
Thank you for downloading a controls mapping from SecurityCheckbox.com!

If you have any questions, or would like to create your own controls mapping, please reach out to us anytime at info@securitycheckbox.com.


CID | Section | Summary | Description

164.306(a) Ensure Confidentiality, Integrity and Availability
Summary: Ensure CIA and protect against threats
Description: (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

164.306(b) Flexibility of Approach
Summary: Reasonably consider factors in security compliance
Description: (b) Flexibility of approach. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.

164.306(c) Standards
Summary: CEs must comply with standards
Description: (c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.

164.306(d) Implementation Specifications
Summary: Required and Addressable Implementation Specifications
Description: an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification. (2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications. (3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must-- (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and (ii) As applicable to the entity-- (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate-- (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

164.306(e) Maintenance
Summary: Ongoing review and modification of security measures
Description: (e) Maintenance. Security measures implemented to comply with standards and implementation specification

164.308(a)(1)(i) Security Management Process
Summary: P&P to manage security violations
Description: Implement policies and procedures to prevent, detect, contain and correct security violations

164.308(a)(1)(ii)(A) Risk Analysis
Summary: Conduct vulnerability assessment
Description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,

164.308(a)(1)(ii)(B) Risk Management
Summary: Implement security measures to reduce risk of securi
Description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate l

164.308(a)(1)(ii)(C) Sanction Policy
Summary: Worker sanction for P&P violations
Description: Apply appropriate sanctions against workforce members who fail to comply with the security policies and pr

164.308(a)(1)(ii)(D) Information System Activity Review
Summary: Procedures to review system activity
Description: Implement procedures to regularly review records of information system activity, such as audit logs, access re

164.308(a)(2) Assigned Security Responsibility
Summary: Identify security official responsible for P&P
Description: Identify the security official who is responsible for the development and implementation of the policies and

164.308(a)(3)(i) Workforce Security
Summary: Implement P&P to ensure appropriate PHI access
Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to el

164.308(a)(3)(ii)(A) Authorization and/or Supervision
Summary: Authorization/supervision for PHI access
Description: Implement procedures for authorization and/or supervision of workforce members who work with electronic

164.308(a)(3)(ii)(B) Workforce Clearance Procedure
Summary: Procedures to ensure appropriate PHI access
Description: Implement procedures to determine that the access of a workforce member to electronic protected health in

164.308(a)(3)(ii)(C) Termination Procedures
Summary: Procedures to terminate PHI access
Description: Implement procedures for terminating access to electronic protected health information when the employment

164.308(a)(4)(i) Information Access Management
Summary: P&P to authorize access to PHI
Description: Implement policies and procedures for authorizing access to electronic protected health information that are

164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Functions
Summary: P&P to separate PHI from other operations
Description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies an

164.308(a)(4)(ii)(B) Access Authorization
Summary: P&P to authorize access to PHI
Description: Implement policies and procedures for granting access to electronic protected health information, for exam

164.308(a)(4)(ii)(C) Access Establishment and Modification
Summary: P&P to grant access to PHI
Description: Implement policies and procedures that, based upon the entity's access authorization policies, establish, doc

164.308(a)(5)(i) Security Awareness Training
Summary: Training program for workers and managers
Description: Implement a security awareness and training program for all members of its workforce (including manageme

164.308(a)(5)(ii)(A) Security Reminders
Summary: Distribute periodic security updates
Description: Periodic security updates.

164.308(a)(5)(ii)(B) Protection from Malicious Software
Summary: Procedures to guard against malicious software
Description: Procedures for guarding against, detecting, and reporting malicious software.

164.308(a)(5)(ii)(C) Log-in Monitoring
Summary: Procedures and monitoring of log-in attempts
Description: Procedures for monitoring log-in attempts and reporting discrepancies.

164.308(a)(5)(ii)(D) Password Management
Summary: Procedures for password management
Description: Procedures for creating, changing, and safeguarding passwords.

164.308(a)(6)(i) Security Incident Procedures
Summary: P&P to manage security incidents
Description: Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) Response and Reporting
Summary: Mitigate and document security incidents
Description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful

164.308(a)(7)(i) Contingency Plan
Summary: Emergency response P&P
Description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurre

164.308(a)(7)(ii)(A) Data Backup Plan
Summary: Data backup planning & procedures
Description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected

164.308(a)(7)(ii)(B) Disaster Recovery Plan
Summary: Data recovery planning & procedures
Description: Establish (and implement as needed) procedures to restore loss of data.

164.308(a)(7)(ii)(C) Emergency Mode Operation Plan
Summary: Business continuity procedures
Description: Establish (and implement as needed) procedures to enable continuation of critical business processes for pr

164.308(a)(7)(ii)(D) Testing and Revision Procedures
Summary: Contingency planning periodic testing procedures
Description: Implement procedures for periodic testing and revision of contingency plans.

164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis
Summary: Prioritize data and system criticality for contingency
Description: Assess the relative criticality of specific applications and data in support of other contingency plan compone

164.308(a)(8) Evaluation
Summary: Periodic security evaluation
Description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented und

164.308(b)(1) Business Associate Contracts and Other Arrangements
Summary: CE implement BACs to ensure safeguards
Description: A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information. (2) This standard does not apply with respect to - (i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual. (ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or (iii) The transmission of electronic protected health information from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met. (3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).

164.308(b)(4) Written Contract
Summary: Implement compliant BACs
Description: Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contrac

164.310(a)(1) Facility Access Controls
Summary: P&P to limit access to systems and facilities
Description: Implement policies and procedures to limit physical access to its electronic information systems and the facil

164.310(a)(2)(i) Contingency Operations
Summary: Procedures to support emergency operations and recovery
Description: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost

164.310(a)(2)(ii) Facility Security Plan
Summary: P&P to safeguard equipment and facilities
Description: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized p

164.310(a)(2)(iii) Access Control Validation Procedures
Summary: Facility access procedures for personnel
Description: Implement procedures to control and validate a person's access to facilities based on their role or function, i

164.310(a)(2)(iv) Maintenance Records
Summary: P&P to document security-related repairs and modifications
Description: Implement policies and procedures to document repairs and modifications to the physical components of a faci

164.310(b) Workstation Use
Summary: P&P to specify workstation environment & use
Description: Implement policies and procedures that specify the proper functions to be performed, the manner in which tho

164.310(c) Workstation Security
Summary: Physical safeguards for workstation access
Description: Implement physical safeguards for all workstations that access electronic protected health information, to res

164.310(d)(1) Device and Media Controls
Summary: P&P to govern receipt and removal of hardware and electronic media
Description: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that

164.310(d)(2)(i) Disposal
Summary: P&P to manage media and equipment disposal
Description: Implement policies and procedures to address the final disposition of electronic protected health informatio

164.310(d)(2)(ii) Media Re-use
Summary: P&P to remove PHI from media and equipment
Description: Implement procedures for removal of electronic protected health information from electronic media before

164.310(d)(2)(iii) Accountability
Summary: Document hardware and media movement
Description: Maintain a record of the movements of hardware and electronic media and any person responsible therefor

164.310(d)(2)(iv) Data Backup and Storage
Summary: Backup PHI before moving equipment
Description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement

164.312(a)(1) Access Control
Summary: Technical (administrative) P&P to manage PHI access
Description: Implement technical policies and procedures for electronic information systems that maintain electronic prot

164.312(a)(2)(i) Unique User Identification
Summary: Assign unique IDs to support tracking
Description: Assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(ii) Emergency Access Procedure
Summary: Procedures to support emergency access
Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health inform

164.312(a)(2)(iii) Automatic Logoff
Summary: Session termination mechanisms
Description: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivi

164.312(a)(2)(iv) Encryption and Decryption
Summary: Mechanism for encryption of stored PHI
Description: Implement a mechanism to encrypt and decrypt electronic protected health information.

164.312(b) Audit Controls
Summary: Procedures and mechanisms for monitoring system activity
Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in informatio

164.312(c)(1) Integrity
Summary: P&P to safeguard PHI from unauthorized alteration
Description: Implement policies and procedures to protect electronic protected health information from improper alterat

164.312(c)(2) Mechanism to Authenticate Electronic Protected Health Information
Summary: Mechanisms to corroborate PHI not altered
Description: Implement electronic mechanisms to corroborate that electronic protected health information has not been

164.312(d) Person or Entity Authentication
Summary: Procedures to verify identities
Description: Implement procedures to verify that a person or entity seeking access to electronic protected health informa

164.312(e)(1) Transmission Security
Summary: Measures to guard against unauthorized access to transmitted PHI
Description: Implement technical security measures to guard against unauthorized access to electronic protected health

164.312(e)(2)(i) Integrity Controls
Summary: Measures to ensure integrity of PHI on transmission
Description: Implement security measures to ensure that electronically transmitted electronic protected health informati

164.312(e)(2)(ii) Encryption
Summary: Mechanism for encryption of transmitted PHI
Description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

164.314(a)(1) Business Associate Contracts or Other Arrangements
Summary: CE must ensure BA safeguards PHI
Description: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable. (ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary.

164.314(a)(2) Business Associate Contracts
Summary: BACs must contain security language
Description: (i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will-- (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. (ii) Other arrangements. (A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if - (1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or (2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section. (B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained. (C) The covered entity may omit from its other arrangements the authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

164.314(b)(1) Requirements for Group Health Plans
Summary: Plan documents must reflect security safeguards
Description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuan
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--

164.314(b)(2)(i) Implement Safeguards
Summary: Plan sponsor to implement safeguards as appropriate
Description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;

164.314(b)(2)(ii) Ensure Adequate Separation
Summary: Security measures to separate PHI from plan sponsor
Description: Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;

164.314(b)(2)(iii) Ensure Agents Safeguard
Summary: Ensure subcontractors safeguard PHI
Description: Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement

164.314(b)(2)(iv) Report Security Incidents
Summary: Plan sponsors report breaches to health plan
Description: Report to the group health plan any security incident of which it becomes aware.

164.316(a) Policies and Procedures
Summary: P&P to ensure safeguards to PHI
Description: A covered entity must, in accordance with § 164.306: Implement reasonable and appropriate policies and proce

164.316(b)(1) Documentation
Summary: Document P&P and actions & activities
Description: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

164.316(b)(2)(i) Time Limit
Summary: Retain documentation for 6 years
Description: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation

164.316(b)(2)(ii) Availability
Summary: Documentation available to system administrators
Description: Make documentation available to those persons responsible for implementing the procedures to which the

164.316(b)(2)(iii) Updates
Summary: Periodic review and updates to changing needs
Description: Review documentation periodically, and update as needed, in response to environmental or operational chang
CID | DID | DOMAIN | Control | TYPE_CFR-200
164.308(a)(1)(i) | 164.308 | Administrative | (1)(i) Standard: Security management process | Standard
164.308(a)(1)(ii)(A) | 164.308 | Administrative | (A) Risk analysis | Required
164.308(a)(1)(ii)(B) | 164.308 | Administrative | (B) Risk management | Required
164.308(a)(1)(ii)(C) | 164.308 | Administrative | (C) Sanction policy | Required
164.308(a)(1)(ii)(D) | 164.308 | Administrative | (D) Information system activity review | Required
164.308(a)(2) | 164.308 | Administrative | (2) Standard: Assigned security responsibility | Standard
164.308(a)(3)(i) | 164.308 | Administrative | (3)(i) Standard: Workforce security | Standard
164.308(a)(3)(ii) | 164.308 | Administrative | (ii) Implementation specifications | n/a
164.308(a)(3)(ii)(A) | 164.308 | Administrative | (A) Authorization and/or supervision | Addressable
164.308(a)(3)(ii)(B) | 164.308 | Administrative | (B) Workforce clearance procedure | Addressable
164.308(a)(3)(ii)(C) | 164.308 | Administrative | (C) Termination procedures | Addressable
164.308(a)(4)(i) | 164.308 | Administrative | (4)(i) Standard: Information access management | Standard
164.308(a)(4)(ii) | 164.308 | Administrative | (ii) Implementation specifications | n/a
164.308(a)(4)(ii)(A) | 164.308 | Administrative | (A) Isolating health care clearinghouse functions | Required
164.308(a)(4)(ii)(B) | 164.308 | Administrative | (B) Access authorization | Addressable
164.308(a)(4)(ii)(C) | 164.308 | Administrative | (C) Access establishment and modification | Addressable
164.308(a)(5)(i) | 164.308 | Administrative | (5)(i) Standard: Security awareness and training | Standard
164.308(a)(5)(ii) | 164.308 | Administrative | (ii) Implementation specifications | n/a
164.308(a)(5)(ii)(A) | 164.308 | Administrative | (A) Security reminders | Addressable
164.308(a)(5)(ii)(B) | 164.308 | Administrative | (B) Protection from malicious software | Addressable
164.308(a)(5)(ii)(C) | 164.308 | Administrative | (C) Log-in monitoring | Addressable
164.308(a)(5)(ii)(D) | 164.308 | Administrative | (D) Password management | Addressable
164.308(a)(6)(i) | 164.308 | Administrative | (6)(i) Standard: Security incident procedures | Standard
164.308(a)(6)(ii) | 164.308 | Administrative | (ii) Implementation specification: Response and reporting | Required
164.308(a)(7)(i) | 164.308 | Administrative | (7)(i) Standard: Contingency plan | Standard
164.308(a)(7)(ii) | 164.308 | Administrative | (ii) Implementation specifications | n/a
164.308(a)(7)(ii)(A) | 164.308 | Administrative | (A) Data backup plan | Required
164.308(a)(7)(ii)(B) | 164.308 | Administrative | (B) Disaster recovery plan | Required
164.308(a)(7)(ii)(C) | 164.308 | Administrative | (C) Emergency mode operation plan | Required
164.308(a)(7)(ii)(D) | 164.308 | Administrative | (D) Testing and revision procedures | Addressable
164.308(a)(7)(ii)(E) | 164.308 | Administrative | (E) Applications and data criticality analysis | Addressable
164.308(a)(8) | 164.308 | Administrative | (8) Standard: Evaluation | Standard
164.308(b)(1) | 164.308 | Administrative | (b)(1) Standard: Business associate contracts and other arrangements | Standard
164.308(b)(2) | 164.308 | Administrative | (2) This standard does not apply with respect to ... | n/a
164.308(b)(3) | 164.308 | Administrative | (3) A covered entity that violates the satisfactory assurances ... | n/a
164.308(b)(4) | 164.308 | Administrative | (4) Implementation specification: Written contract | Required
164.310(a)(1) | 164.310 | Physical | (a)(1) Standard: Facility access controls | Standard
164.310(a)(2) | 164.310 | Physical | (2) Implementation specifications | n/a
164.310(a)(2)(i) | 164.310 | Physical | (i) Contingency operations | Addressable
164.310(a)(2)(ii) | 164.310 | Physical | (ii) Facility security plan | Addressable
164.310(a)(2)(iii) | 164.310 | Physical | (iii) Access control and validation procedures | Addressable
164.310(a)(2)(iv) | 164.310 | Physical | (iv) Maintenance records | Addressable
164.310(b) | 164.310 | Physical | (b) Standard: Workstation use | Standard
164.310(c) | 164.310 | Physical | (c) Standard: Workstation security | Standard
164.310(d)(1) | 164.310 | Physical | (d)(1) Standard: Device and media controls | Standard
164.310(d)(2) | 164.310 | Physical | (2) Implementation specifications | n/a
164.310(d)(2)(i) | 164.310 | Physical | (i) Disposal | Required
164.310(d)(2)(ii) | 164.310 | Physical | (ii) Media re-use | Required
164.310(d)(2)(iii) | 164.310 | Physical | (iii) Accountability | Addressable
164.310(d)(2)(iv) | 164.310 | Physical | (iv) Data backup and storage | Addressable
164.312(a)(1) | 164.312 | Technical | (a)(1) Standard: Access control | Standard
164.312(a)(2)(i) | 164.312 | Technical | (2) Implementation specifications: (i) Unique user identification | Required
164.312(a)(2)(ii) | 164.312 | Technical | (ii) Emergency access procedure | Required
164.312(a)(2)(iii) | 164.312 | Technical | (iii) Automatic logoff | Addressable
164.312(a)(2)(iv) | 164.312 | Technical | (iv) Encryption and decryption | Addressable
164.312(b) | 164.312 | Technical | (b) Standard: Audit controls | Standard
164.312(c)(1) | 164.312 | Technical | (c)(1) Standard: Integrity | Standard
164.312(c)(2) | 164.312 | Technical | (2) Implementation specification: Mechanism to authenticate electronic protected health information | Addressable
164.312(d) | 164.312 | Technical | (d) Standard: Person or entity authentication | Standard
164.312(e)(1) | 164.312 | Technical | (e)(1) Standard: Transmission security | Standard
164.312(e)(2) | 164.312 | Technical | (2) Implementation specifications | n/a
164.312(e)(2)(i) | 164.312 | Technical | (i) Integrity controls | Addressable
164.312(e)(2)(ii) | 164.312 | Technical | (ii) Encryption | Addressable
164.314(a)(1) | 164.314 | Organizational | (a)(1) Standard: Business associate contracts or other arrangements | Standard
164.314(a)(1)(i) | 164.314 | Organizational | (i) The contract or other arrangement between the covered entity and its business associate ... | n/a
164.314(a)(1)(ii) | 164.314 | Organizational | (ii) A covered entity is not in compliance with the standards in § 164.502(e) ... | n/a
164.314(a)(1)(ii)(A) | 164.314 | Organizational | (A) Terminated the contract or arrangement, if feasible; or | n/a
164.314(a)(1)(ii)(B) | 164.314 | Organizational | (B) If termination is not feasible, reported the problem to the Secretary. | n/a
164.314(a)(2)(i) | 164.314 | Organizational | (2) Implementation specifications: (i) Business associate contracts | Required
164.314(a)(2)(i)(A) | 164.314 | Organizational | (A) Implement administrative, physical, and technical safeguards ... | n/a
164.314(a)(2)(i)(B) | 164.314 | Organizational | (B) Ensure that any agent, including a subcontractor ... | n/a
164.314(a)(2)(i)(C) | 164.314 | Organizational | (C) Report to the covered entity any security incident ... | n/a
164.314(a)(2)(i)(D) | 164.314 | Organizational | (D) Authorize termination of the contract by the covered entity ... | n/a
164.314(a)(2)(ii) | 164.314 | Organizational | (ii) Other arrangements. (A) When a covered entity and its business associate are both governmental entities ... | n/a
164.314(a)(2)(ii)(1) | 164.314 | Organizational | (1) It enters into a memorandum of understanding with the business associate ... | n/a
164.314(a)(2)(ii)(2) | 164.314 | Organizational | (2) Other law (including regulations adopted by the covered entity or its business associate) ... | n/a
164.314(a)(2)(ii)(B) | 164.314 | Organizational | (B) If a business associate is required by law to perform a function or activity ... | n/a
164.314(a)(2)(ii)(C) | 164.314 | Organizational | (C) The covered entity may omit from its other arrangements the authorization of the termination ... | n/a
164.314(b)(1) | 164.314 | Organizational | (b)(1) Standard: Requirements for group health plans | Standard
164.314(b)(2) | 164.314 | Organizational | (2) Implementation specifications | Required
164.316(a) | 164.316 | Policies and procedures | (a) Standard: Policies and procedures | Standard
164.316(b)(1) | 164.316 | Policies and procedures | (b)(1) Standard: Documentation | Standard
164.316(b)(1)(i) | 164.316 | Policies and procedures | (i) Maintain the policies and procedures implemented to comply with this subpart ... | n/a
164.316(b)(1)(ii) | 164.316 | Policies and procedures | (ii) If an action, activity or assessment is required by this subpart to be documented ... | n/a
164.316(b)(2) | 164.316 | Policies and procedures | (2) Implementation specifications | n/a
164.316(b)(2)(i) | 164.316 | Policies and procedures | (i) Time limit | Required
164.316(b)(2)(ii) | 164.316 | Policies and procedures | (ii) Availability | Required
164.316(b)(2)(iii) | 164.316 | Policies and procedures | (iii) Updates | Required

Audit HHS-ONC_SRA
Q: Has your organization developed, disseminated, reviewed/updated, and A1,A2
trained on your Risk Assessment policies and procedures?
Q: Does your organization's risk assessment policy address: purpose, scope,
roles and responsibilities management commitment, coordination among
organizational entities, training and compliance?
Q: Has your organization disseminated your Risk Assessment policies and
procedures?
Q: Has your organization disseminated its Risk Assessment procedures to the
work staf/offices with the associated roles and responsibilities?
Q: Has your organization defined the frequency of your Risk Assessment policy
and procedures reviews and updates?
Q: Has your organization reviewed and updated your Risk Assessment policy
and procedures in accordance with your defined frequency?
Q: Has your organization identified the types of information and uses of that
information and the sensitivity of each type of information been evaluated
(also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity
levels)?
Q: Has your organization identified all information systems that house ePHI?
Q: Does your organization inventory include all hardware and software that are
used to collect, store, process, or transmit ePHI, including excel spreadsheets,
word tables, and other like data storage?
Q: Are all the hardware and software for which your organization is responsible
periodically inventoried, including excel spreadsheets, word tables, and other
like data storage?
Q: Has your organization identified all hardware and software that maintains or
transmits ePHI, including excel spreadsheets, word tables, and other similar
data storage and included it in your inventory?
Q: Does your organization's inventory include removable media, remote access
devices, and mobile devices?
Q: Is the current information system configuration documented, including
connections to other systems, both inside and outside your firewall?

Q: Has your organization reviewed all processes involving ePHI, including A3,A4
creating, receiving, maintaining, and transmitting it?
Q: Has your organization reviewed the risk analysis and other implementation
specifications for the security management process?
Q: Does your organization have any prior risk assessments, audit comments,
security requirements, and/or security test results?
Q: What are your organization's current and planned controls? Do you have
them formally documented?
Q: Has your organization assigned responsibility to check all hardware and
software, including hardware and software used for remote access, to
determine whether selected security settings are enabled?
Q: Does your organization have an analysis of current safeguards and their
efectiveness relative to the identified risks?
Q: Are any of your organization's facilities located in a region prone to any
natural disasters, such as earthquakes, floods, or fires? Others?
Q: Does your organization have policies and procedures in place for security? A5,A6,A7,A8
Q: Do your organization's current safeguards ensure the confidentiality,
integrity, and availability of all ePHI?
Q: Do your organization's current safeguards protect against reasonably
anticipated uses and of ePHI that are not permitted by the HIPAA Privacy Rule?
Q: Has your organization protected against all reasonably anticipated threats or
hazards to the security and integrity of ePHI?
Q: Does your organization have a formal and documented system security
plan?
Q: Will your organization's new security controls work with your organization's
existing IT architecture?
Q: Does your organization have formal and documented contingency plan?
Q: Does your organization have a communication plan or a process for
communicating policies and procedures to your appropriate staf member,
office and all your workforce?
Q: Does your organization review and update your policies, procedures and
standards as needed and when appropriate?
Q: Has your organization assured compliance with all policies and procedures
by all your staf and workforce?
Q: Has your organization developed a training schedule for your Risk
Management Program?

Q: Does your organization have in place a formal and documented process, A9,A10
plus policy and procedures that address system misuse, abuse, and any
fraudulent activities with your organization's ePHI?
Q: Has your organization made all your staf, employees, and workforce aware
of your processes, policy and procedures (concerning sanctions for
inappropriate access), use, disclosure, and transmission of ePHI?
Q: Does your organization's sanctions have a tiered structure of sanctions that
takes into consideration the magnitude of harm to your organization and the
individual whose ePHI is at risk, and the possible types of inappropriate
disclosures?
Q: Does your organization have a process, procedure or communication plan of
how and when your managers and staf, employees and workforce will be
notified of suspected inappropriate activity?
Q: Does your organization have a formal, documented systems activity process A11,A12
and procedures?
Q: Who, and which office/department, within your organization is responsible
for overall systems activity process, procedures and results?
Q: How often does your organization review your information systems activity?
What are the exceptions to the process that changes the review period?
Q: How often does your organization analyze your systems activity
reviews/reports?
Q: Does your organization review exception reports and logs?
Q: What mechanisms and measures will your organization implement to assess
the effectiveness of your review process?
Q: Does your organization file monitoring reports, electronic and/or paper,
and how are these reports monitored?
Q: Does your organization have a sanction policy for staff, employee or
workforce violations?

Q: Does your organization have a complete security official job description that A13,A14,A15,
accurately reflects the security duties and responsibilities? Does it include all
areas addressed in the questions outlined for this security standard?
Q: Have all your organization's staff, employees, workforce, offices and
departments been notified of the name and office to contact with a security
problem?
Q: Has your organization implemented policies and procedures to ensure that an A17,A18,A19,

Q: Has your organization reviewed the workforce security implementation specif XXXXX


Q: Has your organization implemented procedures for authorization and/or A22,A23,A24,
supervision of workforce members who work with ePHI or in locations where
it might be accessed?
Q: Has your organization defined roles and responsibilities for all job
functions?
Q: Has your organization assigned appropriate levels of security oversight,
training and access to each role?
Q: Does your organization have a written listing of who has the business need,
and who has been granted permission, to view, alter, retrieve, and store ePHI,
and at what times, and under what circumstances and for what purposes?
Q: Does your organization have written job descriptions that are correlated
with appropriate levels of access?
Q: Does your organization have an established set of qualifications for each job
description?
Q: Does your organization check a candidate's qualifications against a specific
job description?
Q: Has your organization made a determination that each candidate for a specific
position can perform the tasks for that position?
Q: Has your organization established chains of command and lines of authority
for workforce security?
Q: Has your organization established a process for maintenance personnel
authorization and maintained a current list of authorized maintenance
organizations and personnel?
Q: Has your organization made your work staff aware of the identity and roles
of their supervisors?
Q: Has your organization provided staff, employees, and workforce members
with a copy of their job descriptions, informed of the access granted to them,
as well as the conditions by which this access can be used?

Q: Does your organization check an applicant's employment and educational A26,A27
references, if this is reasonable for such a job description?
Q: Does your organization do background checks, such as a Criminal Offender
Record Information (CORI) check, if appropriate in the circumstances?
Q: Does your organization have a process and strategy that supports those in
your organization who are authorized to designate and grant access to
ePHI?
Q: Does your organization have formal and documented procedures for
obtaining the necessary and appropriate sign-offs within your organizational
structure to both grant and terminate access to ePHI?
Q: Does your organization have a standard set of procedures to recover access A28,A29
control devices, including identification badges, keys, and access cards, from staff,
employees and workforce members when their employment ends?
Q: Does your organization have a procedure to deactivate computer, and other
electronic tools, access accounts, including the process that will disable user
IDs and passwords?
Q: Does your organization need, and have, separate termination procedures for
voluntary termination, including retirement, promotion, transfer, or change of
employment internal to your organization, versus involuntary termination,
including for cause, reduction in force, involuntary transfer, and criminal or
disciplinary actions?
Q: Does your organization have a standard checklist of action items for
completion when a staff, employee, workforce member leaves your
employment, such as the return of all access devices, deactivation of logon
accounts, including remote access, and return of any computers and other
similar electronic tools, such as a PDA, and cell phone, and delivery of any
data/information under this staff, employee or workforce member's control?

Q: Has your organization implemented policies and procedures that authorized yo


A30
Q: Has your organization reviewed the isolating clearinghouse functions impleme
XXXXX
Q: Does your organization have a component that functions as a healthcare XXXXX
clearinghouse?
Q: Has your organization a formal and documented finding that one part of
your organization is a healthcare clearinghouse?
Q: Has your organization's healthcare clearinghouse developed and
implemented policies and procedures that protect the clearinghouse ePHI
from unauthorized access by the other parts of your organization?
Q: Does your organization's clearinghouse share hardware or software with
your larger organization of which it is part?
Q: Does your organization's clearinghouse share staff or physical space with
staff from a larger organization?
Q: Has your organization established a separate network or subsystem for your
organization's clearinghouse?
Q: Has your organization's clearinghouse staff, employees, and workforce been
trained to safeguard ePHI from disclosure to your larger organization?
Q: Has your organization formally documented how access to ePHI will be A31
granted to your staf, employees, and workforce members?
Q: Has your organization formally documented the basis for restricting access
to ePHI?
Q: Has your organization formally documented your ePHI access control
method? Does your organization use identity-based, role-based, biometric-
based, proximity-based, other means of access, or a combination of access
methods?
Q: Do your organization's job descriptions accurately reflect assigned duties,
responsibilities and enforcement of segregation of duties?
Q: Does your organization grant your staf, employees and workforce members
remote access to ePHI?
Q: Has your organization determined if direct access to ePHI will be granted to
third parties external to your organization, including business partners, other
providers, health plans, patients and members to their own ePHI, and others?
Q: Do your organization's IT systems have the capacity to set access controls?
Q: Does your organization use stronger access controls for sensitive data?

Q: Has your organization formally documented the standards you use to grant A32,A33
a staff, employee, or workforce member user's access to a workstation, laptop,
transaction, program, process, and other tools and mechanisms?
Q: Does your organization have security access controls policies and
procedures? Are they updated regularly?
Q: Does your organization provide formal written and documented
authorization from the appropriate manager before granting access to
sensitive information?
Q: Are your organization's staff, employees, and workforce members' duties
separated so that only the minimally necessary ePHI based on the specific job
description is made available upon request?
Q: Does your organization have authentication mechanisms to verify the
identity of the user accessing the system?
Q: Does your organization's management regularly review the list of access
authorizations, including remote access authorizations, to verify that the list is
accurate and has not been inappropriately altered?
Q: Has your organization formally determined and documented your security A34,A35,A36,
training needs?
Q: Does your organization interview key staff when assessing your security
training needs?
Q: Did your organization's assessment include the security training needs for
handling sensitive data, and other similar information?
Q: Has your organization determined what awareness, training and education
programs are needed, and which programs will be required?
Q: Has your organization outlined content and audience training priorities?
Q: What gaps did your organization discover in conducting the training
assessment; outline what needs to be added and updated?
Q: Does your organization's training strategy and plan include an outline of
your organization's specific policies and procedures that require security
awareness and training?
Q: Does your organization's training strategy and plan include the scope of the
awareness and training program?
Q: Does your organization's training strategy and plan include the goals?
Q: Does your organization's training strategy and plan include the target
audience(s)?
Q: Does your organization's training strategy and plan include the learning
objectives?
Q: Does your organization's training strategy and plan include the deployment
methods?
Q: Does your organization's training strategy and plan include evaluation of the
training through designated measurement techniques?
Q: Does your organization's training strategy and plan include the frequency of
training?
Q: Does your organization's training strategy and plan include the
consideration of compliance dates and the HITECH Act Updates?
Q: Does your organization have a process, a procedure, in place to ensure that
everyone in your organization receives security awareness training?
Q: Does your organization have a plan in place for training to address
specific technical topics based on job descriptions and responsibilities?
Q: Does your organization train your non-employees, such as contractors,
Q: Has your organization reviewed the security reminder implementation specifi XXXXX
Q: Does your organization provide periodic security updates to your staff, A39
employees, workforce, business associates and contractors/vendors?
Q: What methods does your organization already have in place or use to keep
your staff, employees, workforce, business associates and contractors/vendors
updated and aware of security in other ways?
Q: Does your organization provide security awareness training with all new
hires before they are given access to ePHI?

Q: Has your organization trained your staff, employees, and workforce members A40,A41
XXXXX A42
XXXXX A43
Q: Has your organization implemented policies and procedures for any security i A44
Q: Has your organization documented incident response procedures that can A45,A46,A47,
provide your organization with a single point of reference to guide the day-to-
day operations of the incident response team?
Q: Has your organization determined how it will respond to a security
incident? Are there formal, documented policies and procedures?
Q: Has your organization incorporated your staff, employee, and workforce
members' jobs, job descriptions, roles and responsibilities in *
Q: Has your organization reviewed incident response procedures with the staff,
employees, or workforce members with the roles and responsibilities related
to incident response, solicited suggestions for improvement, and made changes
to reflect input that is reasonable and appropriate?
Q: Do your organization's staff, employees and workforce members know the
importance of timely application of system patches to protect against
malicious software and exploitation of vulnerabilities?
Q: Does your organization monitor log-in attempts? Do your staff, employees
and workforce members know of this monitoring?
Q: Has your organization analyzed these problems and created a mitigation
plan that is being worked to decrease risks and vulnerabilities?
Q: Does your organization have a process, procedure for reporting and
handling security incidents?
Q: Has your organization prioritized your key functions to determine what
would need to be restored first in the event of a disruption?
Q: Does your organization update the incident response procedures when your
organizational needs change?
Q: Has your organization told your staff, employees and workforce members
how to and where to report a security incident?
Q: Has your organization developed standard incident reporting templates to
ensure that all necessary information related to an incident is documented and
investigated?
Q: If you have determined that your organization does not need a standing
incident response team, what other response mechanism are you using?
Q: Has your organization determined what information will be disclosed to the
media, and when?
Q: Does your organization have an identified list of both internal and external
Q: Has your organization defined your overall contingency objectives? Does it A49,A50,A51
include a listing of all areas that use ePHI?
Q: Has your organization established your organization's contingency plan
framework, roles and responsibilities?
Q: Does your organization's contingency policy and plan address scope,
resource requirements, training, testing, plan maintenance and backup
requirements?
Q: Does your organization's policy and plan outline what critical services must
be provided within specific timeframes?
Q: Does your organization's policy and plan identify and outline cross-
functional dependencies to determine how failure in one system impacts
other system(s)?
Q: Has your organization outlined scenarios and identified preventive
measures, measures you can do now, for each scenario that could result in the
loss of a critical service involving the use of ePHI?
Q: Has your organization brainstormed and outlined alternatives for
continuing operations for your organization if you lose a critical function or a
critical resource? Remember there are physical resources like offices and desks
and copiers and paper, electronic resources,
Q: Has your organization researched the cost of preventive measures being
considered?
Q: Are the preventive measures you are considering affordable and practical
for the environment?
Q: Does your organization have an emergency coordinator who manages,
maintains and updates the contingency plan? Does your organization's staff,
employees, and workforce members know who this individual is and how to
contact your coordinator?
Q: Does your organization have an emergency call list? Has it been distributed
to all staff, employees, and workforce members?
Q: Does your organization have a determination of when your contingency
plan needs to be activated? Is it triggered by anticipated duration of outage,
loss of capability, or impact on service delivery? Other?
Q: Does your organization have plans, procedures, and agreements initiated or
in place if the preventive measures need to be implemented?
Q: Has your organization reviewed the data backup plan and disaster recovery p XXXXX
Q: Does your organization's contingency plan address disaster recovery and A52
backup?
Q: Has your organization established and implemented procedures to create
and maintain retrievable exact copies of ePHI?
Q: Has your organization established and implemented procedures to restore
any loss of ePHI?
Q: Has your organization documented all your data backup procedures and
made them available to all your staff, employees, and workforce members?
Q: Does your organization have individuals/office named and responsibilities
assigned to conduct backup activities?

XXXXX A53
Q: Has your organization established, and implemented when needed, A54
procedures to enable continuation of critical business processes for the
security of ePHI while your organization is operating in emergency mode?
Q: Has your organization identified your key activities and developed
procedures to continue these key activities during an emergency?
Q: Has your organization also identified critical functions that use ePHI?
Q: During the emergency, would different staff/employees, facilities or systems
be needed to perform these critical functions?
Q: Can your organization assure the security of the ePHI in the alternative
mode(s) of operation?

Q: Has your organization established and implemented as needed periodic A55
testing procedures, and procedures for the revision of your organization's contingency
plan?
Q: Has your organization tested its contingency plan on a predefined cycle?
Q: Has your organization trained your staff/employees with defined plan
responsibilities in their roles?
Q: Does your organization include external entities, including vendors,
alternative site and service providers, in your testing exercises?
Q: Has your organization determined how the plan will be tested? Will it be a
table top exercise, or a real operational scenario?
Q: Does your organization's testing lend itself to phased testing, based on the
assessment of business impact and acceptability of sustained loss of service?
Q: Does your organization test during normal business hours?
Q: Or must testing take place during off hours?
Q: How frequently does your organization test its plan?
Q: Does your organization have a timeline for when the contingency plan should be
revised?
Q: Has your organization identified the critical services or operations, and the A56
manual and automated processes that support them, involving ePHI?
Q: Has your organization determined what hardware and software and
personnel are critical to your organization's daily business operations?
Q: Has your organization determined the impact on desired service levels if
these critical assets are not available?
Q: Has your organization outlined the nature and degree of impact on your
operations if any of the critical resources are not available?
Q: Has your organization determined the amount of time your organization can
tolerate disruption to these operations, material or services?
Q: Has your organization determined what, if any, support is or can be provided
by external providers, including ISPs, utilities, or contractors?
Q: Has your organization established cost-effective strategies for recovering
these critical services, resources, or processes?

Q: Does your organization have any existing reports or documentation that you A57,A58,A59
had previously prepared, or that were created by your organization, addressing
compliance, integration, or maturity of one or many security
safeguard(s) deployed to protect ePHI that you can leverage for this
evaluation?
Q: Has your organization established a frequency for security evaluations, and
disseminated this information to your entire organization?
Q: Do your organization's security policies specify that security evaluations
will be repeated when environmental and operational changes, such as
technology updates, are made that affect the security of ePHI?
Q: Does your organization's frequency of security evaluation policies reflect
any and all federal laws, regulations, and guidance documents that impact
environmental or operational changes affecting the security of ePHI?
Q: Does your organization's corporate, legal, and regulatory compliance staff,
employees, or workforce members participate when you conduct your
analysis?
Q: Has your organization considered management, operational, and technical
issues in your evaluation?
Q: Has your organization performed a periodic technical and nontechnical
evaluation, based initially upon the standards implemented?
Q: Has your organization decided if your evaluation will be conducted by your
internal staff and resources or by external consultants, or by a combination of
internal and external resources?
Q: Do any of your organization's staff, employees or workforce members have
the technical experience to evaluate your systems?
Q: Do your staff, employees, or workforce members have the training
necessary on security technical and non-technical issues?
Q: Has your organization outlined the necessary factors to be considered in
selecting an outside vendor, including credentials and experience?
Q: Does your organization use a strategy and tool that considers all the
elements of the HIPAA Security Rule, including all standards and
implementation specifications?
Q: Do the elements of each of your organization's evaluation procedure,
including questions, statement and other components, address individual,
Q: Does your organization have business associate contracts? A60,A61,A62
Q: Do your organization's business associate agreements (as written and
executed) contain sufficient language to ensure that required information
types are protected, including the 2009, 2010, and 2011 HITECH Act updates
and inclusions?
Q: Has your organization identified the individual or department who is
responsible for coordinating the execution of your organization's business
associate agreements and other such agreements?
Q: Does your organization periodically review and reevaluate your list of
business associates to determine who has access to ePHI in order to assess
whether your list is complete and current?
Q: Has your organization named your systems and functions covered by the
contract/agreement?
Q: Are your organization's outsourced functions also covered by
contracts/agreements?
Q: Are your organization's off-shore functions also covered by
contracts/agreements?
Q: Has your organization executed new and updated existing agreements or
arrangements when necessary and appropriate?
Q: Do your organization's agreements and other arrangements include your
business associate(s) roles and responsibilities for the ePHI?
Q: Do your organization's agreements and other arrangements include
security requirements that address confidentiality, integrity and availability of
ePHI?
Q: Do your organization's agreements and other arrangements include security
requirements that meet all the HIPAA Security Rule requirements per the HITECH
Act?
Q: Do your organization's agreements and other arrangements include the
appropriate training requirements, as necessary?
Q: Who/which office within your organization is responsible for coordinating
and preparing the final agreement(s) or arrangement(s)?
Q: Do your organization's agreements and other arrangements specify how
ePHI is to be transmitted to and from the business associate?
Q: Do your organization's agreements and other arrangements specify
XXXXX A63
XXXXX A64
XXXXX XXXXX
Q: Does your organization have facility access controls, policies and PH1,PH2,PH3,
procedures?
Q: Does your organization have policies and procedures regarding access to
and use of your facilities and equipment?
Q: Does your organization have facility access control policies and procedures
already in place?
Q: Has your organization developed, disseminated, and periodically
reviewed/updated a formal, documented physical and environmental
protection policy that addresses the purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities and
functions, and compliance?
Q: Does your organization have formal, documented procedures to facilitate
implementation of the physical and environmental protection policy and
associated physical and environmental controls?
Q: Does your organization have an inventory of your facilities, and has it
identified the vulnerabilities in your current physical security capabilities?
Q: Has your organization assigned degrees of significance to each vulnerability
that you have identified?
Q: Has your organization determined which types of locations require access
controls to safeguard ePHI, such as: Data centers, Peripheral equipment
centers, IT staff offices, Workstation locations, and Others?
Q: Does your organization have locks and cameras in nonpublic areas and are
these reasonable and appropriate security controls?
Q: Are all your organization's workstations protected from public access and
viewing?
Q: Are all your organization's entrances and exits that lead to locations with
ePHI secured?
Q: Do normal and usual physical protections exist, such as locks on doors and
windows?
Q: Has your organization identified and assigned responsibility for the
measures and activities necessary to correct deficiencies and ensure that
proper access is allowed?
Q: Has your organization developed and deployed policies and procedures to
ensure that repairs, upgrades and/or modifications are made to your buildings
Q: Does your organization have a contingency operations plan? XXXXX
Q: Has your organization determined who needs access to your facilities and PH5,PH6,PH7
offices in the event of a disaster?
Q: Who is named in your contingency plan as responsible for access to ePHI
during a disaster?
Q: Who in your organization is responsible for implementing the contingency
plan for access to ePHI in each department, unit, and other office designation?
Q: Will your organization's contingency plan be appropriate for all types of
potential disasters, such as fire, flood, earthquake?
Q: Will your organization's contingency plan be appropriate for all your facilities?
Q: Does your organization have a backup plan for access to your facility and
/ or the ePHI?
Q: Has your organization implemented measures to provide physical protection PH8,PH9,PH10
for the ePHI in your possession?
Q: Does your organization have documentation of your facility inventory,
physical maintenance record, the history of physical changes, upgrades, and
other modifications?
Q: Does your organization's inventory identify points of access to your facilities
and the existing security controls used in these areas?
Q: Does your organization have procedures for securing your facilities, including
the exterior, the interior, and your equipment?
Q: Is a workforce member of your organization other than the security official
responsible for the facility plan?
Q: Does your organization have a facility security plan in place, under revision,
or under development?
Q: Does your organization periodically review your security plan for the
information system?

Q: Does your organization have policies and procedures in place for controlling PH12,PH13,PH
and validating access to your facilities by staff, employees, workforce
members, visitors, and probationary employees?
Q: Does your organization monitor physical access to the information system to
detect and respond to physical security incidents?
Q: Does your organization periodically review physical access logs?
Q: Has your organization developed and implemented policies and procedures PH17,PH18
to document repairs and modifications to the physical components of your
facilities specifically related to security?
Q: Has your organization developed, disseminated, and periodically
reviewed/updated your formal, documented information system maintenance
policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organization entities, and compliance?
Q: Does your organization have formal, documented procedures to facilitate
the implementation of your information system maintenance policy and
associated system maintenance controls?
Q: Does your organization maintain records of repairs to hardware, walls,
doors, and locks?
Q: Has your organization assigned responsibility to an individual or office for
the maintenance to repair and modification records?
Q: Does your organization control all maintenance activities, whether
performed on site or remotely and whether the equipment is serviced on site
or removed to another location?
Q: Does your organization require that the designated official explicitly
approve the removal of the information system or system components from
your organization's facilities for off-site maintenance or repairs?
Q: Does your organization sanitize equipment to remove all information from
associated media prior to removal from your organization's facilities for off-site
maintenance?
Q: Does your organization obtain support and/or spare parts for your
organization's security-critical information systems components or key
information technology components within a designated time period of
failure?
Q: Does your organization have workstation use policies and procedures? PH19,PH20,PH
Q: Has your organization developed and implemented policies and procedures
for proper use and performance of all types of workstations, including for day-
to-day operations?
Q: Does your organization have an inventory of workstation types and locations
within your organization?
Q: Has your organization included all types of computing devices in your
inventory of workstations, such as laptops, PDAs, tablets (iPads), smart phones,
and others?
Q: Has your organization named an individual or office responsible for this
inventory and its maintenance?
Q: Has your organization developed and implemented policies and procedures
for each type of workstation device, including accommodating their unique
issues?
Q: Has your organization classified your workstations based on their
capabilities, and defined the tasks commonly performed on a given
workstation or type of workstation?
Q: Has your organization identified key operational risks that could result in a
breach of security from all types of workstations, and trained your staff,
employees, and workforce members on predictable breaches?
Q: Does your organization have policies and procedures that will prevent
unauthorized access to unattended workstations, limit the ability of
unauthorized persons to view sensitive information, and dispose of sensitive
information as needed?
Q: Has your organization trained your staff, employees or workforce members
in the security requirements for ePHI use in their day-to-day jobs?
Q: Does your organization: 1) document allowed methods of remote access to
the information system?
Q: Does your organization: 3) monitor for unauthorized remote access to the
information system?
Q: Does your organization: 4) authorize remote access to the information
system prior to the connection?
Q: Does your organization: 1) establish usage restrictions and implementation
guidance for organization-controlled mobile devices?
Q: Does your organization have workstation security physical safeguards in PH22,PH23,PH
place?
Q: Has your organization documented the different ways workstations are
accessed by staff, employees, workforce members, and non-employees?
Q: Are any of your organization's workstations located in public areas?
Q: Does your organization use laptops and tablets (iPads) as workstations? Do
you have specific policies and procedures for such workstations?
Q: Has your organization determined which type(s) of access pose the greatest
threat to security?
Q: Has your organization reviewed the areas of your workstations to determine
which areas are more vulnerable to unauthorized use, theft, or viewing of the
data? Do you do this review periodically?
Q: Has your organization implemented physical safeguards and other security
measures to minimize the possibility of inappropriate access of ePHI through
workstations, including locked doors, screen barriers, cameras, guards?
Q: Does your organization protect information system media until the media
are destroyed or sanitized using approved equipment, techniques, and
procedures?

Q: Does your organization have device and media controls, policies and PH30,PH31,PH
procedures?
Q: Does your organization: 1) protect and control your defined types of digital
and non-digital media during transport outside of controlled areas using your
organizational security measures?
Q: Does your organization: 2) maintain accountability for information system
media during transport outside of controlled areas?
Q: Does your organization: 3) restrict the activities associated with transport of
such media to authorized personnel?

Q: Does your organization have disposal policies and procedures? XXXXX


Q: Has your organization developed and implemented policies and procedures PH34
that address the disposal of ePHI and / or the hardware and electronic media
on which it is stored, including the appropriate methods to dispose of
hardware, software and the data itself?
Q: Does your organization have a process to assure that ePHI is properly
destroyed and cannot be recreated?
Q: Does your organization keep ePHI on removable devices such as CDs, DVDs,
zip drives, tablets (iPads)? Does your organization have policies and procedures
for data disposal on these tools?

Q: Does your organization have procedures for the removal of ePHI from PH35
electronic media before the media are made available for reuse, including
assuring that ePHI is properly destroyed and cannot be recreated?
Q: Does your organization have one individual or department responsible for
coordinating data disposal and reuse of hardware and software across your
enterprise?
Q: Does your organization train your staff, employees, and workforce members
on the security and risks of ePHI destruction and reuse of software and
hardware?

Q: Does your organization keep a record of the movement of hardware and PH36,PH37
software both inside your organization and when it leaves your facility, and do
you have an individual or office responsible for this task?
Q: Does your organization have an inventory of the type of media that are used
to store ePHI, and is it updated periodically?
Q: Does your organization permit your staff, employees, and workforce
members to remove electronic media that contains or can be used to access
ePHI; does your organization have procedures to track the media externally?

Q: Does your organization create an exact copy of ePHI if needed before you PH38
move the equipment?
Q: Does your organization maintain backup files offsite to assure data
availability in the event data is lost while transporting or moving electronic
media containing ePHI?
Q: Does your organization have an inventory of what business process would
be impacted and for how long if data were unavailable while media was being
moved?
Q: Does your organization have access to technical policies and procedures? T1,T2,T3,T4
Q: Has your organization identified all applications, systems, servers and other
electronic tools that hold and use ePHI?
Q: Has your organization outlined the user roles for the applications, systems,
servers and other electronic tools identified above?
Q: Has your organization determined where the ePHI supporting the electronic
tools is currently housed (i.e. laptop, network, etc.)?
Q: Are any of your organization's systems, networks, or data accessed
remotely?
Q: Has your organization identified an approach for access control?
Q: Has your organization determined the access capabilities of all your
electronic tools that hold and create ePHI, such as viewing data, modifying
data, deleting data, and creating data?

Q: Does your organization have a formal access control policy that guided the T5,T6
development of access control procedures?
Q: Has your organization developed and implemented access control
procedures?
Q: Do your organization's access control procedures include: 1) initial access, 2)
increased access, 3) access to different systems and applications than the user
currently has?
Q: Has your access control policy, including the rules of user behavior, been
communicated to your system users?
Q: Has your organization outlined how user compliance with your access
control policy will be enforced?
Q: Has your organization determined who will manage the access control
procedures?
Q: Does your organization train your users in access control procedures and
management?
Q: Does your organization train new employees/users in your access control
policy and procedures, and other instructions for protecting ePHI?
Q: Does your organization have procedures for new employee/user access to
your data and systems?
Q: Does your organization have procedures for reviewing and, as appropriate,
modifying access authorization for existing users?
Q: Has your organization determined how a user identifier should be
established, such as length and content, and communicated this information to
your staff, employees, and workforce members?
Q: Has your organization determined if the user identifier should be self-
selected or randomly generated? Is it different for different types of data?
Q: Can your organization trace all system activity, viewing, modifying, deleting
and creating of ePHI, to a specific user?
Q: Does your organization record each time ePHI is viewed, modified, deleted
or created in an audit tool to support audit and other business functions?
Q: Does your organization have procedures for obtaining necessary access to T7,T8,T9,T10,T
ePHI during an emergency?
Q: Does your organization have a policy on when access procedures should be
activated?
Q: Does your organization's policy name the person/role/office that makes the
decision to activate your emergency access procedures?
Q: Does your organization have procedures and a method for supporting
continuity of operations when normal access procedures are disabled or
unavailable due to system problems?
Q: Will your organization's systems automatically default to settings and
functionalities that will enable the emergency access procedures or will it
need to be activated by a system's administrator/authorized individual?

Q: Does your organization have an electronic procedure that automatically T17,T18,T19
terminates an electronic session after a predetermined time of activity?
Q: Has your organization inventoried your electronic tools for automatic log-off
capabilities?
Q: Has your organization determined the period of activity prior to triggering
the automatic log-off?
Q: Has your organization determined whether the period of activity prior to
triggering the automatic log-off is different for specific parts of your organization?
Q: Do the tool(s) your organization has developed and built in-house have
automatic log-off capabilities, or can they be modified to include automatic
log-off capabilities?
Q: Does your organization have a process/mechanism to encrypt and decrypt ePHI? T20,T21,T22

Q: Has your organization determined the appropriate scope of audit controls T23,T24,T25,T
that are necessary to protect your information systems and tools that
contain ePHI, based on your risk assessment?
Q: Has your organization determined what data will need to be captured by
your audit controls and in your audit logs, user ID, event type/date/time?
Q: Has your organization determined where your ePHI is at risk within your
organization and when you transmit it outside your organization?
Q: Does your organization have an inventory of what systems, applications,
processes, servers, laptops, PDAs, tablets (iPads) and other electronic tools
make data vulnerable to unauthorized or inappropriate tampering, uses or
disclosures of ePHI?
Q: What activities will your audit controls monitor, creation, review, updating,
deleting, other of ePHI?
Q: Has your organization evaluated your existing systems' capabilities in the last
12 months and determined if any changes or upgrades are necessary?
Q: Does your organization have tools in place for auditing data review, creating,
deleting and updating, plus for firewall system activity and other similar
activities?
Q: Has your organization determined what are the most appropriate
monitoring tools for your organization, such as third party tools, freeware,
operating-system provided, or home grown?
Q: Does your organization's evaluation include a determination of what changes
and upgrades to your monitoring tools are reasonable and appropriate?
Q: Does your organization have a process and communication plan to tell your
staff, employees, and workforce members about your organization's decisions
regarding audit and review of their use of ePHI?
Q: Has your organization named a person, role or office as the responsible
party for your overall audit process and its results?
Q: Has your organization determined the period when audits will be
performed?
Q: Has your organization determined the type of audit trail data it will need,
and the monitoring procedures to derive exception reports, other reports?
Q: Has your organization determined how your exception reports and logs will
be reviewed?
Q: Does your organization have integrity policies and procedures? T32
Q: Does your organization have a list of all users who are authorized to
access ePHI?
Q: Has your organization established a basis for assigning specific individuals
and roles access to the ePHI based on need, such as necessity for job tasks?
Q: Has your organization identified all approved users with the ability to alter
or destroy data?
Q: Have your organization's users been trained on how to use ePHI?
Q: Does your organization have audit trails established for all accesses to ePHI?
Q: Has your organization determined what can be done to protect the ePHI
when it is at rest in your systems and tools?
Q: Does your organization have policies and procedures that are used to
decrease or eliminate alteration of ePHI during transition, such as encryption?
Q: Does your organization have a formally documented set of integrity
requirements that is based on your analysis of use, users and misuses of ePHI
and your risk analysis?
Q: Does your organization have a written policy related to your integrity
requirements and has it been communicated to your system(s) users?
Q: Are your organization's current audit, logging, and access control techniques
and methods sufficient to address the integrity of ePHI?
Q: If your organization's current techniques and methods are not sufficient,
what additional techniques and methods can you apply to check ePHI integrity,
such as quality control process, transaction and output reconstruction?
Q: Can your organization provide additional training to decrease instances
attributable to human errors?

Q: Does your organization have in place electronic mechanisms to corroborate T33
that ePHI has not been altered or destroyed in an unauthorized manner?
Q: Does your organization use both electronic and non-electronic mechanisms
to protect ePHI?
Q: Does your organization use authentication mechanisms, such as error-
correcting memory, magnetic disc storage, digital signatures, check sum
technology? Others?
Q: Does your organization's information integrity process, as currently
implemented, provide a high level of assurance that information integrity
is being maintained?
Q: Does your organization have person and entity authentication policies and T34,T35,T36,T
procedures?
Q: Has your organization established formal documented authentication policy
and procedures and communicated them to your organization's staff,
employees, and workforce members?
Q: Do your organization's authentication procedures include ongoing system,
application, network, and tool maintenance and update of your
authentication methods?
Q: Do your organization's identity methods corroborate that the person is the
one claimed?
Q: What authentication methods does your organization use?
Q: Do your authentication methods require the validity of a transmission
source and/or verifying an individual's claim of authorization privileges to
ePHI?
Q: Does your organization have trained staff to maintain the system or is this
work outsourced?
Q: Does your organization use passwords for individual access to ePHI?
Q: If your organization uses passwords for individual access to ePHI are they
unique by individual?
Q: Has/does your organization use outside third party vendor support to
implement your organization's authentication methods?
Q: Has your organization implemented the selected authentication methods
into your organization's systems, networks, applications, and tools?
Q: Has your organization completed user and support staff training?
Q: Does your organization have transportation policies and procedures? T38,T39
Q: Does your organization have formal documented policies and procedures
for transmission of ePHI, and have they been communicated to your staff,
employees, and workforce members?
Q: Do your organization's policies and procedures identify methods of
transmission that will be used to safeguard ePHI?
Q: Do your organization's policies and procedures identify tools and techniques
that will be used to support the transmission security policy?
Q: Has your organization implemented procedures for transmitting ePHI using
hardware or software?
Q: Does your organization have a formal documented set of requirements for
transmitting ePHI?
Q: What measures does your organization have in place to protect ePHI during
transmission?
Q: Does your organization have in place an auditing process during
transmission that verifies that the ePHI has been protected against
unauthorized access?
Q: Does your organization have trained staff that monitor transmissions?

Q: Does your organization have integrity controls policies and procedures?
Q: Does your organization have measures planned or implemented to protect T40,T41,T42
ePHI during transmission?
Q: Does your organization have assurance that the information is not altered
during transmission?

Q: Has your organization implemented encryption for ePHI transmission? T44,T45


Q: Does your organization believe encryption necessary to protect ePHI during
transmission?
Q: Is encryption feasible and cost-effective for your organization?
Q: What, if any, encryption algorithms and mechanisms are available to your
organization?
Q: Does your organization have staff skilled in the use of encryption?
Q: Does your organization have staff to maintain a process for encrypting ePHI
during transmission?
Q: Does your organization have business associate agreements or other contracts
Q: Does your organization's business associate agreements include mandated r O1
Q: Do your organization's business associate agreements include specified para
Q: Do your organization's business associate agreements include specified p
Q: Do your organization's business associate agreements include specified
paragraphs if termination of business associates is not feasible, the issue is
reported to the Office for Civil Rights?
Q: Does your organization include the following requirements and/or
specifications, explicitly or by reference, in information acquisition contracts
based on the assessment of risk and in accordance with applicable laws,
regulations, and related guidance documents: 1) security functional
requirements/specifications?
Q: Does your organization include the following requirements and/or
specifications, explicitly or by reference, in information acquisition contracts
based on the assessment of risk and in accordance with applicable laws,
regulations, and related guidance documents: 2) security- related
documentation requirements?
Q: Does your organization include the following requirements and/or
specifications, explicitly or by reference, in information acquisition contracts
based on the assessment of risk and in accordance with applicable laws,
regulations, and related guidance documents: 3) developmental and
evaluation-related assurance requirements?

XXXXX O2

Q: Does your organization's business associate contract(s) provide that the
business associates will implement administrative, physical and technical
safeguards to protect the ePHI?
Q: Does your organization's business associate contract(s) address functions
related to creating, receiving, maintaining, and transmitting ePHI?
Q: Do your organization's business associate contracts provide that the
business associates conduct a risk assessment that addresses administrative,
physical and technical risks?

Q: Do your organization's business associate contracts provide that any agent,
Q: Does your organization's business associate contract(s) provide that the
business associate will report any security incidents of which it becomes aware
to the covered entity?
Q: Has your organization identified the key business associate staf/point of
contact in the event of a security incident?
Q: Does your organization have in place a procedure including a reporting
mechanism for reporting security incidents by a business associate?

Q: Does your organization's business associate contract include standards and
thresholds for termination of contract?
Q: Do the conditions for termination within your organization's business
associate contract include material breach of the contract, and that the breach
cannot be cured?
Q: Does your organization's business associate contract include reporting the
problem to the Office for Civil Rights (OCR) if contract termination is not possible?

Q: If your organization and the organization you are contracting with are both
governmental agencies, do you use a memorandum of understanding (MOU)?
Q: Does your organization's MOU/agreement provide protection for the ePHI
equivalent to that provided in a HIPAA business associate contract?
Q: If your organization's MOU cannot be terminated, are other enforcement
mechanisms in place that are reasonable and appropriate?

Q: Does your organization use memorandum of understanding (MOU) with certai
Q: Does your organization have other laws similar to business associate agree
Q: If your organization has an MOU have you made a good faith effort to obtain
satisfactory assurances that the HIPAA Security Standards are met?
Q: Does your organization attempt to obtain satisfactory assurances, and are
the reasons they cannot be obtained documented?

Q: Does your organization or your contract partners have statutory obligations O3

Q: Is your organization a group health plan?
Q: Does your organization only share summary health information or disclose
whether an individual is a participant or enrolled/unenrolled to the health plan
sponsor?
Q: Does your organization have group health plan documents that include plan
sponsor requirements?
Q: Does your organization amend your plan documents to incorporate
provisions that require a health plan sponsor to implement administrative,
physical and technical safeguards to protect the ePHI. Also, does the plan
sponsor create, receive, maintain or transmit on your behalf?
Q: Do your organization's plan documents ensure adequate separation
between the group health plan and the plan sponsor, including the sponsor's
employees, classes of employees, or other persons who will be given access to
the ePHI?
Q: Do your organization's plan documents include provisions that require the
plan sponsor's agents, including subcontractors, to whom it provides ePHI to
agree to implement all reasonable and appropriate security measures to protect
the ePHI?
Q: Do your organization's plan documents include provisions that require the
plan sponsor to report to the group health plan any security incident of which it
becomes aware?
Q: Does your organization have a procedure in place that includes a
mechanism for reporting security incidents by a plan sponsor?
Q: Does your organization have a procedure in place that includes a reporting
mechanism for responding to security incidents by a plan sponsor?

Q: Does your organization have policies and procedures for administrative PO1
safeguards, physical safeguards, and technical safeguards?
Q: Does your organization have in place reasonable and appropriate policies
and procedures that comply with the standards and implementation
specifications of the HIPAA Security Rule?
Q: Do your organization's security policies and procedures take into
consideration: 1) your organization's size, complexity and the services you
provide, 2) your organization's technical infrastructure, hardware and software
capabilities, 3) the cost of your organization's security measures, 4) the
potential risks to day-to-day operation, including which functions and tools are
critical to operations?
Q: Does your organization have procedures for periodic re-evaluation of your
security policies and procedures, and update them when necessary?
Q: Does your organization change security policies and procedures at any
appropriate time, and document the changes and implementation?
Q: Does your organization have a documentation policy and procedures?
Q: Has your organization documented all security policies and procedures?
Q: Has your organization documented your decisions concerning the security
management, operational, and technical controls to mitigate your identified
risks?
Q: Does your organization update your security documentation following
breaches, security incidents, new acquisitions, change in technology and other
similar times?
Q: Does your organization have an individual or office that maintains and is
responsible for your HIPAA Security documentation?

XXXXX PO2
XXXXX PO3
Q: Does your organization have a data retention policy and procedure(s) that co
Q: Has your organization aligned HIPAA documentation retention requirements wi PO4
Q: Has your organization communicated with all staff that need access to your PO5
security documentation where it is found?
Q: Do your organization's education, training and awareness activities
include the availability of your security documentation?
Q: Does your organization have a process in place to solicit input from the staff,
employees, and workforce impacted, into your updates of your security
policies and procedures?

Q: Does your organization have a version control for your procedure(s) and proces PO6
HHS-ONC_SRA  HHS-ONC_SRATK_W_LINEBREAKS  TYPE_HHS-ONC_SRATK
(A1): Does your practice develop, document, and implement Standard
policies and procedures for assessing and managing risk to its
Electronic Protected Health Information (ePHI)?
(A2): Does your practice have a process for periodically
reviewing its risk analysis policies and procedures and making
updates as necessary?

(A3): Does your practice categorize its information systems Required
based on the potential impact to your practice should they
become unavailable?
(A4): Does your practice periodically complete an accurate and
thorough risk analysis, such as upon occurrence of a significant
event or change in your business organization or environment?
(A5): Does your practice have a formal documented program Required
to mitigate the threats and vulnerabilities to ePHI identified
through the risk analysis?
(A6): Does your practice assure that its risk management
program protects against the impermissible use and disclosure
of ePHI?
(A7): Does your practice document the results of its risk
analysis and assure the results are distributed to appropriate
members of the workforce who are responsible for mitigating
the threats and vulnerabilities to ePHI identified through the
risk analysis?
(A8): Does your practice formally document a security plan?

(A9): Does your practice have a formal and documented Required
process or regular human resources policy to discipline
workforce members who have access to your organization's
ePHI if they are found to have violated the office's policies to
prevent system misuse, abuse, and any harmful activities that
involve your practice's ePHI?
(A10): Does your practice include its sanction policies and
procedures as part of its security awareness and training
program for all workforce members?
(A11): Does your practice have policies and procedures for the Required
review of information system activity?
(A12): Does your practice regularly review information system
activity?

(A13): Does your practice have a senior-level person whose job Required
it is to develop and implement security policies and
procedures or act as a security point of contact?
(A14): Is your practice's security point of contact qualified to
assess its security protections as well as serve as the point of
contact for security policies, procedures, monitoring, and
training?
(A15): Does your practice have a job description for its security
point of contact that includes that person's duties, authority,
and accountability?
(A16): Does your practice make sure that its workforce
members and others with authorized access to your ePHI
know the name and contact information for its security point
of contact and know to contact this person if there are any
security problems?
(A17): Does your practice have a list that includes all members Required
of its workforce, the roles assigned to each, and the
corresponding access that each role enables for your
practice's facilities, information systems,
electronic devices, and ePHI?
(A18): Does your practice know all business associates and the
access that each requires for your practice's facilities,
information systems, electronic devices, and ePHI?
(A19): Does your practice clearly define roles and
responsibilities along logical lines and assure that no one
person has too much authority for determining who can access
your practice's facilities, information systems, and ePHI?
(A20): Does your practice have policies and procedures that
make sure those who need access to ePHI have access and
those who do not are denied such access?
(A21): Has your practice chosen someone whose job duty is to
decide who can access ePHI (and under what conditions) and
to create ePHI access rules that others can follow?

(A22): Does your practice define roles and job duties for all job Addressable
functions and keep written job descriptions that clearly set
forth the qualifications?
(A23): Does your practice have policies and procedures for
access authorization that support segregation of duties?
(A24): Does your practice implement procedures for
authorizing users and changing authorization permissions?
(A25): Do your practice's policies and procedures for access
authorization address the needs of those who are not
members of its workforce?

(A26): Does your organization have policies and procedures Addressable
that authorize members of your workforce to have access to
ePHI and describe the types of access that are permitted?
(A27): Do your practice's policies and procedures require
screening workforce members prior to enabling access to its
facilities, information systems, and ePHI to verify that users are
trustworthy?
(A28): Does your practice have policies and procedures for Addressable
terminating authorized access to its facilities, information
systems, and ePHI once the need for access no longer exists?
(A29): Does your practice have formal policies and
procedures to support when a workforce member's
employment is terminated and/or a relationship with a
business associate is terminated?

(A30): Do your practice's policies and procedures describe the Standard
(A31): Does your practice have policies and procedures that expl Required

(A32): Do the roles and responsibilities assigned to your Addressable
practice's workforce members support and enforce
segregation of duties?
(A33): Do your practice's policies and procedures explain
how your practice assigns user authorizations (privileges),
including the access that is permitted?
(A34): Does your practice have a training program that makes Standard
each individual with access to ePHI aware of security measures
to reduce the risk of improper access, uses, and disclosures?
(A35): Does your practice periodically review and update its
security awareness and training program in response to
changes in your organization, facilities or environment?
(A36): Does your practice provide ongoing basic security
awareness to all workforce members, including physicians?
(A37): Does your practice provide role-based training to all
new workforce members?
(A38): Does your practice keep records that detail when each
workforce member satisfactorily completed periodic training?

(A39): As part of your practice's ongoing security awareness a Addressable

(A40): Does your practice's awareness and training content Addressable
include information about the importance of implementing
software patches and updating antivirus software when
requested?
(A41): Does your practice's awareness and training content
include information about how malware can get into your
systems?
(A42): Does your practice include log-in monitoring as part of i Addressable
(A43): Does your practice include password management as part Addressable
(A44): Does your practice have policies and procedures designed Standard
(A45): Does your practice have incident response policies and Required
procedures that assign roles and responsibilities for incident
response?
(A46): Does your practice identify members of its incident
response team and assure workforce members are trained and
that incident response plans are tested?
(A47): Does your practice's incident response plan align with
its emergency operations and contingency plan, especially
when it comes to prioritizing system recovery actions or events
to restore key processes, systems, applications, electronic
devices and media, and information (such as ePHI)?
(A48): Does your practice implement the information
system's security protection tools to protect against malware?
(A49): Does your practice know what critical services and ePHI Standard
it must have available to support decision making about a
patient's treatment during an emergency?
(A50): Does your practice consider how natural or man-made
disasters could damage its information systems or prevent
access to ePHI and develop policies and procedures for
responding to such a situation?
(A51): Does your practice regularly review/update its
contingency plan as appropriate?

(A52): Does your practice have policies and procedures for the Required

(A53): Does your practice have policies and procedures for cont Required
(A54): Does your practice have an emergency mode operations plan Required

(A55): Does your practice have policies and procedures for testi Addressable
(A56): Does your practice implement procedures for identifying Addressable

(A57): Does your practice maintain and implement policies and Standard
procedures for assessing risk to ePHI and engaging in a
periodic technical and non-technical evaluation in response to
environmental or operational changes affecting the security of
your practice's ePHI?
(A58): Does your practice periodically monitor its physical
environment, business operations, and information system to
gauge the effectiveness of security safeguards?
(A59): Does your practice identify the role responsible and
accountable for assessing risk and engaging in ongoing
evaluation, monitoring, and reporting?
(A60): Does your practice identify the role responsible and Standard
accountable for making sure that business associate
agreements are in place before your practice enables a service
provider to begin to create, access, store or transmit ePHI on
your behalf?
(A61): Does your practice maintain a list of all of its service
providers, indicating which have access to your practice's
facilities, information systems and ePHI?
(A62): Does your practice have policies and implement
procedures to assure it obtains business associate
agreements?

(A63): If your practice is the business associate of another cove Required
(A64): Does your practice execute business associate agreements Required
(PH1): Do you have an inventory of the physical systems, Standard
devices, and media in your office space that are used to store
or contain ePHI?
(PH2): Do you have policies and procedures for the physical
protection of your facilities and equipment? This includes
controlling the environment inside the facility.
(PH3): Do you have policies and procedures for the physical
protection of your facilities and equipment? This includes
controlling the environment inside the facility.
(PH4): Do you have physical protections in place to manage
physical security risks, such as a) locks on doors and windows
and b) cameras in nonpublic areas to monitor all entrances
and exits?

(PH5): Do you plan and coordinate physical (facilities) and Addressable
technical (information systems, mobile devices, or
workstations) security-related activities (such as testing) before
doing such activities to reduce the impact on your practice
assets and individuals?
(PH6): Have you developed policies and procedures that plan
for your workforce (and your information technology service
provider or contracted information technology support) to gain
access to your facility and its ePHI during a disaster?
(PH7): If a disaster happens, does your practice have another
way to get into your facility or offsite storage location to get
your ePHI?
(PH8): Do you have policies and procedures for the protection
of keys, combinations, and similar physical access controls? [Addressable]
(PH9): Do you have policies and procedures governing when to
re-key locks or change combinations when, for example, a key
is lost, a combination is compromised, or a workforce member
is transferred or terminated?
(PH10): Do you have a written facility security plan?
(PH11): Do you take the steps necessary to implement your
facility security plan?

(PH12): Do you have a Facility User Access List of workforce
members, business associates, and others who are authorized
to access your facilities where ePHI and related information
systems are located? [Addressable]
(PH13): Do you periodically review and approve a Facility User
Access List and authorization privileges, removing from the
Access List personnel no longer requiring access?
(PH14): Does your practice have procedures to control and
validate someone's access to your facilities based on that
person's role or job duties?
(PH15): Do you have procedures to create, maintain, and keep
a log of who accesses your facilities (including visitors), when
the access occurred, and the reason for the access?
(PH16): Has your practice determined whether monitoring
equipment is needed to enforce your facility access control
policies and procedures?
(PH17): Do you have maintenance records that include the
history of physical changes, upgrades, and other modifications
for your facilities and the rooms where information systems
and ePHI are kept? [Addressable]
(PH18): Do you have a process to document the repairs and
modifications made to the physical security features that
protect the facility, administrative offices, and treatment
areas?
(PH19): Does your practice keep an inventory and a location
record of all of its workstation devices? [Standard]
(PH20): Has your practice developed and implemented
workstation use policies and procedures?
(PH21): Has your practice documented how staff, employees,
workforce members, and non-employees access your
workstations?
(PH22): Does your practice have policies and procedures that
describe how to prevent unauthorized access of unattended
workstations? [Standard]
(PH23): Does your practice have policies and procedures that
describe how to position workstations to limit the ability of
unauthorized individuals to view ePHI?
(PH24): Have you put any of your practice's workstations in
public areas?
(PH25): Does your practice use laptops and tablets as
workstations? If so, does your practice have specific policies
and procedures to safeguard these workstations?
(PH26): Does your practice have physical protections in place
to secure your workstations?
(PH27): Do you regularly review your workstations' locations
to see which areas are more vulnerable to unauthorized use,
theft, or viewing of the data?
(PH28): Does your practice have physical protections and other
security measures to reduce the chance for inappropriate
access of ePHI through workstations? This could include using
locked doors, screen barriers, cameras, and guards.
(PH29): Do your policies and procedures set standards for
workstations that are allowed to be used outside of your
facility?

(PH30): Does your practice have security policies and
procedures to physically protect and securely store electronic
devices and media inside your facility(ies) until they can be
securely disposed of or destroyed? [Standard]
(PH31): Do you remove or destroy ePHI from information
technology devices and media prior to disposal of the device?
(PH32): Do you maintain records of the movement of
electronic devices and media inside your facility?
(PH33): Have you developed and implemented policies and
procedures that specify how your practice should dispose of
electronic devices and media containing ePHI?



(PH34): Do you require that all ePHI is removed from equipment [...] [Required]

(PH35): Do you have procedures that describe how your practice [...] [Required]

(PH36): Does your practice maintain a record of movements of
hardware and media and the person responsible for the use
and security of the devices or media containing ePHI outside
the facility? [Addressable]
(PH37): Do you maintain records of employees removing
electronic devices and media from your facility that has or can
be used to access ePHI?

(PH38): Does your organization create backup files prior to the [...] [Addressable]
(T1): Does your practice have policies and procedures
requiring safeguards to limit access to ePHI to those persons
and software programs appropriate for their role? [Standard]
(T2): Does your practice have policies and procedures to grant
access to ePHI based on the person or software programs
appropriate for their role?
(T3): Does your practice analyze the activities performed by all
of its workforce and service providers to identify the extent to
which each needs access to ePHI?
(T4): Does your practice identify the security settings for each
of its information systems and electronic devices that control
access?

(T5): Does your practice have policies and procedures for the
assignment of a unique identifier for each authorized user? [Required]
(T6): Does your practice require that each user enter a unique
user identifier prior to obtaining access to ePHI?
(T7): Does your practice have policies and procedures to
enable access to ePHI in the event of an emergency? [Required]
(T8): Does your practice define what constitutes an emergency
and identify the various types of emergencies that are likely to
occur?
(T9): Does your practice have policies and procedures for
creating an exact copy of ePHI as a backup?
(T10): Does your practice back up ePHI by saving an exact copy
to a magnetic disk/tape or a virtual storage such as a cloud
environment?
(T11): Does your practice have back up information systems so
that it can access ePHI in the event of an emergency or when
your practice's primary systems become unavailable?
(T12): Does your practice have the capability to activate
emergency access to its information systems in the event of a
disaster?
(T13): Does your practice have policies and procedures to
identify the role of the individual accountable for activating
emergency access settings when necessary?
(T14): Does your practice designate a workforce member who
can activate the emergency access settings for your
information systems?
(T15): Does your practice test access when evaluating its ability
to continue accessing ePHI and other health records during an
emergency?
(T16): Does your practice effectively recover from an
emergency and resume normal operations and access to ePHI?

(T17): Does your practice have policies and procedures that
require an authorized user's session to be automatically
logged off after a predetermined period of inactivity? [Addressable]
(T18): Does a responsible person in your practice know the
automatic logoff settings for its information systems and
electronic devices?
(T19): Does your practice activate an automatic logoff that
terminates an electronic session after a predetermined period
of user inactivity?
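The control behind T17-T19 is easiest to reason about as a session table with two limits: an idle limit that logs a user off after a predetermined period without activity, and an absolute lifetime that caps even a continuously active session. The following is an added example written for this page; it is not code from the SRA tool or from any practice's systems. The timeout values (15 minutes idle, 8 hours absolute), the user IDs and the injected clock are assumptions chosen for illustration.

```python
"""Automatic logoff after a predetermined period of inactivity.

Added example for questions T17-T19; not code from the SRA tool or from
any practice's system. Each session records when it was opened and when it
was last used; any session past the idle limit (or the absolute lifetime)
is terminated the next time it is touched or when the sweeper runs. The
timeout values, user IDs and the injected clock are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    opened_at: float
    last_activity: float
    active: bool = True


class SessionManager:
    """Tracks sessions and enforces idle and absolute timeouts."""

    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600,
                 clock=time.monotonic):
        # idle_timeout: seconds of inactivity before automatic logoff (assumed 15 min).
        # absolute_timeout: maximum session lifetime regardless of activity (assumed 8 h).
        # clock: monotonic time source; injected so the policy can be tested deterministically.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def open(self, user_id: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user_id, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_activity > self.idle_timeout
                or now - s.opened_at > self.absolute_timeout)

    def touch(self, token: str) -> bool:
        """Record activity on a session. Returns False (and logs the session off)
        if it is unknown, already terminated, or has exceeded a timeout."""
        now = self._clock()
        s = self._sessions.get(token)
        if s is None or not s.active:
            return False
        if self._expired(s, now):
            s.active = False
            return False
        s.last_activity = now
        return True

    def is_active(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and s.active and not self._expired(s, self._clock())

    def sweep(self) -> list[str]:
        """Terminate every session past its limits even if nobody touches it
        again; returns the user IDs logged off so the event can be audited."""
        now = self._clock()
        logged_off = []
        for s in self._sessions.values():
            if s.active and self._expired(s, now):
                s.active = False
                logged_off.append(s.user_id)
        return logged_off


class FakeClock:
    """Constructed clock for exercising the policy without waiting."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

The sweeper matters as much as the check on `touch`: a session that is never used again would otherwise stay "active" in the table indefinitely, which is exactly the unattended-session exposure T17 asks about. The 15-minute value is an assumption for the example; the Rule leaves the period to the practice's risk analysis.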
(T20): Does your practice have policies and procedures for
implementing mechanisms that can encrypt and decrypt ePHI? [Addressable]
(T21): Does your practice know the encryption capabilities of
its information systems and electronic devices?
(T22): Does your practice control access to ePHI and other
health information by using encryption/decryption methods to
deny access to unauthorized users?

(T23): Does your practice have policies and procedures
identifying hardware, software, or procedural mechanisms
that record or examine information systems activities? [Standard]
(T24): Does your practice identify its activities that create,
store, and transmit ePHI and the information systems that
support these business processes?
(T25): Does your practice categorize its activities and
information systems that create, transmit or store ePHI as high,
moderate or low risk based on its risk analyses?
(T26): Does your practice use the evaluation from its risk
analysis to help determine the frequency and scope of its
audits, when identifying the activities that will be tracked?
(T27): Does your practice have audit control mechanisms that
can monitor, record and/or examine information system
activity?
(T28): Does your practice have policies and procedures for
creating, retaining, and distributing audit reports to
appropriate workforce members for review?
(T29): Does your practice generate the audit reports and
distribute them to the appropriate people for review?
(T30): Does your practice have policies and procedures
establishing retention requirements for audit purposes?
(T31): Does your practice retain copies of its audit/access
records?
(T32): Does your practice have policies and procedures for prot [...] [Standard]

(T33): Does your practice have mechanisms to corroborate that [...] [Addressable]
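Questions T27-T31 ask for audit records that are generated, distributed and retained, and T33 asks for a mechanism that corroborates those records have not been altered. One mechanism that serves both is a hash-chained, keyed audit trail: each record carries an HMAC over its own fields and the previous record's tag, so altering, reordering or deleting a retained record breaks the chain. The following is an added example written for this page, not code from the SRA tool or from any product; the key, the event fields and the sample events are constructed for illustration.

```python
"""Tamper-evident audit trail for ePHI access events.

Added example for questions T27-T31 (audit records generated and retained)
and T33 (a mechanism to corroborate that records have not been altered);
not code from the SRA tool or any product. Each record is tagged with an
HMAC over its own fields plus the previous record's tag, so modifying,
reordering or deleting a retained record breaks the chain. The key, event
fields and sample events are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # prev_tag of the first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str
    user_id: str
    action: str
    record_id: str  # identifier of the ePHI record touched (constructed)
    prev_tag: str
    tag: str


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key  # assumed to be held outside the log's own storage
        self._records: list[AuditRecord] = []

    def _tag(self, seq, timestamp, user_id, action, record_id, prev_tag) -> str:
        # Canonical encoding so the same fields always produce the same tag.
        payload = json.dumps([seq, timestamp, user_id, action, record_id, prev_tag],
                             separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, timestamp: str, user_id: str, action: str, record_id: str) -> AuditRecord:
        seq = len(self._records)
        prev_tag = self._records[-1].tag if self._records else GENESIS
        tag = self._tag(seq, timestamp, user_id, action, record_id, prev_tag)
        rec = AuditRecord(seq, timestamp, user_id, action, record_id, prev_tag, tag)
        self._records.append(rec)
        return rec

    def head(self) -> str:
        """Tag of the newest record; store it separately to detect truncation."""
        return self._records[-1].tag if self._records else GENESIS

    def export(self) -> list[dict]:
        return [asdict(r) for r in self._records]

    def verify(self, records: list[dict] | None = None,
               expected_head: str | None = None) -> tuple[bool, int | None]:
        """Return (True, None) if the chain is intact, else (False, index of the
        first bad record). With expected_head, also detect records removed from the end."""
        recs = self.export() if records is None else records
        prev = GENESIS
        for i, r in enumerate(recs):
            if r["seq"] != i or r["prev_tag"] != prev:
                return False, i
            expected = self._tag(r["seq"], r["timestamp"], r["user_id"],
                                 r["action"], r["record_id"], r["prev_tag"])
            if not hmac.compare_digest(expected, r["tag"]):
                return False, i
            prev = r["tag"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(recs)
        return True, None


# Constructed sample events (not real access data).
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:11Z", "clinician-01", "view", "patient-1042"),
    ("2024-03-01T08:05:40Z", "clinician-01", "update", "patient-1042"),
    ("2024-03-01T09:17:03Z", "billing-02", "view", "patient-0311"),
]


def build_sample_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    log = AuditLog(key)
    for ts, user, action, rec in SAMPLE_EVENTS:
        log.append(ts, user, action, rec)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(expected_head=log.head()))
    tampered = log.export()
    tampered[1]["user_id"] = "someone-else"
    print("after tampering:", log.verify(tampered))
```

Two caveats a reviewer would raise. The chain alone cannot see records removed from its end, so the current head tag has to be recorded somewhere the log's administrators cannot rewrite (a separate system or a periodic signed checkpoint). And the HMAC key must not live beside the records, or whoever can edit the log can also re-tag it; the key is the part that makes the corroboration in T33 meaningful.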
(T34): Does your practice have policies and procedures for
verification that a person or entity seeking access to ePHI is the
one claimed? [Required]
(T35): Does your practice know the authentication capabilities
of its information systems and electronic devices to assure that
a uniquely identified user is the one claimed?
(T36): Does your practice use the evaluation from its risk
analysis to select the appropriate authentication mechanism?
(T37): Does your practice protect the confidentiality of the
documentation containing access control records (list of
authorized users and passwords)?
(T38): Does your practice have policies and procedures for
guarding against unauthorized access of ePHI when it is
transmitted on an electronic network? [Standard]
(T39): Does your practice implement safeguards to assure that
ePHI is not accessed while en route to its intended recipient?



(T40): Does your practice know what encryption capabilities
are available to it for encrypting ePHI being transmitted from
one point to another? [Addressable]
(T41): Does your practice take steps to reduce the risk that
ePHI can be intercepted or modified when it is being sent
electronically?
(T42): Does your practice implement encryption as the
safeguard to assure that ePHI is not compromised when being
transmitted from one point to another?

(T44): Does your practice have policies and procedures for
encrypting ePHI when deemed reasonable and appropriate? [Addressable]
(T45): When analyzing risk, does your practice consider the
value of encryption for assuring that ePHI is not accessed or
modified when it is stored or transmitted?
(O1): Does your practice assure that its business associate agre [...] [Standard]

(O2): Do the terms and conditions of your practice's business
associate agreements state that the business associate will
implement appropriate security safeguards to protect the
privacy, confidentiality, integrity and availability of ePHI that
it collects, creates, maintains, or transmits on behalf of the
practice and timely report security incidents to your practice? [Required]


(O3): If your practice is the business associate of a covered ent [...] [Required]

(PO1): Do your practice's processes enable the development and [...] [Standard]

(PO2): Does your practice assure that its policies and procedur [...] [Standard]
(PO3): Does your practice assure that its other security progra [...] [Standard]
(PO4): Does your practice assure that its policies, procedures, a [...] [Required]
(PO5): Does your practice assure that its policies, procedures a [...] [Required]

(PO6): Does your practice assure that it periodically reviews a [...] [Required]
PE_HHS-ONC_SRATK
