HECVAT Category

HIPAA Compliance

The HIPAA Compliance category covers the controls and questions related to the handling of protected health information. It outlines the expectations institutions typically place on vendors in this area, helps assess a vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.

Assessment Questions

HIPA-01

Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?

This question is asking whether your organization provides regular training to employees (workforce members) specifically about HIPAA Privacy and Security Rules and the HITECH Act.

HIPA-02

Have you identified areas of risk?

This question is asking whether your organization has conducted a formal risk assessment to identify potential security vulnerabilities and compliance gaps related to Protected Health Information (PHI) as required by HIPAA regulations.

HIPA-03

Have the relevant policies/plans been tested?

This question is asking whether your organization has tested the policies and plans that are relevant to HIPAA compliance.

HIPA-04

Have you entered into a Business Associate Agreement with all subcontractors who may have access to protected health information (PHI)?

This question is asking whether your organization has formal Business Associate Agreements (BAAs) in place with all subcontractors who might handle Protected Health Information (PHI).

HIPA-05

Do you monitor or receive information regarding changes in HIPAA regulations?

This question is asking whether your organization actively stays informed about updates, changes, or new interpretations of the Health Insurance Portability and Accountability Act (HIPAA) regulations.

HIPA-06

Has your organization designated HIPAA Privacy and Security officers as required by the rules?

This question is asking whether your organization has formally appointed specific individuals to serve as HIPAA Privacy and Security Officers, which is a requirement under the Health Insurance Portability and Accountability Act (HIPAA).

HIPA-07

Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?

This question is asking whether your organization complies with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act expanded and strengthened the privacy and security provisions of HIPAA (Health Insurance Portability and Accountability Act).

HIPA-08

Have you conducted a risk analysis as required under the HIPAA Security Rule?

This question is asking whether your organization has conducted a formal risk analysis as required by the HIPAA Security Rule. The HIPAA Security Rule requires covered entities and business associates to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they hold or process.

HIPA-09

Have you taken actions to mitigate the identified risks?

This question is asking whether your organization has implemented specific measures to address risks identified during your HIPAA risk assessment process. Under HIPAA, covered entities and business associates must conduct regular risk analyses to identify potential vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). However, simply identifying risks is not enough - the Security Rule requires organizations to implement security measures to reduce these risks to a 'reasonable and appropriate' level.

HIPA-10

Does your application require user and system administrator password changes at a frequency no greater than 90 days?

This question is asking whether your application enforces password rotation policies for both regular users and system administrators at least every 90 days.

HIPA-11

Does your application require users to set their own password after an administrator reset or on first use of the account?

This question is asking whether your application forces users to create their own password when their account is first created or after an administrator resets their password, rather than continuing to use a temporary or administrator-set password.

HIPA-12

Does your application lock out an account after a number of failed login attempts?

This question is asking whether your application implements account lockout mechanisms after a certain number of failed login attempts. This is a fundamental security control that helps prevent brute force attacks, where attackers systematically try many password combinations to gain unauthorized access.

HIPA-13

Does your application automatically lock or log out an account after a period of inactivity?

This question is asking whether your application has an automatic timeout feature that either locks a user's session or logs them out completely after a period of inactivity.

HIPA-14

Are passwords visible in plain text, whether when stored or entered, including service level accounts (i.e., database accounts, etc.)?

This question is asking whether passwords are ever visible in plain text (unencrypted, readable form) in your systems, either when they are stored in databases/files or when users are entering them. This includes service accounts like database credentials.

HIPA-15

If the application is institution-hosted, can all service level and administrative account passwords be changed by the institution?

This question is asking whether, for an application hosted within the institution's own environment (as opposed to being hosted by the vendor or in the cloud), the institution itself has the ability to change all service level and administrative account passwords.

HIPA-16

Does your application provide the ability to define user access levels?

This question is asking whether your application has the capability to implement different levels of user access, often referred to as role-based access control (RBAC). In the context of HIPAA compliance, this is critical because the HIPAA Security Rule requires healthcare organizations to implement technical safeguards that restrict access to Protected Health Information (PHI) based on a user's role within the organization.

HIPA-17

Does your application support varying levels of access to administrative tasks defined individually per user?

This question is asking whether your application allows for granular administrative access controls that can be configured differently for each user. In the context of HIPAA compliance, this relates to the principle of 'least privilege' - ensuring users only have access to the minimum information and functions necessary to perform their job.

HIPA-18

Does your application support varying levels of access to records based on user ID?

This question is asking whether your application has the capability to implement role-based access control (RBAC) or similar mechanisms that restrict what data users can see based on their identity.

HIPA-19

Is there a limit to the number of groups to which a user can be assigned?

This question is asking whether your system places restrictions on how many different security or access groups a single user account can be assigned to. In the context of HIPAA compliance, this relates to access control mechanisms.

HIPA-20

Do accounts used for solution provider-supplied remote support abide by the same authentication policies and access logging as the rest of the system?

This question is asking whether the accounts that your organization's solution providers (vendors, contractors, etc.) use for remote support follow the same authentication policies and access logging requirements as all other accounts in your system.

HIPA-21

Does the application log record access including specific user, date/time of access, and originating IP or device?

This question is asking whether your application maintains detailed access logs that capture who accessed the system, when they accessed it, and from where. Specifically, it wants to know whether your logs record the specific user, the date and time of access, and the originating IP address or device.

HIPA-22

Does the application log administrative activity, such as user account access changes and password changes, including specific user, date/time of changes, and originating IP or device?

This question is asking whether your application maintains detailed logs of administrative actions, specifically focusing on user account management activities like creating/modifying accounts and password changes. For each action, the system should record who performed it (the specific user), when it happened (date/time), and where it originated from (IP address or device identifier).

HIPA-23

Do you retain logs for at least as long as required by HIPAA regulations?

This question is asking whether your organization maintains system and access logs for the minimum duration required by HIPAA (Health Insurance Portability and Accountability Act) regulations.

HIPA-24

Can the application logs be archived?

This question is asking whether your application has the capability to archive its logs, which is an important aspect of HIPAA compliance.

HIPA-25

Can the application logs be saved externally?

This question is asking whether the application's logs can be exported, transferred, or stored in an external system outside of the application itself.

HIPA-26

Do you have a disaster recovery plan and emergency mode operation plan?

This question is asking whether your organization has two specific plans required by HIPAA regulations: a disaster recovery plan and an emergency mode operation plan.

HIPA-27

Can you provide a HIPAA compliance attestation document?

This question is asking whether your organization can provide documentation that attests to your compliance with the Health Insurance Portability and Accountability Act (HIPAA).

HIPA-28

Are you willing to enter into a Business Associate Agreement (BAA)?

This question is asking whether your organization is willing to sign a Business Associate Agreement (BAA) with the entity conducting the assessment.

HIPA-29

Do your data backup and retention policies and practices meet HIPAA requirements?

This question is asking whether your organization's data backup and retention policies comply with the Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting Protected Health Information (PHI).

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub