When did you last conduct a review of security policies and procedures?

Privacy Policies and Procedures – Have you created and do you regularly review and update written privacy policies and procedures as required by law?

Information Management and Security Program – Do you have written policies and procedures for information management and security?

Confidentiality Agreements – Do you have signed confidentiality agreements with employees, partners, and other businesses with access to confidential information (such as “business associate agreements”) and do you keep copies of these agreements?

Notice of Privacy Policy and Procedures – If you are a health care practitioner, do you obtain a signed acknowledgement of receipt of your privacy policies and procedures when required?

Risk Assessment – Have you conducted an information security risk assessment?

When did you last conduct an information security risk assessment?

Annual Review – Do you annually review your information security policy and procedures to ensure the suitability and effectiveness of information security?

Forms Review – Do you annually review your standard forms for compliance with state and federal regulations?

When did you last review or update your practice forms?

Authorization – Do you obtain proper authorization for disclosure of personal information when needed and maintain a record of these authorizations?

Authorization – Do you obtain proper authorization for disclosure of personal information when needed and maintain a record of these authorizations?

Complaints – Do you have a privacy complaint form that you provide when someone has a problem related to your use or disclosure of information?

Information Privacy and Security Training – Do you provide annual training to all employees that covers information privacy and security requirements and consequences of legal and policy violations?

When did you last conduct training?

Access Limits – Do you have procedures for limiting the disclosure of information to the minimum necessary needed for each job function?

Access Termination – Do you have a written checklist that you follow to restrict a person’s access to information and the facility (keys, passwords) when the person leaves or changes their employment role?

Personnel Screening – Do you request and verify employee background and work history for employees who will have access to confidential or personal information?

Physical Assessment – Have you conducted a review of your facility’s physical and environmental security, such as building entry controls, alarms, fire detection, and temperature controls?

When did you last conduct this review?

Physical Access Control – Do you have procedures to monitor and control physical access to facilities?

Environmental Controls – Do you maintain systems for backup power for an orderly computer shutdown process, fire detection, temperature and humidity controls and water damage detection?

Disaster Recovery Plan – Check each of the following disaster recovery options you have to support your ability to continue your business in the event of a catastrophic loss of information:

Monitoring – Do you maintain an unalterable computer system log and routinely audit logs, security events and system use?

Data Classification – Do you maintain policies and procedures to classify information by its value, sensitivity, and critical need to your business?

Access Controls – Check each of the following procedures you use to limit or prevent access to information:

Data Storage and Portable Media Protection – Do you follow written policies and procedures to protect data on electronic storage media, including CDs and DVDs, USB storage devices and portable hard drives?

Lock-Out for Inactive Computing Devices – Do you configure devices to automatically lock after a period of inactivity is enforced?

Anti-Virus Protection – Do you regularly use and update security software to protect against computer viruses and malware?

Software Changes – Is your software and systems designed to detect and protect against unauthorized changes to software and information?

Information Input – Do you have policies and procedures to verify information for accuracy, completeness, and validity?

Information Correction – Do you have a policy and procedure for identification, reporting, and correction of information errors?

Software Usage Restrictions – Do you have procedures to comply with software usage restrictions in accordance with contact agreements and copyright laws?

User Installed Software – Do you have an explicit policy governing the downloading and installation of software by users?

Outsourced Information Services – Do you ensure that third-party providers of information system services employ adequate security controls in accordance with applicable laws, your policies and service agreements?

Device Security – Do you apply operating system and application updates, patches, and fixes as soon as they become available?

Incident Response – Do you have and follow a written information breach notification process and incident response policy and procedure?

Breach Assessment – Do you have a procedure and guidelines for conducting a breach assessment to determine whether you must provide breach notification under state or federal law?