Evaluation process to determine level of compliance with Health Insurance Reform Security Rule

OSU will perform annual technical and non-technical evaluations, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of the subpart listed above. The policies and procedures shall be evaluated and edited as needed. Documentation of such evaluation shall be maintained by the designated HIPAA Official.

Documentation resulting from all evaluations will be kept in the appropriate compliance area for each campus.

1. At Stillwater, the Office of IT Systems Security will perform the review of technical safeguards. Such evaluation may include but not be limited to: penetration analysis, password integrity and compliance.
   
   
2. The evaluation shall include review of pertinent records include any security incidents and breaches, personnel polices, direct observation of workplace practices and observation of compliance with policies and procedures.

SWC will seek input from OSU IT to ensure policy is followed and that SWC is implementing best practices.