© 2026 D3rx. All rights reserved.

Administrative Safeguards (164.308)

Evaluation Policy

45 CFR § 164.308(a)(8)

Requires periodic technical and non-technical evaluations of your HIPAA security program in response to environmental or operational changes. Ensures your policies stay current as technology, regulations, and your practice evolve.

What's Included

  • Policy document
  • Evaluation schedule template
  • Environmental change trigger list
  • Evaluation report template
  • Implementation checklist
  • Annual review template
2 pages · ~816 words · 8 sections
Estimated customization: ~10 minutes
Last updated May 2026

Sample Preview


Evaluation Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the requirements for performing periodic technical and non-technical evaluations of [PRACTICE NAME]'s HIPAA security program. Evaluations ensure that security policies and procedures remain effective and responsive to changes in the practice's environment, technology, and regulatory landscape.

2. Scope

This policy applies to all administrative, physical, and technical safeguards implemented by [PRACTICE NAME] under the HIPAA Security Rule. Evaluations shall assess both the written policies and the operational effectiveness of the security measures in practice.

3. Policy Statement

[PRACTICE NAME] shall perform periodic technical and non-technical evaluations to determine the extent to which its security policies and procedures meet the requirements of the HIPAA Security Rule, as required by 45 CFR § 164.308(a)(8). The Security Rule requires that this evaluation be performed periodically, based initially on the standards implemented under the Rule and subsequently in response to environmental or operational changes affecting the security of ePHI; it does not mandate a fixed cadence. As a matter of best practice, [PRACTICE NAME] has elected to conduct a comprehensive evaluation at least annually in addition to any change-triggered evaluations.

4. Definitions

Technical Evaluation: An assessment of technology-based security controls, using methods such as vulnerability scanning, penetration testing, access control review, and encryption validation.

Non-Technical Evaluation: An assessment of administrative and physical safeguards, including policy review, training program effectiveness, workforce compliance, and physical security measures.

Environmental Change: Any change to the practice's operations, technology, facilities, or regulatory environment that may affect the security of ePHI. Examples include new EHR deployment, office relocation, new business associate relationships, or new regulatory guidance from HHS.

5. Procedures

1. ANNUAL EVALUATION

1.1 The Security Officer shall coordinate a comprehensive evaluation of the HIPAA security program at least once per calendar year, to be completed by [MONTH/DATE].

1.2 The evaluation shall include both technical and non-technical components:

Non-Technical Components:
  • Review of all HIPAA security policies and procedures for accuracy, completeness, and currency
  • Verification that policies have been distributed to and acknowledged by all workforce members
  • Review of training records to confirm all workforce members have completed required training
  • Review of the risk analysis and risk register for currency
  • Assessment of sanction policy enforcement consistency
  • Review of the incident response log for trends or gaps
  • Review of business associate agreements for completeness and currency

Technical Components:
  • Review of access control configurations across all ePHI systems
  • Audit log review to verify that logging is functioning and that logs are being reviewed
  • Verification that encryption is in place for ePHI at rest and in transit
  • Assessment of anti-malware and patch management status
  • Vulnerability scan of network and systems (performed internally or by a qualified third party)
  • Verification that backup procedures are functioning and have been tested

2. CHANGE-TRIGGERED EVALUATION

2.1 In addition to the annual evaluation, the Security Officer shall initiate an evaluation when any of the following changes occur:
  • New information systems or significant upgrades to existing systems
  • New or changed business associate relationships
  • Organizational changes (mergers, acquisitions, new practice locations)
  • Security incidents or breaches
  • Changes to HIPAA regulations or HHS guidance
  • Significant changes to the physical environment

2.2 Change-triggered evaluations may be limited in scope to the area affected by the change.

3. EVALUATION DOCUMENTATION

3.1 Each evaluation shall produce a written report including: the scope of the evaluation, the methods used (interviews, document review, technical testing), findings organized by safeguard category, identified deficiencies or areas for improvement, recommended corrective actions with responsible parties and target dates, and a comparison with prior evaluation findings to identify trends.

3.2 The evaluation report shall be presented to practice leadership and used to update the Risk Register and remediation plan.

3.3 Evaluation reports shall be retained for a minimum of six (6) years.

4. CORRECTIVE ACTIONS

4.1 Deficiencies identified during evaluation shall be entered into the Risk Register with assigned severity, responsible party, and remediation deadline.

4.2 The Security Officer shall track corrective actions to completion and verify their effectiveness.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Plans and coordinates evaluations. Conducts or oversees non-technical and technical assessments. Produces the evaluation report. Tracks corrective actions.

IT Manager/Vendor ([IT CONTACT NAME]): Performs or facilitates technical evaluation components (vulnerability scans, access reviews, encryption verification). Provides system configuration data.

Practice Administrator ([ADMINISTRATOR NAME]): Reviews evaluation findings. Approves and resources corrective actions. Monitors compliance improvement over time.

Privacy Officer ([PRIVACY OFFICER NAME]): Participates in evaluation of privacy-related safeguards. Reviews BAA compliance status.

External Evaluator (if applicable): Qualified third-party security assessor engaged to provide independent evaluation. Not required by HIPAA but recommended for objectivity.

7. Review Schedule

This policy shall be reviewed at least annually as part of the evaluation process itself. The annual evaluation effectively serves as both the required periodic evaluation and the review of this policy.

8. Regulatory References

45 CFR § 164.308(a)(8) — Evaluation (Required)
45 CFR § 164.308(a)(1)(ii)(A) — Risk analysis (related; the evaluation should verify that the risk analysis is current)
45 CFR § 164.316(b) — Documentation requirements
45 CFR § 164.316(b)(2)(i) — Security Rule documentation retention (6 years)
NIST SP 800-53A Rev. 5 — Assessing Security and Privacy Controls

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.