by Antonio Stroman, Axis Cloud Sync


Forget about a full-blown HIPAA audit with over 192 questions for covered entities (CEs): most organizations fail and are considered out of compliance within the first 10 questions. In the past few years, HIPAA has become the latest five-letter bad word in the healthcare industry. With confusing terminology and enormous fines, non-compliance can be more than a financial setback; you could end up in prison. So how does your organization stack up? We've included 10 questions from the HIPAA Security Rule so you can perform a partial self-audit and see for yourself.

10 Questions from the HIPAA Security Rule

Each item lists the section of the Security Rule, the key activity, the audit procedure, whether the specification is Required or Addressable, and a space for your own answer.

1. Section: §164.308
   Key activity: Conduct risk assessment
   Audit procedure: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
   Implementation: Required
   Your answer: YES / NO

2. Section: §164.308
   Key activity: Implement a risk management program
   Audit procedure: Inquire of management as to whether current security measures are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
   Implementation: Required
   Your answer: YES / NO

3. Section: §164.308
   Key activity: Select a Security Official to be assigned responsibility for HIPAA security
   Audit procedure: Inquire of management as to whether the organization has assigned responsibility for HIPAA security to a Security Official who oversees the development, implementation, monitoring, and communication of security policies and procedures.
   Implementation: Required
   Your answer: YES / NO

4. Section: §164.308
   Key activity: Develop and implement procedures to respond to and report security incidents
   Audit procedure: Inquire of management as to whether there are formal or informal policies and/or procedures in place for identifying, responding to, reporting, and mitigating security incidents.
   Implementation: Required
   Your answer: YES / NO

5. Section: §164.308
   Key activity: Develop a contingency planning policy
   Audit procedure: Inquire of management as to whether a formal contingency plan with defined objectives exists.
   Implementation: Required
   Your answer: YES / NO

6. Section: §164.308
   Key activity: Data backup plan and disaster recovery plan
   Audit procedure: Inquire of management as to whether disaster recovery and data backup plans exist to restore any lost data.
   Implementation: Required
   Your answer: YES / NO

7. Section: §164.308
   Key activity: Encryption and decryption
   Audit procedure: Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
   Implementation: Addressable
   Your answer: YES / NO

8. Section: §164.308
   Key activity: Implement methods for final disposal of ePHI
   Audit procedure: Inquire of management as to how the disposal of hardware, software, and ePHI data is managed.
   Implementation: Required
   Your answer: YES / NO

9. Section: §164.308
   Key activity: Develop and implement an emergency mode operation plan
   Audit procedure: Inquire of management as to whether policies and procedures exist to enable the continuation of critical business processes that protect the security of ePHI while operating in emergency mode.
   Implementation: Required
   Your answer: YES / NO

10. Section: §164.308
    Key activity: Develop a recovery strategy
    Audit procedure: Inquire of management as to whether procedures exist for recovering documents from emergency or disastrous events.
    Implementation: Required
    Your answer: YES / NO


If you were able to answer yes to each of these questions, congratulations: you're well on your way to compliance with the latest changes in the HIPAA laws. If you answered no to even one of them, your organization is considered out of compliance and could face fines of up to $1.5 million and possible jail time. Notice that every one of the auditors' questions is addressed to management; it is critical that HIPAA compliance becomes a top priority within your organization.

Don't just take our word for it; take a look at some of the latest enforcement actions levied on organizations for non-compliance.

Explore our web site to see a demo and learn more about how we can help lower your overall mileage reimbursement.