POLICY # 27
EVALUATION
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Perform a periodic technical and non-technical evaluation, based
initially upon the standards implemented under the Security Rule and
subsequently, in response to environmental or operational changes
affecting the security of EPHI, that establishes the extent to which an
entity's security policies and procedures meet the requirements of the
Security Rule.”
Policy Summary:
Sindecuse Health Center (SHC) must regularly conduct a technical and
non-technical evaluation of its security controls and processes to
document its compliance with its security policies and the HIPAA
Security Rule. The evaluation may be carried out by an appropriate SHC
business unit or third party; the process must be formal and defined.
After the initial evaluation, SHC must conduct a thorough technical and
non-technical evaluation of its security controls and processes when
environmental or operational changes significantly impact the
confidentiality, integrity or availability of its EPHI.
Purpose:
This policy reflects SHC’s commitment to regularly conduct a technical
and non-technical evaluation of its security controls and processes to
document compliance with its security policies and the HIPAA Security
Rule.
Policy:
1. SHC must regularly conduct a technical and non-technical evaluation
of its security controls and processes to document its compliance with its
security policies and the HIPAA Security Rule.
2. The evaluation may be carried out by an appropriate SHC business
unit such as the information security officer, internal audit department, or
a third-party organization that has appropriate skills and experience.
3. The evaluation must be formal and defined and at a minimum include:


A detailed review of SHC’s security policies, procedures and
standards to determine whether they are effective and
appropriate.
A gap analysis of the requirements of SHC’s security policies,
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
EVALUATION



procedures and standards and actual practices.
Identification of the risks to SHC information systems.
Assessment of the appropriateness of SHC security controls
compared to the risks to SHC information systems.
Testing of all significant SHC security controls to ensure that
hardware and software controls have been correctly
implemented. Such testing must be carried out only by
authorized and appropriately trained persons.
4. The results of the evaluation must be formally documented and
presented to appropriate SHC management. The document must be
securely maintained.
5. All appropriate areas and employees within SHC must be included in
the evaluation. These should include the following:



Information system owners and administrators
Information system users
Management
6. After the initial evaluation, SHC must conduct a thorough technical
and non-technical evaluation of its security controls and processes when
environmental or operational changes occur which significantly impact
the confidentiality, integrity, or availability of its EPHI. Such changes
include but are not limited to:




Significant security incidents to SHC information systems.
Significant new threats or risks to SHC information systems.
Significant changes to the organizational or technical
infrastructure of SHC.
Significant changes to SHC information security requirements or
responsibilities.
7. Such evaluations must be formal and defined and at a minimum
include:




A detailed review of SHC’s security policies, procedures and
standards to determine whether they are still effective and
appropriate.
Identification of the risks to SHC information systems after the
environmental or operational changes.
Assessment of the appropriateness of SHC security controls
compared to the risks to SHC information systems.
Testing of all SHC security controls affected by the changes to
ensure that hardware and software controls remain correctly and
appropriately implemented. Such testing must be carried out
only by authorized and appropriately trained persons.
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
EVALUATION
8. The results of all such evaluations must be formally documented and
presented to appropriate SHC management. The document must be
securely maintained.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.308(a)(8)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
EVALUATION
information, data, applications, communications, and people.
Security incident means the attempted or successful unauthorized access,
use, disclosure, modification, or destruction of information or
interference with system operations in an information system.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.