Have the relevant policies/plans been tested?
Explanation
Testing of HIPAA-relevant policies and plans is what this examines, confirming that your documented safeguards have actually been exercised rather than left on paper.
In the context of HIPAA, 'relevant policies/plans' typically refers to your organization's security policies, privacy policies, incident response plans, disaster recovery plans, business continuity plans, and any other documented procedures that help ensure the confidentiality, integrity, and availability of Protected Health Information (PHI).
'Testing' these policies means verifying that they work as intended through exercises like tabletop scenarios, simulations, drills, or actual implementations. For example, testing an incident response plan might involve simulating a data breach and ensuring the team follows the documented procedures correctly.
This question is being asked because HIPAA requires covered entities and business associates to not just have policies in place, but to periodically evaluate their effectiveness. Under the HIPAA Security Rule, specifically 45 CFR § 164.308(a)(8), organizations must perform periodic technical and non-technical evaluations to ensure that security policies and procedures meet the requirements of the Security Rule.
To best answer this question, you should:
- Identify all policies and plans relevant to HIPAA compliance in your organization
- Document when and how each policy/plan was last tested
- Describe the testing methodology (e.g., tabletop exercise, simulation, audit)
- Note any findings from the tests and remediation actions taken
- Indicate the frequency of testing (e.g., annually, quarterly)
If you haven't tested some or all of your policies, it's important to be honest and provide a timeline for when testing will occur.
Guidance
Refer to HIPAA regulations documentation for supplemental guidance in this section.
Example Responses
Example Response 1
Yes, all HIPAA-relevant policies and plans are tested on a regular schedule Our incident response plan is tested quarterly through tabletop exercises involving our security, IT, compliance, and executive teams Our disaster recovery and business continuity plans are tested annually through full simulations, with the most recent test completed on March 15, 2023 Privacy policies are reviewed semi-annually by our compliance team and tested through mock audits All test results are documented, reviewed by our HIPAA Security Officer, and any identified gaps are addressed through our formal remediation process Evidence of these tests and their outcomes can be provided upon request.
Example Response 2
Yes, we conduct comprehensive testing of our HIPAA-relevant policies and plans Our testing program includes: 1) Annual penetration testing of our systems containing PHI, last completed January 2023; 2) Quarterly incident response simulations with scenarios specifically involving PHI breaches, most recently conducted in April 2023; 3) Bi-annual disaster recovery testing that includes restoration of PHI data from backups, last performed in December 2022; and 4) Annual compliance audits by an independent third party to verify adherence to our privacy policies, with the most recent audit completed in March 2023 All test results are documented in our compliance management system, and any findings are tracked to resolution through our risk management process.
Example Response 3
No, not all of our HIPAA-relevant policies and plans have been formally tested yet While we have comprehensive documentation of our policies, we have only conducted partial testing of our incident response procedures through informal walkthroughs We have not yet performed formal testing of our disaster recovery or business continuity plans as they relate to PHI We recognize this gap in our compliance program and have scheduled comprehensive testing of all HIPAA-relevant policies and plans to begin next quarter We have engaged a third-party security firm to assist with this testing, and we have developed a testing schedule that will ensure all policies are tested by the end of this calendar year In the interim, we have implemented additional monitoring controls to help mitigate risks.
Context
- Tab
- Case-Specific
- Category
- HIPAA Compliance
Related questions
- Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?
- Have you identified areas of risk?
- Have you entered into a Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?
- Do you monitor or receive information regarding changes in HIPAA regulations?
- Has your organization designated HIPAA Privacy and Security officers as required by the rules?
- Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?

