This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Evaluation Policy

Reference: 45 CFR §164.308
Last Updated: July 5, 2023


Goal: Obtain satisfactory assurances from each associate that they will safeguard the ePHI that they create, receive, maintain or transmit. Perform a technical and non-technical evaluation in response to legislative, technical, environmental and operational changes affecting the security of ePHI.

The purpose of this policy is to describe the organization’s process to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.


Procedure: A Security Evaluation is the technical analysis of a system's security features that establishes whether or not the system meets a specific set of requirements. Where possible, evaluations shall be performed by personnel who are independent of the system being evaluated. A security evaluation uses the specified security requirements as the baseline criteria for evaluation; those requirements are determined by the Risk Assessment.

Evaluation of ePHI security shall be performed whenever major changes occur, and no less than once a year. For the purposes of this policy, major changes include, but are not limited to:

  • Acquisition, modification or update of software or hardware;
  • Changes in internet use, procedures, or servers;
  • Reconfiguration of the office;
  • Changes in staffing levels.

Whenever any of the above events occur, the Security Manager shall take the following steps:

  • Identify the type of change.
    • If there have not been any changes, a random selection shall be made.
  • Select the most appropriate tool (the Risk Management Attachment) and conduct an assessment.
  • Report results and recommendations to Management.
  • Document the prior steps and the decision.
    • If required, implement changes.