UW Milwaukee

HIPAA Self Assessment

Introduction and Explanations

This self assessment is designed to provide covered entities with an idea of how they might fare in a HIPAA audit. It contains
questions to which you will be asked to answer yes, no, uncertain or non-applicable. Questions in this self-assessment a
phrased so that "correct" answers are "yes" or non-applicable. HIPAA has both Privacy rules and Security rules. This selfassessment is also split into those two sets of rules.

There is no "grade" for this self-assessment, nor is there a "poor", "fair", "good" rating scale. There is no prescribed number o
"No" answers that indicate an entity is in trouble. It is important to remember that HIPAA compliance is evaluated using what is
known as "compliance testing". In compliance testing, partial credit is not given for an item. An entity is either in compliance o
in compliance with a particular item. Obviously, some requirements carry more risk or more weight, but the bottom line is that
conditions of a requirement are not met, the auditor will deem the entity not in compliance.

If can answer "Yes" to all 78 questions, you are probably doing a good job of protecting your information and you may well be i
compliance with HIPAA regulations.

On the other hand, if you responded to any questions with a "No" answer, your data security and/or privacy standards are prob
not adequate. The more "No" answers you selected, the more likely it is that you are even further away from compliance with
HIPAA regulations.

How to complete the assessment.

The best way to use this tool is to act as if an auditor is asking the questions of you. Auditors always expect evidence that you
completely answering the question. As a result, during a real audit, you will be required to provide evidence to support your
answers. While for your self-assessment, you do not necessarily need to gather the evidence, you should spend some time c
visualizing how the information should be obtained. For example, rather than simply answering yes to a question of whether y
have developed a particular policy, enter the web site where the policy can be found into the comments section.

If a question is asking whether you train employees, think of how you can prove that - for example, by providing completed
quizzes, or signed attendance records. If an auditor can't verify the training took place with objective proof, it didn't happen. Y
don't have to collect all evidence for the self-assessment, but to answer "Yes" to this question, you should be able to explain h
to obtain the evidence.
The answers!
Yes - this answer is not the end of the tale. Any "Yes" answer must be backed up by solid evidence. Auditors will expect
verification of any "Yes" answer.

No - Even "No" answers can use explanations. For example, if a training program is not yet in place, but is 90% developed an
will be launched soon, it is appropriate to put this fact in the assessment.
Uncertain - answers obviously indicate that there is more work to do. HIPAA auditors will expect firm answers to all question
N/A - If a question is not applicable to your covered entity, provide some justification or evidence to that effect.

Please note that if an item refers to existing campus policy, the covered unit is still responsible for knowing the policy, making s
they are fully addressing the issue, and providing evidence of compliance.
Click on the "Privacy Section" button at the bottom of the screen to continue.
Privacy Section

Security Section

UW Milwaukee HIPAA Self-Assessment

PRIVACY SECTION
Entity:
Date:
Compiled By:
For each item, please provide comments if
appropriate, including:
brief descriptions of implemented practice
plans and timelines for any "No" answers
Questions for clarifying "Uncertain"
answers

Item

Specific Requirement

Please submit to:

Internal Audit
Engelmann Hall

Yes/ No/
Uncertain

Section of
Manual

We are able to identify health information as "protected

health information".

We utilize the University training program for all

employees and volunteers who use PHI. We regularly
verify and retain evidence that all employees using PHI
meet the training requirements.

We have named a privacy officer for our unit, and the

privacy officer is cognizant of the authority and
responsibility inherent in the role.

Our privacy officer has formally acknowledged the

responsibilities as set forth in the UWM HIPAA Polices
and Procedures document.

5
6

We have identified an individual responsible for acting as

a liaison with the University Security Officer and ensuring
on a unit level that we comply with HIPAA security
regulations.
We have an inventory of PHI and EPHI information.

We have mechanisms in place for using and disclosing

only the minimum amount of PHI necessary to
accomplish the purpose of the use or disclosure.

We have physical control of the areas that house PHI,

and have written policies and procedures describing that
access control.

Computer monitors that can access PHI are placed so

that they cannot be seen from any position other than the
primary user.

10

Screen savers are automatically engaged when

workstations are not in active use, and are password
protected.

13

Paper records are shredded, and any unshredded

materials scheduled for destruction are kept in locked
containers.
Fax machines are located in restricted areas, and faxes
are never left on the machine unattended.
Sign-in logs only contain minimal PHI such as a patient's
name and do not contain patient condition.

14

We are aware of the University policies regarding

emergencies, and have developed procedures for
tracking responses in emergency circumstances.

11
12

15
16
17

We utilize a Notice of Privacy Practices (NPP). If we

have a custom NPP, we have consulted with and notified
Legal Affairs.
We have our current Privacy Officer and contact
information on the NPP

D
E

E
E
E

E, F, L

18

If we have a website, the NPP is posted on the website.

We give patients the opportunity to object before
disclosing PHI to those involved in patient care.

19

We follow University policy regarding facility patient

directories, and retain evidence that patients have been
given an opportunity to object to such disclosure.

20

We use the UWM Authorization Form for disclosure of

PHI, and it is updated with current Departmental name
and contact information. If we have developed our own
form, it has been approved by Legal Affairs.

21

We use the UWM Authorization Form for disclosure of

Psychotherapy Notes, and it is updated with current
Departmental name and contact information. If we have
developed our own form, it has been approved by Legal
Affairs.

22

We have a process for patients to revoke authorization

for disclosure of PHI or Psychotherapy Notes

Page 2 of 5

Subsection

Comments

Item

Specific Requirement

Yes/ No/
Uncertain

Section of
Manual

23

We have determined if and how we will create deidentified health information, pursuant to the University
policy. We have identified the circumstances and
process used to decide on release of de-identified
information. This process also includes adherence to
other applicable regulations such as FERPA and GLBA.

24

We have determined if and how we will allow disclosure

of limited data sets. If we allow disclosure of limited data
sets, we enter into a Data Use Agreement with the
recipient, and follow the University policy as to Limited
Data Sets.

25

We maintain an accounting of disclosures of PHI

requests pursuant to University policy.

26

Unauthorized disclosures are logged and reviewed.

Unauthorized disclosures are immediately disclosed to
Legal Affairs. If unauthorized disclosures involve
electronic records, the Security Officer (see section D) is
informed.

27

We follow University policy to allow patients to request

that their health information not be used or disclosed for
treatment, payment, or healthcare operations (such
requests may be denied).

28

We follow University policy to allow patients to request

receipt of communications of PHI by alternate means or
at an alternative location.

29

We follow University policy to allow patients to access,

photocopy, and inspect PHI upon request.

30

We follow University policy to allow patients to request

amendment or correction of PHI that is inaccurate or
incomplete.

33

We follow University policy to allow patients to request an

accounting of disclosures.
We follow University policy to allow patients to revoke
authorization to disclose or use PHI at any time.
We follow University policy to allow individuals to file
complaints about possible violations of privacy.

34

We have included HIPAA provisions in contracts with

business partners. We utilize the University's Business
Associate Agreement. All Business Associate
Agreements are on file in both the unit and Legal Affairs.

35

We have notified employees of the University's policies

and procedures regarding disciplinary processes and
potential sanctions for individuals violating HIPAA-related
polices.

36
37

We have informed all employees and supervisors of the

prohibition against retaliatory action and intimidation.
We retain relevat HIPAA records for at least six years

38

We regularly review policy and procedure documentation.

39

We have developed and implemented an ongoing

internal audit process for reviewing records of system
activity (e.g. logins, file accesses, security incidents).

31
32

Totals:
Yes
No
Uncertain
N/A
Not Answered
No comments

L
L
L

0
0
0
0
0
0

Privacy SectionSecurity Section

Page 3 of 5

Subsection

Comments

UW Milwaukee HIPAA Self-Assessment

SECURITY SECTION
Entity:
Date:
Compiled By:
For each item, please provide comments if
appropriate, including:
brief descriptions of implemented practice
plans and timelines for any "No" answers
Questions for clarifying "Uncertain"
answers

Item

Specific Requirement

Please submit to:

Internal Audit
Engelmann Hall

Yes/ No/
Uncertain

Standards

Specs

Is a documented Risk Analysis process used to ensure

cost-effective security measures are used to mitigate
expected losses?

Security
Management
Process
164.308(a)(1)

Risk Analysis

Are security measures implemented to reduce risks and

vulnerabilities to an appropriate level for the
organization?

Security
Management
Process
164.308(a)(1)

Risk Management

Do documented policies and procedures exist regarding

disciplinary actions (stipulations for misuse or
misconduct)?

Security
Management
Process
164.308(a)(1)

Sanction Policy

Have procedures been implemented to regularly review

information system activity?

Security
Management
Process
164.308(a)(1)

Information
System Activity
Review

Has the security responsibility for the unit been assigned

to an individual or group?

Assigned Security No
Responsibility
Implementation
164.308(a)(2)
Specifications

Is there a formal process in place to allow the reporting of

security breaches?

Security Incident
Procedures
164.308(a)(6)(i)

Response and
Reporting

Are formal procedures followed for timely responding to

incidents?

Security Incident
Procedures
164.308(a)(6)(i)

Response and
Reporting

Are procedures followed for mitigating incidents that may

occur?

Security Incident
Procedures
164.308(a)(6)(i)

Response and
Reporting

At the conclusion of an incident, are procedures followed

to document and maintain the outcome of the incident
investigation?

