164.308(a)(8) Administrative Safeguards

Evaluation


Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information (ePHI), that establishes the extent to which the covered entity's or business associate's security policies and procedures meet the requirements of the Security Rule.

Implementation Guidance

Develop and implement evaluation procedures that cover:
• A defined schedule for periodic evaluations, with the initial evaluation measured against the standards implemented under the Security Rule
• Technical evaluation of security controls (for example configuration review, access-control testing and vulnerability assessment of systems that store or transmit ePHI)
• Non-technical evaluation of policies and procedures against the Rule's requirements and against actual workforce practice
• Environmental change impact assessments (new facilities, hosting or cloud migrations, new business associates)
• Operational change impact assessments (new systems, major upgrades, workflow or staffing changes)
• Documentation and reporting of evaluation results, including the scope, method, findings and evaluator
• Remediation planning, with owners and due dates, and tracking of findings to closure

The two triggers matter: an evaluation is required both on a recurring basis and whenever a change affects the security of ePHI, so the procedure must tie the change-management process to the evaluation schedule rather than relying on the calendar alone.
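The two triggers above (a lapsed periodic cadence and a change that touches a control since its last evaluation) and the remediation-tracking requirement can be encoded in a small control register. The following is an added, hypothetical example written for this page; it is not part of the regulation or any vendor template, and all control IDs, tags, dates and findings are constructed sample data.

```python
"""Hypothetical evaluation scheduler for the HIPAA Evaluation standard.

Decides which controls need a technical or non-technical evaluation now,
either because their periodic cadence has lapsed or because an environmental
or operational change affected them after their last evaluation, and lists
remediation findings that are past due. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Control:
    control_id: str
    kind: str                      # "technical" or "non-technical"
    cadence_days: int              # periodic evaluation interval
    last_evaluated: Optional[date]
    tags: Set[str] = field(default_factory=set)   # systems/topics the control covers


@dataclass
class Change:
    change_id: str
    category: str                  # "environmental" or "operational"
    occurred: date
    affected_tags: Set[str]        # systems/topics the change touched


@dataclass
class Finding:
    finding_id: str
    control_id: str
    opened: date
    due: date
    closed: Optional[date] = None


def evaluations_due(controls: List[Control], changes: List[Change],
                    today: date) -> Dict[str, List[str]]:
    """Return {control_id: [reasons]} for every control that needs evaluation now."""
    due: Dict[str, List[str]] = {}
    for c in controls:
        reasons: List[str] = []
        if c.last_evaluated is None:
            reasons.append("never evaluated")
        elif today - c.last_evaluated >= timedelta(days=c.cadence_days):
            reasons.append(f"periodic ({c.cadence_days}d cadence lapsed)")
        for ch in changes:
            # A change triggers re-evaluation only if it touches this control
            # and happened after the control was last evaluated.
            touches = bool(ch.affected_tags & c.tags)
            newer = c.last_evaluated is None or ch.occurred > c.last_evaluated
            if touches and newer:
                reasons.append(f"{ch.category} change {ch.change_id}")
        if reasons:
            due[c.control_id] = reasons
    return due


def overdue_findings(findings: List[Finding], today: date) -> List[str]:
    """Return IDs of open remediation findings whose due date has passed."""
    return [f.finding_id for f in findings if f.closed is None and f.due < today]


# Constructed sample register, change log and findings (not real data).
TODAY = date(2026, 3, 1)
CONTROLS = [
    Control("AC-01", "technical", 365, date(2025, 6, 1), {"ehr", "iam"}),
    Control("POL-03", "non-technical", 365, date(2025, 1, 15), {"policy"}),
    Control("ENC-02", "technical", 180, date(2025, 7, 1), {"storage"}),
    Control("IR-05", "non-technical", 365, None, {"ir"}),
]
CHANGES = [
    Change("CHG-101", "operational", date(2025, 12, 10), {"ehr"}),     # EHR re-hosted
    Change("CHG-102", "environmental", date(2025, 5, 20), {"storage"}),  # predates ENC-02 eval
]
FINDINGS = [
    Finding("F-1", "AC-01", date(2025, 6, 5), date(2025, 9, 1)),                 # open, overdue
    Finding("F-2", "POL-03", date(2025, 1, 20), date(2025, 4, 1), date(2025, 3, 10)),  # closed
    Finding("F-3", "ENC-02", date(2025, 7, 2), date(2026, 6, 1)),                 # open, not due
]

if __name__ == "__main__":
    for cid, why in evaluations_due(CONTROLS, CHANGES, TODAY).items():
        print(f"{cid}: evaluation due - {', '.join(why)}")
    print("overdue findings:", overdue_findings(FINDINGS, TODAY))
```

Run as written, the register reports AC-01 due only because of the operational change (its annual cadence has not lapsed), POL-03 and ENC-02 due because their cadence lapsed, IR-05 due because it was never evaluated, and F-1 as the single overdue finding. The point of the tag matching is that change records must carry the systems they affect; without that linkage a change-triggered evaluation cannot be derived automatically.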

Required Documentation

• Evaluation procedures and schedule
• Technical evaluation criteria and methods
• Non-technical evaluation criteria and methods
• Environmental change assessment procedures
• Operational change assessment procedures
• Evaluation documentation templates
• Remediation planning procedures
• Evaluation reporting procedures

Best Practices

• Conduct evaluations on a defined schedule and after any environmental or operational change that affects ePHI
• Use standardized evaluation criteria so results are comparable across evaluation cycles
• Document every evaluation, including scope, method, evaluator and findings
• Assess the security impact of all changes as part of change management, not only at the next scheduled evaluation
• Develop remediation plans with named owners and due dates for each finding
• Track remediation progress to closure and escalate overdue items
• Report evaluation results and remediation status to management regularly
• Continuously improve the evaluation process based on findings and changes in the environment

Common Violations

• Lack of regular security evaluations
• Inadequate technical control assessments
• Insufficient policy and procedure reviews
• Failure to assess impact of changes
• Inadequate documentation of evaluations
• Lack of remediation planning
• Insufficient evaluation reporting

Testing Procedures

• Review evaluation procedures and schedule
• Verify technical evaluation methods
• Test non-technical evaluation processes
• Review change impact assessment procedures
• Verify evaluation documentation
• Test remediation planning procedures
• Review evaluation reporting
• Conduct evaluation exercises

Quick Facts

Control ID 164.308(a)(8)
Category Administrative Safeguards
Risk Level High
Difficulty Moderate
Est. Cost Medium
Timeframe 2-4 months
Last Updated Mar 1, 2026