The Medical Center must regularly conduct a technical and non-technical evaluation of its security controls and processes to document its compliance with its security policies and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The purpose of this standard is to ensure compliance with the evaluation requirement of the HIPAA Security Rule.
This standard applies to the Medical Center.
- The evaluation may be carried out either by an appropriate internal group or by a third party. The evaluation process must be formal, defined, and documented.
- After the initial evaluation, the Medical Center must conduct a thorough technical and non-technical evaluation of its security controls and processes on a periodic basis or when environmental or operational changes significantly impact the confidentiality, integrity or availability of its Electronic Protected Health Information (EPHI).
- STS will perform this evaluation. The documented results of each evaluation cycle will be provided to the Chief Information Technology Officer.
Additional policies and resources may be found in the Summary of the HIPAA Security Rule, the University of Virginia Institutional Data Protection Standards, and the Medical Center Risk Assessment.