HIPAA Security Risk Assessment for Clinic Sites

Inspection template for evaluating administrative, physical, and technical safeguards protecting electronic protected health information (ePHI) across clinic sites, with emphasis on identifying deficiencies, non-conformances, and remediation priorities.

Assessment Scope and Site Identification

  • Clinic site name, address, and department(s) in scope are documented
  • Assessment date, inspector name, and site contact are recorded
  • ePHI systems, devices, and workflows in scope are identified
  • Assessment scope includes all clinic locations, remote access points, and third-party connections

Administrative Safeguards and Governance

  • Security risk analysis has been performed and is documented
  • Risk management plan addresses identified threats, vulnerabilities, and remediation timelines
  • Security officer or responsible privacy/security lead is designated
  • Workforce HIPAA security awareness training is current
  • Policies for access control, password management, and acceptable use are available and current
  • Business associate agreements are documented for vendors handling ePHI

Physical Safeguards and Facility Controls

  • Public access to areas containing ePHI is controlled by badge, lock, or reception screening
  • Workstations displaying PHI are positioned to prevent casual viewing by patients or visitors
  • Screens automatically lock after an appropriate inactivity period
  • Paper PHI is stored in locked cabinets or secure rooms when unattended
  • Portable devices containing ePHI are secured against theft or unauthorized access
  • Visitor management controls are in place for non-workforce persons in restricted areas

Technical Safeguards

  • Unique user IDs are assigned to each workforce member with access to ePHI
  • Multi-factor authentication is enabled for remote access and privileged accounts
  • Access rights are reviewed and removed promptly for terminated or transferred users
  • Audit logs are enabled and reviewed for unauthorized access or unusual activity
  • Encryption is enabled for laptops, mobile devices, and data at rest where feasible
  • Transmission of ePHI over email, portals, or other networks uses secure methods
  • Backups are performed and restoration testing is documented
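The unique-user-ID, access-removal, and audit-log items above are usually verified by cross-referencing three artifacts the clinic already has: the HR termination roster, a directory export of account status, and the application's authentication log. The script below is an added example written for this page, not part of the template or of any product; the roster, directory export, and log lines are constructed for illustration, and the `user=` / `result=` field names are assumptions about the log format. It flags accounts still enabled after a user's termination date and any login activity (successful or failed) recorded after that date, which are the two findings an assessor most often writes up under these items.

```python
"""Access-review check for terminated users (added example, constructed data).

Cross-references an HR termination roster against a directory export and
authentication log lines, producing findings for:
  - accounts still enabled after the user's termination date
  - login activity (success or failure) after the termination date
Field names (user=, src=, result=) are assumed; adapt to the real log format.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: user id -> termination date. Current staff are absent.
TERMINATIONS = {
    "jsmith": date(2024, 3, 15),
    "rlee": date(2024, 2, 1),
}

# Constructed directory export: user id -> account enabled flag
DIRECTORY = {
    "jsmith": True,    # terminated but still enabled -> finding
    "rlee": False,     # disabled on time, no finding
    "amartin": True,   # current employee
}

# Constructed authentication log (syslog-like; format is an assumption)
AUTH_LOG = """\
2024-03-14T08:02:11 EHR-APP LOGIN user=jsmith src=10.20.1.15 result=success
2024-03-20T22:47:03 EHR-APP LOGIN user=jsmith src=10.20.1.15 result=success
2024-02-03T09:10:00 EHR-APP LOGIN user=rlee src=10.20.1.22 result=failure
2024-03-21T07:55:42 EHR-APP LOGIN user=amartin src=10.20.1.30 result=success
"""


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def parse_auth_log(text):
    """Return (timestamp, user, result) tuples from each log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        # Everything after the fixed columns is key=value pairs
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, fields["user"], fields["result"]))
    return events


def review_access(terminations, directory, log_text):
    """Produce findings for enabled accounts and activity after termination."""
    findings = []
    # Check 1: terminated users whose accounts are still enabled
    for user, term_date in terminations.items():
        if directory.get(user, False):
            findings.append(Finding(
                user, "account_enabled_after_termination",
                f"terminated {term_date.isoformat()}, account still enabled"))
    # Check 2: any authentication event dated after the termination date;
    # failed attempts are included because they show the account was still
    # being exercised and should also have been disabled
    for ts, user, result in parse_auth_log(log_text):
        term_date = terminations.get(user)
        if term_date and ts.date() > term_date:
            findings.append(Finding(
                user, "activity_after_termination",
                f"{result} login at {ts.isoformat()} after termination "
                f"{term_date.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in review_access(TERMINATIONS, DIRECTORY, AUTH_LOG):
        print(f"{f.user}: {f.issue} ({f.detail})")
```

Each finding maps directly to a checklist item: `account_enabled_after_termination` is a non-conformance under "access rights are removed promptly", and `activity_after_termination` is what the audit-log review item is meant to catch. On a real site, export the roster and directory to CSV and read them in place of the constructed dictionaries.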

Incident Response, Breach Readiness, and Remediation

  • Security incident response procedure is documented and accessible to staff
  • Recent security incidents, if any, were investigated and closed with documented corrective actions
  • Breach notification decision-making process is defined and understood by responsible staff
  • Open deficiencies have owners and target completion dates