What is the HIPAA Security Rule Evaluation Standard?

Modified on Tue, 5 Mar at 11:58 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule contains administrative, technical, and physical safeguard requirements to protect the confidentiality, integrity, and availability of ePHI. The administrative requirements consist of a series of standards. One of these standards is the "Evaluation Standard," found at 45 CFR 164.308(a)(8). Under the Evaluation Standard, covered entities and business associates must "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the Security Rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of the Security Rule."

The Security Rule was implemented in 2003. Today, covered entities (CEs) and business associates (BAs) must periodically perform a technical and nontechnical evaluation of their security safeguards. They must do so in response to environmental or operational changes. What kind of changes? Here are two examples: new technology that the CE or BA has adopted, or newly recognized risks to information security.

The evaluation must establish the extent to which a CE or BA's security policies and procedures meet the Security Rule requirements.

Per HHS guidance, the evaluation should be ongoing and should be performed on a scheduled basis, such as annually or every two years.

The guidance notes that an evaluation can also be performed upon identifying security incidents, upon changes being made in the organization, and upon implementation of new technology. Each of these events can affect whether the CE or BA is following its own policies and procedures, and whether it is following the Security Rule.

The guidance also notes that evaluations should take the form of reports, and that the supporting materials considered in the evaluation, the recommendations made in response to it, and any subsequent changes made in response to its findings should all be fully documented.

What is the Difference Between the Evaluation Standard and the Requirement to Perform a Security Risk Analysis?
The security management process standard, an administrative safeguard, requires covered entities and business associates to perform a risk analysis. To perform a risk analysis, covered entities and business associates must "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." 

Covered entities and business associates are encouraged to perform a risk analysis in response to environmental or operational changes, but the risk analysis requirement does not require that such changes occur to trigger the analysis. A risk analysis can be performed at any time (and, according to HHS guidance, should be performed continuously) to identify security risks and the probability of their occurrence.

In contrast, the evaluation standard specifically requires an evaluation to establish the effectiveness of security policies and procedures. Changes to those policies and procedures should be made if warranted by the evaluation findings. In addition, the evaluation must be performed specifically in response to changes in an entity's environment or operations that affect ePHI security. There is no requirement that a risk analysis be performed in response to such changes, although conducting one in response to such changes is certainly recommended and encouraged.