Security Incident
Procedures
164.308(a)(6)(i)

Response and
Reporting

Has a Data Backup Plan been documented,

implemented and followed within your organization?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Does the Data Backup Plan contain procedures for

testing and revision?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Does the organization follow Data Backup Plan

procedures that allow for an exact copy of information to
be retrieved?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Does the Data Backup plan call for either full or

incremental backups?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Is the backup media safely stored for an appropriate

period of time?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Do physical protection mechanisms exist for local and

remote copies of backups?

Contingency Plan
164.308(a)(7)(i)

Data Backup Plan

Has a Disaster Recovery Plan been developed and

documented?

Contingency Plan
164.308(a)(7)(i)

Disaster Recovery
Plan

Contingency Plan
164.308(a)(7)(i)

Emergency Mode
Operation Plan

17

Has an Emergency Mode Operation Plan been

documented and tested to determine continual
operations?

Contingency Plan
164.308(a)(7)(i)

Emergency Mode
Operation Plan

18

Do the Emergency Mode Operation Plan and Disaster

Recovery Plan address physical access to appropriate
personnel?

Evaluation
164.308(a)(8)

No
Implementation
Specifications

19

Has an internal or external entity performed a

documented assessment on any network or individual
system(s) within the network to determine if they meet a
pre-specified set of security standards?

9
10
11

12
13
14
15
16

Comments

Does the organization maintain a history of Technical

Evaluations for computer system(s) and network(s)?

Evaluation
164.308(a)(8)

No
Implementation
Specifications

Has an documented inventory of all electronic data

exchanges with third parties, vendors or business
partners taken place and a Business Associate
Agreement been executed, when needed?

Business
Associate
Contracts and
Other
Arrangements
164.308(b)(1)

Written Contract
or Other
Arrangement

If there are any trusted internal or external business

connections, or any third party connections or accesses,
has a Business Associate Agreement or Memorandum of
Understanding been completed?

Business
Associate
Contracts and
Other
Arrangements
164.308(b)(1)

Written Contract
or Other
Arrangement

Does the organization follow procedures for defined

acceptable workstation use?

Workstation Use
164.310(b)

No
Implementation
Specifications

Has the organization implemented physical safeguards to

eliminate or minimize unauthorized access/viewing of
health information on workstations?

Workstation
Security
164.310(c)

No
Implementation
Specifications

Does the organization implement console locking

features?

Workstation
Security
164.310(c)

No
Implementation
Specifications

Device and Media

Controls
164.310(d)(1)

Disposal

26

Does the organization follow procedures for the final

disposition of electronic data (including PHI) and the
hardware that it resides on?

Device and Media

Controls
164.310(d)(1)

Media Re-use

27

Have procedures been developed for removing electronic

Protected Health Information from media before it is
scheduled for re-use?
Are unique user id(s) in place/use (network and
application)?
Are there NO shared ID's or non-unique ID's in use?

Access Control
164.312(a)(1)

Unique User
Identification

Access Control
164.312(a)(1)

Unique User
Identification

Do all end users of network resources have a unique

user ID?
Is an emergency access procedure documented and
followed?

Access Control
164.312(a)(1)

Unique User
Identification

Access Control
164.312(a)(1)

Emergency
Access
Procedures

Are networked systems configured to allow event

reporting?

Audit Controls
164.312(b)

No
Implementation
Specifications

Are auditing capabilities enabled for file/record accesses,

modifications, or deletions?

Audit Controls
164.312(b)

No
Implementation
Specifications

Are software or hardware solutions in place that will

provide notification of abnormal conditions that may
occur in a networked system?

Audit Controls
164.312(b)

No
Implementation
Specifications

Is the signature on the document/data verified as trustworthy?

Person or Entity
Authentication
164.312(d)

No
Implementation
Specifications

Are Business Associate contracts in place between the

unit and any business associate that might come in
contact with the organizations electronic Protected
Health Information?

Business
Associate
Contracts and
Other
Arrangements
164.314(a)(1)

Business
Associate
Contracts

We follow University guidelines regarding security of

electronic information.

Policy and
Procedures
164.316(a)

No
Implementation
Specifications

Documentation
164.316(b)(1)

Time Limit

38

Are documents related to electronic Protected Health

Information maintained for the time period prescribed by
this rule?

Documentation
164.316(b)(1)

Availability

39

Is documentation available to those persons responsible

for implementing the various procedures required by the
HIPAA security rule?

20

21

22
23

24
25

28
29
30
31
32
33

34
35

36
37

Totals:
Yes
No
Uncertain
N/A
Not Answered
Blank comments

Privacy SectionSecurity Section

0
0
0
0
0
0