HIPAA Security Risk Assessment Checklist

Use this HIPAA Security Risk Assessment Checklist to evaluate physical, technical, and administrative safeguards to protect sensitive healthcare data.

Office Access

1. Is there a “gatekeeper” (e.g., receptionist) on duty to control access to the office during business hours?

2. Are restricted office areas secured with locks or key card entry?

3. Are all vendors escorted while visiting areas of the office?

4. Is there a formal document retention and disposal policy for protected health information (PHI)?

5. Does the office have access to and use cross-cut shredders for convenient disposal of paper records? Alternatively, does the office contract with off-site shredding services?

6. How does the office dispose of electronic records (e.g., CDs, DVDs, hard drives)?

7. Is there an exit interview or process to ensure return or destruction of all PHI upon termination/leave/resignation of office personnel?


Office Workstations And Remote/Mobile Device Access

1. Are office workstations (i.e., computers) restricted to office personnel (e.g., nurses, physicians, office assistants, PAs, etc.)?

2. Is there an on-site server that stores PHI for the office? If so, is the server area locked or accessible only by designated office employees?

3. Does the office use a cloud-based service or off-site server to store PHI for the office?

4. Does the office dispose of or recycle old computers/hard drives/fax machines? Is the information contained on those old computers/hard drives wiped clean before disposal or recycling?

5. Do office workstations/laptops use unique login/user names for each individual?

6. Do office workstations require passwords?


Emergency/Contingency Plans

1. Is there a plan or service in place for backup and recovery of PHI in the event of an emergency or disaster?


Workstation Security And Encryption

1. Do office workstations all have anti-virus software and use firewalls?

2. Is the anti-virus software regularly updated?

3. How complex are office workstation passwords?

4. How often do workstation passwords need to be changed?

5. Do office workstations time out and log out automatically after a period of inactivity?


Remote And Mobile Access

1. Does the office use laptops/tablets/mobile devices/flash drives to access office e-mails or PHI?

2. Are the laptops/tablets/mobile devices secured with password protection?

3. Are flash drives secured with encryption?

4. Does the office have a method to track workstation access by office personnel?

5. Does the office have the ability to terminate remote access to office workstations if laptops/tablets/mobile devices are stolen or lost?

6. Does the office have the ability to remotely wipe office data and PHI from lost or stolen laptops/tablets/mobile devices?

7. Does the office send e-mails with PHI to patients? Are e-mails with PHI encrypted? If not, are patients provided with confidentiality statements about the risks of unencrypted e-mails?


Hospital/Medical Center

1. Does anyone on your medical office staff (e.g., physicians or nurses) work at the hospital(s) or in conjunction with outside medical groups?

2. If so, does the hospital or outside medical group provide your medical staff with access to the hospital/medical group PHI network or system?

3. Is your medical staff aware of the hospital/medical group’s network or system access rules and requirements?

4. Does your medical staff allow any other individuals (including other members of the office) to use his/her access to the network or system without the hospital/medical group’s knowledge/consent?


Office Training And Awareness

1. Has the office designated an individual to be in charge of HIPAA training?

2. Has the office conducted a HIPAA risk assessment previously?

3. Has the entire office had HIPAA training?

4. How often does the office undergo HIPAA training?

5. Has every member of the office reviewed and executed a confidentiality agreement?


Reporting Of Incidents

1. Is there a policy or procedure for reporting potential office privacy or security incidents?

2. Has the office received training on the recognition of potential privacy or security incidents?


Vendor Contracts And Agreements

1. Does the office use any outside vendors to provide any medical or support services to the office?

2. If so, is there a written contract/agreement in place with these outside vendors?

3. Do these contracts/agreements expressly address HIPAA privacy and security rule issues?



Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
