(a) A covered entity must, in accordance with § 164.306:
(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
Tell Me More:
If you’re reading this “Tell me more…” item, good news! You’re acting on this implementation specification. The final security rule requires covered entities to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of this subpart. Evaluation replaced the concept and terminology of “certification” in the proposed HIPAA Security Rule. No official or government certification or credentialing bodies for HIPAA Security compliance exist at date of the publication of the final Rule. Evaluation may therefore be done in-house or with the assistance of security and compliance experts.
Once the security policies and procedures are implemented with an appropriate level of risk of that security being breached, the covered entity cannot simply sit back. As the environment changes, risks change. It is the responsibility of the covered entities to conduct an evaluation. Covered entities must assess the need for a new evaluation based on changes to their security environment and operational changes or even regulatory changes since their last evaluation. For example, new technology adopted or responses to newly recognized risks to the security of their information.
There were comments made on whether or not the evaluation needed to be done in house or by an external entity. An Evaluation by an external entity is a business decision that is left to each Covered Entity or Business Associate. Evaluation is required under § 164.308(a)(8), but a Covered Entity or Business Associate may comply with this standard either by using its own workforce or an external accreditation agency, which would be acting as a business associate. External evaluation may be too costly an option for small entities.
To ensure comprehensive coverage in technical evaluation, testing should include both security functional (to ensure the system components are enforcing security policies correctly) and penetration testing (to provide a level of assurance that security controls guard against circumvention).
Questions to Consider:
- Does the organization have formal requirements and verification processes established prior to evaluation?
- Is there adequate separation of duties and oversight by management during the evaluation?
- Does the evaluation process reflect threat, vulnerability and risk assessments, as well as recent test or audit findings, to ensure adequate coverage?
- Does the organization complete a re-evaluation at least once every year or when there is a significant environment change?
- Is there ongoing communications between business operations and IT/security staff before, during and after the evaluation?
- How does your organization evaluate the changing security environment? As discussed in other sections of this white paper, the organization should be tracking security issues and compliance. This information should be used to evaluate evolving and new threats and risk levels.
- Does your organization plan to perform ongoing risk analyses on a periodic basis? It is necessary to periodically ensure the organization is still meeting the security requirements within a changing security environment. Consider whether it is appropriate to periodically be evaluated by a neutral, disinterested third party.
A complete set of HIPAA Security Policies and Procedures may be purchased here.
- NIST SP 800-12 chapter 9 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST SP 800-55 Security Metrics Guide for Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations