The HIPAA Security Evaluation Standard: How to Conduct a Periodic Technical and Nontechnical Review (164.308(a)(8))
Executive Summary
Small healthcare practices are increasingly reliant on digital tools to manage patient data, yet many fail to implement a crucial piece of HIPAA compliance: the Security Evaluation Standard under 164.308(a)(8). This regulation requires covered entities to periodically evaluate their security safeguards, both technical and nontechnical, to ensure ongoing protection of electronic Protected Health Information (ePHI). This article breaks down exactly what small practices must do to comply with the standard, offering actionable guidance, common pitfalls, and expert tips for conducting meaningful evaluations without a dedicated IT department.
Introduction
HIPAA’s Security Rule is built on flexibility and scalability, especially for small providers, but there’s one section often overlooked: the Evaluation Standard. Codified at 45 CFR 164.308(a)(8), this requirement mandates periodic technical and nontechnical evaluations of your security measures.
Unlike a one-time risk analysis, the Evaluation Standard is an ongoing obligation. It helps practices confirm that security controls like access restrictions, antivirus tools, or workforce training are still working effectively as your technology, staff, or services evolve.
For small practices, failing to conduct evaluations can lead to serious gaps in protection and liability during audits or breaches. But the good news is that compliance doesn't require expensive consultants or complex systems. With the right tools and structure, small healthcare providers can meet this requirement confidently and cost-effectively.
What Is the HIPAA Security Evaluation Standard?
Under the HIPAA Security Rule, 45 CFR 164.308(a)(8) states:
“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
This standard requires covered entities to:
- Conduct evaluations periodically (e.g., annually and after major changes)
- Assess technical controls (e.g., firewalls, authentication, encryption)
- Assess nontechnical safeguards (e.g., staff training, policy enforcement)
- Use the results to verify continued compliance with the Security Rule
Importantly, the regulation doesn’t prescribe a specific method, giving small practices flexibility. The key is that the evaluation must be systematic, documented, and repeated.
When Should Evaluations Be Conducted?
HIPAA outlines two situations where evaluations are required:
- Initial Evaluation: after your security policies and controls are implemented, measured against the standards of the Security Rule
- Subsequent Evaluations:
  - On a regular schedule (e.g., annually, or more often if your practice changes quickly)
  - After environmental or operational changes affecting ePHI, such as:
    - Migrating to a new EHR system
    - Hiring new IT vendors
    - Expanding services to telehealth
    - Suffering a breach or security incident
Tip: Practices should schedule evaluations at least once per year and maintain a log to track them.
Technical vs. Nontechnical Evaluations: What's the Difference?
HIPAA requires practices to evaluate both technical and nontechnical aspects of their security program.
| Evaluation Type | What It Involves | Examples |
|---|---|---|
| Technical | Reviews of security hardware, software, and configurations | Password and encryption settings; firewalls and antivirus tools; system access logs; backup and restore testing |
| Nontechnical | Reviews of administrative and operational controls | Security policies and procedures; workforce training records; Business Associate Agreements; incident response protocols |
Both types must be assessed together to get a full picture of your practice’s compliance.
How to Conduct an Effective HIPAA Security Evaluation
Step 1: Prepare Your Evaluation Scope
Start by defining what will be reviewed. Use your existing Risk Analysis (164.308(a)(1)(ii)(A)) as a guide. Focus on:
- All systems and hardware that store or access ePHI
- Staff roles that interact with PHI
- Physical access points (e.g., storage rooms, front desk)
- Policies on email, texting, portable devices, and remote access
Create an evaluation checklist based on the HHS Security Rule categories:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies & Documentation
Step 2: Gather Documentation and System Information
Collect:
- System configurations
- Audit logs
- Network maps (if applicable)
- Training logs
- Past incident reports
- Security policies and SOPs
If your practice uses cloud-based systems (e.g., EHRs, billing), request relevant compliance documentation from vendors.
Step 3: Evaluate Technical Controls
- Are passwords and access controls enforced, and are accounts disabled promptly when workforce members leave or change roles?
- Is encryption enabled on every device and portable medium that stores or transmits ePHI?
- Are antivirus and anti-malware tools installed and up to date?
- Are backups completed on schedule and restore-tested, not just assumed to work?
- Are firewall and network configurations documented, and do they match what is actually deployed?
- Are audit logs enabled, retained, and actually reviewed by someone?
Use automated vulnerability scanners if available (some are free or affordable for small offices).
Step 4: Evaluate Nontechnical Safeguards
- Are staff trained on HIPAA annually?
- Are Business Associate Agreements current?
- Are security incidents documented and investigated?
- Are retired devices and media containing ePHI sanitized or destroyed before disposal?
- Are written policies enforced and up to date?
Interview staff members to understand how procedures are followed in practice, not just on paper.
Step 5: Document the Evaluation and Findings
This is the most critical part of compliance. Your evaluation should be written and dated, including:
- What was reviewed
- Who conducted the evaluation
- What was found (e.g., gaps, strengths)
- Any follow-up actions taken
This documentation proves your practice is continuously monitoring its HIPAA compliance.
Step 6: Remediate Gaps and Track Follow-Ups
- Update or retrain staff on policies
- Patch systems or update security software
- Modify workflows (e.g., prevent PHI faxing without cover sheets)
- Replace or encrypt outdated devices
Track follow-up tasks and assign deadlines to ensure full resolution.
Case Study: Neglecting Security Reviews After Operational Change
A small behavioral health clinic switched to a new cloud-based EHR system but failed to conduct a required security evaluation under HIPAA 164.308(a)(8). Months later, a former employee used still-active credentials to access and download over 1,100 patient records, including sensitive mental health information.
The practice had no system for monitoring access logs and had not updated its policies or staff training to match the new EHR’s features. OCR investigated and found that the clinic had not evaluated whether its technical and nontechnical safeguards remained effective after the transition, a direct violation of the HIPAA Evaluation Standard.
The clinic faced a monetary settlement and was placed under a corrective action plan requiring regular security evaluations, policy updates, and workforce retraining.
This case shows how skipping evaluations after operational changes, like adopting a new EHR, can expose serious vulnerabilities. A simple post-migration review that reconciled EHR accounts against current staff and looked at the access logs could have identified the access control failure and prevented the breach. Periodic evaluations aren't optional; they are essential for maintaining HIPAA compliance.
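The access-control and audit-log checks from Step 3, and the two failures in the case above (a departed employee's credentials left enabled, and access logs nobody monitored), can be turned into a repeatable script that runs as part of each evaluation. The following Python is an added example, not code from the original article or from any EHR vendor; the CSV column names, the audit-log line format, and every user, date, and patient ID are constructed for illustration and would need to be mapped onto whatever your HR system and EHR actually export.

```python
"""Scripted checks for the technical part of a 164.308(a)(8) evaluation.

Added example; all data, field names, and the log format below are
constructed for illustration and are assumptions about what an EHR exports.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster export (assumed columns).
HR_ROSTER_CSV = """user,status,separation_date
jdoe,active,
mlee,terminated,2024-03-15
rkhan,active,
tsmith,terminated,2024-05-02
"""

# Constructed EHR user-account export (assumed columns).
EHR_ACCOUNTS_CSV = """user,enabled,last_login
jdoe,true,2024-06-10
mlee,true,2024-06-12
rkhan,true,2024-06-11
tsmith,false,2024-04-30
svc_backup,true,2024-06-12
"""

# Constructed audit-log lines in an assumed "timestamp|user|action|patient" format:
# two clinicians doing normal daytime work, and one account exporting 40 records at 2 a.m.
AUDIT_LOG_LINES = (
    [f"2024-06-11T09:{i:02d}:00|jdoe|VIEW|P{1000 + i}" for i in range(6)]
    + [f"2024-06-11T10:{i:02d}:00|rkhan|VIEW|P{1100 + i}" for i in range(4)]
    + [f"2024-06-12T02:{i:02d}:00|mlee|EXPORT|P{2000 + i}" for i in range(40)]
)


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def stale_accounts(roster_csv, accounts_csv, as_of_iso):
    """Enabled EHR accounts with no active HR counterpart: terminated staff
    whose credentials were never disabled, plus accounts HR has no record of."""
    as_of = date.fromisoformat(as_of_iso)
    roster = {r["user"]: r for r in load_csv(roster_csv)}
    findings = []
    for acct in load_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to flag
        hr = roster.get(acct["user"])
        if hr is None:
            findings.append({"user": acct["user"],
                             "reason": "no HR record (orphan or service account)",
                             "login_after_separation": None})
            continue
        if hr["status"] != "terminated":
            continue
        separated = date.fromisoformat(hr["separation_date"])
        last_login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        findings.append({"user": acct["user"],
                         "reason": f"terminated {separated}, still enabled {(as_of - separated).days} days later",
                         "login_after_separation": bool(last_login and last_login > separated)})
    return findings


def parse_audit_log(lines):
    events = []
    for line in lines:
        ts, user, action, patient = line.strip().split("|")
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def bulk_access_outliers(events, floor=25, factor=5.0):
    """Users who touched far more distinct patients than their peers.
    Flag only when the count is at least `floor` AND more than `factor` times
    the median of everyone else, so a small clinic's normal variation is not flagged."""
    per_user = defaultdict(set)
    for _, user, _, patient in events:
        per_user[user].add(patient)
    counts = {u: len(p) for u, p in per_user.items()}
    flagged = {}
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user] or [0]
        if n >= floor and n > factor * statistics.median(others):
            flagged[user] = n
    return flagged


def off_hours_activity(events, open_hour=7, close_hour=19):
    """Number of events per user outside the practice's business hours."""
    counts = defaultdict(int)
    for ts, user, _, _ in events:
        if not (open_hour <= ts.hour < close_hour):
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in stale_accounts(HR_ROSTER_CSV, EHR_ACCOUNTS_CSV, "2024-06-13"):
        print("STALE ACCOUNT:", finding)
    evts = parse_audit_log(AUDIT_LOG_LINES)
    print("BULK ACCESS:", bulk_access_outliers(evts))
    print("OFF-HOURS:", off_hours_activity(evts))
```

Run against the constructed data, the roster reconciliation flags `mlee` (terminated in March, still enabled and logging in in June) and `svc_backup` (enabled but unknown to HR, which is exactly the kind of account that needs an owner), while the log checks flag the same `mlee` account for 40 distinct patient exports at 2 a.m. Keep the script output with the dated evaluation record from Step 5; the thresholds are deliberately conservative so a small office can tune them to its own volumes.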
Common Pitfalls and How to Avoid Them
| Pitfall | Solution |
|---|---|
| Treating the evaluation like a one-time task | Schedule regular evaluations and log each one |
| Focusing only on IT systems | Include staff training, physical access, and administrative procedures |
| No documentation | Use templates and keep clear records of findings and actions |
| Ignoring small operational changes | Evaluate when ANY change may affect PHI—new staff, vendors, locations |
| No accountability | Assign a compliance lead to manage the evaluation and follow-ups |
Sample Security Evaluation Checklist for Small Practices
| Area | Item |
|---|---|
| Administrative | HIPAA training within past year |
| Technical | Antivirus software updated |
| Physical | Locked file cabinets used |
| Organizational | Active Business Associate Agreements |
| Documentation | Security policies reviewed and updated within the past 12 months |
Regulatory and Trusted Guidance Sources
Final Recommendations
HIPAA compliance isn't a checkbox; it's a cycle. The Evaluation Standard under 164.308(a)(8) ensures that the safeguards your practice put in place years ago still work today. It's your check-engine light: ignore it, and you could miss dangerous flaws. But respond to it, and you keep your systems and patients safe.
Small practices should treat security evaluations like annual physicals for their operations. Use simple tools, maintain written records, and involve your staff. With a consistent, structured approach, even the smallest provider can meet this critical requirement.
If you haven’t conducted an evaluation in the past year or if you’ve added telehealth, new vendors, or experienced staff turnover—now is the time. HIPAA compliance is about continuous improvement, not perfection.