
HIPAA Compliance Self-Assessment

Outlined in this document is a HIPAA compliance self-assessment for Covered Entities and
Business Associates. The first section, General Documentation, details what should be included
in your organization's policies and procedures for compliance with current HIPAA regulations.
This section also discusses the requirements of an annual compliance education program.

The last two sections, HIPAA Privacy and HIPAA Security, list the specific areas of risk in your
organization—identified from current HIPAA regulations—that should be analyzed and
addressed.

For more information, contact BridgeFront directly. We offer online education, guides, template
policies, consulting, and comprehensive risk-assessment services. Call 1-866-447-2211 or send
an email to info@bridgefront.com. Or visit us on the web at www.bridgefront.com.

By BridgeFront
April 2011

BridgeFront  4400 NE 77th Ave., Suite 275  Vancouver, Washington 98662  866-447-2211  www.BridgeFront.com

-1-
General Documentation
1) A manual of implementation specifications that specifies the allowable minimums or ranges for "acceptable risk"
and the technological/physical mechanisms to be used to achieve compliance with those specifications. Such "minimums or
ranges" remain vendor neutral but reflect accepted standard specifications for each item.

For example:
a) Encryption used must be of a strength equivalent to the stated specifications and must use NIST-approved
algorithms: AES, Triple DES, or another cited standard.
b) "Acceptable Risk" levels will be set as monetary amounts: the calculations employed must demonstrate that, on a
lifecycle basis, the cost of a given protective measure is equal to or greater than the value of the asset it is
intended to safeguard from compromise.

2) Every large Covered Entity will have in place a Continuity of Operations Plan (e.g. "Disaster Recovery" or
"Business Continuity Plan") that has been formulated in accordance with NIST Special Publication
800-30. This plan will be tested no less than annually, and documentation illustrating this will be produced and be
subject to the six-year records retention rule. For those Covered Entities electing to outsource this capability, the
chosen outsource provider must meet this same specification.

3) It is "best practice" for officials—appointed to the required positions under HIPAA—to possess credentials that
demonstrate their knowledge and experience in the areas of Security and Privacy. The credentials should include
certifications that require Continuing Professional Education (CPE) of at least 40 contact hours each calendar
year. Some examples of such certifications include:

a) CISSP (Technical Security)
b) MBCI (Continuity Planning)
c) CISM (Security Governance)
d) CHPA (Privacy Associate)
e) CHRM (Risk Management)
f) CIPP (Information and Privacy)
g) IISP (Information Security)

4) Employees will receive appropriate training in the requirements of HIPAA pertaining to their roles in the
organization. This training will occur at New Employee Orientation (NEO) and no less than annually thereafter.
(Supplementary training may be required more often as changes occur in the governing legislation or in
organizational policy and procedure.) Records documenting this training, including test results and signatures (or
electronic records), shall be maintained in the employee's file until the employee departs their employment.


-2-
HIPAA Privacy Criteria
Risk Assessment

1) Protected Health Information (PHI) matrix
2) Identification of state requirements
3) Systems analysis & plan
4) Documentation of PHI

Administrative

1) Designation of Privacy and Security Official(s)
2) Contracts and agreements
3) Workforce training
4) Compliance documentation and retention
5) Complaints/remedying impermissible uses and disclosures

Protected Health Information (PHI) Uses and Disclosures

1) Minimum necessary
2) De-identified information
3) Data use agreements
4) Authorizations
5) Marketing
6) Fundraising
7) Research
8) Designated record sets
9) Information requests from covered entity or individuals


-3-
HIPAA Security Criteria
Administrative Safeguards

1) Security Management Process
a) Risk analysis
b) Risk management
c) Sanction policy
d) Information system activity review

2) Assigned Security Responsibility

3) Workforce Security
a) Authorization and/or supervision
b) Workforce clearance procedure
c) Termination procedures

4) Information Access Management
a) Access authorization
b) Access establishment and modification

5) Security Awareness and Training
a) Security reminders
b) Protection from malicious software
c) Log-in monitoring
d) Password management

6) Security Incident Procedures
a) Response and reporting

7) Contingency Plan
a) Data backup plan
b) Disaster recovery plan
c) Emergency mode operation plan
d) Testing and revision procedure
e) Applications and data criticality analysis

8) Evaluation

Physical Safeguards

1) Facility Access Controls
a) Contingency operations
b) Facility security plan
c) Access control and validation procedures
d) Maintenance records

2) Workstation Use

3) Device and Media Controls
a) Disposal
b) Media re-use
c) Accountability
d) Data backup and storage

Technical Safeguards

1) Access Controls
a) Unique user identification
b) Emergency access procedure
c) Automatic logoff
d) Encryption and decryption

2) Audit Controls

3) Integrity
a) Mechanism to authenticate ePHI

4) Person or Entity Authentication

5) Transmission Security
a) Integrity controls
b) Encryption


-4-
