Security controls evaluated
Plain English Translation
Organizations must perform periodic technical and non-technical evaluations of their security controls to assess how well they meet the HIPAA Security Rule requirements. Evaluations must also be triggered by significant changes to the operational environment or infrastructure that could affect ePHI security.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Conduct an internal baseline review of implemented security policies and basic technical controls against a standard HIPAA compliance checklist.
Required Actions (scaleup)
- Implement automated vulnerability scanning and conduct annual independent penetration tests of the organization's technical safeguards.
Required Actions (enterprise)
- Establish a continuous compliance monitoring program that automatically triggers technical evaluations upon detecting significant infrastructure changes.
A HIPAA security evaluation is a formal assessment of an organization's technical and nontechnical security controls to ensure they effectively protect ePHI and meet regulatory requirements.
It requires organizations to perform a periodic technical and nontechnical evaluation to establish the extent to which their security policies and procedures meet the requirements of the HIPAA Security Rule.
HIPAA requires evaluations to be performed periodically, and additionally in response to any environmental or operational changes that affect the security of electronic protected health information.
A risk analysis focuses on identifying potential threats and vulnerabilities to ePHI, whereas a security evaluation assesses whether the implemented security controls effectively address those risks and comply with HIPAA standards.
A technical evaluation involves reviewing IT systems, network configurations, and access controls, while a nontechnical evaluation assesses administrative policies, physical security measures, and workforce training procedures.
The designated HIPAA Security Officer, often alongside internal audit teams or external third-party assessors, is responsible for coordinating and performing the comprehensive security evaluation.
An evaluation is triggered by major events such as migrating to a new cloud provider, deploying new core software applications, opening a new physical facility, or following a significant security incident.
Organizations should maintain formal documentation such as risk assessment reports, penetration testing results, vulnerability scan logs, and records of policy reviews to prove evaluations were conducted. Tools like WatchDog Security's Compliance Center can help centralize this evidence and show how each artifact supports HIPAA Security Rule requirements.
Yes, business associates are directly subject to the HIPAA Security Rule and must perform periodic technical and nontechnical evaluations of their own security controls protecting ePHI.
Evaluation results should be documented in a formal report detailing the scope of the review, the specific controls tested, any compliance gaps identified, and the strategic remediation plan to address those deficiencies. Tools like WatchDog Security's Risk Register can help convert evaluation findings into assigned risks, treatment plans, and leadership reporting.
HIPAA security evaluations require organizations to track scope, evidence, findings, and remediation across technical and nontechnical controls. Tools like WatchDog Security's Compliance Center can help map HIPAA requirements to evidence, identify gaps, and maintain an audit-ready record of evaluation activity.
Technical evaluations often produce vulnerability, configuration, and access-control findings that need ownership and follow-up. Tools like WatchDog Security's Vulnerability Management can centralize scan results, support triage workflows, and track remediation progress for control evaluation evidence.
"The company performs a periodic technical and nontechnical evaluation, based initially upon the HIPAA security rule, and subsequently, in response to environmental or operational changes affecting the security of electronic Protected Health Information (ePHI), establishes the extent to which the company's security policies and procedures meet the requirements of the HIPAA security rule (subpart C)."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | WatchDog GRC Team | Initial publication |

