Perform periodic technical and non-technical evaluations of security controls in response to environmental or operational changes
Security controls that were effective last year may not be effective today. Systems change, new threats emerge, and organizations evolve. HIPAA requires periodic evaluation of your security safeguards to determine whether they continue to meet the requirements of the Security Rule. Technical evaluations assess whether your controls actually work as intended. Non-technical evaluations assess whether policies, procedures, and workforce practices remain aligned with the current environment. Both types of evaluation should be performed when significant changes occur and on a regular schedule.
Implementation steps
1. Schedule and conduct technical security evaluations
Conduct periodic technical assessments such as vulnerability scans, penetration tests, or security configuration reviews of systems containing ePHI. Technical evaluations verify that controls are functioning as intended. For organizations subject to significant risk, annual penetration testing is a best practice. Document findings and remediate identified issues.
Tools: Tenable, Qualys, Rapid7, CrowdStrike Falcon Spotlight
2. Conduct non-technical (policy and procedure) evaluations
Periodically review security policies, procedures, and workforce compliance with those policies. Assessments may include review of access control practices, observation of physical security controls, review of incident logs, or interviews with workforce members. Evaluate whether documented procedures reflect actual practice and whether policies remain appropriate.
Tools: Confluence, Excel
3. Trigger evaluations when significant changes occur
Define what constitutes a significant operational or environmental change that triggers a re-evaluation: new systems, new workforce roles, mergers or acquisitions, office moves, new business processes involving ePHI, or regulatory changes. Evaluate the impact of those changes on your security posture before or promptly after they occur.
Tools: Jira, Confluence
Evidence required
Technical evaluation reports
Results of technical security assessments such as vulnerability scans or penetration tests.
- Vulnerability scan reports
- Penetration test report
- Security configuration review findings
Non-technical evaluation documentation
Evidence of periodic reviews of security policies and procedures.
- Annual security review report
- Policy review sign-off records
- Assessment findings and action items
Related controls
- Policy Implementation: Implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule
- Security Management Process: Implement a security management process to prevent, detect, contain, and correct security violations
- Assigned Security Responsibility: Designate a security official responsible for developing and implementing security policies and procedures
- Workforce Security: Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access