1

Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?

Yes
No
Don't know
2

Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?

Yes
No
Don't know
3

Does your practice formally document a security plan?

Yes
No
Don't know
4

Is your practice's security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?

Yes
No
Don't know
5

Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when they were created or were last in effect, whichever is later?

Yes
No
Don't know
6

Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?

Yes
No
Don't know
7

Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?

Yes
No
Don't know
8

Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?

Yes
No
Don't know
9

Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user?

Yes
No
Don't know
10

Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?

Yes
No
Don't know
11

Does your practice have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed?

Yes
No
Don't know
12

Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?

Yes
No
Don't know
13

Do you have procedures that describe how your practice should remove ePHI from its storage media/electronic devices before the media is re-used?

Yes
No
Don't know
14

Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage, such as a cloud environment?

Yes
No
Don't know
15

Does your practice have a formal, documented process or regular human resources policy to discipline workforce members who have access to your organization's ePHI if they are found to have violated the office's policies against system misuse, abuse, or other harmful activities involving your practice's ePHI?

Yes
No
Don't know
16

Does your practice create Sanction Policies and procedures as part of its security awareness and training programs?

Yes
No
Don't know
17

Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?

Yes
No
Don't know
18

Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?

Yes
No
Don't know
19

Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice's facilities, information systems, electronic devices, and ePHI?

Yes
No
Don't know
20

Does your practice know all business associates and the access that each requires for your practice's facilities, information systems, electronic devices, and ePHI?

Yes
No
Don't know
21

If your practice is the business associate of another covered entity and uses subcontractors to help carry out the ePHI-related activities that you have agreed to perform for that covered entity, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?

Yes
No
Don't know
22

Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?

Yes
No
Don't know
23

Do the terms and conditions of your practice's business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice, and will report security incidents to your practice in a timely manner?

Yes
No
Don't know
24

Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?

Yes
No
Don't know
25

Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?

Yes
No
Don't know
26

Does your practice have policies and procedures to enable access to ePHI in the event of an emergency?

Yes
No
Don't know
27

Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?

Yes
No
Don't know
28

Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?

Yes
No
Don't know
29

Does your practice have backup information systems so that it can access ePHI in the event of an emergency or when your practice's primary systems become unavailable?

Yes
No
Don't know
30

Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?

Yes
No
Don't know
31

Does your practice regularly review information system activity?

Yes
No
Don't know
32

Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?

Yes
No
Don't know
33

Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?

Yes
No
Don't know
34

Does your practice's incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?

Yes
No
Don't know
35

Does your practice implement security protection tools on its information systems to protect against malware?

Yes
No
Don't know
36

Has your practice designated a Security Officer to develop and implement security policies and procedures?

Yes
No
Don't know
37

Does your practice conduct periodic training for employees, specifically related to the HIPAA Security Rule, so each employee is aware of security measures to reduce the risk of improper use of ePHI?

Yes
No
Don't know
38

Does your practice keep track of and record employee training?

Yes
No
Don't know
39

Does your practice have policies and procedures for implementing encryption and decryption of ePHI?

Yes
No
Don't know
40

Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted?

Yes
No
Don't know
41

Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?

Yes
No
Don't know
42

Does your practice have specific policies and procedures to safeguard computer workstations, including remote access?

Yes
No
Don't know
43

Does your organization have a plan for backing up critical data?

Yes
No
Don't know
44

Does your practice have offsite backup for its critical data?

Yes
No
Don't know
45

Does your practice currently use an email encryption service when sending PHI?

Yes
No
Don't know
46

Does your practice currently carry any insurance that covers your practice in case of cybertheft, HIPAA or PCI non-compliance, or an unforeseen data breach or loss?

Yes
No
Don't know
47

Does your IT staff perform system updates/patches on a regular basis?

Yes
No
Don't know
48

Is your main Wi-Fi network separated from your guest Wi-Fi network?

Yes
No
Don't know
49

Do you keep your charts and server in a lockable cabinet/room?

Yes
No
Don't know
50

If you take credit cards as a form of payment, do you know whether your practice is PCI compliant?

Yes
No
Don't know