This article explores section §164.308(a)(8) of HIPAA, which deals with HIPAA policy evaluation and periodic examination of security requirements. Policies must be re-evaluated to ensure they are sufficient and appropriate for HIPAA compliance. This is required for changes in the general security climate as well as changes in a covered entity’s use of electronic protected health information (ePHI).

HIPAA Policy Evaluation

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”

There is no implementation specification provided for this requirement. However, there are several audit procedures that will determine compliance. First, an auditor will meet with management to determine whether periodic evaluations are conducted internally or by hired consultants. The auditor will view copies of the HIPAA policy evaluation and determine who performed the assessment. If the evaluations were performed by a third party, the auditor will then determine whether an agreement between the covered entity and the third party exists and if it includes verification of the consultants’ qualifications.

Second, there are several policy requirements that the auditor must examine. The auditor will determine if the covered entity has policies and procedures in place to ensure the following:

  • Periodic evaluations consider all elements of the HIPAA Security Rule.
  • Preparation of materials and documents takes place in advance of a HIPAA policy evaluation.
  • The results of evaluations are documented, including remediation recommendations and plans.
  • Evaluations are repeated whenever there are changes within the organization that affect the security of ePHI.

Finally, the auditor will determine from management whether all of the above policies are reviewed and approved on a periodic basis.

Changes in the 2013 HIPAA Update

No changes to the HIPAA contingency planning requirements were included in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.
Periodic HIPAA policy evaluation is important for ensuring continued legal compliance. As a covered entity’s business environment and business relationships evolve, policies and procedures must be re-examined to ensure the continued security of ePHI used by the covered entity.