Privacy and Security Compliance Survey

You are here:

Home
Privacy and Security Compliance Survey

Privacy and Security Compliance Survey

This is a general questionnaire about your information management and security practices and particularly, with your degree of HIPAA compliance. You must answer every question or the form will not record results. If you do not have time to complete the survey, go to the end and save it for later. We will not share your results with anyone other than you.

Date*
MM slash DD slash YYYY
Name*
First Last
Email*
Enter Email Confirm Email
Business or Profession*
Please describe your business or profession to assist in determining your compliance obligations.
Address*
Street Address Address Line 2 City State / Province / Region ZIP / Postal Code
Phone
Federal health information privacy regulations (45 C.F.R. § 164.530) and certain state laws require implementation of appropriate administrative, technical and physical safeguards to protect the privacy of personally identifiable health information (also referred to as "protected health information" - PHI). Other federal and state laws also require protection of sensitive personal and financial information.
Organizational and Management Practices
The following questions relate to information management; however, licensed professionals such as health care practitioners should seek competent advice (attorneys, accountants) to ensure the proper licensing, registration, and organization of their business.
1. Privacy Policies and Procedures - Have you created and do you regularly review and update written privacy policies and procedures as required by law?*
- Yes
- No
If Yes above, when did you last review your policies and procedures?*
- This Year
- Last Year
2. Information Management and Security Program - Do you have written policies and procedures for information management and security?*
- Yes
- No
3. Confidentiality Agreements - Do you have signed confidentiality agreements with employees, partners, and other businesses with access to confidential information (such as "business associate agreements") and do you keep copies of these agreements?*
- Yes
- No
4. Notice of Privacy Policy and Procedures - If you are a health care practitioner, do you obtain a signed acknowledgement of receipt of your privacy policies and procedures when required?*
- Yes
- No
- I don't need to obtain an acknowledgement
5. Risk Assessment - Have you conducted an information security risk assessment?*
- Yes
- No
When did you last conduct an information security risk assessment?*
- This Year
- Last Year
6. Annual Review - Do you annually review your information security policy and procedures to ensure the suitability and effectiveness of information security?*
- Yes
- No
When did you last conduct a review of security policies and procedures?*
- This Year
- Last Year
7. Forms Review - Do you annually review your standard forms for compliance with state and federal regulations?*
- Yes
- No
When did you last review or update your practice forms?*
- This Year
- Last Year
8. Authorization - Do you obtain proper authorization for disclosure of personal information when needed and maintain a record of these authorizations?*
- Yes
- No
9. Privacy Official - Have you designated a "privacy official" for your practice responsible for maintaining policies and procedures and receiving complaints?*
- Yes
- No
10. Complaints - Do you have a privacy complaint form that you provide when someone has a problem related to your use or disclosure of information?*
- Yes
- No
Personnel Practices
These questions are limited to information management; but, you should review employment contracts and policies. Make sure you understand the differences between independent contractors and employees.
1. Information Privacy and Security Training - Do you provide annual training to all employees that covers information privacy and security requirements and consequences of legal and policy violations?*
- Yes
- No
When did you last conduct training?*
- This Year
- Last Year
2. Access Limits - Do you have procedures for limiting the disclosure of information to the minimum necessary needed for each job function?*
- Yes
- No
3. Access Termination - Do you have a written checklist that you follow to restrict a person's access to information and the facility (keys, passwords) when the person leaves or changes their employment role?*
- Yes
- No
4. Personnel Screening - Do you request and verify employee background and work history for employees who will have access to confidential or personal information?*
- Yes
- No
Physical Security Practices
1. Physical Assessment - Have you conducted a review of your facility's physical and environmental security, such as building entry controls, alarms, fire detection, and temperature controls?*
- Yes
- No
When did you last conduct this review?*
- This Year
- Last Year
2. Physical Access Control - Do you have procedures to monitor and control physical access to facilities?*
For example, do you have recorded video surveillance or electronic access that logs user access to the facility?
- Yes
- No
3. Environmental Controls - Do you maintain systems for backup power for an orderly computer shutdown process, fire detection, temperature and humidity controls and water damage detection?*
- Yes
- No
Information Security Practices
1. Disaster Recovery Plan - Check each of the following disaster recovery options you have to support your ability to continue your business in the event of a catastrophic loss of information: *
- Regular offsite backup of systems and data, with instructions for restoration.
- Information with a trusted source to access offsite backups.
- Appropriate training of staff for emergency operations.
2. Monitoring - Do you maintain an unalterable computer system log and routinely audit logs, security events and system use?*
- Yes
- No
3. Data Classification - Do you maintain policies and procedures to classify information by its value, sensitivity, and critical need to your business?*
- Yes
- No
4. Access Controls - Check each of the following procedures you use to limit or prevent access to information:*
- Strong Passwords with periodic changes and restrictions on sharing of passwords.
- Control over internet access with strong passwords for routers.
- Encryption of any device with protected information that might leave the office.
- Periodic audit of user access and privileges.
- Network access controls with authentication of users.
5. Data Storage and Portable Media Protection - Do you follow written policies and procedures to protect data on electronic storage media, including CDs and DVDs, USB storage devices and portable hard drives?*
- Yes
- No
6. Lock-Out for Inactive Computing Devices - Do you configure devices to automatically lock after a period of inactivity is enforced?*
- Yes
- No
Information Integrity Practices
1. Anti-Virus Protection - Do you regularly use and update security software to protect against computer viruses and malware?*
- Yes
- No
2. Software Changes - Is your software and systems designed to detect and protect against unauthorized changes to software and information?*
- Yes
- No
3. Information Input - Do you have policies and procedures to verify information for accuracy, completeness, and validity?*
- Yes
- No
4. Information Correction - Do you have a policy and procedure for identification, reporting, and correction of information errors?*
- Yes
- No
Software Management
1. Software Usage Restrictions - Do you have procedures to comply with software usage restrictions in accordance with contact agreements and copyright laws?*
- Yes
- No
2. User Installed Software - Do you have an explicit policy governing the downloading and installation of software by users?*
- Yes
- No
3. Outsourced Information Services - Do you ensure that third-party providers of information system services employ adequate security controls in accordance with applicable laws, your policies and service agreements?*
- Yes
- No
4.Device Security - Do you apply operating system and application updates, patches, and fixes as soon as they become available?*
- Yes
- No
Incident Response Practices
1. Incident Response – Do you have and follow a written information breach notification process and incident response policy and procedure?*
- Yes
- No
2. Breach Assessment - Do you have a procedure and guidelines for conducting a breach assessment to determine whether you must provide breach notification under state or federal law?*
- Yes
- No
Do you want us to contact you?*
- Yes
- No
Comments
This field is for validation purposes and should be left unchanged.