HIPAA - Evaluation 164.308(a)(8)
Overview:
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Action Items:
1) Obtain and review documentation of policies and procedures related to technical and nontechnical evaluation. Determine if such policies and procedures identify how evaluation findings, remediation options and recommendations, and remediation decisions are documented; specify that evaluations will be repeated on a periodic basis and/or when environmental or operational changes are made and/or a newly recognized risk affects the security of EPHI; and identify how frequently the current policies and procedures are themselves evaluated and updated. Elements to review may include but are not limited to:
- Workforce members’ roles and responsibilities in the technical and nontechnical evaluation;
- Management involvement in the process and approval of the technical and nontechnical evaluation;
- Coordination of the technical and nontechnical evaluation among departments;
- Specification of how the technical and nontechnical evaluation will be conducted;
- How technical and nontechnical evaluation findings will be addressed.
2) Obtain and review documentation demonstrating periodic technical and nontechnical evaluations. Evaluate and determine if such evaluations appropriately assess EPHI security measures; address evaluation findings associated with noncompliant security measures; identify and measure the risks associated with noncompliant security measures; and that evaluation findings are reviewed and certified by appropriate management.
3) Obtain and review documentation of procedures for technology change control/management, and documentation of major technology changes that affected the security of EPHI. Obtain and review documentation of plans related to risk management or mitigation efforts undertaken in response to evaluations conducted because of a major technology change that affected the security of EPHI. Evaluate and determine if the identified risks associated with noncompliant security measures are addressed in a risk management or mitigation plan.
Related Documents:
1) Documentation of policies and procedures related to technical and nontechnical evaluation.
2) Documentation of procedures for technology change control/management and documentation of major technology changes which affected the security of ePHI.
3) Documentation of plans related to risk management or mitigation efforts in response to evaluations conducted due to a major technology change which affected the security of ePHI.
Additional Guidance:
It is important for a covered entity to know whether the security plans and procedures it has implemented continue to adequately protect its EPHI. To accomplish this, covered entities must implement ongoing monitoring and evaluation plans. Covered entities must periodically evaluate their strategy and systems to ensure that the security measures in place remain appropriate for their organizations’ operating environments.
The purpose of the evaluation is to establish a process for covered entities to review and maintain reasonable and appropriate security measures to comply with the Security Rule. Initially, the evaluation must be based on the security standards implemented to comply with the Security Rule. Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of EPHI. The ongoing evaluation should also be performed on a scheduled basis, such as annually or every two years. The evaluation must include reviews of both the technical and the nontechnical aspects of the security program.
Sample questions for covered entities to consider:
- How often should an evaluation be done? For example, are additional evaluations performed if security incidents are identified, changes are made in the organization, or new technology is implemented?
- Is an internal or external evaluation, or a combination of both, most appropriate for the covered entity?
- Are periodic evaluation reports, and the supporting material considered in the analysis, recommendations, and subsequent changes, fully documented?