Evaluation

164.308(a)(7) | Administrative Safeguards | Risk Level: High | Implementation Difficulty: Moderate

Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI.

Implementation Guidance

Develop and implement comprehensive evaluation procedures including:
• Regular security assessments and evaluations
• Technical evaluation of security controls
• Non-technical evaluation of policies and procedures
• Environmental change impact assessments
• Operational change impact assessments
• Evaluation documentation and reporting
• Remediation planning and tracking

Key components:
• Periodic security evaluations
• Technical control assessments
• Policy and procedure reviews
• Change impact assessments
• Documentation of evaluation results
• Remediation planning and tracking

NIST References

NIST SP 800-66 Rev. 2: Section 3.1.7
NIST Cybersecurity Framework: DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5
NIST SP 800-53: CA-1, CA-2, CA-3, CA-4, CA-5, CA-6, CA-7, CA-8, CA-9

Best Practices

• Conduct regular security evaluations
• Use standardized evaluation criteria
• Document all evaluation results
• Assess impact of all changes
• Develop remediation plans
• Track remediation progress
• Report evaluation results regularly to management
• Continuously improve evaluation processes

Testing Procedures

• Review evaluation procedures and schedule
• Verify technical evaluation methods
• Test non-technical evaluation processes
• Review change impact assessment procedures
• Verify evaluation documentation
• Test remediation planning procedures
• Review evaluation reporting
• Conduct evaluation exercises

Frequently Asked Questions

Q: How often should security evaluations be conducted?
A: Security evaluations should be conducted at least annually, or more frequently when significant changes occur.

Q: What should be included in a security evaluation?
A: Security evaluations should include technical controls, policies and procedures, and assessment of changes that may affect security.

Q: What is the difference between technical and non-technical evaluation?
A: Technical evaluation focuses on security controls and systems, while non-technical evaluation focuses on policies, procedures, and administrative controls.

Control Information

Control ID:
164.308(a)(7)
Category:
Administrative Safeguards
Subcategory:
Security Management Process
Risk Level:
High
Implementation Difficulty:
Moderate
Estimated Cost:
Medium
Implementation Timeframe:
2-4 months
Last Updated:
Oct 1, 2025

Additional Resources

• NIST SP 800-66 Rev. 2: Evaluation Guidance
• HHS Evaluation Guidance
• Security Assessment Best Practices
• Change Management Procedures
• Evaluation Documentation Templates