1. Does your practice create and implement HIPAA Policies and Procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?
Yes No Uncertain
2. When was the last time you updated your HIPAA Policies and Procedures?
Within the last 12 months / Over 12 months ago / We do not maintain a current set of HIPAA Policies and Procedures
3. Does your practice maintain a formal program to mitigate the threats and vulnerabilities identified through the risk analysis? Are the implementation safeguards well documented?
Yes No Uncertain
4. Does your practice create and maintain Workstation Use, Acceptable Use, and Sanction Policies for its workforce members?
Yes No Uncertain
5. Does your practice have policies and procedures to review information system activity?
Yes No Ask IT
6. Has your practice designated a Security Officer to develop and implement security policies and procedures? Does the Security Officer fully understand what HIPAA safeguards are required?
Yes No Uncertain
7. Does your practice maintain records to identify each employee's access to your practice's facilities, information systems, electronic devices, and ePHI?
Yes No Ask IT
8. Has your practice identified all Business Associates and executed the required Business Associate Agreements with persons or entities that you share ePHI with?
Yes No Ask IT
9. If so, do your Business Associate Agreements include an 'Indemnification Clause' to protect the practice from a data breach caused by your Business Associates?
Yes No Not Sure
10. Do you screen employees (i.e. run background checks) prior to enabling access to your facilities, information systems, and/or ePHI?
Yes No Uncertain
11. When was the last time you conducted security and awareness training for workforce members involved with access to protected health information?
Within the last 12 months / Over 12 months ago / We do not conduct security and awareness training
12. How was your security and awareness training conducted?
A HIPAA Advisor comes to our office / We conduct our training internally through a purchased set of content / We take online courses / We do not conduct security and awareness training
13. Does your practice have incident response policies and procedures that assign specific roles and responsibilities in case of an incident or emergency?
Yes No Ask IT
14. Does your practice's incident response prioritize system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?
Yes No Ask IT
15. Does your practice have formal policies and procedures when employees or Business Associates are terminated?
Yes No Uncertain
16. Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?
Yes No Uncertain
17. Does your practice maintain documentation identifying which HIPAA Safeguards have been implemented, and a history of Employee Acknowledgements showing proof of Security and Awareness Training and their understanding of HIPAA Policies and Procedures?
Yes No Uncertain
18. Does the practice understand the requirements under the HIPAA Breach Notification Rule in case you are required to notify Health and Human Services in response to a patient data breach?
Yes No Uncertain
19. Does your practice have policies and procedures to assign a unique ID for each authorized system user?
Yes No Ask IT
20. How are you currently backing up your protected health information?
Offsite backup solution / Inside my Practice Management Software / Onsite backup solution
21. How many consecutive days of data backup sets do you currently maintain?
We have multiple sets (days) of data backup / One (we back up daily) / Not Sure
22. Does your practice have policies and procedures for restoring an exact copy of ePHI as a backup in case of a ransomware attack or other security incident?
Yes No Ask IT
23. Have you ever tested if your practice can effectively recover from an emergency and resume normal operations and access to ePHI?
Yes No Ask IT
24. Does your practice have audit controls that can monitor, record and/or examine information system activity?
Yes No Ask IT
25. Does your practice protect the confidentiality of authorized users and their passwords? Do you have proper password policies and procedures in place?
Yes No Ask IT
26. Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted?
Yes No Ask IT
27. Are you utilizing e-mail scanning software to guard against malicious e-mail phishing techniques?
Yes No Ask IT
28. Who is responsible for ensuring that all firewalls, anti-virus software, software applications, and data backup systems are functioning and up to date?
IT Provider / Office Manager / I'd like a system review just to make sure
29. We do not use mobile devices for e-mail or texting of protected health information.
True False
30. We do not use laptops to store or transmit protected health information.
True False
31. Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?
Yes No Ask IT
32. Have you developed policies and procedures for your employees to gain access to your facility and its ePHI during a disaster?
Yes No Uncertain
33. Does your practice have specific policies and procedures to safeguard computer workstations, including remote access?
Yes No Ask IT
34. Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?
Yes No Uncertain
35. How does your organization primarily accept credit card payments?
Credit Card Terminal / Practice Management Software / QuickBooks Software / Payment Gateway
36. Has your practice taken a Self Assessment Questionnaire (SAQ) and attested to your Payment Card Industry compliance within the last 12 months?
Yes No Uncertain
37. Have you performed a scan of your IP address (vulnerability testing) within the last quarter?
Yes No Ask IT
38. Do you have a copy of your PCI Certificate on file?
Yes No Ask IT
39. Would you be interested in a complimentary merchant account security, functionality, and rate review?
Yes No Ask IT
40. Does your practice currently carry any insurance that covers your practice in case of a ransomware attack, HIPAA or PCI fine, loss of business profits, or expenses related to a data breach?
Yes No Uncertain
41. Would you be interested in learning how to obtain $250,000 in cyber insurance and access to an Incident Response Team in case of a ransomware attack, identity compromise, or patient data breach?
Yes, please contact me / I already have cyber insurance, but would be interested in learning more / Not today, but please contact me in the next month / No thank you
42. Approximately how many patient records are you responsible for?
1-500 / 501 to 1,000 / 1,001 to 5,000 / 5,001 to 10,000 / Over 10,000
43. How many locations do you see patients and/or accept payments in?
1 / 2 / 3 or more
44. Approximately how many years has your practice been in business?
Less than 5 / 5 to 10 / 11 to 20 / 21 or more
45. Do you have COVID-19 employee training, and have you created a COVID-19 safety plan?
Yes No