HIPA-03

Have the relevant policies/plans been tested?

Explanation

This question asks whether your organization has tested the policies and plans that are relevant to HIPAA compliance. In the context of HIPAA, 'relevant policies/plans' typically means your security policies, privacy policies, incident response plans, disaster recovery plans, business continuity plans, and any other documented procedures that help ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). 'Testing' these policies means verifying that they work as intended through tabletop scenarios, simulations, drills, or real-world execution. For example, testing an incident response plan might involve simulating a PHI breach and confirming that the team follows the documented procedures correctly, including the steps for deciding whether breach notification is required.

This question is asked because HIPAA requires covered entities and business associates not just to have policies in place, but to periodically evaluate their effectiveness. Under the HIPAA Security Rule, 45 CFR § 164.308(a)(8) (the Evaluation standard), organizations must perform periodic technical and non-technical evaluations to confirm that security policies and procedures meet the requirements of the Security Rule. In addition, the Contingency Plan standard at § 164.308(a)(7) includes testing and revision procedures for contingency plans as an implementation specification, so reviewers will expect evidence that disaster recovery and backup restoration plans have actually been exercised, not just written.

To best answer this question, you should:

1. Identify all policies and plans relevant to HIPAA compliance in your organization.
2. Document when and how each policy/plan was last tested.
3. Describe the testing methodology (e.g., tabletop exercise, simulation, audit).
4. Note any findings from the tests and the remediation actions taken.
5. State the frequency of testing (e.g., annually, quarterly).

If you have not tested some or all of your policies, be honest about it and provide a timeline for when testing will occur.

Guidance

Refer to the HIPAA Security Rule (45 CFR Part 164, Subpart C) and the HHS Office for Civil Rights guidance for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, all HIPAA-relevant policies and plans are tested on a regular schedule. Our incident response plan is tested quarterly through tabletop exercises involving our security, IT, compliance, and executive teams. Our disaster recovery and business continuity plans are tested annually through full simulations, with the most recent test completed on March 15, 2023. Privacy policies are reviewed semi-annually by our compliance team and tested through mock audits. All test results are documented and reviewed by our HIPAA Security Officer, and any identified gaps are addressed through our formal remediation process. Evidence of these tests and their outcomes can be provided upon request.

Example Response 2

Yes, we conduct comprehensive testing of our HIPAA-relevant policies and plans. Our testing program includes: 1) annual penetration testing of our systems containing PHI, last completed January 2023; 2) quarterly incident response simulations with scenarios specifically involving PHI breaches, most recently conducted in April 2023; 3) semi-annual disaster recovery testing that includes restoration of PHI data from backups, last performed in December 2022; and 4) annual compliance audits by an independent third party to verify adherence to our privacy policies, with the most recent audit completed in March 2023. All test results are documented in our compliance management system, and any findings are tracked to resolution through our risk management process.

Example Response 3

No, not all of our HIPAA-relevant policies and plans have been formally tested yet. While we have comprehensive documentation of our policies, we have only conducted partial testing of our incident response procedures through informal walkthroughs. We have not yet performed formal testing of our disaster recovery or business continuity plans as they relate to PHI. We recognize this gap in our compliance program and have scheduled comprehensive testing of all HIPAA-relevant policies and plans to begin next quarter. We have engaged a third-party security firm to assist with this testing, and we have developed a testing schedule that will ensure all policies are tested by the end of this calendar year. In the interim, we have implemented additional monitoring controls to help mitigate risks.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub