Below is our HIPAA Risk Level Evaluation.  It has 31 privacy and security questions for you to answer and will take approximately 10 minutes to complete. As part of the SIMBUS system, the results will be made available immediately after the evaluation.

Please be sure to answer each question as truthfully and accurately as possible.  Your answers are critical to the success of the overall report.

At the end we will ask for your name, company name and email and give you a detailed report immediately. The report is a graphical analysis that shows where you are with compliance.  For each question answered, the report will give you a risk level, a detailed explanation and full recommendations based on how you answered each question.  Enjoy!

PHI Types
  • PHI Items: To which of the following items of PHI do you have access? Please check all that apply.
    Names All geographic subdivisions/addresses smaller than a State
    All elements of dates (except year) Telephone numbers
    Fax Numbers Electronic mail addresses
    Social Security Numbers Medical record numbers
    Health plan beneficiary numbers Account numbers
    Certificate/License Numbers Vehicle identifiers and serial numbers, including license plate numbers
    Device Identifiers and Serial Numbers Web Universal Resource Locators (URLs)
    Internet protocol (IP) address numbers Biometric identifiers, including finger and voice prints
    Full face photographic images and and any comparable images Genetic data
    Additional PHI Items: Please list any previously unmentioned PHI to which you have access (separate by commas). If none exist, leave blank.
PHI Access
  • PHI Access: Select one of the following which best describes your company's access to your client's protected health information (PHI).
    You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI *IS* encrypted.
    You store the PHI on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the PHI for your client. The PHI is *NOT* encrypted.
    You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data *is* encrypted. PHI in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
    You store the PHI for your client in a type of data warehouse, but you do not access the data to do any business processing, and the data is *NOT* encrypted.
    You access PHI on your client's system through some type of secured remote access connection (e.g. VPN or dedicated line), but you never store the PHI on any of your own systems or storage devices.
    You must go to your client's facilities to access the PHI, but you cannot remove any PHI or access it from a remote location.
Compliance Questions
  • Assigned Responsibilities: Name the formally designated person or position that serves as your organization's privacy and security officer, or otherwise has assigned responsibility for privacy and security. If none, leave blank.
    Policies & Procedures Maintenance: When was the last time you updated your documented privacy and information security policies and procedures?
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We do not have any documented policies or procedures
    Policies & Procedures Communications: Describe how the privacy and information security policies and procedures are communicated to all personnel, and made available for them to review at any time. Check all that apply.
    Via Email Put on Company Intranet
    Put on Internet Site Distribute Printed Copies
    Make Available in Management Policy Binders Some Other Method
    Policies and Procedures are Not Communicated or Provided
    Security & Privacy Training: When was your most recent information security and privacy training?
    Less than 6 months ago
    6 - 12 months ago
    1 - 2 years ago
    More than 2 years ago
    Security Risk Assessments: When did you perform your most recent information security risk assessment? NOTE: This compliance assessment you are currently taking is NOT a full security risk assessment, so do not count this as your most recent security risk assessment.
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We've never done a risk assessment
    Vulnerability Assessments & Penetration Test: When was the last time you performed a vulnerability assessment or penetration scan on your networks and systems? NOTE: These are typically automated scans, and are not the same as a full security risk assessment. Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We've never performed a vulnerability assessment or penetration scan on our networks and systems.
    Encryption: Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
    Yes. We have processes in place to encrypte data in storage and in transit.
    No. We usually do not use encryption.
    In some storage or through public networks, but not both, or in some cases but not others.
    Information Disposal: Do you require information, in all forms, to be disposed of using secure methods? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have information disposal requirements established for all forms of information media (paper, digital, audio, video, etc.).
    No. We do not have information disposal requirements established.
    We have disposal requirements for disposal of some forms information, but not all.
    Security Incidents and Breach Response: Do you have a documented security event monitoring (e.g. using security information and event management (SIEM) software), a documented security incident plan, documented breach response and notification plans, and teams or staff to support the plans? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have all our security incident and breach response policies, procedures and supporting practices in place.
    No. We do not have security incident or breach response plans documented or otherwise in place as described.
    We have around half of these things in place, but have more work to do.
    Contracted Third Parties: Do you outsource any activities involving protected health information (PHI) or other confidential information obtained from the covered entity, or business associate if you are a subcontractor? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We use outsourced vendors to perform activities for us involving PHI.
    No, we do not outsource activities involving PHI (such as to cloud services, apps providers, backup services, etc.).
    We're not sure if we outsource any activities involving PHI.
    BA Agreements: Does your organization have Business Associate (BA) agreements in place with each of the third parties that you contract to do work for your organization, that involves their access to PHI? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We follow policies to obtain signed agreements from all our BAs.
    No. We do not use BA agreements.
    We're not sure; we may have some in place but probably not for all BAs.
    Legal Compliance Awareness: Do you follow a process to identify new data protection legal requirements? (e.g., new state breach notification requirements)? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We follow procedures to stay up-to-date with legal requirements for data protection.
    No. We do not follow any formal processes to stay up-to-date with legal requirements for data protection.
    We have an outside lawyer that we depend upon to tell us our legal requirements. We do not know if they have a formally documented procedure to do so, though, and hope that they would let us know when some new data protection requirement comes up.
    We try to do what we're supposed to, but it is not a formal comprehensively documented procedure.
    Data Protection Legal Compliance: Check all the following standards and regulations for which you can verify compliance. If a legal requirement is not applicable to your organization, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the \"Add Files\" option.
    Health Insurance Portability & Accountability Act (HIPAA) & the accompanying HITECH Act ISO/IEC 27001/27002
    Payment Card Industry (PCI) Data Security Standard (DSS) Children's Online Privacy Protection Act (COPPA)
    Applicable state breach notice laws (in 2018 there were at least 54) Other
    None EU General Data Protection Regulation (GDPR)
Personnel Security
  • Worker Background Checks: Does your organization perform background checks to examine and assess an employee's or contractor's work and criminal history? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We perform background checks following our documented policies and procedures.
    No. We do not perform background checks on potential or current employees or contractors.
    We are a small organization of 1-5 persons, know each other well, and are not planning to hire anyone in the future, so this action is not applicable to our business.
    Employee NDAs: Are your employees required to sign a non-disclosure agreement (NDA) upon hire, and then again annually? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes, we have documented employee confidentiality policies & procedures, and all our workers sign NDAs.
    No, we do not require our employees to sign NDAs.
    We are a small organization of 1-5 persons, know each other well, and are not plannng to hire anyone in the future, so this action is not applicable to our business.
    Off-boarding Security: Do you have a formal process to manage the termination and/or transfer of employees? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have formal processes for off-boarding workers.
    No. We do not have processes for off-boarding workers.
    We are a small organization of 1-5 persons and are not planning to hire anyone in the future, so this action is not applicable to our business.
    Physical Security: Do you have physical security controls (e.g., door locks) to prevent unauthorized access to facilities and a facility security plan? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have implemented physical controls to protect access to PHI.
    No. We do not have formal physical security controls in place to prevent access to PHI.
    We are a completely mobile business and use no office space; all our employees work from their home. So this action is not applicable to our business.
    Data Protection: Do you have controls on systems and networks that host, process and/or transfer sensitive information, including the use of firewalls and controls for protecting network devices from unauthorized access and data-theft? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have data protection controls implemented, and associated policies & procedures.
    No, do not have such controls in place, or we only have one or two that we've implemented.
    We have some of these controls in place, but not all of them.
    We use a managed systems provider (MSP) that is responsible for and manages all the systems and networks we use for our business. So this action is not applicable to our business; it is the responsibility of the MSP.
    Access Controls: Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We follow formally documented access authorization procedures.
    No. We do not have a formal access authorization process in place.
    We have a loose rule about this, but we do not have a formal access authorization procedure in place.
    We are a small organization of 1-5 persons, do not use an MSP, and we all perform generally the same types of activities with the same data, so this action is not applicable to our business.
    ID Management: Do you require each user ID to be unique and not shared with others, and have a process to remove them when the user leaves the organization? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have policies and procedures prohibiting IDs from being shared.
    No. We have no restrictions on ID sharing.
    For the most part we do not share IDs. But we have one or a very few IDs we share.
    Malicious Code Controls: Have you implemented anti-malware (e.g., anti-virus, spam filters, etc.) on your computers and supporting systems? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We have Have you implemented anti-malware (e.g., anti-virus, spam filters, etc.) software and technologies on our computing and storage devices, and have documented policies and procedure in place for their use, and to keep them updated.
    No. But this is something we should do, or we do not believe this is necessary for our environment.
    We have some anti-malware tools in place on our systems and personal computers, but we should implement more to cover all computing and digital storage devices.
    We use a managed services provider (MSP) to do all our computing activities, so they need to have anti-malware in place, not us.
    Media handling: Do procedures exist to protect documents (e.g., paper files, prescription labels, print materials, etc.) and computer media (e.g., tapes, disks, CD-ROMs, etc.), from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.?If the answer is "No" to either of these questions, answer "No". Or, is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes, we have documented media handling policies and procedures implemented, and can provide upon request.
    No. We do not have documented media handling policies and procedures. See our reasons why below.
    We use a managed services provider (MSP) to do all our computing activities, so they need to have media handling procedures in place, not us. See more information about this in the text field below.
    Segregation of Computing Environments: Are development, test and production environments separated from operational IT environments to protect production (actively used) applications from inadvertent changes or disruption? Are the data files of your business clients segregated from one another? If the answer to either question is "No" indicate "No" as your answer. Or, is this not applicable at your organization?
    Yes. They are separated.
    No. They are not separated. Provide an explanation for why in the field below.
    We use a managed systems provider (MSP) and are not sure, but we think they are using segregation of computing environments management procedures.
    We are a small organization of 1-5 persons, do not use an MSP, and we do not create software, so this action is not applicable to our business.
    Segregation of Duties: Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider.
    Yes. They are separated.
    No. They are not separated. Provide an explanation for why in the text field below.
    We are a small (e.g., 1 - 5 person) business and we all know each other well and perform many different duties, so this action is not feasible to our business.
    Change Management: Do formally documented change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., virus or spyware) patching activities? Or, is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We follow formally established change management procedures.
    No. We do not have, or need to have, change management procedures. See our reasons why below.
    We use a managed systems provider (MSP) and are not sure, but we think they are using change management procedures.
    Controls: How would you evaluate your current implementation of all the information security and privacy controls needed within your organization to effectively mitigate risks and meet all legal requirements?
    We have fully implemented all the controls and we are now managing ongoing compliance.
    We have around half to most of the controls implemented, but still have some work to do.
    We are just getting started, and no to some of the controls fully implemented.
    Documentation: Could you provide documentation (e.g., information security policies, supporting business documentation, etc.) for all your organization's information security and privacy controls within 24 hours or request?
    Yes, we have everything well documented and can provide upon request.
    Yes, we could for most of our information security and privacy controls. However, some would take longer.
    No, we still need to do a lot of documentation, but we're working on it.
    Digital Connectivity: Are connections to your networks and systems logged and monitored? Or, do you believe that is this not applicable at your organization? If not applicable, provide information for why in the text box below. Also provide any additional information in the text box you believe is important to consider. And, if you have documentation to support your answers that you would like to provide, please attach them using the "Add Files" option.
    Yes. We consistently monitor all networks and systems connections
    No. We do not monitor networks and systems connections.
    We do some logging, but we do not log everything involving all types of access to PHI on systems and networks.
    We use a managed services provider (MSP) so we are not sure, but we think they are logging connections to the systems and networks.
Final Step: Please enter your name & email so we can let you know when we have more helpful information security and privacy tools available for you to use.
  • Contact Name  (Optional,but we use this to personalize your printable report)
  • Email (Required to send you notices when we have more tools for you to use.)