Evaluation Policy

Goal: Obtain satisfactory assurances from an associate that he will safeguard ePHI that he/she creates, receives, maintains or transmits. Perform a technical and non-technical evaluation in response to legislative, technical, environmental and operational changes affecting the security of ePHI.

The purpose of this policy is to describe the organization’s process to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.

Procedure: A Security Evaluation is the technical analysis of a system's security features that establishes whether or not the system meets a specific set of requirements. Where possible, evaluations shall be performed by personnel who are independent of the system being evaluated. A security evaluation uses the specified security requirements as the baseline criteria for evaluation. This is determined by the Risk Assessment.

Evaluation of ePHI security shall be performed whenever major changes occur, and no less than once a year. For the purposes of this policy major changes are defined but not limited to:

• Acquisition, modification or update of new software or hardware;
• Changes in internet uses, procedures, server;
• Reconfiguration of the office;
• Changes in staffing levels.

Whenever any of the previous events occur the Security Manager shall follow the following steps:

• Identify the type of change.
  • If there have not been any changes a random selection shall be made.
• Select the most appropriate tool, Risk Management Attachment, and conduct an assessment.
• Report results and recommendations to Management.
• Document the prior steps and decision.
  • If required, implement changes.