization can be held accountable. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
2 Do you identify and document the role and responsibilities of the security officer?
   Required? Required
   Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO, PR.IP; HICP: TV1, Practice # 10
   - Response: Yes. The security officer is identified by role and this is documented in our practice's information security policies, which describe the role's responsibilities.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Yes. Our practice has a security officer, but there is no formal documentation of the position or the responsibilities.
     Guidance: You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: No. We have not identified the role of the security officer.
     Guidance: You should document who is responsible for coordinating information security activities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
3 Is your security officer qualified for the position?
   Required? Required
   Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO; HICP: N/A
   - Response: Yes. The security officer is an assigned member of the workforce familiar with security and has the ability to design, implement, and enforce security policies and procedures.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
   - Response: No. The security officer does not have the ability to design, implement, and enforce security policies and procedures.
     Guidance: Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.
   - Response: I don't know. We have not considered what qualifications would be appropriate for the security officer.
     Guidance: Assign responsibility of the security officer to a member of the workforce with the ability to ensure security policies are effective and followed consistently.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
4 Do workforce members know who the security officer is?
   Required? Required
   Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO; HICP: N/A
   - Response: Yes. Workforce members are aware of who our security officer is.
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
   - Response: No. Not all workforce members know who our security officer is.
     Guidance: If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.
   - Response: I don't know.
     Guidance: If your workforce members do not know the name and contact information of the security officer, they may not be able to raise security concerns or execute mitigating actions when there are security problems.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
5 Do workforce members know how and when to contact the security officer?
   Required? Required
   Reference: HIPAA: §164.308(a)(2); NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO; HICP: N/A
   - Response: Workforce members are made aware of the identity of the security officer and reasons for contacting the security officer as part of their orientation to the practice (upon hire) as well as periodic reminders of our internal policies and procedures (e.g. periodic review).
     Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
   - Response: Information about who the security officer is and when they should be contacted is verbally communicated to workforce members, but this is not a formal process.
     Guidance: If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: We do not have a process to inform workforce members about the identity of the security officer or when the security officer needs to be contacted.
     Guidance: If your workforce members do not know the contact information and availability of the security officer, they may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
6 Who do people contact for security considerations if there is NO security officer?
   Required? N/A
   Reference: HIPAA: N/A; NIST CSF: PR.AT, DE.DP, ID.GV, RS.CO; HICP: N/A
   - Response: The practice manager.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures.
   - Response: Information Technology (IT) Manager.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Lead physician in the practice.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Lead nurse in the practice.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Lead consultant for the practice.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Administrative support for the practice.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Other.
     Guidance: In order to meet the standard, you should identify a member of your workforce to serve as the security official and who will be responsible for the development and implementation of security policies and procedures. If you do not have a designated security officer, your workforce may not be able to execute immediate and appropriate mitigating actions when there are security problems.
   - Response: Flag this question for later.
     Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
   Notes
7 How are roles and job duties defined as they pertain to accessing ePHI?

Answer: We have written job descriptions, roles, and required qualifications documented for all workforce members with access to ePHI.
Category: Required. References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP; HICP: TV1, Practice # 3.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user's access to data, applications, systems, and endpoints.

Answer: We have written job titles, but no written roles or responsibilities for workforce members with access to ePHI.
Category: Required. References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP; HICP: TV1, Practice # 3.
Guidance: Consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. If such procedures are determined to not be reasonable and appropriate, document the reason why and what is being done to compensate for this lack of procedures. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user's access to data, applications, systems, and endpoints.

Answer: We do not have written job roles or responsibilities for workforce members with access to ePHI.
Category: Required. References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP; HICP: TV1, Practice # 3.
Guidance: Consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. If such procedures are determined to not be reasonable and appropriate, document the reason why and what is being done to compensate for this lack of procedures. Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user's access to data, applications, systems, and endpoints.

Answer: Flag this question for later.
Category: Required. References: HIPAA: §164.308(a)(3)(ii)(A); NIST CSF: ID.AM, PR.MA, DE.CM, DE.DP, PR.IP; HICP: TV1, Practice # 3.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
8 Do you screen your workforce members to verify trustworthiness?

Answer: Yes.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Answer: No.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Unqualified or untrustworthy users could access your ePHI if policies and procedures do not require screening workforce members prior to enabling access to facilities, information systems, and ePHI.

Answer: I don't know.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Unqualified or untrustworthy users could access your ePHI if policies and procedures do not require screening workforce members prior to enabling access to facilities, information systems, and ePHI.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
9 How are your workforce members screened to verify trustworthiness?

Answer: Professional references are collected and verified. Criminal background checks are performed in addition to verifying licenses, credentials, and certifications.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Answer: Professional references are collected and verified along with licenses, credentials, and certifications. We do not perform criminal background checks.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.

Answer: We only collect professional references.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.

Answer: We hire through external sources (local school externship or temp agency), and assume their vetting process is sufficient.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.

Answer: Other.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: Consider which methods of personnel screening are reasonable and appropriate for your organization in order to verify the trustworthiness of workforce members who will access ePHI.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(3)(ii)(B); NIST CSF: DE.DP, PR.AC, PR.IP; HICP: N/A.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
10 Do you ensure that all workforce members (including management) are given security training?

Answer: Yes, we ensure all workforce members complete security training on a periodic basis.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practice # 1, 4.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.

Answer: Yes, we ensure all workforce members complete security training, but this is not done periodically.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practice # 1, 4.
Guidance: Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice's security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.

Answer: No, we do not ensure that all workforce members have completed security training or that security training is completed on a periodic basis.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practice # 1, 4.
Guidance: Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice's security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.

Answer: I don't know.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practice # 1, 4.
Guidance: Provide periodic security trainings to all workforce members. The standard states that periodic security trainings be completed and documented for all workforce members, and the documentation is reviewed by your practice's security officer. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Train and regularly remind users that they must never share their passwords.

Answer: Flag this question for later.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, ID.RM, PR.IP; HICP: TV1, Practice # 1, 4.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
11 How do you ensure that all workforce members are given security training?

Answer: We keep a list of workforce members who have completed security training. Trainings are provided upon hire and periodically thereafter. The list is reviewed and verified by the security officer.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 1, 4, 10.
Guidance: This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.

Answer: Our security training is provided by a vendor who keeps record of the trainings completed. The records are reviewed and verified by the security officer.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 1, 4, 10.
Guidance: This is an effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.

Answer: Documentation of security training is maintained in the workforce members' personnel file, but a single comprehensive record is not kept.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 1, 4, 10.
Guidance: Provide training periodically and maintain a comprehensive record of all personnel who have completed training. Have the security officer review the list. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.

Answer: We do not maintain records of privacy and security training for our workforce members.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 1, 4, 10.
Guidance: Provide training periodically and maintain a comprehensive record of all personnel who have completed training. Have the security officer review the list. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.

Answer: Flag this question for later.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 1, 4, 10.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
12 How long are records of workforce member security training kept?

Answer: Records documenting the completion of required security trainings are kept for all workforce members (including management) and retained for at least six (6) years after completion of the training.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: N/A.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Answer: Records documenting the completion of required security trainings are kept for all workforce members. Records are only retained for less than six (6) years.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: N/A.
Guidance: Records documenting the completion of security trainings for all workforce members (including management) should be kept for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond six (6) year retention.

Answer: Records documenting the completion of required security training are kept for all workforce members. Records are only kept for the year in which training was completed.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: N/A.
Guidance: Records documenting the completion of security trainings for all workforce members (including management) should be kept for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond six (6) year retention.

Answer: Flag this question for later.
Category: Required. References: HIPAA: §164.308(a)(5)(i); NIST CSF: PR.AT, PR.IP; HICP: N/A.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
13 Are procedures in place for monitoring log-in attempts and reporting discrepancies?

Answer: Yes, these procedures include workforce members' roles and responsibilities, the log-in monitoring procedure, how to identify a log-in discrepancy, and how to respond to an identified discrepancy.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice # 3.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.

Answer: Yes, we have procedures, but these do not include all of the elements listed above.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice # 3.
Guidance: Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.

Answer: Log-in monitoring tools are available but we do not actively utilize them.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice # 3.
Guidance: Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.

Answer: No, our privacy and security procedures do not include log-in monitoring.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice # 3.
Guidance: Consider revising your procedures to include roles and responsibilities, how to identify a log-in discrepancy, and how to respond to an identified discrepancy. If doing so is determined to not be reasonable and appropriate, document the reason why and what compensating control takes its place. Implement access management procedures to track and monitor user access to computers and programs.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(C); NIST CSF: DE.AE, DE.CM, RS.CO, PR.AT, PR.PT; HICP: TV1, Practice # 3.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
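Added example (not part of the SRA Tool or its guidance): a minimal log-in monitoring check of the kind a practice's procedure under §164.308(a)(5)(ii)(C) would describe, run over constructed authentication log lines. It flags two discrepancy types, a burst of failed log-ins for one account and a successful log-in outside working hours, and produces a list the responsible workforce member can review; the log format, user names, thresholds and hours are all assumptions made for the example.

```python
"""Log-in discrepancy detection over constructed sample log lines.

Constructed log format (an assumption for this example):
    <ISO timestamp> <user> <SUCCESS|FAILURE> <source host>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set

FAIL_THRESHOLD = 5                   # failures inside FAIL_WINDOW count as a discrepancy
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)             # 07:00-19:00 local; a success outside is reported


class Discrepancy(NamedTuple):
    when: datetime
    user: str
    kind: str
    detail: str


# Constructed sample log: one burst of failures, one after-hours log-in, one stray failure.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jdoe SUCCESS ws-frontdesk-1
2024-03-04T08:05:40 msmith FAILURE ws-exam-3
2024-03-04T08:06:02 msmith FAILURE ws-exam-3
2024-03-04T08:06:20 msmith FAILURE ws-exam-3
2024-03-04T08:06:45 msmith FAILURE ws-exam-3
2024-03-04T08:07:01 msmith FAILURE ws-exam-3
2024-03-04T08:07:30 msmith SUCCESS ws-exam-3
2024-03-04T12:30:00 jdoe SUCCESS ws-frontdesk-1
2024-03-04T23:41:09 jdoe SUCCESS ws-billing-2
2024-03-05T09:00:00 rlee FAILURE ws-lab-1
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, outcome, host)."""
    ts, user, outcome, host = line.split()
    return datetime.fromisoformat(ts), user, outcome, host


def in_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= when.hour < end


def find_discrepancies(log_text: str) -> List[Discrepancy]:
    """Return discrepancies in the order they are detected."""
    found: List[Discrepancy] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window per user
    in_burst: Set[str] = set()                                  # users already reported
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, outcome, host = parse_line(line)
        if outcome == "FAILURE":
            window = failures[user]
            window.append(when)
            while when - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and user not in in_burst:
                in_burst.add(user)                  # report each burst once
                found.append(Discrepancy(when, user, "failure_burst",
                    f"{len(window)} failed log-ins within {FAIL_WINDOW} from {host}"))
        elif outcome == "SUCCESS":
            if user in in_burst:                    # success right after a burst is notable
                found.append(Discrepancy(when, user, "success_after_failures",
                    f"successful log-in from {host} after a burst of failures"))
            if not in_business_hours(when):
                found.append(Discrepancy(when, user, "after_hours",
                    f"successful log-in at {when:%H:%M} from {host}"))
            failures[user].clear()                  # a success closes the failure window
            in_burst.discard(user)
    return found


def report(found: List[Discrepancy]) -> List[str]:
    """Plain-text lines for the security officer's review."""
    return [f"{d.when:%Y-%m-%d %H:%M:%S} {d.user:<10} {d.kind:<24} {d.detail}"
            for d in found]


if __name__ == "__main__":
    for line in report(find_discrepancies(SAMPLE_LOG)):
        print(line)
```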
14 Is protection from malicious software (including timely antivirus/security updates and malware protection) covered in your procedures?

Answer: Yes. Software protection is included in our procedures. This includes a review of our procedures for guarding against malware, the mechanisms in place for protection, and the procedures workforce members follow to detect and report malicious software.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 2, 9.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.

Answer: Yes. Our security procedures include a review of our practice's procedure for guarding against malicious software, but do not cover how workforce members can detect and report malicious software or the protection mechanisms and system capabilities in place for malware protection.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 2, 9.
Guidance: Consider including software protection in your procedures, such as:
1. What protection mechanisms and system capabilities are in place for protection against malicious software,
2. Workforce members' roles and responsibilities in malicious software protection procedures,
3. Steps to protect against and detect malicious software, and
4. Actions on how to respond to malicious software infections.
Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.

Answer: Tools for protection from malicious software are available, but these are not included in our security procedures.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 2, 9.
Guidance: Consider including software protection in your procedures, such as:
1. What protection mechanisms and system capabilities are in place for protection against malicious software,
2. Workforce members' roles and responsibilities in malicious software protection procedures,
3. Steps to protect against and detect malicious software, and
4. Actions on how to respond to malicious software infections.
Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.

Answer: No, protection from malicious software is not included in our security procedures.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 2, 9.
Guidance: Consider including software protection in your procedures, such as:
1. What protection mechanisms and system capabilities are in place for protection against malicious software,
2. Workforce members' roles and responsibilities in malicious software protection procedures,
3. Steps to protect against and detect malicious software, and
4. Actions on how to respond to malicious software infections.
Antivirus (AV) software is readily available at low cost and is effective at protecting endpoints from computer viruses, malware, spam, and ransomware threats. Each endpoint in your organization should be equipped with antivirus software that is configured to update automatically. For medical devices, the medical device manufacturer should directly support AV software, or it should be cleared for operation by the manufacturer. Ensure that a compliant AV technology is enabled. If AV cannot be implemented, compensating controls should enforce an AV scan whenever the device is serviced prior to reconnecting to the device network.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(B); NIST CSF: PR.AT, PR.IP; HICP: TV1, Practice # 2, 9.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
15 What password security elements are covered in your security training?

Answer: Our security procedures include what our workforce roles/responsibilities are in password security, how to safeguard passwords, how to respond to a compromised password, and how to properly change a password using various password characteristics (e.g. many characters long, easy to remember, avoiding easy to guess phrases).
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. To stay current with best practices on security procedures, consider enforcing password security measures consistent with guidance in NIST SP 800-63-3. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Answer: Our security procedures include some but not all of the items noted above.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Answer: Password security is not covered in our security procedures.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Answer: Other.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Answer: I don't know.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: Consider enforcing password security measures consistent with guidance in NIST SP 800-63-3 as part of your security training. If this is not determined to be reasonable and appropriate, document the reason why along with your compensating control. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(D); NIST CSF: PR.AT; HICP: TV1, Practice # 2, 3.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
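Added example (not part of the SRA Tool or NIST's own material): an account-creation check that applies the memorized-secret rules from NIST SP 800-63B, the part of SP 800-63-3 the guidance above points to: a minimum length with long passphrases allowed, Unicode normalization, a blocklist of common or compromised values, rejection of context-specific words such as the user name or service name, and no composition rules. The blocklist entries, user names and service name are constructed for the example.

```python
"""Password acceptance check modelled on NIST SP 800-63B section 5.1.1.2.

What it deliberately does NOT do, per 800-63B: no "must contain a digit and a
symbol" composition rules, no arbitrary short maximum length, no truncation.
"""
import unicodedata
from typing import List

MIN_LENGTH = 8      # 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128    # 800-63B requires permitting at least 64; longer is fine

# Constructed, deliberately tiny stand-in for a real list of common/compromised passwords.
BLOCKLIST = {"password", "password1", "12345678", "qwerty123", "letmein", "welcome1"}


def normalize(secret: str) -> str:
    """800-63B: normalize Unicode (NFKC or NFC) before length checks and storage."""
    return unicodedata.normalize("NFKC", secret)


def has_trivial_run(secret: str, run: int = 4) -> bool:
    """True if any window of `run` characters is repeated (aaaa) or sequential (abcd/4321)."""
    codes = [ord(c) for c in secret.lower()]
    for i in range(len(codes) - run + 1):
        chunk = codes[i:i + run]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str, service_name: str) -> List[str]:
    """Return the list of reasons a candidate is rejected; an empty list means acceptable."""
    secret = normalize(candidate)
    lowered = secret.lower()
    reasons: List[str] = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist of common or compromised passwords")
    # Context-specific words: the account name and the service name must not appear.
    for ctx in (username, service_name):
        if ctx and len(ctx) >= 3 and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word '{ctx}'")
    if has_trivial_run(secret):
        reasons.append("contains a repeated or sequential run of characters")
    return reasons


def is_acceptable(candidate: str, username: str, service_name: str) -> bool:
    return not check_password(candidate, username, service_name)


if __name__ == "__main__":
    # Constructed sample candidates for a hypothetical "ClinicEHR" account named jdoe.
    for pw in ("correct horse battery staple", "Tr0ub4d", "Password",
               "Jdoe2024!", "abcd1234", "aaaaaaaa"):
        verdict = check_password(pw, "jdoe", "ClinicEHR") or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

A real deployment would back the blocklist with a large breached-password corpus and pair this check with the rate limiting and MFA the guidance above describes; the check is the verifier's side of the training points, not a substitute for them.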
16 Do you ensure workforce members maintain ongoing awareness of security requirements?

Answer: Yes.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.

Answer: No.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.

Answer: I don't know.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Establish and maintain a training program for your workforce that includes a section on phishing attacks. All users in your organization should be able to recognize phishing techniques. Train your workforce to comply with organizational procedures and ONC guidance when transmitting PHI through e-mail. Train staff never to back up data on uncontrolled storage devices or personal cloud services.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
17 How does your practice ensure workforce members maintain ongoing awareness of security requirements?

Answer: Formal trainings and periodic security reminders.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.

Answer: Either formal trainings or periodic security reminders, but not both.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.

Answer: I don't know.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: Consider securing your workforce with formal, regular trainings as well as periodic reminders. If these steps are not determined to be reasonable and appropriate, document the reason why along with your compensating control. Provide staff with training on and awareness of phishing e-mails. Train personnel to comply with organizational policies. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions.

Answer: Flag this question for later.
Category: Addressable. References: HIPAA: §164.308(a)(5)(ii)(A); NIST CSF: PR.AT, ID.RA, ID.BE, ID.GV; HICP: TV1, Practice # 1, 4.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Notes
18 Do you have a sanction policy to enforce security procedures?
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.IP; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: Consider implementing a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice's security policies and procedures.

Response: I don't know.
Guidance: Consider looking into whether your practice has a sanction policy. It is required that your practice be able to apply appropriate sanctions against workforce members who fail to comply with your practice's security policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
19 What is included in your sanction policy to hold personnel accountable if they do not follow your security policies and procedures?
Required?: Required
Reference: HIPAA: §164.308(a)(1)(ii)(C); NIST CSF: PR.AT, RS.CO, PR.IP; HICP: N/A

Responses:
- Formal written documentation of the sanction and the reason for the sanction.
- A formal corrective action plan.
- Identification of the sanctions applied to compliance failures.
- Training to mitigate repeat offenses.
- Documentation of the sanction outcome.
- None of the above.
- Other.
- I don't know.
Guidance (same for each of these responses): Consider which sanction policies and procedures are reasonable and appropriate for your organization in order to hold personnel accountable if they do not follow your security policies and procedures.

Response: All of the above.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes

Threats & Vulnerabilities (columns: Likelihood, Impact, Risk Score)

1 Unqualified, uninformed, or lack of Security Officer
  - Unqualified workforce or untrained personnel on security standards and procedures
  - Security policies not followed when not enforced
  - Misuse of audit tools, information systems, and/or hardware
  - Proliferation of unknown threats
  - Insider carelessness exposing ePHI
  - Unauthorized information disclosure (ePHI, proprietary, intellectual, or confidential)
  - Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
2 Untrustworthy employee or business associate
  - Information disclosure (ePHI, proprietary, intellectual, or confidential)
  - Disruption of business processes or information system function
  - Sensitive data exposed or tampered with by insider
  - Misuse of information systems and/or hardware
  - Falsification or destruction of records and/or data corruption
  - Unauthorized access granted to outsiders
3 Inadequate cyber security & IT training
  - Information disclosure (ePHI, proprietary, intellectual, or confidential)
  - Disruption of business processes or information system function
  - Social engineering attack or e-mail phishing attack
  - Misuse of information systems and/or hardware
  - Information system or facility access granted to unauthorized personnel
  - Installation of unauthorized software or applications
4 Failure to hold workforce members accountable for undesired actions
  - Insider carelessness causing disruption to computer systems
  - Insider carelessness exposing ePHI to unauthorized persons or entities
  - Lack of interest in protecting sensitive information
Section 4 - Security & Data
Columns: Question #, Section Questions, Question Text, Response Indicator, Question Responses, Guidance, Risk Indicated, Required?, Reference
1 Do you manage and control personnel access to ePHI, systems, and facilities?
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT; HICP: TV1, Practice # 3

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.

Responses:
- No.
- We manage and control personnel access to some but not all.
Guidance (same for both responses): Consider implementing policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.

Response: I don't know.
Guidance: Consider looking into whether you have policies and procedures to determine, authorize, and control access of workforce members to ePHI, systems, and facilities as appropriate. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
2 How do you manage and control personnel access to ePHI, systems, and facilities?
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.IP, PR.AC, PR.PT; HICP: TV1, Practice # 3

Response: Detailed log of personnel and access levels based on role. Updates are reviewed by the security officer.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: Log of personnel names.
Guidance: You should develop, document, and disseminate to workforce members an access control policy. The access control policy should address purpose, scope, roles, responsibilities, management commitment, the expected coordination among organizational entities, and compliance requirements. You should also maintain a list of workforce members with their corresponding level of access. This list should be reviewed and updated by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Responses:
- Access is granted by role, but we do not maintain a corresponding list of personnel.
- We do not keep a detailed log of workforce members or designate access levels based on role.
- Detailed log of personnel and access levels based on role.
- Log of personnel names and access levels.
- Other.
Guidance (same for each of these responses): Make sure your access control measures are effective and up-to-date. Implement a procedure for updating your log upon changes in the workforce to include access levels based on role within your practice. To meet the standard, any updates based on changes in the workforce should be verified by the security officer. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
3 What is your process for authorizing, establishing, and modifying access to ePHI?
Required?: Addressable
Reference: HIPAA: §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

Response: Our security procedures designate personnel authorized to grant, review, modify, and terminate access. Access levels are reviewed and modified as needed.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Our security procedures designate personnel authorized to grant and terminate access. We do not have a procedure to review and modify access as needed.
Guidance: You should implement formal procedures to review and modify personnel access. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Access levels are granted, modified, and terminated as needed, but we do not have formal procedures.
Guidance: You should implement a formal security procedure and designate authorized personnel to grant, review, modify, and terminate access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Responses:
- We do not have a process in place to grant, modify, or terminate access.
- I don't know.
Guidance (same for both responses): You should implement formal procedures to grant, modify, review, and terminate personnel access. Access levels should be reviewed and modified as needed. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
4 How much access to ePHI is granted to users or other entities?
Required?: Required
Reference: HIPAA: §164.502(b); NIST CSF: PR.AC, PR.IP, ID.RM, PR.DS; HICP: TV1, Practice # 3

Response: Minimum access necessary based on the user's formal role.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Responses:
- Access is granted based on user duties and activities but not on any formal role or minimum necessary consideration.
- No limit to access.
- I don't know.
Guidance (same for each of these responses): Policies and procedures outlining how users are granted only the minimum necessary access to ePHI should be documented and implemented based on the user role. Allowing a high degree of access to ePHI may have negative impacts to your practice. Unauthorized or inappropriate access to ePHI can compromise the confidentiality, integrity, and availability of your ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
5 How are individual users identified when accessing ePHI?
Required?: Required
Reference: HIPAA: §164.312(a)(2)(i); NIST CSF: PR.AC, PR.PT, DE.CM; HICP: TV1, Practice # 3

Response: Unique IDs and individual passwords are created for authorized workforce members and contractors in order to access ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).

Responses:
- Unique IDs are required in order to access ePHI but these are not always used. Generic or shared accounts also exist which have access to ePHI and are not specific to unique users.
- Generic usernames and/or shared passwords are used in order to access ePHI.
- We do not have a process to authenticate users with unique IDs.
Guidance (same for each of these responses): If you do not have policies requiring use of a unique identifier for all users accessing ePHI, you might not be able to keep track of authorized users and the roles and responsibilities assigned to them. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook).

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
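The guidance for Question 5 says to give every user a separate account and never to share passwords, but it does not say how to find out whether that is actually true in your systems. The script below is an added example, not part of the SRA Tool: it takes an application or workstation login log and flags two things a security officer would want to see before answering the question, accounts whose name is a role label rather than a person, and accounts that are logged in from two workstations at the same time (one person cannot be at two desks at once, so that is the usual footprint of a shared password). The log format ("<ISO timestamp> <account> <workstation> LOGIN|LOGOUT"), the workstation and account names, and the generic-name pattern are all constructed assumptions; adapt them to what your EHR or directory actually exports.

```python
"""Spot generic or shared accounts in an application access log.

Added example for SRA Tool Section 4, Question 5; it is not part of the
SRA Tool.  The log format, the workstation names, the account names and the
generic-name pattern below are constructed assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import NamedTuple

# Account names that are role labels rather than people (assumed list).
GENERIC_NAME = re.compile(r"^(frontdesk|reception|nurse\d*|lab|xray|admin|shared)$", re.I)


class Session(NamedTuple):
    user: str
    host: str
    start: datetime
    end: datetime


def parse_log(text: str) -> list[Session]:
    """Pair LOGIN/LOGOUT events per (account, workstation) into sessions.

    A LOGIN with no LOGOUT yet is still open, so its end is set to datetime.max.
    """
    open_sessions: dict[tuple[str, str], datetime] = {}
    sessions: list[Session] = []
    for line in text.strip().splitlines():
        ts, user, host, event = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, host)
        if event == "LOGIN":
            open_sessions[key] = when
        elif event == "LOGOUT" and key in open_sessions:
            sessions.append(Session(user, host, open_sessions.pop(key), when))
    for (user, host), start in open_sessions.items():
        sessions.append(Session(user, host, start, datetime.max))
    return sessions


def generic_accounts(sessions: list[Session]) -> list[str]:
    """Accounts whose name is a role label rather than an individual."""
    return sorted({s.user for s in sessions if GENERIC_NAME.match(s.user)})


def concurrently_shared(sessions: list[Session]) -> dict[str, set[str]]:
    """Accounts logged in from two different workstations at the same time."""
    by_user: dict[str, list[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    flagged: dict[str, set[str]] = {}
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s.start)
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b.start >= a.end:
                    break  # later sessions start even later, so none can overlap a
                if a.host != b.host:
                    flagged.setdefault(user, set()).update({a.host, b.host})
    return flagged


def review(text: str) -> dict:
    """Run both checks over a log and return what the security officer should look at."""
    sessions = parse_log(text)
    return {"generic": generic_accounts(sessions), "shared": concurrently_shared(sessions)}


# Constructed sample log: "frontdesk" is a generic account in use at two desks at once,
# "rlee" is a named account whose password is evidently being shared, "jsmith" is clean.
SAMPLE_LOG = """\
2024-03-04T08:00:00 jsmith WS-RECEPT-1 LOGIN
2024-03-04T08:05:00 frontdesk WS-RECEPT-2 LOGIN
2024-03-04T08:10:00 frontdesk WS-EXAM-3 LOGIN
2024-03-04T09:00:00 frontdesk WS-RECEPT-2 LOGOUT
2024-03-04T09:30:00 frontdesk WS-EXAM-3 LOGOUT
2024-03-04T12:00:00 jsmith WS-RECEPT-1 LOGOUT
2024-03-04T13:00:00 jsmith WS-EXAM-3 LOGIN
2024-03-04T14:00:00 jsmith WS-EXAM-3 LOGOUT
2024-03-04T14:05:00 rlee WS-LAB-1 LOGIN
2024-03-04T14:07:00 rlee WS-EXAM-2 LOGIN
"""

if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(kind, hits)
```

Treat the overlap signal as a review trigger rather than proof: a clinician who leaves a tablet session open while logging in at a workstation will trip it too. Reconcile the flagged accounts against the personnel and access log from Question 2, retire the generic ones, and reset the password of any named account that turns out to be shared.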
6 Do you ensure all of your workforce members have appropriate access to ePHI?
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.AC, PR.IP; HICP: TV1, Practice # 3

Response: Yes. We have written procedures to ensure workforce members' access privileges are minimum necessary (i.e. "need to know") based on their roles. These access privileges are approved by the security officer.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Responses:
- Yes. We have written procedures to ensure workforce members' access privileges are minimum necessary but these are not always based on their roles.
- Yes. We verbally communicate access privileges to our workforce members but we do not have written procedures.
- No. We do not have any procedures for ensuring appropriate workforce member access to ePHI.
Guidance (same for each of these responses): You should implement and document procedures to ensure workforce members have access privileges based on their role and no higher than necessary to perform their duties. These procedures and access privileges should be appropriately approved and communicated. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
7 How do you make sure that your workforce's designated access to ePHI is logical, consistent, and appropriate?
Required?: Required
Reference: HIPAA: §164.308(a)(3)(i); NIST CSF: PR.AT, PR.PT, PR.IP, DE.CM; HICP: TV1, Practice # 3

Response: Workforce members are granted access based on the minimum amount necessary for their role. This is consistently applied across the practice and any changes must be formally approved and documented.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Responses:
- Workforce members have a default level of access for their role, but exceptions are commonly granted.
- Our software vendor designates access to users, e.g. based on their role as indicated in the system.
- We do not have a procedure for ensuring user access is appropriate for their role.
Guidance (same for each of these responses): Review role-based access to determine how specific you can designate access for users, based on their roles. Implement and document procedures to ensure minimum necessary access is in place across the board to the extent reasonable and appropriate. If access exceptions are commonly granted, they should be documented and policies should be in place outlining the procedure for access exceptions. Tailor access for each user based on the user's specific workplace requirements. Most users require access to common systems, such as e-mail and file servers. Implementing tailored access is usually called provisioning.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
8 Do you use encryption to control access to ePHI?

Response: Yes.
Guidance: This is the most effective option. Whenever reasonable and appropriate, implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA, PR.PT; HICP: TV1, Practice # 1, 4

Response: No.
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate, implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA, PR.PT; HICP: TV1, Practice # 1, 4

Response: We have not comprehensively evaluated whether encryption is reasonable or appropriate to implement on our devices and information systems.
Guidance: You should evaluate whether encryption is reasonable and appropriate to implement. You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA, PR.PT; HICP: TV1, Practice # 1, 4

Response: I don't know.
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use encryption/decryption methods to control access to ePHI and other health information. Whenever reasonable and appropriate, implement a mechanism to encrypt and decrypt ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. If supported by the manufacturer, medical devices should have local encryption enabled in case the device is stolen. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA, PR.PT; HICP: TV1, Practice # 1, 4

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.312(a)(2)(iv); NIST CSF: PR.DS, PR.MA, PR.PT; HICP: TV1, Practice # 1, 4

Notes
9 What procedures do you have in place to encrypt ePHI when deemed reasonable and appropriate?

Response: Encryption is evaluated as part of our risk management process. We have procedures in place to encrypt data at rest (for example, USB drives or tapes) and in transit (for example, email or cloud EHR) whenever reasonable and appropriate, and find an alternative safeguard when not reasonable and appropriate.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Response: We have procedures in place to encrypt data in transit (for example, email or cloud EHR) but not at rest (for example, USB drives or tapes) whenever reasonable and appropriate.
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Response: We have procedures in place to encrypt data at rest (for example, USB drives or tapes) but not in transit (for example, email or cloud EHR) whenever reasonable and appropriate.
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Response: Other.
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Response: I don't know.
Guidance: Consider encrypting ePHI when it is in transmission as well as when at rest as part of your risk management process. If encryption is determined not reasonable and appropriate, document the reason why and implement an equivalent, alternative safeguard. Install encryption software on every endpoint that connects to your EHR system, especially mobile devices such as laptops. Maintain audit trails of this encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Provide regular training on encryption.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, PR.IP; HICP: TV1, Practice # 1, 4

Notes
10 Do you use alternative safeguards in place of encryption?

Response: Yes. When encryption is not reasonable or appropriate, we implement an alternative safeguard.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA, PR.IP; HICP: TV1, Practice # 2

Response: No. We do not always have alternative safeguards when encryption is not reasonable or appropriate.
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable or appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA, PR.IP; HICP: TV1, Practice # 2

Response: I don't know.
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable or appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA, PR.IP; HICP: TV1, Practice # 2

Response: We have encryption in place for some devices and systems which access ePHI, but have not comprehensively evaluated the reasonableness and appropriateness of doing so for all devices and systems. We do not always have alternative safeguards when encryption is not reasonable and appropriate.
Guidance: You might not be able to ensure access to ePHI is denied to unauthorized users if you do not use alternative safeguards or methods to control access to ePHI and other health information. Whenever encryption is not reasonable or appropriate, implement an alternative safeguard or mechanism to protect your ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA, PR.IP; HICP: TV1, Practice # 2

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: ID.GV, PR.DS, PR.IP, ID.RA, PR.IP; HICP: TV1, Practice # 2

Notes
11 When encryption is deemed unreasonable or inappropriate to implement, do you document the use of an alternative safeguard?

Response: Yes. We have policies and procedures to identify the encryption capabilities of our devices and information systems. When encryption is not reasonable or appropriate, we implement an alternative safeguard and document it.
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems, and then documenting when encryption is not reasonable or appropriate and that you have implemented an alternative safeguard, is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: PR.DS; HICP: TV1, Practice # 2

Response: No. We do not have policies or procedures to document alternative safeguards as a means of controlling access to ePHI on our devices and information systems.
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems, and then documenting when encryption is not reasonable or appropriate and that you have implemented an alternative safeguard, is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: PR.DS; HICP: TV1, Practice # 2

Response: I don't know.
Guidance: Having policies and procedures to identify the encryption capabilities of your devices and information systems, and then documenting when encryption is not reasonable or appropriate and that you have implemented an alternative safeguard, is the best practice. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: PR.DS; HICP: TV1, Practice # 2

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: (none listed); NIST CSF: PR.DS; HICP: TV1, Practice # 2

Notes
12 Have you evaluated implementing any of the following encryption solutions in your local environment? (Full disk encryption, file/folder encryption, encryption of thumb drives or other external media)

Response: All of the above.
Guidance: Encryption in these areas is critical to protecting ePHI in your local environment. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage media before use.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM; HICP: TV1, Practice # 2

Response: Some of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage media before use.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM; HICP: TV1, Practice # 2

Response: None of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage media before use.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM; HICP: TV1, Practice # 2

Response: I don't know.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Encryption applications prevent hackers from accessing sensitive data, usually by requiring a "key" to encrypt and/or decrypt data. Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage media before use.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM; HICP: TV1, Practice # 2

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: PR.AC, PR.DS, DE.CM, ID.RA, ID.RM; HICP: TV1, Practice # 2

Notes
13 Have you evaluated implementing encryption solutions for any of the following cloud services? (Email service, file storage, web applications, remote system backups)

Response: All of the above.
Guidance: Encryption in these areas is critical to protecting ePHI in your cloud environments. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Response: Some of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Response: None of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Response: Not applicable.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Response: I don't know.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. Contracts with EHR vendors should include language that requires medical/PHI data to be encrypted both at rest and during transmission between systems.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1

Notes
14 Have you evaluated implementing any of the following encryption solutions for data in transit? (Encryption of internet traffic by means of a VPN, web traffic over HTTPS, encrypted email, or secure file transfer)

Response: All of the above.
Guidance: Encryption in these areas is critical to protecting ePHI in transit. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1, 4

Response: Some of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1, 4

Response: None of the above.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1, 4

Response: I don't know.
Guidance: Consider reviewing and evaluating all the locations where you are processing, storing, or transmitting ePHI and whether it is reasonable to implement encryption. Encryption can help safeguard your ePHI, whether you're transmitting it over the Internet, backing it up on a server, or just carrying a mobile device or your laptop to and from your facility. Encrypting ePHI makes it completely unreadable to anyone but you or its intended recipient. At minimum, provide annual training on the most salient policy considerations, such as the use of encryption and PHI transmission restrictions. Implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1, 4

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.312(e)(2)(ii); NIST CSF: (none listed); HICP: TV1, Practice # 1, 4

Notes
15 Do you periodically review your information systems for how security settings can be implemented to safeguard ePHI?

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application. Configure endpoints to patch automatically and ensure that third-party applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws. Remediate flaws based on the severity of the identified vulnerability. This method is considered an "unauthenticated scan": the scanner has no extra set of privileges on the server; it queries a server based on ports that are active and present for network connectivity. Each server is queried for vulnerabilities based upon the level of sophistication of the software scanner. Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.
Required/Addressable: Required
References: HIPAA: §164.312(a)(1); NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM; HICP: TV1, Practice # 2, 7

Response: No.
Guidance: Consider periodically reviewing the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application. Configure endpoints to patch automatically and ensure that third-party applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws. Remediate flaws based on the severity of the identified vulnerability. This method is considered an "unauthenticated scan": the scanner has no extra set of privileges on the server; it queries a server based on ports that are active and present for network connectivity. Each server is queried for vulnerabilities based upon the level of sophistication of the software scanner. Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.
Required/Addressable: Required
References: HIPAA: §164.312(a)(1); NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM; HICP: TV1, Practice # 2, 7

Response: I don't know.
Guidance: Consider looking into whether your practice periodically reviews the security settings on all systems which process, store, or transmit ePHI for how you can implement mechanisms to protect ePHI. Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, rendering it more difficult for hackers to maintain programs that are aligned with the most current version of that software application. Configure endpoints to patch automatically and ensure that third-party applications (e.g., Adobe Flash) are patched as soon as possible. Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws. Remediate flaws based on the severity of the identified vulnerability. This method is considered an "unauthenticated scan": the scanner has no extra set of privileges on the server; it queries a server based on ports that are active and present for network connectivity. Each server is queried for vulnerabilities based upon the level of sophistication of the software scanner. Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design. Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, if patching is not automatic. Robust patch management processes mitigate vulnerabilities associated with obsolete software versions, which are often easier for hackers to exploit.
Required/Addressable: Required
References: HIPAA: §164.312(a)(1); NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM; HICP: TV1, Practice # 2, 7

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.312(a)(1); NIST CSF: PR.AC, PR.DS, ID.RA, PR.IP, DE.CM; HICP: TV1, Practice # 2, 7

Notes
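The guidance for question 15 asks you to scan the systems under your control, remediate by severity, pay particular attention to internet-facing web servers such as patient portals, and patch at least monthly. The script below is an added example (not part of the SRA Tool) that turns constructed scan findings into a remediation list with a due date per finding; the field names, the one-band priority bump for internet-facing ePHI systems, and the 7- and 14-day windows are assumptions, while the 30-day window is the monthly floor from the guidance.

```python
"""Prioritize vulnerability-scan findings for systems that handle ePHI.

Added example, not part of the SRA Tool. Findings are constructed sample data;
the priority bump and the 7/14-day windows are assumptions, 30 days is the
"at least monthly" patch cadence from the question 15 guidance.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float            # CVSS v3 base score as reported by the scanner
    handles_ephi: bool     # system creates, receives, maintains or transmits ePHI
    internet_facing: bool  # reachable from the Internet, e.g. a patient portal
    patch_available: bool  # the vendor has distributed a fix


# Ordered least to most urgent; these are the CVSS v3 qualitative ratings.
BANDS = ("low", "medium", "high", "critical")

# Remediation windows in days (assumed, except the 30-day monthly floor).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 30}

# Constructed sample findings: reserved .test hostnames and generic titles,
# not real scan output.
SAMPLE_FINDINGS = [
    Finding("portal.example.test", 443, "Outdated TLS library on patient portal",
            7.5, handles_ephi=True, internet_facing=True, patch_available=True),
    Finding("ehr-db.example.test", 1433, "Unpatched database service",
            9.8, handles_ephi=True, internet_facing=False, patch_available=True),
    Finding("kiosk-01.example.test", 445, "Unsupported file-sharing service version",
            5.3, handles_ephi=False, internet_facing=False, patch_available=True),
    Finding("imaging-ws.example.test", 104, "Legacy imaging service with no vendor fix",
            8.1, handles_ephi=True, internet_facing=False, patch_available=False),
]


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (0.0 folded into low)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority(f: Finding) -> str:
    """Scanner severity, raised one band when an internet-facing system holds ePHI."""
    idx = BANDS.index(severity_band(f.cvss))
    if f.handles_ephi and f.internet_facing:
        idx = min(idx + 1, len(BANDS) - 1)
    return BANDS[idx]


def triage(findings: list[Finding], scan_date: date | str) -> list[dict]:
    """Return one row per finding, most urgent first, with a remediation due date."""
    if isinstance(scan_date, str):
        scan_date = date.fromisoformat(scan_date)
    rows = []
    for f in findings:
        p = priority(f)
        rows.append({
            "host": f.host,
            "port": f.port,
            "title": f.title,
            "priority": p,
            "due": scan_date + timedelta(days=SLA_DAYS[p]),
            # No vendor fix: per questions 10 and 11, put an alternative
            # safeguard in place and document the decision instead of waiting.
            "action": "patch" if f.patch_available else "alternative safeguard, documented",
        })
    # Earliest due date first; ties broken by higher priority, then hostname.
    rows.sort(key=lambda r: (r["due"], -BANDS.index(r["priority"]), r["host"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, date.today()):
        print(f'{r["due"]}  {r["priority"]:<8} {r["host"]}:{r["port"]}  '
              f'{r["title"]}  -> {r["action"]}')
```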
16 How are you aware of the security settings for information systems which process, store, or transmit ePHI?
Required (all responses). References: HIPAA: §164.312(a)(1); NIST CSF: PR.AC, PR.DS, PR.IP, ID.RA, PR.MA, PR.PT, DE.CM; HICP: TV1, Practice # 7

Response: All systems which create, receive, maintain, or transmit ePHI (including any firewalls, databases, servers, and networked devices) have been examined to determine how security settings can be implemented to most appropriately protect ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.

Response: We are aware that systems have security settings to protect ePHI but have not reviewed all systems comprehensively.
Guidance: Consider reviewing security settings for all systems which process, store, and transmit ePHI. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.

Response: We do not have a process to review security settings for information systems which process, store, or transmit ePHI.
Guidance: If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.

Response: I don't know.
Guidance: If you do not identify the access control security settings necessary for each of your information systems and electronic devices, you are not taking full advantage of the security features available in the hardware and software. Vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
17 Do you use security settings and mechanisms to record and examine system activity?
Required (all responses). References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 3

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.

Response: No.
Guidance: Consider implementing hardware, software, and/or procedural mechanisms to monitor system activity. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.

Response: I don't know.
Guidance: Consider looking into whether your practice has implemented hardware, software, and/or procedural mechanisms to monitor system activity. To meet the requirement, your practice should have system monitoring mechanisms in place where ePHI is accessible. User accounts enable organizations to control and monitor each user's access to and activities on devices, EHRs, e-mail, and other third-party software systems.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
18 What mechanisms are in place to monitor or log system activity?
Required (all responses). References: HIPAA: §164.312(b); NIST CSF: PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN; HICP: TV1, Practice # 3

Response: Monitoring of system users, access attempts, and modifications. This includes a date/time stamp.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.

Response: Date/time stamp of system access attempts and modifications only.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: Monitoring of system modifications only.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: Identity of users accessing and modifying within the system.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: None of the above.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: Other.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: I don't know.
Guidance: Determine the mechanisms available to log and monitor system activity. Make sure a procedure to monitor system activity logs is implemented and documented. Implement access management procedures to track and monitor user access to computers and programs.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
19 How do you monitor or track ePHI system activity?
Required (all responses). References: HIPAA: §164.308(a)(1)(ii)(D); NIST CSF: ID.RA, PR.DS, PR.MA, PR.PT, DE.AE, DE.CM, RS.AN; HICP: TV1, Practice # 3

Response: System activity records are reviewed on a regular basis. The frequency of reviews is documented within our procedures. Results of activity reviews are also maintained, including activities which may prompt further investigation.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.

Response: System activity records are reviewed as needed but not on a regular basis. Results of activity reviews are maintained, including activities which may prompt further investigation.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.

Response: System activity records are reviewed as needed but not on a regular basis. Documentation of activity reviews is not maintained.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.

Response: System activity records are not reviewed as needed or on a regular basis.
Guidance: Ensure your practice is able to detect and prevent security incidents by regularly reviewing system activity information as part of its ongoing operations and following security incidents. Implement access management procedures to track and monitor user access to computers and programs.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
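Questions 18 and 19 ask for audit records that carry a date/time stamp, the user's identity, access attempts and modifications, and for regular reviews whose results (including activities that may prompt further investigation) are kept. The following is an added example of such a review, not part of the SRA Tool: it checks constructed sample records for those elements and produces a review record; the record format, the failed-attempt threshold and the business-hours window are assumptions.

```python
"""Audit-log review for ePHI systems (added example, not part of the SRA Tool).

Each record must carry the elements question 18 names: a date/time stamp,
the user identity, the action (access attempt or modification), its outcome
and the record touched.  The review keeps its results, as question 19 asks,
and lists events that may prompt further investigation.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, time

REQUIRED_FIELDS = ("ts", "user", "action", "outcome", "target")
FAILED_ATTEMPT_THRESHOLD = 3                 # assumption for illustration
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumption for illustration

# Constructed sample records (pipe-delimited; not output of any real system).
# The last line lacks the user identity and must be reported as incomplete.
SAMPLE_LOG = """\
2024-03-04T08:12:05|jsmith|ACCESS|SUCCESS|patient/1001
2024-03-04T08:15:40|jsmith|MODIFY|SUCCESS|patient/1001
2024-03-04T09:01:13|mlee|ACCESS|FAILURE|patient/2002
2024-03-04T09:01:20|mlee|ACCESS|FAILURE|patient/2002
2024-03-04T09:01:31|mlee|ACCESS|FAILURE|patient/2002
2024-03-04T09:02:02|mlee|ACCESS|SUCCESS|patient/2002
2024-03-04T23:47:10|rkim|MODIFY|SUCCESS|patient/3003
2024-03-04T10:30:00||ACCESS|SUCCESS|patient/4004
"""


@dataclass
class Finding:
    category: str   # why the event may prompt further investigation
    user: str
    detail: str


@dataclass
class ReviewRecord:
    """Kept as the documented result of one review (question 19)."""
    reviewer: str
    reviewed_at: str
    records_examined: int
    findings: list = field(default_factory=list)


def parse_records(text):
    """Parse one record per line; returns (records, malformed line numbers)."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split("|")
        # A record missing any required element (e.g. no user identity)
        # cannot be attributed and is itself a finding.
        if len(parts) != len(REQUIRED_FIELDS) or not all(parts):
            malformed.append(lineno)
            continue
        rec = dict(zip(REQUIRED_FIELDS, parts))
        try:
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except ValueError:
            malformed.append(lineno)
            continue
        records.append(rec)
    return records, malformed


def review(text, reviewer, reviewed_at):
    """Examine the records and return the review record with its findings."""
    records, malformed = parse_records(text)
    rr = ReviewRecord(reviewer, reviewed_at, len(records))
    for lineno in malformed:
        rr.findings.append(Finding("incomplete-record", "-",
                                   f"line {lineno} lacks a required element"))
    # Repeated failed access attempts by one user.
    failures = Counter(r["user"] for r in records
                       if r["action"] == "ACCESS" and r["outcome"] == "FAILURE")
    for user, n in failures.items():
        if n >= FAILED_ATTEMPT_THRESHOLD:
            rr.findings.append(Finding("repeated-failed-access", user,
                                       f"{n} failed access attempts"))
    # Modifications of ePHI outside the business-hours window.
    start, end = BUSINESS_HOURS
    for r in records:
        if r["action"] == "MODIFY" and not (start <= r["ts"].time() <= end):
            rr.findings.append(Finding("after-hours-modification", r["user"],
                                       f"{r['target']} at {r['ts'].isoformat()}"))
    return rr


if __name__ == "__main__":
    result = review(SAMPLE_LOG, "privacy officer", "2024-03-05")
    print(f"{result.records_examined} records examined by {result.reviewer}")
    for f in result.findings:
        print(f"  [{f.category}] {f.user}: {f.detail}")
```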
20 Do you have automatic logoff enabled on devices and platforms accessing ePHI?
Addressable (all responses). References: HIPAA: §164.312(a)(2)(iii); NIST CSF: PR.AC, PR.DS; HICP: TV1, Practice # 3

Response: Yes, automatic logoff is enabled on all devices and platforms to terminate access to ePHI after a set time of inactivity.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.

Response: Yes, automatic logoff is enabled but not on all devices and platforms to terminate access to ePHI after a set time of inactivity.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.

Response: Automatic time-out is enabled on electronic devices accessing ePHI, but automatic logoff to fully terminate the session is not enabled.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.

Response: Automatic logoff is not enabled on devices or platforms accessing ePHI.
Guidance: Consider implementing automatic logoff on all devices and platforms which access ePHI. If this is not determined to be reasonable and appropriate, document the reason why and what compensating control is in its place. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
21 Do you ensure users accessing ePHI are who they claim to be?
Required (all responses). References: HIPAA: §164.312(d); NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM; HICP: TV1, Practice # 3

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.

Response: No.
Guidance: Procedures should be in place to verify users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.

Response: I don't know.
Guidance: Procedures should be in place to verify users accessing ePHI are who they claim to be, such as user authentication. The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use. Sharing accounts exposes organizations to greater vulnerabilities. For example, the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
22 How do you ensure users accessing ePHI are who they claim to be?
Required (all responses). References: HIPAA: §164.312(d); NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM; HICP: TV1, Practice # 3

Response: Users authenticate themselves to access ePHI using the method authorized by our practice's policy and procedure (for example, user name and password, physical token, or biometric feature).
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Users authenticate themselves to access ePHI, but we do not have a policy or procedure prescribing the method.
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Users do not always have unique authentication to access ePHI (for example, inadvisable practices such as sharing user names and passwords between multiple members of the workforce may occur).
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: We do not have a procedure for authenticating users.
Guidance: Requiring that users utilize unique usernames and passwords, or other forms of authentication, helps to reduce the risk that unauthorized users can access ePHI and compromise access controls already in place. Ensure this is consistently implemented at your practice by having documented procedures to verify that a person or entity seeking access to ePHI is the one claimed. Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
23 How do you determine the means by which ePHI is accessed?
Required (all responses). References: HIPAA: §164.312(d); NIST CSF: PR.AC, PR.DS, PR.MA, DE.CM, PR.IP; HICP: TV1, Practice # 3

Response: All systems, devices, and applications which access ePHI are identified, evaluated, approved, and inventoried. Users can only access ePHI through these approved systems, devices, and applications.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Applications which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which devices can access these applications (e.g. workforce members' personal devices accessing a cloud-based EHR without first identifying and approving the device).
Guidance: Unsecured points could compromise data accessed through an otherwise secure application. Consider implementing a device management process to ensure security standards are in place for all points accessing ePHI. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Devices and systems which access ePHI are identified, evaluated, approved, and inventoried, but we do not manage which applications can access these applications (e.g. ePHI is maintained in formats which can be used by many applications).
Guidance: Secure devices can compromise data when the data itself is used by potentially insecure applications. Consider implementing a process to manage which applications access ePHI and how they will securely be enabled to do so. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: We do not have a procedure for determining the means by which ePHI can be accessed appropriately.
Guidance: Failing to manage which devices and applications can access ePHI enables widespread access that may not be secure, increasing the chance for the confidentiality, integrity, and availability of ePHI to be compromised. Assign a separate user account to each user in your organization. Train and regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook). For devices that are accessed off site, leverage technologies that use multi-factor authentication (MFA) before permitting users to access data or applications on the device. Logins that use only a username and password are often compromised through phishing e-mails. Implement MFA authentication for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
24 Do you protect ePHI from unauthorized modification or destruction?
Required (all responses). References: HIPAA: §164.312(c)(1); NIST CSF: PR.DS; HICP: TV1, Practice # 4

Response: Yes. We have developed and implemented policies and procedures to protect ePHI from improper alteration or destruction.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.

Response: Yes. We have some procedures to protect the integrity of our ePHI but these may not be totally comprehensive.
Guidance: Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.

Response: No. We do not have policies or procedures to ensure the protection of ePHI.
Guidance: Implement policies and procedures to protect ePHI from unauthorized modification or destruction, such as user activity monitoring or data validation tools. Organizational policies should address all user interactions with sensitive data and reinforce the consequences of lost or compromised data.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
25 How do you confirm that ePHI has not been modified or destroyed without authorization?
Addressable (all responses). References: HIPAA: §164.312(c)(2); NIST CSF: PR.DS, DE.CM, DE.AE; HICP: TV1, Practice # 4

Response: We have mechanisms (e.g. integrity verification tools) to corroborate that ePHI has not been altered or destroyed in an unauthorized manner or to detect if such alteration occurs.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.

Response: We manually monitor changes made to ePHI in systems with audit log functionality, but do not have automated systems.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. You may want to consider implementing automated electronic mechanisms and/or integrity verification tools. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.

Response: We do not have resources or procedures in place to verify the integrity of ePHI.
Guidance: Your practice may not be able to safeguard its ePHI if it does not have authentication mechanisms and tools, such as log monitoring or data encryption validation, that can authenticate ePHI. Consider implementing a procedure to validate the integrity of your ePHI. If this is determined to not be reasonable and appropriate, document the reason why and what compensating control is in its place. Establish a data classification policy that categorizes data as, for example, Sensitive, Internal Use, or Public Use. Identify the types of records relevant to each category. Implement data loss prevention technologies to mitigate the risk of unauthorized access to PHI.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
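Question 25's first response refers to integrity verification tools that corroborate ePHI has not been altered or destroyed without authorization, or detect it when it happens. The following is an added example of one such mechanism, not part of the SRA Tool: a keyed (HMAC-SHA256) manifest of a record directory that is sealed so the manifest itself cannot be quietly edited, then re-verified to report modified, deleted and added files. The demo key and the record files are constructed for illustration.

```python
"""Keyed integrity manifest for stored ePHI files (added example, not part of
the SRA Tool).

A plain hash list lets whoever can alter a record also recompute its hash, so
the manifest uses HMAC with a key held apart from the data (e.g. by the
reviewing role), and the whole manifest is sealed with the same key so that
dropping or editing an entry is detected as tampering.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_hmac(key: bytes, path: Path) -> str:
    """HMAC-SHA256 of a file's contents, streamed so large exports fit."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def _snapshot(key: bytes, root: Path) -> dict:
    return {str(p.relative_to(root)): file_hmac(key, p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(key: bytes, root) -> dict:
    """Baseline: per-file HMACs plus a seal over the serialized entry list."""
    entries = _snapshot(key, Path(root))
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "seal": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(key: bytes, root, manifest: dict) -> dict:
    """Compare the directory against the baseline and classify every change."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        # The baseline itself was edited; per-file results would be meaningless.
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    baseline = manifest["entries"]
    current = _snapshot(key, Path(root))
    return {
        "manifest_tampered": False,
        "modified": sorted(n for n in baseline if n in current
                           and not hmac.compare_digest(baseline[n], current[n])),
        "missing": sorted(n for n in baseline if n not in current),   # destroyed
        "added": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Constructed scenario: baseline three records, then alter one, delete
    one, add one, and finally tamper with the manifest to hide the deletion."""
    key = b"constructed-demo-key; keep a real key in a secret store"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, content in (("1001.txt", b"patient 1001"),
                              ("2002.txt", b"patient 2002"),
                              ("3003.txt", b"patient 3003")):
            (root / name).write_bytes(content)
        manifest = build_manifest(key, root)
        clean = verify_manifest(key, root, manifest)
        (root / "1001.txt").write_bytes(b"patient 1001 ALTERED")
        (root / "2002.txt").unlink()
        (root / "4004.txt").write_bytes(b"patient 4004")
        after = verify_manifest(key, root, manifest)
        # Someone strips the deleted record's entry without knowing the key.
        forged = dict(manifest)
        forged["entries"] = {k: v for k, v in manifest["entries"].items()
                             if k != "2002.txt"}
        sealed = verify_manifest(key, root, forged)
    return clean, after, sealed


if __name__ == "__main__":
    for label, result in zip(("baseline", "after changes", "forged manifest"), demo()):
        print(label, result)
```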
26 Do you protect against unauthorized access to or modification of ePHI when it is being transmitted electronically?
Required (all responses). References: HIPAA: §164.312(e)(1); NIST CSF: PR.AC, PR.DS; HICP: TV1, Practice # 1, 4

Response: Yes. We have implemented technical security measures and procedures to prevent unauthorized access to and detect modification of transmitted ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.

Response: We have developed policies and procedures to guide workforce members on the secure transmission of ePHI, but no resources are in place (e.g. encrypted email).
Guidance: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.

Response: Workforce members are verbally instructed to use secure modes of ePHI transmission.
Guidance: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.

Response: No. We have not considered how to securely transmit ePHI.
Guidance: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communication network in addition to developing protocols and procedures. Consider implementing measures to detect modification of transmitted ePHI; if this is determined to not be reasonable and appropriate, document the reason why along with the compensating control in place. When e-mailing PHI, use a secure messaging application such as Direct Secure Messaging (DSM), which is a nationally adopted secure e-mail protocol and network for transmitting PHI. DSM can be obtained from EHR vendors and other health information exchange systems. It was developed and adopted through the Meaningful Use program, and many medical organizations nationwide now use DSM networks. When texting PHI, use a secure texting system.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
27 Have you implemented mechanisms to record activity on
information systems which create or use ePHI ?
Response: Yes. Activity on systems which create or use ePHI is recorded and examined. This is documented in our procedures, including a complete inventory of systems that record activity and how it is examined.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA; HICP: TV1, Practice # 3

Response: Yes. Activity on systems which create or use ePHI is recorded and examined through hardware, software or procedural mechanisms. However, this process is not formally documented in our procedures.
Guidance: Mechanisms in place to record and examine activity on information systems which contain or use ePHI should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA; HICP: TV1, Practice # 3

Response: Yes. Activity on systems which create or use ePHI should be recorded and examined per our procedures, but we do not have actual hardware, software or procedural mechanisms in place.
Guidance: Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA; HICP: TV1, Practice # 3

Response: No. We do not have procedures or mechanisms to record and examine activity on information systems which create or use ePHI.
Guidance: Mechanisms should be in place to record and examine activity on information systems which contain or use ePHI. These mechanisms should be documented in your security documentation. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.
Required?: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA; HICP: TV1, Practice # 3

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.312(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM, RS.AN, PR.MA; HICP: TV1, Practice # 3
Notes

Threats & Vulnerabilities    Likelihood    Impact    Risk Score

1 Inadequate access controls
    Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)
    Disruption of information system function or adversarial access to unauthorized network segments
    Malware installation on information systems or devices
    Unauthorized modification of sensitive information
    Information system access granted to unauthorized persons or entities
2 Lack of documentation for controlling user access
    Illegitimate assignment of permissions for users
    Unguided procedures when determining levels of user access
3 Inadequate procedures for evaluating user activity logs
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
    Unknown source of a security/privacy related incident
    Information system access granted to unauthorized personnel
    Unauthorized access to or modification of ePHI/sensitive information
4 Users have more access rights than needed to complete daily tasks
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
    Unauthorized access to ePHI/sensitive information
    Unauthorized modification of critical network systems and data
5 Non-unique login credentials for workforce members
    Users violate security rules on information systems
    Unknown or unidentified security incidents or breaches occur
    Unauthorized user impersonating an authorized user
6 Inadequate use of encryption for ePHI
    Disclosure of passwords or login information
    Information disclosure, loss, or theft (ePHI, proprietary, intellectual, or confidential)
    Fines from regulatory enforcement (due to lack of encryption safe harbor)
    Information system access granted to unauthorized personnel
    Unauthorized access to or modification of ePHI/sensitive information
7 Inadequate review of computer systems to ensure maximum security
    Accidental modification to ePHI/sensitive information
    Denial of service (DoS) to critical systems
    Disclosure of passwords and/or login information
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
    Exploitation of unpatched systems & software
    Unauthorized access to or modification of ePHI/sensitive information
8 Lack of automatic logoff/screen lock of computer systems
    Unauthorized access to information systems or devices
    Malware installation on information systems or devices
    Disclosure of passwords and/or login information
    Denial of service (DoS) to critical systems
    Accidental modification to ePHI
    Adversary access to unauthorized network segments
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
    Exploitation of unpatched systems & software
    Unauthorized access to or modification of ePHI/sensitive information
9 Inadequate integrity verification of ePHI
    Accidental modification to ePHI
    Damage to public reputation via misuse of patient chart data
    Inaccurate information given to patients or providers
    Unauthorized modification to ePHI
10 ePHI in transit lacking encryption
    Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
    Unauthorized access to or modification of ePHI/sensitive information
    Fines from regulatory enforcement (due to lack of encryption safe harbor)
Section 5 - Security and the Practice
Columns: Section Questions | Question # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
1 Do you manage access to and use of your facility or facilities [i.e. those that house information systems and ePHI]?
Response: Yes. We have written procedures in place restricting access to and use of our facilities.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Yes. Authorization of access to and use of our facilities is verbally communicated, but we do not have written procedures.
Guidance: Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: No. We do not have a process to restrict access to our facilities.
Guidance: Consider implementing documented procedures to govern access to facilities. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6
Notes
2 What physical protections do you have in place to manage facility security risks?
Response: We have methods for controlling and managing physical access to our facility such as keypads, locks, security cameras, etc. We also have an inventory of our practice's facilities that house equipment that creates, maintains, receives, and transmits ePHI. Our policies and procedures outline management's involvement in facility access control and how authorization credentials for facility access are issued and removed for our workforce members and/or visitors. Workforce members' roles and responsibilities in facility access control procedures are documented and communicated.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: We have written procedures documenting our management's involvement in facility access control procedures.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: We have written procedures documenting how authorization credentials for facility access are issued and removed for our workforce members and/or visitors.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: We have methods for controlling and managing physical access to our facility such as keypads, locks, security cameras, etc.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: We have an inventory of our practice's facilities that house equipment that creates, maintains, receives, and transmits ePHI.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: We do not have physical protections in place to manage facility security risks.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: I don't know.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: Other.
Guidance: Ensure only authorized access to ePHI and facilities is allowed by implementing policies and procedures to limit physical access to systems and facilities housing ePHI. Consider implementing policies and procedures to safeguard the facility and equipment from unauthorized tampering, theft, or physical access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Addressable
Reference: HIPAA: §164.310(a)(2)(ii); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 6
Notes
3 Do you restrict physical access to and use of your equipment [i.e. equipment that houses ePHI]?
Response: Yes. We have written policies and implemented procedures restricting access to equipment that houses ePHI to authorized users only.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Yes. We verbally authorize individuals to access equipment that houses ePHI, but have no written policies or procedures.
Guidance: Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: No. We do not have a process to restrict access to equipment that houses ePHI to authorized users.
Guidance: Ensure only authorized access to ePHI is allowed by implementing and documenting procedures to govern access to equipment that houses ePHI. Restrict access to assets with potentially high impact in the event of compromise. This includes medical devices and internet of things (IoT) items (e.g., security cameras, badge readers, temperature sensors, building management systems).
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(a)(1); NIST CSF: ID.RA, PR.AC, DE.CM, PR.IP; HICP: TV1, Practice # 6
Notes
4 Do you manage workforce member, visitor, and third party access to electronic devices?
Response: Yes. We have written procedures for classifying electronic devices based on their capabilities, connection, and allowable activities; access to electronic devices by workforce members, visitors, and/or third parties is determined based on their classification.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Yes. We have written procedures for access to electronic devices, but not detailing all of the variables listed above.
Guidance: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Yes. We verbally instruct users on access to electronic devices, but do not have written procedures.
Guidance: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: No. We do not have a process for managing workforce member, visitor, or third party access to electronic devices.
Guidance: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific electronic device or class of electronic device that can access ePHI. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP; HICP: TV1, Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, PR.IP; HICP: TV1, Practice # 6
Notes
5 Do you have physical protections in place, such as cable locks for portable laptops and screen filters for screens visible in high traffic areas, to manage electronic device security risks?
Response: Yes. We have physical protections in place for all electronic devices and this is documented in policy and procedure.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 6

Response: Yes. We have some physical protections in place for some, but not all, electronic devices.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 6

Response: No. We do not have physical protections in place for our electronic devices.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 6

Response: I don't know.
Guidance: Implement physical safeguards for all electronic devices that access electronic protected health information, to restrict access to authorized users. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 6
Notes
6 What physical protections do you have in place for electronic devices with access to ePHI?
Response: We have robust procedures for electronic device access control, such as authorization for issuing new electronic device access and removing electronic device access. We also use screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6

Response: We have limited procedures for electronic device access control, including some but not all of those listed above.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6

Response: We do not have any physical protections in place for electronic device access to ePHI.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6

Response: I don't know.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6

Response: Other.
Guidance: Consider which physical safeguards to protect access to ePHI can be reasonably and appropriately implemented in your practice. Consider an authorization process for issuing new electronic device access and removing electronic device access, or using screen filters, docking stations with locks, and/or cable locks for portable devices, privacy screens [walls or partitions], and/or secured proximity for servers and network equipment. For devices that cannot be encrypted or that are managed by a third party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located. Disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user "plugging in" to an empty port to access your network.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required?: Required
Reference: HIPAA: §164.310(c); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM; HICP: TV1, Practice # 2, 6
Notes
7 Do you keep an inventory and a location record of all of your electronic devices?
Response: Yes. Our inventory list of all electronic devices and their functions is currently documented and updated on a periodic basis.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A complete and accurate inventory of the IT assets in your organization facilitates the implementation of optimal security controls. This inventory can be conducted and maintained using a well-designed spreadsheet.
Required?: Required
Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM; HICP: TV1, Practice # 5

Yes. We have a list of electronic devices and their Asset (electronic devices) inventory lists should be kept up-to-date to meet Required HIPAA: §164.310(b)
functions but it has not been updated to reflect compliance and best practice standards. A complete and accurate inventory of the NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
inventory changes. IT assets in your organization facilitates the implementation of optimal security HICP: TV1, Practice # 5
controls. This inventory can be conducted and maintained using a well-designed
spreadsheet.

No. We currently do not document and keep an active Your practice may not be aware of threats to devices in use if your practice is not Required HIPAA: §164.310(b)
list of electronic devices and their functions. aware of the location of all of its electronic devices, laptops, printers, copiers, NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
tablets, smart phones, monitors, and other electronic devices. ePHI can be exposed HICP: TV1, Practice # 5
in a surrounding or environment that is not suitable for handling or accessing that
information. A complete and accurate inventory of the IT assets in your organization
facilitates the implementation of optimal security controls. This inventory can be
conducted and maintained using a well-designed spreadsheet.

Flag this question for later. This question will be marked as an area for review and will be included in the Required HIPAA: §164.310(b)
"Flagged Questions" report. NIST CSF: PR.AC, PR.DS, PR.PT, ID.AM
HICP: TV1, Practice # 5
Notes
Question 8: Do you have an authorized user who approves access levels within information systems and locations that use ePHI?
References (all responses): Addressable | HIPAA: §164.308(a)(3)(ii)(A) | NIST CSF: ID.AM, PR.MA, PR.PT, PR.IP | HICP: TV1, Practice # 10

Response: Yes. We have written procedures outlining who has the authorization to approve access to information systems, locations, and ePHI; how access requests are submitted; and how access is granted.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and for setting policy.

Response: Yes. We have written procedures in place describing determination of user access levels to information systems, locations, and ePHI, but not detailing all of the variables described above.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and for setting policy.

Response: Yes. We have a verbally communicated process for determining access to information systems, locations, and ePHI.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and for setting policy.

Response: No. We do not have procedures to determine user access levels to information systems, locations, and ePHI.
Guidance: Consider assigning an authorized user to approve access levels within information systems and locations that contain and use ePHI. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and for setting policy.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 9: Do you validate a person's access to facilities (including workforce members and visitors) based on their role or function?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iii) | NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP | HICP: TV1, Practice # 6

Response: Yes. We have procedures for validating access to our facility. Access levels are based on role or function. We also have strict requirements for validating workforce members or visitors who seek access to our critical systems and software programs.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.

Response: Yes. We have procedures for validating a person's access to our facility. Access levels are not based on role or function.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.

Response: Yes. We have procedures for validating a person's access to the facility based on their role or function, but do not have additional validation requirements for access to our critical systems.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.

Response: Yes. We have an informal process for validating a person's access to facilities, with no written procedures in place.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.

Response: No. We do not have a process for validating a person's access to facilities.
Guidance: Access to facilities, especially areas which house ePHI, should be limited to the minimum necessary for workforce members or visitors to complete their legitimate functions. Consider implementing procedures to validate a person's access to facilities based on their role. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as network devices need to be secured, physical access to the server and network equipment should be restricted to IT professionals. Configure physical rooms and wireless networks to allow internet access only.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 10: How do you validate a person's access to your facility?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iii) | NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP | HICP: TV1, Practice # 6

Response: We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons.
Guidance: These are effective means of validating facility access. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: We have controls in place to identify persons attempting to access the practice, grant access to authorized persons, and prevent access by unauthorized persons, but do not maintain documentation of who is authorized.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: We maintain lists of authorized persons but do not have controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: We maintain lists of authorized persons and have controls in place to identify persons attempting to access the practice, but not to grant access to authorized persons or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: We maintain lists of authorized persons and have controls in place to grant access to authorized persons or prevent access by unauthorized persons, but not to identify persons attempting to access the practice.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: We do not have lists of authorized persons or controls in place to identify persons attempting to access the practice, grant access to authorized persons, or prevent access by unauthorized persons.
Guidance: Consider appropriate methods of validating access to your facility. Implement and document safeguards determined to be reasonable and appropriate. Always keep data and network closets locked. Grant access using badge readers rather than traditional key locks.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 11: Do you have access validation requirements for personnel and visitors seeking access to your critical systems (such as IT, software developers, or network admins)?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iii) | NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP | HICP: TV1, Practice # 6

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: No.
Guidance: Consider implementing procedures to validate a person's access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: I don't know.
Guidance: Consider implementing procedures to validate a person's access to critical systems based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 12: Does this include controlling access to your software programs for testing and revisions?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iii) | NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP | HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: Consider implementing procedures to validate a person's access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: I don't know.
Guidance: Consider implementing procedures to validate a person's access to software programs based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 13: Do you have procedures for validating a third-party person's access to the facility based on their role or function?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iii) | NIST CSF: ID.RA, PR.AC, PR.DS, PR.PT, DE.CM, DE.CP, PR.IP | HICP: TV1, Practice # 6

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: No.
Guidance: Consider implementing procedures to validate a third-party person's access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: I don't know.
Guidance: Consider implementing procedures to validate a third-party person's access to facilities based on their role or function. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control. Just as you might restrict physical access to different parts of your medical office, it's important to restrict the access of third-party entities, including vendors, to separate networks. Allow them to connect only through tightly controlled interfaces. This limits the exposure to and impact of cyberattacks on both your organization and on the third-party entity.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 14: Do you have hardware, software, or other mechanisms that record and examine activity on information systems with access to ePHI?
References (all responses): Required | HIPAA: §164.312(b) | NIST CSF: PR.AC, PR.DS, PR.PT, DE.AE, DE.CM | HICP: TV1, Practice # 3

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: No.
Guidance: Implement and document mechanisms to record and examine system activity to ensure your practice secures the systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: I don't know.
Guidance: Implement and document mechanisms to record and examine system activity to ensure your practice secures the systems that contain or use ePHI. Implement single sign-on systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 15: What requirements are in place for retention of audit reports?
References (all responses): Required | HIPAA: §164.312(b) | NIST CSF: PR.DS, PR.PT, DE.AE, DE.CM, PR.IP | HICP: N/A

Response: Our practice retains records of audit report review for a minimum of six (6) years, consistent with retention requirements for all information security documentation.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Requirements are in place to retain records of audit report review, but not for a minimum of six (6) years.
Guidance: Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Requirements are not in place to retain records of audit report review.
Guidance: Records of audit report review should be retained for a minimum of six (6) years. Your state or jurisdiction may have additional requirements beyond the six (6) year retention requirement.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 16: Do you maintain records of physical changes, upgrades, and modifications to your facility?
References (all responses): Addressable | HIPAA: §164.310(a)(2)(iv) | NIST CSF: PR.DS, PR.MA | HICP: N/A

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed and our workforce members' roles and responsibilities in that process. Any changes to our facility's security components go through an authorization process.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed. Any changes to our facility's security components go through an authorization process.
Guidance: Consider including in your procedural documentation what your workforce members' roles and responsibilities are in the repair and modification of physical security components within your facility. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: Yes. We have written procedures to document modifications to our facility. This includes documenting when physical security component repairs, modifications, or updates are needed.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: No. We communicate and verbally authorize when repairs, modifications, or upgrades to the facility's physical security components are needed, but we do not have written procedures for this process.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: No. We do not maintain a log of changes, upgrades, or modifications to our facility.
Guidance: Consider including in your procedural documentation workforce members' roles and responsibilities as well as the authorization process for making repairs, modifications, and updates to your facility's physical security components. If this is determined to not be reasonable and appropriate, document the reason why and implement a compensating control.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 17: How do you maintain awareness of the movement of electronic devices and media?
References (all responses): Addressable | HIPAA: §164.310(d)(2)(iii) | NIST CSF: PR.MA, PR.PT, DE.AE, DE.CM, PR.DS | HICP: TV1, Practice # 5, 10

Response: We maintain a detailed inventory of all electronic devices and media which contain ePHI, including where they are located, which workforce members are authorized to access or possess the devices, and to where they are moved.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: We keep a basic list of devices but do not formally track their movement.
Guidance: Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: We rely on personal memory to maintain awareness of device location, movement, and access authorization.
Guidance: Devices should be tracked according to which workforce members have access to or possession of them, where they are located, and where they are moved. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
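The inventory and movement tracking that Questions 7 and 17 describe, as an added example that is not part of the SRA Tool or HealthIT.gov: each device record carries its function, recorded location, authorized custodians and a move log, and a periodic walk-through is reconciled against it. The asset tags, rooms and workforce names are constructed sample data, and the 90-day verification window is an assumed review interval, not one the workbook sets.

```python
"""Added example, not part of the SRA Tool workbook: a minimal electronic-device
inventory with a movement log, covering what Questions 7 and 17 ask you to
track (device, function, location, authorized workforce members, and where
devices are moved). Every asset tag, room and user name here is constructed
sample data; the 90-day verification window is an assumed review interval."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    asset_tag: str
    function: str               # what the device is used for
    location: str               # where it is recorded as being
    custodians: set             # workforce members authorized to possess it
    holds_ephi: bool            # drives the verification deadline below
    last_verified: date         # last physical confirmation of its location
    moves: list = field(default_factory=list)   # (date, from, to, moved_by)


class DeviceInventory:
    def __init__(self, devices):
        self.devices = {d.asset_tag: d for d in devices}
        self.rejected_moves = []   # moves attempted by non-custodians, for review

    def record_move(self, asset_tag, new_location, moved_by, when):
        """Log a move only if the mover is an authorized custodian; otherwise
        keep the recorded location and queue the attempt for review."""
        d = self.devices[asset_tag]
        if moved_by not in d.custodians:
            self.rejected_moves.append((when, asset_tag, moved_by, new_location))
            return False
        d.moves.append((when, d.location, new_location, moved_by))
        d.location = new_location
        d.last_verified = when
        return True

    def reconcile(self, walkthrough, today, max_age_days=90):
        """Compare a physical walk-through (list of (asset_tag, room) pairs)
        against the inventory and report what needs attention:
          missing    - recorded devices that were not found
          unexpected - devices found that are not in the inventory at all
          relocated  - devices found somewhere other than their recorded room
          overdue    - ePHI-bearing devices not verified within max_age_days
        Devices that were found get their verification date refreshed; a
        relocated device keeps its recorded room until an authorized move
        is logged, so the discrepancy stays visible."""
        found = dict(walkthrough)
        report = {"missing": [], "unexpected": [], "relocated": [], "overdue": []}
        for tag in sorted(found):
            if tag not in self.devices:
                report["unexpected"].append(tag)
        for tag in sorted(self.devices):
            d = self.devices[tag]
            if tag not in found:
                report["missing"].append(tag)
            else:
                if found[tag] != d.location:
                    report["relocated"].append((tag, d.location, found[tag]))
                d.last_verified = today
            if d.holds_ephi and (today - d.last_verified).days > max_age_days:
                report["overdue"].append(tag)
        return report


def sample_inventory():
    """Constructed sample data for a small practice."""
    return DeviceInventory([
        Device("LT-0001", "clinical charting laptop", "Exam Room 2",
               {"dr.patel"}, True, date(2024, 1, 10)),
        Device("PRN-0002", "front desk printer", "Front Desk",
               {"reception"}, False, date(2024, 1, 10)),
        Device("TAB-0003", "patient intake tablet", "Front Desk",
               {"reception", "nurse.lee"}, True, date(2023, 9, 1)),
        Device("USB-0004", "encrypted backup drive", "Records Safe",
               {"it.admin"}, True, date(2023, 11, 15)),
    ])


def run_quarterly_review():
    """Worked scenario: one authorized move, one rejected move, then a
    walk-through on 1 April 2024 that also turns up a device nobody inventoried."""
    inv = sample_inventory()
    inv.record_move("LT-0001", "Dr. Patel Office", "dr.patel", date(2024, 3, 1))
    inv.record_move("TAB-0003", "Exam Room 1", "vendor.tech", date(2024, 3, 2))
    walkthrough = [("LT-0001", "Dr. Patel Office"),
                   ("TAB-0003", "Exam Room 1"),
                   ("USB-9999", "Break Room")]
    return inv, inv.reconcile(walkthrough, date(2024, 4, 1))


if __name__ == "__main__":
    inv, report = run_quarterly_review()
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("rejected moves:", inv.rejected_moves)
```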
Question 18: Are electronic devices secured?
References (all responses): Required | HIPAA: §164.310(c) | NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM | HICP: TV1, Practice # 2

Response: Yes. We have procedures for safeguarding all electronic devices (such as screen guards, cable locks, locking storage rooms, cameras, and other physical features).
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: We secure electronic devices, but do not have documented procedures for these safeguards.
Guidance: Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: We do not have any procedures to secure electronic devices in our facility.
Guidance: Secure electronic devices with appropriate safeguards, such as screen guards, cable locks, locking storage rooms, cameras, and other physical features. Document these safeguards in your policies and procedures. A small organization's endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment).

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
Question 19: Do you back up ePHI to ensure availability when devices are moved?
References (all responses): Addressable | HIPAA: §164.310(d)(2)(iv) | NIST CSF: PR.DS, PR.IP | HICP: TV1, Practice # 4

Response: Yes. Our critical data and ePHI are centrally stored (such as in a cloud or Active Directory server) and can be accessed from any authorized device.
Guidance: This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: Yes. We manage our own backups of all critical ePHI (using portable storage devices), which enables continued access during device movement.
Guidance: This is an effective option to protect the confidentiality, integrity, and availability of ePHI. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: No. We do not ensure that data will be available when stored on a removed device.
Guidance: ePHI can be lost, corrupted, or made inaccessible in the future if your practice does not create backup files that are retrievable and exact copies. Make sure backups will be available and functional when needed through periodic testing. Train staff never to back up data on uncontrolled storage devices or personal cloud services. Leveraging the cloud for backup purposes is acceptable if you have established an agreement with the cloud vendor and verified the security of the vendor's systems.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes
20. Do you ensure devices which created, maintained, received, or transmitted ePHI are effectively sanitized when they are disposed of?

  Response: Yes. We remove any data storage or memory component from the device and then store it in a secure location. Data is wiped from the device prior to disposing of the device using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: Yes. Devices are given to a third party, which wipes the data and disposes of the devices appropriately using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. We are provided a certificate of destruction outlining the specific devices that were disposed of whenever this is performed.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: Devices are given to a third party, which wipes the data and disposes of the devices appropriately. We are not provided a certificate of destruction to confirm appropriate disposal.
  Guidance: Third parties should provide documentation certifying that equipment has been properly disposed of. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: We maintain a secure area where items are stored prior to disposal, and this is documented in our asset inventory listing.
  Guidance: ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: No. We place unused devices out of normal work areas but these are not secured.
  Guidance: Unused and old equipment should be stored in a secure area if it contains/contained ePHI. ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: No. We do not have procedures for the disposal of devices and media.
  Guidance: ePHI can be removed from your facilities without being observed and/or monitored if your practice does not have security policies and procedures to physically protect and securely store electronic devices and media. ePHI on these devices should be purged using a method that conforms to guidelines in NIST SP 800-88 and OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Although it can be difficult to implement and sustain IT asset management processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Response: Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  Required?: Required
  Reference: HIPAA: §164.310(d)(1); NIST CSF: PR.AC, PR.DS, PR.PT, PR.IP; HICP: TV1, Practice # 5

  Notes
21. How do you determine what is considered appropriate use of electronic devices and connected network devices?

  Response: We have documented policies and procedures in place outlining proper functions to be performed on electronic devices and connected network devices (e.g. whether or not they should access ePHI), how those functions will be performed, who is authorized to use the devices, and the physical surroundings of the devices.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
  Required?: Required
  Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA; HICP: TV1, Practice # 4, 5

  Response: We verbally communicate appropriate use of equipment but do not have requirements outlined in writing.
  Guidance: Develop policies and procedures to enforce access control policies that define the appropriate use and surroundings of information systems, electronic devices, and other electronic devices that contain ePHI (such as laptops, printers, copiers, tablets, smart phones, monitors, and other devices). As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
  Required?: Required
  Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA; HICP: TV1, Practice # 4, 5

  Response: We do not have any policies or procedures outlining appropriate use of electronic devices and connected devices.
  Guidance: Workforce members, business associates, service providers, and the general public may not be aware of how to use devices appropriately, or how to secure those devices physically, if your practice does not implement policies and procedures that define expectations for proper use. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
  Required?: Required
  Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA; HICP: TV1, Practice # 4, 5

  Response: Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  Required?: Required
  Reference: HIPAA: §164.310(b); NIST CSF: PR.AC, PR.DS, PR.PT, DE.CM, ID.RA; HICP: TV1, Practice # 4, 5

  Notes
22. Do you ensure access to ePHI is terminated when employment or other arrangements with the workforce member ends?

  Response: Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, including recovery of access control devices (including organization-owned devices, media, and equipment), deactivation of information system access, appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI, time frames to terminate access to ePHI, and exit interviews that include a discussion of privacy and security topics regarding ePHI.
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: Yes. We have written procedures documenting termination or change of access to ePHI upon termination or change of employment, but not detailing all of the variables listed above.
  Guidance: Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: Yes. We have a verbal process to ensure access to ePHI is changed or terminated as needed, but no written procedures.
  Guidance: Changes to access to ePHI should be documented in the event of device recovery, deactivation of user access, and changes in access levels or privileges. Policy documentation should include details on how the process is completed. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: No. We do not have a process to ensure access to ePHI is changed or terminated as needed.
  Guidance: Individuals without a need to know can access your practice's ePHI if it does not have documented policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Notes
23. Do you have procedures for terminating or changing third-party access when the contract, business associate agreement, or other arrangement with the third party ends or is changed?

  Response: Yes
  Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: No
  Guidance: Ensure that access to ePHI by third parties is terminated or changed appropriately when your contractual relationship with them ends or changes, respectively. When an employee leaves your organization, ensure that procedures are executed to terminate the employee's access immediately. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is very important for organizations that use cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if an employee changes jobs within the organization, it is important to terminate access related to the employee's former position before granting access based on the requirements for the new position.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Response: Flag this question for later.
  Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
  Required?: Addressable
  Reference: HIPAA: §164.308(a)(3)(ii)(C); NIST CSF: PR.AC, PR.IP; HICP: TV1, Practice # 3

  Notes
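As an added example (not part of the SRA Tool workbook) of the check behind questions 22 and 23: a reconciliation of an HR and vendor roster against directory accounts that flags former workforce members and ended third-party arrangements still holding enabled accounts, and role changes that kept former-position groups. The roster and account formats, the role-to-group mapping and the sample users are constructed assumptions, not data from the page.

```python
"""Reconcile an HR/vendor roster against directory accounts to find access that
should already have been terminated or changed (added example, not from the SRA Tool).
The record layouts and the role-to-group mapping are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class RosterEntry:
    user: str
    kind: str                        # "workforce" or "third-party"
    status: str                      # "active", "terminated" or "changed-role"
    role: str                        # current role (or role held at termination)
    former_role: Optional[str] = None
    end_date: Optional[date] = None  # termination date or contract/BAA end date


@dataset := None  # placeholder removed below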
24 How do you ensure media is sanitized prior to re-use?
We have a process to completely purge data from all This is an effective option among those provided to protect the confidentiality, Required HIPAA: §164.310(d)(2)(ii)
devices prior to re-use through device reimaging, integrity, and availability of ePHI. Ensure that obsolete data are removed or NIST CSF: PR.IP, PR.MA
degaussing, or other industry standard method; our destroyed properly so they cannot be accessed by cyber-thieves. Just as paper HICP: TV1, Practice # 4
method conforms to guidelines in medical and financial records must be fully destroyed by shredding or burning,
NIST SP 800-88 and OCR Guidance to Render Unsecured digital data must be properly disposed of to ensure that they cannot be
Protected Health Information Unusable, Unreadable, or inappropriately recovered. Discuss options for properly disposing of outdated or
Indecipherable to Unauthorized Individuals. unneeded data with your IT support. Do not assume that deleting or erasing files
means that the data are destroyed.

We sometimes remove ePHI from devices using a Implement procedures for removal of ePHI from electronic media before the media Required HIPAA: §164.310(d)(2)(ii)
method that conforms to guidelines in are made available for re-use. Ensure that obsolete data are removed or destroyed NIST CSF: PR.IP, PR.MA
NIST SP 800-88 and OCR Guidance to Render Unsecured properly so they cannot be accessed by cyber-thieves. Just as paper medical and HICP: TV1, Practice # 4
Protected Health Information Unusable, Unreadable, or financial records must be fully destroyed by shredding or burning, digital data must
Indecipherable to Unauthorized Individuals, but not be properly disposed of to ensure that they cannot be inappropriately recovered.
always, prior to re-use. Discuss options for properly disposing of outdated or unneeded data with your IT
support. Do not assume that deleting or erasing files means that the data are
destroyed.

We delete files with ePHI from devices but do not do Deleting files does not fully purge data from the device. Implement procedures for Required HIPAA: §164.310(d)(2)(ii)
anything else to purge data prior to re-use. removal of ePHI from electronic media before the media are made available for re- NIST CSF: PR.IP, PR.MA
use. Ensure that obsolete data are removed or destroyed properly so they cannot HICP: TV1, Practice # 4
be accessed by cyber-thieves. Just as paper medical and financial records must be
fully destroyed by shredding or burning, digital data must be properly disposed of to
ensure that they cannot be inappropriately recovered. Discuss options for properly
disposing of outdated or unneeded data with your IT support. Do not assume that
deleting or erasing files means that the data are destroyed.

We do not have a process to remove ePHI from devices Implement procedures for removal of ePHI from electronic media before the media Required HIPAA: §164.310(d)(2)(ii)
prior to re-use. are made available for re-use. Ensure that obsolete data are removed or destroyed NIST CSF: PR.IP, PR.MA
properly so they cannot be accessed by cyber-thieves. Just as paper medical and HICP: TV1, Practice # 4
financial records must be fully destroyed by shredding or burning, digital data must
be properly disposed of to ensure that they cannot be inappropriately recovered.
Discuss options for properly disposing of outdated or unneeded data with your IT
support. Do not assume that deleting or erasing files means that the data are
destroyed.

We have a third party business associate sanitize devices Document procedures for removal of ePHI from electronic media before the media Required HIPAA: §164.310(d)(2)(ii)
for the practice prior to their re-use. The business are made available for re-use. Make sure your practice maintains detailed records of NIST CSF: PR.IP, PR.MA
associate does not provide a certificate of proper the sanitization performed and have a BAA in place with the business associate. HICP: TV1, Practice # 4
disposal identifying the sanitized devices individually Ensure that obsolete data are removed or destroyed properly so they cannot be
(e.g. with serial numbers). accessed by cyber-thieves. Just as paper medical and financial records must be fully
destroyed by shredding or burning, digital data must be properly disposed of to
ensure that they cannot be inappropriately recovered. Discuss options for properly
disposing of outdated or unneeded data with your IT support. Do not assume that
deleting or erasing files means that the data are destroyed.

We have a third party business associate sanitize devices This is an effective option among those provided to protect the confidentiality, Required HIPAA: §164.310(d)(2)(ii)
for the practice prior to their re-use. The business integrity, and availability of ePHI. Ensure that obsolete data are removed or NIST CSF: PR.IP, PR.MA
associate always provide a certificate of proper disposal destroyed properly so they cannot be accessed by cyber-thieves. Just as paper HICP: TV1, Practice # 4
identifying the sanitized devices individually (e.g. with medical and financial records must be fully destroyed by shredding or burning,
serial numbers). digital data must be properly disposed of to ensure that they cannot be
inappropriately recovered. Discuss options for properly disposing of outdated or
unneeded data with your IT support. Do not assume that deleting or erasing files
means that the data are destroyed.

Flag this question for later. This question will be marked as an area for review and will be included in the Required HIPAA: §164.310(d)(2)(ii)
"Flagged Questions" report. NIST CSF: PR.IP, PR.MA
HICP: TV1, Practice # 4
Notes

Threats & Vulnerabilities Likelihood Impact Risk Score


1 Inadequate facility access management procedures where information systems reside
Unauthorized access to facility occurs undetected
Workforce and visitors access critical or sensitive business areas without authorization
Increased response time to respond to facility security incidents
Inconsistency in granting access to facilities
2 Inadequate physical protection for information systems
Access allowed by unauthorized personnel
Adversary access to unauthorized network segments (via wireless penetration or USB/removable media)
Insider tampering of sensitive network equipment
Disruption of business processes, information system function, and/or prolonged adversarial presence within information systems
Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
Exploitation of unpatched systems & software
Unauthorized access to or modification of ePHI/sensitive information
Adversarial sniffing/wiretapping/eavesdropping on network traffic
3 Undocumented location of equipment or assets
Unconfirmed identity of connected physical devices/equipment
Unauthorized devices gaining access to the network
Unconfirmed identity of connected devices/equipment
Exploitation of unsecured computer systems
4 Inadequate access controls for business associate and vendor access
Adversary leverages third party access to gain access to facility and devices
Adversary leverages third party access to exfiltrate data or assets
Uncontrolled access used to disrupt or steal equipment or data
Damage to public reputation due to breach
ePHI accessed by unauthorized entities
Inability to confirm identity of visitor throughout the facility
Inability to monitor physical location of business associates and vendors within the facility
Tampering of sensitive network equipment
5 Inadequate sanitation of media
Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
Disclosure of passwords and or login information
Unauthorized access to ePHI/sensitive information
Unknown disposition of unused devices and data
Unauthorized modification of user accounts and/or permissions
6 Inadequate procedures for proper workstation and connected network device security
Appropriate security settings may not be applied to all devices/equipment
Unauthorized connected devices/equipment on the network
Unauthorized access to or modification of ePHI/sensitive information
Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
Workstations or devices tampered with, lost, or destroyed
7 Failure to ensure user accounts are configured with appropirate permissions
Access granted to and maintained by unauthorized persons
Adversary gaining access to unauthorized areas of the facility
Adversary retains presence within or access to information systems
Damage to public reputation due to breach
Disclosure of passwords and or login information
ePHI exfiltrated to unauthorized entities
Exploiting unpatched systems & software
Tampering of sensitive network equipment
Unauthorized access to ePHI
Unauthorized access to sensitive information
Unauthorized modification to ePHI
Section 6 - Security and Business Associates
Question Response
#
Section Question Text Indicator Question Responses Guidance Risk Indicated Required? Reference
Questions
1 Do you contract with business associates or other third-party
vendors?
Yes. Make sure all business associates and third-party vendors have been evaluated to Required HIPAA: N/A
determine whether or not they require a Business Associate Agreement. NIST CSF: ID.GV
HICP: N/A
No. If you don't have expertise to perform operational, security, or other tasks, Required HIPAA: N/A
contracting with third-party vendors and business associates can augment your NIST CSF: ID.GV
practice's capabilities. HICP: N/A
I don't know. If you don't have expertise to perform operational, security, or other tasks, Required HIPAA: N/A
contracting with third-party vendors and business associates can augment your NIST CSF: ID.GV
practice's capabilities. HICP: N/A
Flag this question for later. This question will be marked as an area for review and will be included in the Required HIPAA: N/A
"Flagged Questions" report. NIST CSF: ID.GV
HICP: N/A
Notes
2 Do you allow third-party vendors to access your information
systems and/or ePHI?
Yes. Make sure all business associates and third-party vendors have been evaluated to Required HIPAA: N/A
determine whether or not they require a Business Associate Agreement. User NIST CSF: ID.GV
accounts enable organizations to control and monitor each user €™s access to and HICP: TV1, Practice # 3
activities on devices, EHRs, e-mail, and other third-party software systems. It is
essential to protect user accounts to mitigate the risk of cyber threats.

No. Working with business associates and third-party vendors can be beneficial to your Required HIPAA: N/A
practice, as long as reasonable and appropriate security precautions are taken for NIST CSF: ID.GV
business associates accessing ePHI. User accounts enable organizations to control HICP: TV1, Practice # 3
and monitor each user€™s access to and activities on devices, EHRs, e-mail, and
other third-party software systems. It is essential to protect user accounts to
mitigate the risk of cyber threats.

I don't know. Consider looking into whether your practice allows business associates or third- Required HIPAA: N/A
party vendors to access your information systems. Your practice may be at risk and NIST CSF: ID.GV
unable to safeguard your ePHI if unauthorized third parties have access to your HICP: TV1, Practice # 3
information systems. User accounts enable organizations to control and monitor
each user€™s access to and activities on devices, EHRs, e-mail, and other third-party
software systems. It is essential to protect user accounts to mitigate the risk of cyber
threats.
Flag this question for later. This question will be marked as an area for review and will be included in the Required HIPAA: N/A
"Flagged Questions" report. NIST CSF: ID.GV
HICP: TV1, Practice # 3
Notes
3 How do you identify which business associates need access
to create, receive, maintain, or transmit ePHI?
We review business associate contracts to determine This is the most effective option among those provided to protect the Required HIPAA: §164.308(b)(1)
which vendors or contractors require access to ePHI and confidentiality, integrity, and availability of ePHI. As user accounts are established, NIST CSF: ID.AM, PR.AC, PR.DS
we include a Business Associate Agreement (BAA) in our the accounts must be granted access to the organization €™s computers and HICP: TV1, Practice # 3
contract with them. programs, as appropriate to each user. Consider following the €œminimum
necessary€ principle associated with the HIPAA Privacy Rule. Allow each user
access only to the computers and programs required to accomplish that user €™s job
or role in the organization. This limits the organization €™s exposure to unauthorized
access, loss, and theft of data if the user€™s identity or access is compromised.

We assume that business associates who need access to Take an active role in protecting your ePHI. Review your business associate Required HIPAA: §164.308(b)(1)
our ePHI will indicate that and include a BAA with their contracts to determine which business associates require a BAA and ensure fully NIST CSF: ID.AM, PR.AC, PR.DS
contract with us. executed BAAs are in place with all required business associates. As user accounts HICP: TV1, Practice # 3
are established, the accounts must be granted access to the organization €™s
computers and programs, as appropriate to each user. Consider following the
€œminimum necessary€ principle associated with the HIPAA Privacy Rule. Allow
each user access only to the computers and programs required to accomplish that
user€™s job or role in the organization. This limits the organization €™s exposure to
unauthorized access, loss, and theft of data if the user €™s identity or access is
compromised.
Response: I don't know. We have not formally considered which of our business associates require access to ePHI.
Guidance: Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required? Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AC, PR.DS; HICP: TV1, Practice # 3

Response: We have informal discussions to evaluate whether access to our ePHI is required.
Guidance: Take an active role in protecting your ePHI. Review your business associate contracts to determine which business associates require a BAA and ensure fully executed BAAs are in place with all required business associates. As user accounts are established, the accounts must be granted access to the organization's computers and programs, as appropriate to each user. Consider following the "minimum necessary" principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user's job or role in the organization. This limits the organization's exposure to unauthorized access, loss, and theft of data if the user's identity or access is compromised.
Required? Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AC, PR.DS; HICP: TV1, Practice # 3

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required? Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AC, PR.DS; HICP: TV1, Practice # 3

Notes:
Question 4: How does your practice enforce or monitor access for each of these business associates?
Required? Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AC, PR.DS, DE.CM; HICP: TV1, Practice # 3

Response: We determine degree of access based on the amount of ePHI accessed, the types of devices or mechanisms used for access, and our ability to control and monitor third-party access.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Implement access management procedures to track and monitor user access to computers and programs.

Response: We assume that all business associate access is equal with regard to determining risk.
Guidance: Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.

Response: We do not consider degree of access as it pertains to business associates.
Guidance: Take an active role in protecting your ePHI. Determine the degree of access a business associate has by reviewing the amount of ePHI accessed, the types of devices and mechanisms used for access, and your ability to control and monitor their access. Document your procedures in your security policies. Implement access management procedures to track and monitor user access to computers and programs.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 5: How do business associates communicate important changes in security practices, personnel, etc. to you?
Required? Required
Reference: HIPAA: N/A; NIST CSF: ID.GV; HICP: N/A

Response: Our BAAs include language describing how security-relevant changes should be communicated to our organization.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: We rely on our business associates to communicate with us in a manner they deem effective.
Guidance: Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.

Response: We are not sure how our business associates manage security or communicate changes to our practice.
Guidance: Consider including language in Business Associate Agreements describing their communication of relevant security changes to your practice.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 6: Have you executed business associate agreements with all business associates who create, receive, maintain, or transmit ePHI on your behalf?
Required? Required
Reference: HIPAA: §164.308(b)(3); NIST CSF: PR.AC; HICP: N/A

Response: Yes. We ensure all business associates have a fully executed BAA with us before creating, receiving, maintaining, or transmitting ePHI on our behalf.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes. We assume business associates with whom we require a BAA will prompt us to put one in place.
Guidance: Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.

Response: No. We do not execute BAAs when we have business associates accessing ePHI.
Guidance: Make sure all business associates who access ePHI have a fully executed BAA with your practice before being granted access. Include this requirement in your security policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 7: How do you maintain awareness of business associate security practices? (e.g. in addition to Business Associate Agreements)
Required? Required
Reference: HIPAA: N/A; NIST CSF: PR.AT, RS.CO, DE.CM; HICP: N/A

Response: Our practice performs extra due diligence in the form of monitoring third-party connections to our information systems or other forms of access, in addition to including language for security compliance in our Business Associate Agreements (BAAs).
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: We rely on the language of our BAAs to ensure that business associates are securing ePHI.
Guidance: Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.

Response: We are not sure how to maintain awareness of our business associates' security practices.
Guidance: Consider monitoring, auditing, or obtaining information from business associates to ensure the security of ePHI and include language about this in Business Associate Agreements.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 8: Do you include satisfactory assurances within your Business Associate Agreements pertaining to how your business associates safeguard ePHI?
Required? Required
Reference: HIPAA: §164.314(a)(1)(i); NIST CSF: ID.GV; HICP: N/A

Response: Yes. Our Business Associate Agreements include specifications on authorized use and disclosure of ePHI as well as other requirements as required by the Omnibus Rule updates to HIPAA.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes. BAAs include specifications on authorized use and disclosure of ePHI.
Guidance: Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.

Response: No. We are not sure about what satisfactory assurances are included in our BAAs.
Guidance: Ensure all BAAs have been updated to meet the requirements of the HIPAA Security Rule and Omnibus Rule updates to HIPAA.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 9: What terms are in your BAAs to outline how your business associates ensure subcontractors access ePHI securely?
Required? Required
Reference: HIPAA: §164.314(a)(2)(iii); NIST CSF: DE.AE, DE.DP, RS.CO; HICP: N/A

Response: In addition to language in our BAAs, our Business Associates provide specific assurances to us, including how they ensure subcontractors secure ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Our BAAs include language requiring the business associate to obtain satisfactory assurances from subcontractors as to how they protect ePHI.
Guidance: Consider reviewing with your business associates how they manage security expectations for their subcontractors.

Response: We are not sure how to obtain satisfactory assurances from subcontractors.
Guidance: Ensure your practice can safeguard ePHI by ensuring the terms and conditions of your practice's BAAs outline appropriate requirements for your BAAs with subcontractors.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 10: Do your BAAs require your third-party vendors to report security incidents to your practice in a timely manner?
Required? Required
Reference: HIPAA: §164.314(a)(2)(i)(C); NIST CSF: ID.RA, DE.AE, DE.DP, RS.CO; HICP: TV1, Practice # 8

Response: Yes. Our BAAs describe requirements to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to our practice in a timely manner.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.

Response: No. We are not sure how this requirement is described within our BAAs.
Guidance: Your practice may not be able to safeguard its information systems and ePHI if your practice's Business Associates are not required to provide satisfactory assurances for the protection of ePHI, obtain the same assurances from its subcontractors, and report security incidents (experienced by the Business Associate or its subcontractors) to you in a timely manner. Make sure your point of contact with your business associate knows whom to contact at your organization to provide information about security incidents.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 11: Have you updated all your BAAs to reflect the requirements in the 2013 Omnibus Rule updates to HIPAA?
Required? Required
Reference: HIPAA: §164.314(a)(1); NIST CSF: ID.AM, ID.BE, PR.AT, ID.GV; HICP: N/A

Response: We have reviewed all BAAs and have confirmed their compliance with the Omnibus Rule updates to HIPAA.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: We have reviewed all BAAs and are in the process of updating formerly out-of-date BAAs.
Guidance: Update BAAs to reflect Omnibus Rule updates to HIPAA and HIPAA compliance.

Response: We assume all BAAs are up to date with the Omnibus Rule updates to HIPAA but have not reviewed the agreements to make sure.
Guidance: All BAAs should be reviewed to ensure compliance with the Omnibus Rule updates to HIPAA and HIPAA compliance.

Response: We are not sure if our BAAs are up to date with Omnibus Rule requirements.
Guidance: All BAAs should be reviewed to ensure compliance with the Omnibus Rule updates to HIPAA and HIPAA compliance.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 12: How does your practice document all of its business associates requiring access to ePHI?
Required? Required
Reference: HIPAA: §164.308(b)(1); NIST CSF: ID.AM, PR.AC, PR.DS; HICP: N/A

Response: We maintain a current listing of all business associates with access to ePHI in addition to having Business Associate Agreements (BAAs) on file with any business associates with access to ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: We maintain copies of fully executed BAAs on file for any business associates with access to ePHI.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.

Response: We are not sure how these business associate relationships are documented.
Guidance: Knowing who provides services to your practice and the nature of the services is an important component of your security plan. Note that the Office for Civil Rights may request an inventory listing of your Business Associates in the event of an audit or investigation.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 13: Do you obtain Business Associate Agreements (BAAs) from business associates who access another covered entity's ePHI on your behalf?
Required? Required
Reference: HIPAA: §164.308(b)(2); NIST CSF: N/A; HICP: N/A

Response: Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates as well as subcontractors to those covered entities who contract with us.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes. We make sure to have BAAs in place with covered entities for which we are Business Associates.
Guidance: Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.

Response: No. We do not obtain assurances from business associates who access another covered entity's ePHI on our behalf.
Guidance: Make sure your practice has BAAs in place with covered entities for which your practice is a Business Associate as well as subcontractors to those covered entities who contract with your practice.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:

Threats & Vulnerabilities (Likelihood | Impact | Risk Score)

1. Uncontrolled access to ePHI to business associates/vendors
   - Access to unauthorized segments of the network
   - Carelessness causing disruption to computer systems
   - Carelessness exposing ePHI
   - Damage to public reputation due to breach
   - Disclosure of passwords and/or login information
   - ePHI exfiltrated to unauthorized entities
   - Exploiting unpatched systems & software
   - Unauthorized access to ePHI
   - Unauthorized modification to ePHI

2. Inadequate business associate/vendor agreements
   - Inability to hold third parties accountable to securing your ePHI
   - Breach goes unreported due to lack of established communication requirements with third-party
   - Provide sensitive information and ePHI without authorization
   - Loss of support services or contracts
   - Damage to public reputation or litigation

3. No security or privacy assurances obtained from business associates/vendors
   - Information system or facility access granted to unauthorized personnel
   - Adversarial access to unauthorized network segments
   - Corrective enforcement outcomes from regulatory agencies
   - Disclosure of passwords and/or login information
   - Social engineering or hacking attack affecting third-party impacts your practice's data
   - Disruption of access to data due to inadequate contractor security controls
   - Unauthorized access to or modification of ePHI/sensitive information
   - Exploitation of unsecured third-party systems & software
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)

4. Failure to update or review business associate contracts
   - Contract termination due to expiration
   - Provide sensitive information and ePHI without authorization
   - Disruption of access to data due to contract dispute or lapse
   - Inability to determine the criticality of access granted to third parties
   - Fines, litigation, and financial penalties from non-compliance
Section 7 - Contingency Planning
Columns: Section Questions | Question # | Question Text | Response Indicator | Question Responses | Guidance | Risk Indicated | Required? | Reference
Question 1: Does your practice have a contingency plan in the event of an emergency?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 8

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: No.
Guidance: Ensure your practice can operate effectively and efficiently in an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: I don't know.
Guidance: Ensure your practice can operate effectively and efficiently in an emergency by having a contingency plan. This should be included in your documented policies and procedures. The contingency plan should be reviewed, tested, and updated periodically. As part of this you should determine what critical services and ePHI must be available during an emergency. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 2: Is your contingency plan documented?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: Your contingency plan should be documented in your policies and procedures.

Response: I don't know.
Guidance: Your contingency plan should be documented in your policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 3: Do you periodically update your contingency plan?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, RS.IM, RC.IM; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Yes, but only if there are changes in our practice.
Guidance: Consider reviewing and updating your contingency plan on a periodic basis.

Response: No.
Guidance: Consider reviewing and updating your contingency plan on a periodic basis.

Response: I don't know.
Guidance: Consider reviewing and updating your contingency plan on a periodic basis.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 4: How do you ensure that your contingency plan is effective and updated appropriately?
Required? Required
Reference: HIPAA: §164.308(a)(7)(ii)(D); NIST CSF: RS.IM, ID.RA, PR.IP, RC.IM, ID.BE; HICP: N/A

Response: We periodically review the plan's contents, perform tests of the plan, and record the results. We revise the plan as needed and document this in policy.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: We periodically review the plan's contents but do not perform any tests or exercises of the plan's effectiveness.
Guidance: Consider periodically testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.

Response: We periodically run tests or exercises of the plan's effectiveness, but we do not document these tests. We have not made updates to our contingency plan yet.
Guidance: Consider maintaining documentation of contingency plan testing and revisions in your policies and procedures.

Response: We do not review or test our contingency plan.
Guidance: Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.

Response: I don't know.
Guidance: Consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.

Response: Other.
Guidance: Depending on what other actions your practice takes to ensure your contingency plan is updated appropriately, you may want to consider periodically reviewing and testing the contingency plan for effectiveness. Maintain documentation of contingency plan testing and revisions in your policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 5: Have you considered what kind of emergencies could damage critical information systems or prevent access to ePHI within your practice?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.

Response: I don't know.
Guidance: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. You should also document how you would respond in these situations to maintain security of ePHI in your policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 6: What types of emergencies have you considered?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, ID.RA; HICP: N/A

Response: We have considered natural disasters, such as wildfire, damaging winds, floods, hurricanes, tornadoes, or earthquakes.
Guidance: You should consider infrastructure and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.

Response: We have considered man-made disasters, such as vandalism, biochemical warfare, toxic emissions, or civil unrest/terrorism.
Guidance: You should consider all infrastructure and natural disasters that could affect the confidentiality, integrity, and availability of ePHI.

Response: We have considered infrastructure issues, such as blackouts, road blocks, building hazards, network or data center outages.
Guidance: You should consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.

Response: All of the above.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: Other.
Guidance: You should consider infrastructure, natural, and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 7: Have you documented in your policies and procedures various emergency types and how you would respond to them?
Required? Required
Reference: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain security of ePHI in your policies and procedures.

Response: I don't know.
Guidance: Consider all natural and man-made disasters that could affect the confidentiality, integrity, and availability of ePHI. Document how you would respond in these situations to maintain security of ePHI in your policies and procedures.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 8: Does your practice have policies and procedures in place to prevent, detect, and respond to security incidents?
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP; HICP: N/A

Response: Yes.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.

Response: No.
Guidance: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect, and respond to security incidents.

Response: I don't know.
Guidance: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not have policies and procedures designed to help prevent, detect, and respond to security incidents.

Response: Flag this question for later.
Guidance: This question will be marked as an area for review and will be included in the "Flagged Questions" report.

Notes:
Question 9: How does your practice prevent, detect, and respond to security incidents?
Required? Required
Reference: HIPAA: §164.308(a)(6)(i); NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP; HICP: TV1, Practice # 8

Response: We have a security incident response plan documented in our policies and procedures.
Guidance: Consider testing the security incident response plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: As part of training exercises we periodically test our security incident response plan.
Guidance: Testing your incident response plan is an effective means of preparation and training. The incident plan should cover a range of categories to prepare for and should be documented in your policies and procedures. Also consider tracking security incident responses and outcomes and communicating them to the appropriate workforce members for security incident awareness and mitigation. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: We track all security incident responses and outcomes and report them to our security officer. We then ensure proper mitigation procedures are followed in a timely manner.
Guidance: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: We communicate recent security incident responses and outcomes to our workforce for additional security awareness and prevention.
Guidance: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: All of the above.
Guidance: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: Our security incident response plan is tested as needed (for example, when activated in real-world situations) but not on a periodic basis.
Guidance: Consider documenting your incident response plan in your policies and procedures and testing the plan periodically using a documented process. The incident plan should cover broad categories of incidents to prepare for. Testing the incident plan is an effective means of preparation and training. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: We do not have a process for managing security incidents or an incident response testing plan.
Guidance: Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Response: I don't know.
Guidance: Develop an incident response plan that covers broad categories of incidents to prepare for. Ensure that security incident response, reporting, and mitigation procedures are followed by workforce members, are conducted in a timely manner, and their outcomes are properly documented and communicated to the appropriate workforce members. Also consider testing the plan to ensure its effectiveness. Describe requirements for users to report suspicious activities in the organization and for the cybersecurity department to manage incident response.

Other. Consider developing an incident response plan that covers broad categories of Required HIPAA: §164.308(a)(6)(i)
incidents to prepare for. Ensure that security incident response, reporting, and NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
mitigation procedures are followed by workforce members, are conducted in a HICP: TV1, Practice # 8
timely manner, and their outcomes are properly documented and communicated to
the appropriate workforce members. Also consider testing the plan to ensure its
effectiveness. Describe requirements for users to report suspicious activities in the
organization and for the cybersecurity department to manage incident response.

Flag this question for later. This question will be marked as an area for review and will be included in the Required HIPAA: §164.308(a)(6)(i)
"Flagged Questions" report. NIST CSF: DE.AE, RS.CO, RC.CO, PR.IP, RS.IP
HICP: TV1, Practice # 8
Notes
10 Has your practice identified specific personnel as your incident response team?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV; HICP: TV1, Practice # 8

Response: No.
Education: Identify workforce members who need access to facilities in the event of an emergency, identify roles and responsibilities, and create a backup plan for accessing facilities and critical data. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV; HICP: TV1, Practice # 8

Response: I don't know.
Education: Identify workforce members who need access to facilities in the event of an emergency, identify roles and responsibilities, and create a backup plan for accessing facilities and critical data. Before an incident occurs, make sure you understand who will lead your incident investigation. Additionally, make sure you understand which personnel will support the leader during each phase of the investigation. At minimum, you should identify the top security expert who will provide direction to the supporting personnel.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV; HICP: TV1, Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.GV; HICP: TV1, Practice # 8

Notes
11 How are members of your incident response team identified and trained?

Response: Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire) as well as periodic reminders of our internal policies and procedures and testing exercises.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: Workforce members are trained on their role and responsibilities as part of the incident response team (upon hire).
Education: Train members of your incident response team both upon hire and during periodic review. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: Workforce members are informed verbally about their role and responsibility on the incident response team, but this is not a formal process.
Education: Consider formally documenting and training workforce members on matters regarding their role and responsibility on the incident response team. Testing your incident response plan can be an effective training method. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: We do not have a process to inform workforce members about their role and responsibility on the incident response team.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: I don't know.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: Other.
Education: Your practice may not be able to safeguard its information systems, applications, and ePHI if it does not identify members of its incident response team and assure workforce members are trained and that incident response plans are tested. At minimum, you should identify the top security expert who will provide direction to the supporting personnel. Ensure that the leader is fully authorized to execute all tasks required to complete the investigation.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(6)(ii); NIST CSF: PR.AT, RC.CO, ID.RM, PR.IP, DE.AE, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, ID.AM, ID.RA; HICP: TV1, Practice # 8

Notes
12 Has your practice evaluated and determined which systems and ePHI are necessary for maintaining business-as-usual in the event of an emergency?

Response: Yes, we have a process of evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed by executing our contingency plan. This is documented along with our asset inventory.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10

Response: Yes, we have identified which information systems are more critical than others, including those of business associates, but have not formally documented this in our contingency plan.
Education: Consider documenting this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10

Response: No, we have not implemented a process for identifying and assessing criticality of information systems.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10

Response: I don't know.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10

Response: Other.
Education: Consider evaluating all hardware and software systems, including those of business associates, to determine criticality of the systems and ePHI that would be accessed. Document this process and include all mission-critical systems in your contingency plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP; HICP: TV1, Practice # 10
Notes
13 How would your practice maintain access to ePHI in the event of an emergency, system failure, or physical disaster?

Response: We have established procedures and mechanisms for obtaining necessary electronic protected health information during an emergency.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO; HICP: N/A

Response: We have mechanisms in place to obtain access to ePHI during an emergency but do not have procedures documenting how these mechanisms are to be utilized.
Education: Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage (e.g., a cloud environment).
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO; HICP: N/A

Response: We do not have procedures or mechanisms to maintain access to ePHI in the event of an emergency.
Education: Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage (e.g., a cloud environment).
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO; HICP: N/A

Response: I don't know.
Education: Document procedures to describe how your practice will maintain access to ePHI in the event of an emergency, system failure, or physical disaster. Your practice might not be able to recover ePHI and other health information during an emergency or when systems become unavailable if it does not back up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage (e.g., a cloud environment).
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: PR.AC, ID.BE, PR.DS, PR.IP, PR.MA, PR.PT, RS.RP, RS.CO; HICP: N/A

Notes
14 How would your practice maintain security of ePHI and crucial business processes before, during, and after an emergency?

Response: We have robust contingency plans which provide for alternate site or other means for continued access to ePHI. We test them periodically to ensure continuity of security processes in an emergency setting.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Response: We have contingency plans which will be used to maintain continuity of security processes during an emergency setting.
Education: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Response: We have not implemented a means of ensuring continuity of security processes in an emergency setting.
Education: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Response: I don't know.
Education: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Response: Other.
Education: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(7)(ii)(C); NIST CSF: ID.BE, ID.RM, PR.IP, RS.RP, RS.CO, RS.AN, RC.CO, RC.RP; HICP: N/A

Notes
15 Do you have a plan for backing up and restoring critical data?

Response: Yes, we have a plan for determining which data is critically needed, creating retrievable, exact copies of critical data and how to restore that data, including from alternate locations. We also test and revise the plan, as needed.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required & Addressable
References: HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice # 10

Response: Yes, we have a plan for creating retrievable, exact copies of critical data and how to restore that data. We do not have a process for testing and revising this plan.
Education: Consider conducting periodic tests of backup recovery procedures. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required & Addressable
References: HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice # 10

Response: We do not have a data backup and restoration plan.
Education: You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required & Addressable
References: HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice # 10

Response: I don't know.
Education: You should establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Consider looking into whether your practice is implementing, documenting, and testing a data backup and restoration plan. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
Required/Addressable: Required & Addressable
References: HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice # 10

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required & Addressable
References: HIPAA: §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B), and §164.308(a)(7)(ii)(E); NIST CSF: ID.BE, ID.RA, ID.RM, RS.AN, PR.IP, RS.RP, RS.CO, RC.CO, RC.RP, PR.DS; HICP: TV1, Practice # 10

Notes
16 How is your practice's emergency procedure activated?

Response: Upon identification or initiation of an emergency situation, emergency procedures are activated according to documented procedure, such as by formal communication from the security officer or other designated personnel.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO; HICP: N/A

Response: We do not have a procedure to ensure that the emergency procedure is activated consistently when emergency events are identified.
Education: Details about how and when to activate should be documented in the emergency procedure.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO; HICP: N/A

Response: I don't know.
Education: Details about how and when to activate should be documented in the emergency procedure.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: ID.BE, PR.IP, PR.PT, DE.DP, RS.RP, RS.CO; HICP: N/A

Notes
17 How is access to your facility coordinated in the event of disasters or emergency situations?

Response: We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Members of the workforce who need access to the facility in an emergency have been identified. Roles and responsibilities have been defined. A backup plan for accessing the facility and critical data is in place.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Addressable
References: HIPAA: §164.310(a)(2)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP; HICP: N/A

Response: We have written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency, but it does not include all of the variables described above.
Education: Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.
Required/Addressable: Addressable
References: HIPAA: §164.310(a)(2)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP; HICP: N/A

Response: We do not have a written plan for accessing the facility in the event of disasters or emergency situations.
Education: Implement written policies and procedures outlining facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. Ensure members of the workforce who need access to the facility in an emergency have been identified. Define workforce member roles and responsibilities. Ensure that a backup plan for accessing the facility and critical data is in place.
Required/Addressable: Addressable
References: HIPAA: §164.310(a)(2)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Addressable
References: HIPAA: §164.310(a)(2)(i); NIST CSF: ID.BE, ID.RM, PR.AC, PR.IP, RS.RP, PR.DS, RS.CO, RC.RP; HICP: N/A

Notes
18 How is your emergency procedure terminated after the emergency circumstance is over?

Response: Upon the conclusion of the emergency situation, normal operations are resumed according to documented procedure, such as by formal communication from the security officer or other designated personnel.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HICP: N/A

Response: We do not have a procedure to ensure that normal operations are resumed after the conclusion of an emergency.
Education: Details about how and when to terminate should be documented in the emergency procedure.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HICP: N/A

Response: I don't know.
Education: Details about how and when to terminate should be documented in the emergency procedure.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.312(a)(2)(ii); NIST CSF: N/A; HICP: N/A
Notes
19 Do you formally evaluate the effectiveness of your security safeguards, including physical safeguards?

Response: Yes.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: No.
Education: Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: I don't know.
Education: Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Notes
20 How do you evaluate the effectiveness of your security safeguards, including physical safeguards?

Response: We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards. Our evaluation is conducted periodically and in response to changes in the security environment.
Education: This is the most effective option among those provided to protect the confidentiality, integrity, and availability of ePHI.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: We have procedures in place to evaluate the effectiveness of our security policies and procedures, physical safeguards, and technical safeguards, but we do not update them with any set frequency.
Education: Consider conducting technical and non-technical evaluations of security policies and procedures periodically and in response to changes in the security environment.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: We do not have a formal process to evaluate the effectiveness of our security safeguards.
Education: Consider conducting technical and non-technical evaluations of security policies and procedures. This should be done periodically and in response to changes in the security environment.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A

Response: Flag this question for later.
Education: This question will be marked as an area for review and will be included in the "Flagged Questions" report.
Required/Addressable: Required
References: HIPAA: §164.308(a)(8); NIST CSF: ID.AM, ID.BE, ID.RA, PR.IP, DE.AE, DE.CM, DE.DP, RS.MI, RS.IM, RC.MI; HICP: N/A


Notes

Threats & Vulnerabilities    Likelihood    Impact    Risk Score

1 Failure to adopt a documented business contingency plan
   - Corrective enforcement outcomes from regulatory agencies
   - Failure to define purpose, scope, roles/responsibilities, and/or management commitment
   - Inability to demonstrate recovery objectives and restoration priorities
   - Litigation due to not meeting minimum security requirements
   - Unguided procedures during downtime or unexpected event

2 Failure to update or review contingency plan procedures
   - Information disclosure or theft (ePHI, proprietary, intellectual, or confidential)
   - Unauthorized access to or modification of ePHI/sensitive information
   - Out-of-date documentation not reflecting the most recent expected procedures
   - Inconsistent or inadequate contingency response due to uncertainty
   - Unguided procedures during downtime or unexpected event

3 Lack of consideration to reasonably anticipated environmental threats
   - Damage to public reputation due to information breach/loss
   - Physical damage to facility
   - Financial loss from increased downtime of information systems
   - Inability to recover from system failure
   - Increased recovery time during unexpected downtime of information systems
   - Injury or death of personnel (employee, patient, guest)
   - Loss of productivity
   - Overheating of network devices due to increased ambient temperature
   - Physical access granted to unauthorized persons or entities
   - Power outage affecting the availability of critical security and information systems

4 Infrequent training provided to staff and personnel regarding business contingency procedures
   - Damage to public reputation due to information breach/loss
   - Financial loss from increased downtime of information systems
   - Inability to recover from system failure
   - Increased recovery time during unexpected downtime of information systems
   - Loss of productivity

5 Inadequate written procedures for security incident tracking and monitoring
   - Adversaries maintain exploitation capability due to security incidents being undetected or undocumented
   - Failure to adopt remediation plan based on identified security incidents
   - Failure to define purpose, scope, roles, responsibilities, and/or management commitment pertaining to the tracking of security incidents

6 Lack of access to ePHI during emergency events
   - Damage to public reputation
   - Lost revenue from canceled appointments
Risk Score lookup (Likelihood x Impact):

Likelihood    Impact    Risk Score
Low           Low       Low
Low           Medium    Medium
Low           High      High
Medium        Low       Low
Medium        Medium    Medium
Medium        High      Critical
High          Low       Medium
High          Medium    High
High          High      Critical
