John S Conniff PLLC
Compliance Solutions
Privacy and Security Compliance Survey
This is a general questionnaire about your information management and security practices and, in particular, your degree of HIPAA compliance. You must answer every question or the form will not record results. If you do not have time to complete the survey, go to the end and save it for later. We will not share your results with anyone other than you.
Federal health information privacy regulations (45 C.F.R. § 164.530) and certain state laws require implementation of appropriate administrative, technical and physical safeguards to protect the privacy of personally identifiable health information (also referred to as "protected health information" - PHI). Other federal and state laws also require protection of sensitive personal and financial information.
Organizational and Management Practices
The following questions relate to information management; however, licensed professionals such as health care practitioners should seek competent advice (attorneys, accountants) to ensure the proper licensing, registration, and organization of their business.
1. Privacy Policies and Procedures - Have you created, and do you regularly review and update, written privacy policies and procedures as required by law?
Yes / No
If Yes, when did you last review your policies and procedures?
This Year / Last Year
2. Information Management and Security Program - Do you have written policies and procedures for information management and security?
Yes / No
3. Confidentiality Agreements - Do you have signed confidentiality agreements with employees, partners, and other businesses that have access to confidential information (such as "business associate agreements"), and do you keep copies of these agreements?
Yes / No
4. Notice of Privacy Practices - If you are a health care practitioner, do you obtain a signed acknowledgement of receipt of your notice of privacy practices when required?
Yes / No / I don't need to obtain an acknowledgement
5. Risk Assessment - Have you conducted an information security risk assessment?
Yes / No
When did you last conduct an information security risk assessment?
This Year / Last Year
6. Annual Review - Do you annually review your information security policies and procedures to ensure that your information security program remains suitable and effective?
Yes / No
When did you last conduct a review of security policies and procedures?
This Year / Last Year
7. Forms Review - Do you annually review your standard forms for compliance with state and federal regulations?
Yes / No
When did you last review or update your practice forms?
This Year / Last Year
8. Authorization - Do you obtain proper authorization for disclosure of personal information when needed, and do you maintain a record of these authorizations?
Yes / No
9. Privacy Official - Have you designated a "privacy official" for your practice who is responsible for maintaining policies and procedures and receiving complaints?
Yes / No
10. Complaints - Do you have a privacy complaint form that you provide when someone has a problem related to your use or disclosure of information?
Yes / No
Personnel Practices
These questions are limited to information management, but you should also review your employment contracts and policies. Make sure you understand the differences between independent contractors and employees.
1. Information Privacy and Security Training - Do you provide annual training to all employees that covers information privacy and security requirements and the consequences of legal and policy violations?
Yes / No
When did you last conduct training?
This Year / Last Year
2. Access Limits - Do you have procedures for limiting the disclosure of information to the minimum necessary for each job function?
Yes / No
3. Access Termination - Do you have a written checklist that you follow to revoke a person's access to information and to the facility (keys, passwords, accounts) when the person leaves or changes their employment role?
Yes / No
4. Personnel Screening - Do you request and verify background and work history for employees who will have access to confidential or personal information?
Yes / No
Physical Security Practices
1. Physical Assessment - Have you conducted a review of your facility's physical and environmental security, such as building entry controls, alarms, fire detection, and temperature controls?
Yes / No
When did you last conduct this review?
This Year / Last Year
2. Physical Access Control - Do you have procedures to monitor and control physical access to your facilities? For example, do you have recorded video surveillance or an electronic access system that logs entry to the facility?
Yes / No
3. Environmental Controls - Do you maintain backup power sufficient for an orderly computer shutdown, fire detection, temperature and humidity controls, and water damage detection?
Yes / No
Information Security Practices
1. Disaster Recovery Plan - Check each of the following disaster recovery measures you have in place to support your ability to continue your business after a catastrophic loss of information:
Regular offsite backup of systems and data, with instructions for restoration.
Access information for the offsite backups, held with a trusted source.
Appropriate training of staff for emergency operations.
2. Monitoring - Do you maintain a tamper-resistant system log, and do you routinely audit logs, security events, and system use?
Yes / No
3. Data Classification - Do you maintain policies and procedures to classify information by its value, sensitivity, and criticality to your business?
Yes / No
4. Access Controls - Check each of the following procedures you use to limit or prevent access to information:
Strong passwords, with periodic changes and restrictions on password sharing.
Control over internet access, with strong passwords on routers.
Encryption of any device holding protected information that might leave the office.
Periodic audit of user access and privileges.
Network access controls that authenticate users.
5. Data Storage and Portable Media Protection - Do you follow written policies and procedures to protect data on electronic storage media, including CDs and DVDs, USB storage devices, and portable hard drives?
Yes / No
6. Lock-Out for Inactive Computing Devices - Do you configure devices to lock automatically after a period of inactivity?
Yes / No
Information Integrity Practices
1. Anti-Virus Protection - Do you regularly use and update security software to protect against computer viruses and other malware?
Yes / No
2. Software Changes - Are your software and systems designed to detect and protect against unauthorized changes to software and information?
Yes / No
3. Information Input - Do you have policies and procedures to verify information for accuracy, completeness, and validity?
Yes / No
4. Information Correction - Do you have a policy and procedure for the identification, reporting, and correction of information errors?
Yes / No
Software Management
1. Software Usage Restrictions - Do you have procedures to comply with software usage restrictions in accordance with your contracts and copyright law?
Yes / No
2. User Installed Software - Do you have an explicit policy governing the downloading and installation of software by users?
Yes / No
3. Outsourced Information Services - Do you ensure that third-party providers of information system services employ adequate security controls in accordance with applicable laws, your policies, and your service agreements?
Yes / No
4. Device Security - Do you apply operating system and application updates, patches, and fixes as soon as they become available?
Yes / No
Incident Response Practices
1. Incident Response - Do you have, and do you follow, a written incident response policy and procedure, including an information breach notification process?
Yes / No
2. Breach Assessment - Do you have a procedure and guidelines for conducting a breach assessment to determine whether you must provide breach notification under state or federal law?
Yes / No
Do you want us to contact you?
Yes / No
2013 Final HIPAA Regulations
HHS Website – Health Information Privacy
Federal Health Information Technology Website
CMS HIPAA Website
Integrating Security into your Health Care Practice
Health Information Privacy and Security Guide