
PK  DID      DOMAIN                    CID                     TYPE         HHS-ONC_SRATK_ID
26  164.308  Administrative            164.308(a)(1)(i)        Standard     A1,A2
27  164.308  Administrative            164.308(a)(1)(ii)(A)    Required     A3,A4
28  164.308  Administrative            164.308(a)(1)(ii)(B)    Required     A5,A6,A7,A8
29  164.308  Administrative            164.308(a)(1)(ii)(C)    Required     A9,A10
30  164.308  Administrative            164.308(a)(1)(ii)(D)    Required     A11,A12
31  164.308  Administrative            164.308(a)(2)           Required     A13,A14,A15,A16
32  164.308  Administrative            164.308(a)(3)(i)        Required     A17,A18,A19,A20,A21
33  164.308  Administrative            164.308(a)(3)(ii)(A)    Addressable  A22,A23,A24,A25
34  164.308  Administrative            164.308(a)(3)(ii)(B)    Addressable  A26,A27
35  164.308  Administrative            164.308(a)(3)(ii)(C)    Addressable  A28,A29
36  164.308  Administrative            164.308(a)(4)(i)        Standard     A30
37  164.308  Administrative            164.308(a)(4)(ii)(B)    Required     A31
38  164.308  Administrative            164.308(a)(4)(ii)(C)    Addressable  A32,A33
39  164.308  Administrative            164.308(a)(5)(i)        Standard     A34,A35,A36,A37,A38
40  164.308  Administrative            164.308(a)(5)(ii)(A)    Addressable  A39
41  164.308  Administrative            164.308(a)(5)(ii)(B)    Addressable  A40,A41
42  164.308  Administrative            164.308(a)(5)(ii)(C)    Addressable  A42
43  164.308  Administrative            164.308(a)(5)(ii)(D)    Addressable  A43
44  164.308  Administrative            164.308(a)(6)(i)        Standard     A44
45  164.308  Administrative            164.308(a)(6)(ii)       Required     A45,A46,A47,A48
46  164.308  Administrative            164.308(a)(7)(i)        Standard     A49,A50,A51
47  164.308  Administrative            164.308(a)(7)(ii)(A)    Required     A52
48  164.308  Administrative            164.308(a)(7)(ii)(B)    Required     A53
49  164.308  Administrative            164.308(a)(7)(ii)(C)    Required     A54
50  164.308  Administrative            164.308(a)(7)(ii)(D)    Addressable  A55
51  164.308  Administrative            164.308(a)(7)(ii)(E)    Addressable  A56
52  164.308  Administrative            164.308(a)(8)           Standard     A57,A58,A59
53  164.308  Administrative            164.308(b)(1)           Standard     A60,A61,A62
54  164.308  Administrative            164.308(b)(2)           Required     A63
55  164.308  Administrative            164.308(b)(3)           Required     A64
14  164.310  Physical Safeguards       164.310(a)(1)           Standard     PH1,PH2,PH3,PH4
15  164.310  Physical Safeguards       164.310(a)(2)(i)        Addressable  PH5,PH6,PH7
16  164.310  Physical Safeguards       164.310(a)(2)(ii)       Addressable  PH8,PH9,PH10,PH11
17  164.310  Physical Safeguards       164.310(a)(2)(iii)      Addressable  PH12,PH13,PH14,PH15,PH16
18  164.310  Physical Safeguards       164.310(a)(2)(iv)       Addressable  PH17,PH18
19  164.310  Physical Safeguards       164.310(b)              Standard     PH19,PH20,PH21
20  164.310  Physical Safeguards       164.310(c)              Standard     PH22,PH23,PH24,PH25,PH26,PH27,PH28,PH29
21  164.310  Physical Safeguards       164.310(d)(1)           Standard     PH30,PH31,PH32,PH33
22  164.310  Physical Safeguards       164.310(d)(2)(i)        Required     PH34
23  164.310  Physical Safeguards       164.310(d)(2)(ii)       Required     PH35
24  164.310  Physical Safeguards       164.310(d)(2)(iii)      Addressable  PH36,PH37
25  164.310  Physical Safeguards       164.310(d)(2)(iv)       Addressable  PH38
1   164.312  Technical Safeguards      164.312(a)(1)           Standard     T1,T2,T3,T4
2   164.312  Technical Safeguards      164.312(a)(2)(i)        Required     T5,T6
3   164.312  Technical Safeguards      164.312(a)(2)(ii)       Required     T7,T8,T9,T10,T11,T12,T13,T14,T15,T16
4   164.312  Technical Safeguards      164.312(a)(2)(iii)      Addressable  T17,T18,T19
5   164.312  Technical Safeguards      164.312(a)(2)(iv)       Addressable  T20,T21,T22
6   164.312  Technical Safeguards      164.312(b)              Standard     T23,T24,T25,T26,T27,T28,T29,T30,T31
7   164.312  Technical Safeguards      164.312(c)(1)           Standard     T32
8   164.312  Technical Safeguards      164.312(c)(2)           Addressable  T33
9   164.312  Technical Safeguards      164.312(d)              Required     T34
10  164.312  Technical Safeguards      164.312(d)              Required     T35,T36,T37
11  164.312  Technical Safeguards      164.312(e)(1)           Standard     T38,T39
12  164.312  Technical Safeguards      164.312(e)(2)(i)        Addressable  T40,T41,T42
13  164.312  Technical Safeguards      164.312(e)(2)(ii)       Addressable  T44,T45
56  164.314  Organizational            164.314(a)(1)(i)        Standard     O1
57  164.314  Organizational            164.314(a)(2)(i)        Required     O2
58  164.314  Organizational            164.314(a)(2)(iii)      Required     O3
59  164.316  Policies and Procedures   164.316(a)              Standard     PO1
60  164.316  Policies and Procedures   164.316(b)(1)(i)        Standard     PO2
61  164.316  Policies and Procedures   164.316(b)(1)(ii)       Standard     PO3
62  164.316  Policies and Procedures   164.316(b)(2)(i)        Required     PO4
63  164.316  Policies and Procedures   164.316(b)(2)(ii)       Required     PO5
64  164.316  Policies and Procedures   164.316(b)(2)(iii)      Required     PO6
HHS-ONC_SRATK / HHS-ONC_SRATK_W_LINEBREAKS (question text for the IDs above; only the questions whose text appears on this page are listed)

Administrative Safeguards (164.308)

[question cut off at the start of the page] ...business associates, and the access that each requires for your practice's facilities, information systems, and ePHI?
[question ID not shown on the page] Is your practice's security point of contact qualified to assess its security protections, as well as to serve as the point of contact for security policies, procedures, monitoring, and training?
(A2): Does your practice have a job description for its security point of contact?
(A3): Does your practice have a formal, documented process for regularly assessing and managing risk, and does it implement its risk management policies and procedures?
(A4): Does your practice assure that the results of its risk analysis are distributed to the appropriate members of your organization?
(A7): Does your practice document the resources devoted to its security program and to preventing the impermissible use and disclosure of Electronic Protected Health Information (ePHI)?
(A8): Does your practice have policies and procedures for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?
(A9): Does your practice categorize its information systems, electronic devices, and ePHI based on the potential impact to your practice should they become unavailable?
(A10): Does your practice have policies and procedures to discipline workforce members if they are found to have violated the office's security policies?
(A11): Does your practice formally document its review of information system activity, including misuse, abuse, and harmful activities that involve ePHI?
(A12): Does your practice regularly review information system activity, such as access to, uses of, and disclosures of ePHI?
(A15): Does your practice have a process for periodically reviewing its risk analysis and making updates as necessary?
(A16): Does your practice make sure its risk analysis is updated upon the occurrence of a significant event or change in your practice's business environment?
(A19): Does your practice clearly define workforce roles and responsibilities along logical lines and assure that no one person has too much authority?
(A20): Does your practice have policies and procedures covering the business activities in your practice that involve ePHI?
(A21): Has your practice chosen someone to serve as the security point of contact, whose job duty is to decide who can access ePHI (and under what conditions), and whom workforce members know to contact if there are any security problems?
(A22): Does your practice define roles and responsibilities for all job functions, including who is responsible for determining who can access ePHI?
(A23): Does your practice have complete, written job descriptions that are accurate and thorough and that clearly set forth any person's duties, authority, accountability, and qualifications?
(A24): Does your practice implement procedures for authorizing users and changing their access permissions, and describe the types of access that are permitted?
(A25): Do your practice's policies and procedures create ePHI access rules that others can follow?
(A26): Does your practice have policies and procedures for the review of information as part of access authorization?
(A27): Do your practice's policies and procedures require the screening of workforce members prior to enabling access to its facilities, information systems, and ePHI, to verify that users are trustworthy?
(A28): Does your practice have procedures for terminating access to ePHI once the need for access no longer exists, such as when a workforce member's employment is terminated and/or a relationship with a business associate is terminated?
(A29): Does your practice have formal policies and procedures that address the needs of those who are not workforce members to access its facilities, information systems, and ePHI?
(A30): Do your practice's policies and procedures support and enforce segregation of duties?
(A31): Does your practice have policies and procedures that explain how it grants access to ePHI?
(A32): Do the roles and responsibilities assigned to your practice's workforce members determine their access to ePHI?
(A33): Does your practice describe the methods it uses to identify workforce members and limit their access to ePHI?
(A34): Does your practice have a security awareness and training program that makes sure each individual with authorized access to ePHI knows the organization's security plan?
(A35): Does your practice periodically review and update its security awareness and training program in response to changes in your organization or its environment?
(A36): Does your practice provide ongoing basic security awareness training to all workforce members, including physicians?
(A37): Does your practice provide role-based security awareness training to all new workforce members?
(A38): Does your practice's training content explain how your practice assigns user authorizations (privileges), including the access activities that are permitted?
(A39): As part of your practice's ongoing security awareness training, does your practice communicate periodic security reminders, and does it communicate when new or important issues come up?
(A40): Does your practice's awareness and training content include information about how malware can get into your systems?
(A41): Does your practice's awareness and training content cover the importance of implementing software patches and updating antivirus software, and does your practice implement the system's security protection tools to protect against malware?
(A42): Does your practice include log-in monitoring as part of its awareness and training programs?
(A43): Does your practice include password management as part of its awareness and training programs?
(A44): Does your practice develop and implement policies and procedures designed to help prevent, detect, and respond to security incidents?
(A45): Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?
(A46): Does your practice have an incident response team, and does it assure that workforce members and other entities (business associates) are trained in its incident response procedures?
(A47): Does your practice keep records that detail when each workforce member satisfactorily completed periodic security awareness training?
(A48): Does your practice implement the system's security protection tools to detect and respond to security incidents, and are its incident response plans tested?
(A49): Does your practice know what critical services and ePHI it must have available when requested, and does it prepare and communicate them, to support decision making about a patient's treatment during an emergency?
(A50): Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI, and does its response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?
(A51): Does your practice identify the role responsible and accountable for making decisions in the event of an emergency, and does it regularly review/update its contingency plan?
(A52): Does your practice identify the role responsible and accountable for the creation and secure storage of an electronic copy of ePHI?
(A53): Does your practice have policies and procedures to ensure that its contingency plan coordinates with its emergency mode operations plan, as appropriate?
(A54): Does your practice define what would constitute an emergency under its emergency mode operations plan?
(A55): Does your practice have policies and procedures for testing all of its contingency plans immediately after a crisis situation, to gauge the effectiveness of its security safeguards and reduce the impact of another crisis situation?
(A56): Does your practice have policies and procedures for identifying and assessing the criticality of its information systems and ePHI?
(A57): Does your practice have policies and procedures that describe how it maintains a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of ePHI?
(A58): Does your practice periodically identify the various types of emergencies that are likely to occur?
(A59): Does your practice identify the personnel responsible and accountable for the activities that safeguard ePHI, and does it examine its information systems activities on a periodic basis?
(A60): Does your practice identify the workforce members, business associates, and others who are authorized to access ePHI?
(A61): Does your practice maintain a list of all of its service providers, indicating which ones have access to data containing ePHI?
(A62): Does your practice have policies and procedures to assure that it obtains satisfactory assurances from a business associate before it has that business associate create, maintain, or transmit ePHI on its behalf?
(A63): If your practice is the business associate of another covered entity, does your practice have policies and procedures governing the subcontractors performing work on its behalf?
(A64): Does your practice require these subcontractors to execute business associate agreements?

Physical Safeguards (164.310)

(PH1): Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?
(PH2): Do you have policies and procedures to approve and use a Facility User Access List?
(PH3): Do you have policies and procedures for assessing the physical protection of your practice's facilities, information systems, and ePHI?
(PH4): Do you have physical protections in place to securely store electronic records, and do you validate someone's access to your facilities based on that person's role or job duties?
(PH5): Do your practice's contingency plans enable physical access to the office space (facilities) in the case of a system breakdown or disaster?
(PH6): Have you developed, and agreed to carry out, physical protection procedures for the contingency plans?
(PH7): If a disaster happens, does your practice have a way to get into your facility(ies)?
(PH8): Do you have policies and procedures covering the physical or procedural mechanisms that control the environment inside the facility? (List the specific assets containing ePHI that would be accessed from inside the facility.)
(PH9): Do you have physical protections in place to secure your facilities and equipment? This includes controlling physical access to hardware, software, and storage.
(PH10): Do you have a written record of all of your practice's facilities and rooms (the primary location or facility and any offsite storage location) where information systems and ePHI are kept?
(PH11): Do you have a process to document the evaluation of whether equipment is needed?
(PH12): Do you have a Facility User Access List?
(PH13): Do you periodically review and monitor your practice's physical environment, including workstations or mobile devices used in public areas?
(PH14): Does your practice have policies and procedures for the protection of keys, combinations, and other similar physical access controls?
(PH15): Do you have procedures to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is terminated?
(PH16): Has your practice determined the steps necessary to implement its security measures in the event of an emergency?
(PH17): Do you have maintenance records for the locations of your facility that include the history of physical changes, upgrades, and other modifications?
(PH19): Does your practice monitor all entrances and exits to its facilities?
(PH22): Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?
(PH23): Does your practice have policies and procedures for responding to such a situation?
(PH24): Have you put in place any technical (information system) and physical (facilities) protections for workstations and mobile devices that contain ePHI?
(PH25): If your practice uses laptops and tablets as workstations, does it have policies and procedures to protect them?
(PH26): Does your practice have policies and procedures that involve your workforce and your information technology service providers in ongoing security evaluation, monitoring, and reporting?
(PH27): Do you have physical protections inside your facility(ies) to manage who can gain access to workstations, such as a) locks on doors and windows and b) cameras viewing nonpublic areas?
(PH28): Does your practice keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access, so that it can see which areas are more vulnerable to unauthorized use, theft, or viewing of data?
(PH30): Do you have policies and procedures for creating an exact copy of ePHI as a backup?
(PH31): Do you remove or destroy ePHI from information technology devices and media prior to disposal or re-use of the device, and store them securely until they can be securely disposed of or transferred?

Technical Safeguards (164.312)

(T1): Does your practice have policies and procedures, and security measures such as monitoring, to reduce the chance of inappropriate access to ePHI through workstation devices?
(T7): Does your practice have policies and procedures for identifying the business processes that must continue, or begin, to enable operations after a natural or human-made disaster?
(T8): Does your practice have policies and procedures that make ePHI immediately available in the event of an emergency?
(T9): Does your practice approve security-related activities (such as testing) before doing such activities?
(T10): Does your practice back up ePHI as part of its contingency plans?
(T11): In the event of an emergency, does your practice have another way to get into your ePHI?
(T23): Does your practice have policies and procedures governing authorization privileges, including removing them from the information system?
(T24): Does your practice regularly back up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage such as a cloud environment?
(T25): Does your practice categorize its security risks as high, moderate, or low based on its risk analyses?

(T12), (T26), (PH18), (PH20): question text cut off at the end of the page.
(T1):
devices
facility
practice a
Doesprocess
or
and primary
security store
your
developed media to systems
document
ePHI
practice
plan? prior
and as have become
high,
tofacility
implemented the repairs
moderate
policies
disposal ofand and
or capability
the
from
access
the implemented
(PH32):repairs
implement its riskto
toDoePHI and
you
youractivate
analysis
tomodifications emergency
to
thoseaccess
maintain
facility
workstation help
persons
records
security made
determine
use control and to
of theand
plan?
policies to
the
the
is needed
workstations? to enforce
This your access to enforce your facility
unavailable?,
modifications
low riskpolicies
procedures
device?,
workstation
control based
(PH32): (T12):
made
on
requiring
use Do itscould
policies
and
Does
to
risk
you the
procedures?
include
your
physical
analyses?,
safeguards
maintain
and practice
to
procedures?,
using
security
(T26):
limit
records have of
of its ePHI
information
physical
frequency
software
movement
procedures?
policies
through
security
and and
programs workstations?
systems
scope
ofprocedures? features
electronic of in
appropriateits the
that
audits,
devices This
event
protect
forand when could
of
their a
the
media
locked
the
Does
access
the doors,
capability
features your that
toHas
movement practice
ePHI screen
to
protect
to activate
those
ofpractice use barriers,
the
electronic the emergency
facility,
persons cameras,
evaluation
devices accessand
from
and andhow role? include
disaster?
facility,
identifying
inside using
administrative
the locked
activities doors,
offices,
that screen
and
will be barriers,
(PH21):
guards., (PH29): your documented (PH21):your Has facility?
your practice documented how
to its
media
(PH36):
staff, information
administrative
its riskemployees,
software analysis
insideprograms
Does your
your toDo
offices,help your
systems
facility?,
practice
workforce and policies
determine
appropriate in thefor
treatment
(PH33):
maintain
members,
and
event
the
their
Havea of a cameras,
areas?
and (T13):
treatment
tracked?
(T2):
(PH33):
(PH36):
staff, Does
Does and
Have
Does
employees, youryour
areas? guards.
you
your practice
practice
developed
practice
workforce have
have policies
policies
and
maintain
members, aandand
and
procedures
disaster?,
frequency
role?,
you (T2):
developed andset scope
(T13):
Does standards
and Does
your of yourits
practice
implemented for workstations
practice
audits, have whenhave
policies
policies (PH29):
procedures
(T27):
procedures
implemented DoesDo your to
your
to grant policies
identify
policies practice the
access
and and role
haveto procedures
of the
audit
ePHI
procedures control
based that set
record
non-employees
(PH34):
that of
are Do movements
allowed you access
require
togrant of
bespecifyyourhardware
that
used workstations?
all ePHIthe
outside and is your
of record
non-employees
(PH34):
standards of movements
Dofor you access
require for
workstations ofyourhardwareworkstations?
thatactivating
all ePHI
that are and is
allowed
policies
identifying
and
media and
procedures
andfrom theprocedures
activities
the equipmentto
that
person responsible to
that
accessidentify
will
how to beePHI
your
for before role
the media individual
mechanisms
on the
specify person
how
andfrom accountable
that
your or
the equipment
person can
software
practice monitor, programs
should
responsible record dispose theof
for before
removed
facility?
of the individual accountable andfor media activating removed
to be used
emergency outside
access ofrole?
your
settings and media
facility?
when necessary?
tracked?,
based
practice
use
you and on
remove (T27):
the
should
security person
thehave Does
dispose
of
equipment the your
or software
of
devices practice
electronic
or mediaor have
programs
media from you and/or
appropriate
electronic
use and
remove examine
security for
devices
thehave information
their
of and
the
equipment media
devices system
containing
or mediaor media
emergency
(PH35):
audit
appropriate
devices Do ePHI
control
and access
you
formechanisms
media their settings
procedures
role?,
containing thethatwhen
(T3): can
ePHI? that
Does monitor, (T14):
(PH35):
your activity?
(T3):
ePHI?
(T17): Does
Does
DoesDoyour your
you
your practice
practice
practiceprocedures designate
analyze
have thata from
the
policies
containing
your
describe facilities
necessary?, how for
(T14):
your
outside
offsite
Does
practice maintenance
your
facility?,
practice
should remove or containing
your
workforce
describe facilities
how
ePHI
member for
your
outside
offsite
who
practice
the
can
facility?
maintenanceactivate
should remove orand
the
record
practice
(T17):
(PH37):
disposal? and/or
Does analyze
Do your
you examine
the
practice
maintain information
activities have
records performed
policies
of system and by (T28):
activities
procedures
(PH37):
disposal? DoesDo your
performed
that
you practice
require
maintain by all
an have
of its policies
authorized
records workforce
of and
designate
ePHI
all of from
activity?,
procedures
employees its aits
(T28):
workforceworkforce
thatstorage
removing Does and
require member
media/
your service
an who
electronic
practice providers
authorized
electronic create havecan
devices and employees to emergency
ePHI
and
user’s from
procedures
service
session itsaccess
for storage
providers
removingtocreating,
be settings
media/
to for
retaining,
identify
automatically
electronic create your
electronic
the and extent
logged-off
devices and
(PH38):
activate
devices
policies Does
the extent
before
and your
emergency
the
procedures organization
media access
for settings
is creating,
re-used? for (PH38):
information
devices Does
before your
systems? organization
thefacility
media is re-used?
identify
user’s
media
(T5):
(T20):
backup from
Does
Does
the
session
files youryour
your
priorto be
practice toautomatically
facility
practice
to
which
the that
have
have
movement
each
has
policies needs
or
policieslogged-off
can
of and be distributing
and
to which
after
media
(T5):
(T20):
backup aDoes
Does each
files youraudit
predetermined
from your
your
prior
needs reports
practice
practice
to
access
the period to
that
have
have
movement
appropriate
to ofePHI?
has
policiesinactivity?
or can
policies and
ofwhen be
and
your
access
after
used information
retaining,
a
to to and distributing
ePHI?,
predetermined
access ePHI? systems?,
(T4): Does
period (T15):
audit
your of Does your
reports
practice
inactivity?, (T15):
to workforce
(T4):
(T18):
used Does
Does
toDoesaccessyouryour
members
a practice
practice
responsible
ePHI? for review? test
identify
person access the
in your
procedures
equipment
practice testor foraccessthe assignment
implementing
mediawhen tomembers
ensure
evaluating of
mechanisms
that a unique
data
its procedures
is (T29):
equipment
evaluating for
orability
its the
media assignment
implementing totocontinue
ensure of
mechanisms
that a unique
data
accessing is
appropriate
identify
(T18):
identifier Does the workforce
forasecurity
responsible
each settings person for for
each
in your of its security
practice Does foryour
settings
know the practice
for each
automatic generate
of its information
logoff the audit
settings
that
review?,can
available
ability
information to encrypt
when
continue
(T29): systems it and
Does isauthorized
decrypt
needed?
accessing
your
and
user?,
ePHI?,
ePHI
practice
electronic and (T6):
(T21):
generate other
devices
identifier
that
ePHI
reports
systems can
availableand encrypt
andwhen
other
and
each
distribute
electronic isauthorized
and
ithealth decrypt
needed?records
them
devices to
user?
ePHI?
during
the
that an
control
practice
Does your know practice the automaticrequire
know the that logoffeachsettings
encryption user for
(T6): itsDoes
information
Doesyour systems
practice and electronic
require that each
health
the
that
for
enter audit
its records
control reports
information
a unique access?during
user andsystems an emergency?,
distribute
identifier andsystems them
electronic
prior to
(T16):
to the (T21):
emergency?
appropriate
access?
devices?
user enter a
your
people
unique
practice
for
user
know
review?
identifier
the
prior to
capabilities
Does your(T19): of
practice its information
effectively recover and
from encryption
(T16): capabilities of its information
effectively
appropriate
devices?,
obtaining
electronic accesspeople
devices?, Does
toresumeforyour
ePHI? review?,
(T22): Does practice (T30):
your activateDoes (T30):(T19): Does
obtaining
systems Does and
your
your
access electronic
practice
practice
to ePHI? have
activate
devices?
policies anrecover and
an
your
an emergency
practice
automatic and
have
logoff policies
that normal
and
terminates procedures an from
procedures
automatic an emergency
establishing
logoff that and resume
retention
terminates normal
an
practice
operations control and accessrequirements
access totoePHI?
ePHI and other (T22):
operations Doesand your practice
access control access to
establishing
electronic
health information
retention
session after
by using a predetermined for requirements
electronic
ePHI and session
other
for
health afterto
audit a ePHI?
purposes?
predetermined
information by using
audit
period purposes?,
of user inactivity? (T31): Does your practice (T31):
period Does your
of user inactivity? practice retain copies of its
encryption/decryption
retain copies of its audit/access records?, methods to deny encryption/decryption
audit/access records? methods to deny
access
(T31): Does to unauthorized
your practice users?
retain copies of its access (T31): Does to unauthorized
your practice users?
retain copies of its
audit/access records? audit/access records?
authentication capabilities of its authentication capabilities of its
information systems and electronic devices information systems and electronic devices
to assure that a uniquely identified user is (T40): Does
to assure that your practice identified
a uniquely know whatuser is
(T40):
the one Does your practice
claimed?, (T36): Does knowyour whatpractice encryption
the one claimed? capabilities are available to it for
encryption
(T32):
use theDoes capabilitiesfromare
your practice
evaluation available
itshave
riskpolicies
analysis to it tofor encrypting
and (T32):
(T36):
(T33): Does ePHI
your being
practice transmitted
havethe fromand
policies one
(T33):
(T38): Does
encrypting
procedures your
ePHI
for practice
being
protecting have
transmitted
ePHI
mechanisms
policies
from fromand one (T38):
point Does
to
procedures your
another?
for practice use
protecting have
ePHI from
evaluation
mechanisms
policies and
select
to the
corroborate
procedures appropriate
for that ePHI
guarding authentication
has
against not been from
to its risk
corroborate analysis
that to
ePHI select
has the
not been
(T34):
point Does
to your
another?, practice have policies and procedures
(T34): Does for your guarding
practiceagainsthave policies and
unauthorized
mechanism?,
altered,
unauthorized
procedures modified
for
(T37):
accessor(T41):
modification
Does
destroyed
of ePHI
verification
Does
your
of when
a
your anitpractice
or destruction?
practice
in
person is can
or
(T41):
unauthorized
appropriate
altered,
procedures modified
unauthorized for
modification
authentication
access or destroyed
of ePHI
verification
take
or
of
steps
when
a in anitto
destruction?
mechanism?
person is or
take steps
protect
(T44): to reduce
the confidentiality
Does your the risk that
of network?,
the ePHI reduce
(T37): the risk that ePHI can
protectbe intercepted
the and
unauthorized
transmitted
entity
be seeking
intercepted anpractice
onmanner?
access
or electronic
to ePHI
modified
have
whenispolicies
theitcontrol
one and (T44):
entity
or
Does your
unauthorized
is being transmitted seeking
modified on
when anpractice
manner?
accesselectronic
it tobeinghave
ePHI
isdocumentation ispolicies
network?
sent theof one
documentation
procedures
(T39): Do yourfor containing
encrypting
practice access
ePHI
implement when (O2): Do
procedures
(T39): Do the
confidentiality
your terms
for of the and
encrypting
practice conditions
ePHI
implement when your
claimed?
sent
(O2):
recordselectronically?,
Do the
(list terms
of authorized(T42):
and Does
conditions
users your
and of your claimed?
electronically?
practice’s
containing business
access associate
control agreements
records
deemed
(O3): If
safeguards,
practice
reasonable
your practice and
is
to assureencryption
implement theappropriate?,
business
that ePHI as is not
the
deemed
(O3):
(T42): If reasonable
your
safeguards,
Does practice
to
your assure and
is
practice the ePHI is not of
appropriate?
business
thatimplement (list
practice’s
passwords)?
(T45): When
associate
accessed business
of
while aanalyzing
covered associate
en-route risk,
entity
to agreements
does
itsdo your
the
intended terms state
(T45):that
authorized
When
associate
accessed the
of users
while a business
covered
en-route associate
and passwords)?
analyzing risk,
entity
to does
itsdo willterms
your
the
intended
safeguard
state that
practice to assure
the
consider business
the that ePHI
associate
value of is not
will
encryption for encryption
implement
practice as the the
appropriate
consider safeguard security
value ofto assure
safeguards
encryption that
and conditions
recipient?
compromised of
when yourbeingpractice’s
transmitted business from and conditions
recipient?
ePHI is not of
compromisedyour practice’s
when businessfor
being
implement
assuring
associate the appropriate
integrity
agreements of security
ePHI
state thatis notsafeguards
yourenable to protect
assuring
associate thethe privacy,
integrity
agreements ofconfidentiality,
ePHI
state thatis notyourenable
(O1):
(PO1):
one Does
Door
point your
your
to practice
practice’s
another? assure
processes that its (O1):
(PO1): Does
Door
transmitted your
yourfrom practice
practice’s
one when assure
pointprocesses
to that its
to protect
accessed
subcontractor
business
the
associate
privacy,
modified
(business confidentiality,
when
agreements it isinclude
associate) stored
will or integrity
accessed
subcontractor
business modified
associate (business
agreements it isanother?
associate) stored
includewill or
the development
integrity,
transmitted? and and
availability maintenance
of ePHI that of it the
and development
availability
transmitted? of and
ePHI maintenance
that it collects, of
implement
satisfactory
policies and appropriate
assurances
procedures security
for
that safeguards
safeguarding implement
satisfactory appropriate
assurances security
for safeguards
safeguarding
collects,
to protect creates, maintains,
the privacy, orimplement
confidentiality,transmits risk on policies
creates,
to protect
and procedures
maintains,
the privacy,
that
or transmits implement
confidentiality, on behalfrisk of
ePHI?
analysis,
behalf of informed
the practicerisk-based
and timelydecision
report ePHI?
analysis,
the practiceinformed
and risk-based
timely report decision
security
integrity,
making and availability
for securitytorisk of ePHI
mitigation, thatand it integrity, and
making fortosecurity availability of ePHI
risk mitigation, and that it
security
collects, incidents
creates, your
maintains, practice?
or transmits on incidents
collects, creates, your maintains,
practice? or transmits on
effective
(PO2): mitigation
Does your and monitoring
practice assure that thatits effective
(PO2): mitigation
Does your and monitoring
practice assure that thatits
behalf
protects ofthe
theprivacy,
coveredconfidentiality,
entity? behalf
protects ofthe
theprivacy,
coveredconfidentiality,
entity?
(PO4):
policies Does your
and procedures practice are assure
maintainedthat its (PO4): Does your practice assure that its
(PO3):
integrity,
policies, Doesandyour practice
availability
procedures, of
andother assure
ePHI?
other that itsin a policies
security (PO3):
integrity,
policies,
and procedures
Doesandyour practice
availability
procedures,
are
of
andother
maintained
assure
ePHI?
other that itsin a
security
manner
other consistent
security programwith documentation business is manner
other consistent
security programwith documentationbusiness is
program
records?
(PO5): documentation
Does your practice are retained
assure that for
its at program
records?
(PO5): documentation
Does your practice are retained
assure that for
its at
maintained
least six (6) in written
years from manuals
the or
datesecurity in
when it was least maintained
six (6) in written
years from manuals
the or
datesecurity in
when it was
policies,
electronic procedures
form? and other policies,
electronic procedures
form? and other
created
program ordocumentation
last in effect, whichever
are available is to created
program ordocumentation
last in effect, whichever is
(PO6):
longer? Does your practice assure that it (PO6):
longer? Does your practice assure that itto
are available
those who need
periodically reviewsit toandperform
updates the(when those who need
periodically reviews it toandperform
updates the(when
responsibilities
needed) its policies, associated
procedures,with their and role?
other responsibilities
needed) its policies, associated with their
procedures, and role?
other
security program documentation? security program documentation?
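The audit-control questions (T27, T31), the retention question (T22) and the integrity question (T33) ask whether a practice can show that its record of who touched ePHI has not itself been altered. The following Python is an added example written for this page, not code from the SRA Tool or the crosswalk: it keeps a hash-chained, HMAC-keyed audit trail of ePHI access events and verifies it, so that editing, deleting or reordering a recorded event, or checking with the wrong key, is reported as the index of the first bad record. The record fields, user and resource names, timestamps and the key derivation are all assumptions made for the example.

```python
"""Tamper-evident ePHI access audit trail (added example; assumptions noted inline)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_TAG = b"\x00" * 32  # chain anchor used before the first record


def _record_tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    # Canonical JSON so the same event always produces the same tag; the
    # previous tag is mixed in so each record commits to all earlier ones.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


class AuditLog:
    """Append-only list of (record, tag_hex) pairs keyed by a secret."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("audit key must be at least 256 bits")
        self._key = key
        self.entries = []  # list of (record dict, hex HMAC tag)

    def append(self, user_id: str, action: str, resource: str,
               ts: Optional[str] = None) -> int:
        record = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,       # unique user identifier, as asked in T6
            "action": action,      # assumed vocabulary: VIEW / UPDATE / EXPORT
            "resource": resource,  # assumed form: "patient/<id>"
        }
        prev = bytes.fromhex(self.entries[-1][1]) if self.entries else GENESIS_TAG
        self.entries.append((record, _record_tag(self._key, prev, record).hex()))
        return record["seq"]


def verify(key: bytes, entries) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS_TAG
    for i, (record, tag_hex) in enumerate(entries):
        if record.get("seq") != i:  # a record was removed or reordered
            return i
        expected = _record_tag(key, prev, record)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i                # record edited, or verified with the wrong key
        prev = expected
    return None


def demo() -> dict:
    """Build a small constructed log and show which tampering each check catches."""
    # Constructed demo key; in production derive it from a KMS/HSM-held secret.
    key = hashlib.sha256(b"example-only-audit-key-material").digest()
    log = AuditLog(key)
    log.append("dr.smith", "VIEW", "patient/1001", ts="2024-05-01T09:00:00+00:00")
    log.append("nurse.jones", "UPDATE", "patient/1001", ts="2024-05-01T09:05:00+00:00")
    log.append("dr.smith", "EXPORT", "patient/1002", ts="2024-05-01T09:07:00+00:00")

    edited = [(dict(r), t) for r, t in log.entries]
    edited[1][0]["action"] = "VIEW"          # rewrite the history of the second event
    deleted = [log.entries[0], log.entries[2]]  # drop the middle event
    wrong_key = hashlib.sha256(b"some-other-key").digest()

    return {
        "intact": verify(key, log.entries),           # None
        "edited": verify(key, edited),                # 1
        "deleted": verify(key, deleted),              # 1
        "wrong_key": verify(wrong_key, log.entries),  # 0
    }


if __name__ == "__main__":
    print(demo())
```

One thing this chain does not catch on its own is truncation: removing the newest records from the end leaves a chain that still verifies. For the retention period in PO4 to be checkable, the latest tag has to be anchored somewhere the log writer cannot rewrite (exported to a separate system, signed, or compared against a stored checkpoint).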
PK | DID | DOMAIN | CID | CFR-2007-TITLE45-VOL1-PART164
(the regulatory-text column is cut short in the source export; the values below are kept as exported)
1 | 164.308 | Administrative Safeguards | 164.308(a)(1)(i) | (1)(i) Standard: Security management process. Implem
2 | 164.308 | Administrative Safeguards | 164.308(a)(1)(ii)(A) | (A) Risk analysis (Required). Conduct an accurate and
3 | 164.308 | Administrative Safeguards | 164.308(a)(1)(ii)(B) | (B) Risk management (Required). Implement security m
4 | 164.308 | Administrative Safeguards | 164.308(a)(1)(ii)(C) | (C) Sanction policy (Required). Apply appropriate sa
5 | 164.308 | Administrative Safeguards | 164.308(a)(1)(ii)(D) | (D) Information system activity review (Required). Im
6 | 164.308 | Administrative Safeguards | 164.308(a)(2) | (2) Standard: Assigned security responsibility. Ident
7 | 164.308 | Administrative Safeguards | 164.308(a)(3)(i) | (3)(i) Standard: Workforce security. Implement polic
8 | 164.308 | Administrative Safeguards | 164.308(a)(3)(ii) | (ii) Implementation specifications:
9 | 164.308 | Administrative Safeguards | 164.308(a)(3)(ii)(A) | (A) Authorization and/or supervision (Addressable).
10 | 164.308 | Administrative Safeguards | 164.308(a)(3)(ii)(B) | (B) Workforce clearance procedure (Addressable). I
11 | 164.308 | Administrative Safeguards | 164.308(a)(3)(ii)(C) | (C) Termination procedures (Addressable). Implement
12 | 164.308 | Administrative Safeguards | 164.308(a)(4)(i) | (4)(i) Standard: Information access management. Impl
13 | 164.308 | Administrative Safeguards | 164.308(a)(4)(ii) | (ii) Implementation specifications:
14 | 164.308 | Administrative Safeguards | 164.308(a)(4)(ii)(A) | (A) Isolating health care clearinghouse functions (R
15 | 164.308 | Administrative Safeguards | 164.308(a)(4)(ii)(B) | (B) Access authorization (Addressable). Implement po
16 | 164.308 | Administrative Safeguards | 164.308(a)(4)(ii)(C) | (C) Access establishment and modification (Addressab
17 | 164.308 | Administrative Safeguards | 164.308(a)(5)(i) | (5)(i) Standard: Security awareness and training. I
18 | 164.308 | Administrative Safeguards | 164.308(a)(5)(ii) | (ii) Implementation specifications. Implement:
19 | 164.308 | Administrative Safeguards | 164.308(a)(5)(ii)(A) | (A) Security reminders (Addressable). Periodic secur
20 | 164.308 | Administrative Safeguards | 164.308(a)(5)(ii)(B) | (B) Protection from malicious software (Addressable)
21 | 164.308 | Administrative Safeguards | 164.308(a)(5)(ii)(C) | (C) Log-in monitoring (Addressable). Procedures for
22 | 164.308 | Administrative Safeguards | 164.308(a)(5)(ii)(D) | (D) Password management (Addressable). Procedures
23 | 164.308 | Administrative Safeguards | 164.308(a)(6)(i) | (6)(i) Standard: Security incident procedures. Imple
24 | 164.308 | Administrative Safeguards | 164.308(a)(6)(ii) | (ii) Implementation specification: Response and Repo
25 | 164.308 | Administrative Safeguards | 164.308(a)(7)(i) | (7)(i) Standard: Contingency plan. Establish (and im
26 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii) | (ii) Implementation specifications:
27 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii)(A) | (A) Data backup plan (Required). Establish and imple
28 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii)(B) | (B) Disaster recovery plan (Required). Establish (an
29 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii)(C) | (C) Emergency mode operation plan (Required). Estab
30 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii)(D) | (D) Testing and revision procedures (Addressable). I
31 | 164.308 | Administrative Safeguards | 164.308(a)(7)(ii)(E) | (E) Applications and data criticality analysis (Addres
32 | 164.308 | Administrative Safeguards | 164.308(a)(8) | (8) Standard: Evaluation. Perform a periodic technic
33 | 164.308 | Administrative Safeguards | 164.308(b)(1) | (b)(1) Standard: Business associate contracts and ot
34 | 164.308 | Administrative Safeguards | 164.308(b)(2) | (2) This standard does not apply with respect to— (i) The transm
35 | 164.308 | Administrative Safeguards | 164.308(b)(3) | (3) A covered entity that violates the satisfactory assurances
36 | 164.308 | Administrative Safeguards | 164.308(b)(4) | (4) Implementation specifications: Written contract
37 | 164.310 | Physical Safeguards | 164.310(a)(1) | (a)(1) Standard: Facility access controls. Implement p
38 | 164.310 | Physical Safeguards | 164.310(a)(2) | (2) Implementation specifications:
39 | 164.310 | Physical Safeguards | 164.310(a)(2)(i) | (i) Contingency operations (Addressable). Establish
40 | 164.310 | Physical Safeguards | 164.310(a)(2)(ii) | (ii) Facility security plan (Addressable). Implement
41 | 164.310 | Physical Safeguards | 164.310(a)(2)(iii) | (iii) Access control and validation procedures (Addres
42 | 164.310 | Physical Safeguards | 164.310(a)(2)(iv) | (iv) Maintenance records (Addressable). Implement po
43 | 164.310 | Physical Safeguards | 164.310(b) | (b) Standard: Workstation use. Implement policies an
44 | 164.310 | Physical Safeguards | 164.310(c) | (c) Standard: Workstation security. Implement physica
45 | 164.310 | Physical Safeguards | 164.310(d)(1) | (d)(1) Standard: Device and media controls. Implemen
46 | 164.310 | Physical Safeguards | 164.310(d)(2) | (2) Implementation specifications:
47 | 164.310 | Physical Safeguards | 164.310(d)(2)(i) | (i) Disposal (Required). Implement policies and proce
48 | 164.310 | Physical Safeguards | 164.310(d)(2)(ii) | (ii) Media re-use (Required). Implement procedures
49 | 164.310 | Physical Safeguards | 164.310(d)(2)(iii) | (iii) Accountability (Addressable). Maintain a reco
50 | 164.310 | Physical Safeguards | 164.310(d)(2)(iv) | (iv) Data backup and storage (Addressable). Create
51 | 164.312 | Technical Safeguards | 164.312(a)(1) | (a)(1) Standard: Access control. Implement technical
52 | 164.312 | Technical Safeguards | 164.312(a)(2)(i) | (2) Implementation specifications: (i) Unique user id
53 | 164.312 | Technical Safeguards | 164.312(a)(2)(ii) | (ii) Emergency access procedure (Required). Establi
54 | 164.312 | Technical Safeguards | 164.312(a)(2)(iii) | (iii) Automatic logoff (Addressable). Implement elect
55 | 164.312 | Technical Safeguards | 164.312(a)(2)(iv) | (iv) Encryption and decryption (Addressable). Imple
56 | 164.312 | Technical Safeguards | 164.312(b) | (b) Standard: Audit controls. Implement hardware, s
57 | 164.312 | Technical Safeguards | 164.312(c)(1) | (c)(1) Standard: Integrity. Implement policies and p
58 | 164.312 | Technical Safeguards | 164.312(c)(2) | (2) Implementation specification: Mechanism to auth
59 | 164.312 | Technical Safeguards | 164.312(d) | (d) Standard: Person or entity authentication. Imple
60 | 164.312 | Technical Safeguards | 164.312(e)(1) | (e)(1) Standard: Transmission security. Implement t
61 | 164.312 | Technical Safeguards | 164.312(e)(2) | (2) Implementation specifications:
62 | 164.312 | Technical Safeguards | 164.312(e)(2)(i) | (i) Integrity controls (Addressable). Implement secu
63 | 164.312 | Technical Safeguards | 164.312(e)(2)(ii) | (ii) Encryption (Addressable). Implement a mechani
64 | 164.314 | Organizational Requirements | 164.314(a)(1) | (a)(1) Standard: Business associate contracts or oth
65 | 164.314 | Organizational Requirements | 164.314(a)(1)(i) | (i) The contract or other arrangement between the covered entit
66 | 164.314 | Organizational Requirements | 164.314(a)(1)(ii) | (ii) A covered entity is not in compliance with the standards in
67 | 164.314 | Organizational Requirements | 164.314(a)(1)(ii)(A) | (A) Terminated the contract or arrangement, if feasible; or
68 | 164.314 | Organizational Requirements | 164.314(a)(1)(ii)(B) | (B) If termination is not feasible, reported the problem to the S
69 | 164.314 | Organizational Requirements | 164.314(a)(2)(i) | (2) Implementation specifications (Required). (i) Bu
70 | 164.314 | Organizational Requirements | 164.314(a)(2)(i)(A) | (A) Implement administrative, physical, and technical safeguards
71 | 164.314 | Organizational Requirements | 164.314(a)(2)(i)(B) | (B) Ensure that any agent, including a subcontractor, to whom
72 | 164.314 | Organizational Requirements | 164.314(a)(2)(i)(C) | (C) Report to the covered entity any security incident of which
73 | 164.314 | Organizational Requirements | 164.314(a)(2)(i)(D) | (D) Authorize termination of the contract by the covered entity,
74 | 164.314 | Organizational Requirements | 164.314(a)(2)(ii) | (ii) Other arrangements. (A) When a covered entity and its busin
75 | 164.314 | Organizational Requirements | 164.314(a)(2)(ii)(1) | (1) It enters into a memorandum of understanding with the busi
76 | 164.314 | Organizational Requirements | 164.314(a)(2)(ii)(2) | (2) Other law (including regulations adopted by the covered enti
77 | 164.314 | Organizational Requirements | 164.314(a)(2)(ii)(B) | (B) If a business associate is required by law to perform a func
78 | 164.314 | Organizational Requirements | 164.314(a)(2)(ii)(C) | (C) The covered entity may omit from its other arrangements aut
79 | 164.314 | Organizational Requirements | 164.314(b)(1) | (b)(1) Standard: Requirements for group health plans
80 | 164.314 | Organizational Requirements | 164.314(b)(2) | (2) Implementation specifications (Required). The pl
81 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(a) | (a) Standard: Policies and procedures. Implement rea
82 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(1) | (b)(1) Standard: Documentation.
83 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(1)(i) | (i) Maintain the policies and procedures implemented to comply with
84 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(1)(ii) | (ii) If an action, activity or assessment is required by this sub
85 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(2) | (2) Implementation specifications:
86 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(2)(i) | (i) Time limit (Required). Retain the documentation re
87 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(2)(ii) | (ii) Availability (Required). Make documentation av
88 | 164.316 | Policies and Procedures and Documentation Requirements | 164.316(b)(2)(iii) | (iii) Updates (Required). Review documentation perio
PK | DID | DOMAIN | CID | TYPE_CFR-2007-TITLE45-VOL1-PART164 | HHS-ONC_SRATK_ID | HHS-ONC_SRATK_W_LINEBREAKS | NIST_HIPAA_SECURITY_RULE_TOOLKIT_W_LINEBREAKS | TYPE_HHS-ONC_SRATK
(this sheet is cut off in the source; its cell text was interleaved word-by-word in extraction, and only the header row and the fragments below are legible)

Standard | A1,A2 | Q: Has your organization developed, disseminated, reviewed/updated [...]
Required | A3,A4 | Q: Has your organization reviewed and trained on your Risk Assessment policies [...] procedures?
Required | A5,A6,A7,A8 | Q: Does your organization have policies and procedures in place for creating, receiving, maintaining, [...] involving ePHI, including [...] security?

HHS-ONC SRA Tool question identifiers visible in the garbled cells of this sheet: A8, A12, A25, A30, A31, A37, A39, A50, A63, PH2, PH8, PH27, PH30.
informatio
practice This If
to and
As
Do (A63):
comes
(A39):
authorizati
workforce
security
provide
(A30):
procedures
create
ting
policies
its
informatio
practice
If
As
Do
Required transmittingQ: Does your it?organization's
organization risk in place a A9,A10 (PH14):
(A33):
member’s
ns’
if
before
your
prioritizing
part
on
members?
includes
security there of
address are (PH14):
(A33):
member’s
ns’
if
doing
your
prioritizing
part
on
members?
equipment there of
addresssuch are Required
Q: Do your
assessment
formal and organization's
policy
documented address: current
process,purpose, plus
role-based
your
securely
for
ePHI
consider
software
and
facilities,
n
enables
Does
employme
locations
any
doing
practice
system
theyour
system such aof
is
your
role-based
securely
for
ePHI
consider
software
and
facilities,
n
enables
Does
employme
locations
any
activities
practice
system
your
theyour
system ais
Required safeguards Q: Has
Doesroles your
your organization
ensureorganization the that reviewed the
have a formal, A11,A12 practice
confidentiality, risk the
controlling
your
training
store
practice’s
protection
access
how
patches
procedures
informatio
activity?
service needs to the
?
practice’s
training
store
protection
access
how
patches
procedures
informatio
activity?
service needs
This to Required
scope,
policy
analysis and and and
procedures
other responsibilities
implementation address nt
to
security
activities
the
recovery
practice’s
of see
is
those practice
nt
to
security
the
recovery
practice’s
of
includes
ePHI? see
is
reduce
those
documented
integrity,
Q: Does and
your systems
availability
organization activity of all
have process
ePHI?
a and A13,A14,A natural all
electronic
policies
of
rules
and
that
n
provider
have new
keys,
systems,thatorto natural all
electronic
policies
of
rules
and
that
n
provider
have new
keys,
systems, that orto
Standard system management
specifications misuse,for commitment,
abuse,
the security coordination
and any fraudulent A17,A18,A policies
terminated
which
problems?
to
business
actions
ongoing
who
environme
ePHI?, reduce
are or devices policies
terminated
which
problems?
the
business
actions
ongoing
who
controlling
(A58): impact
are or Required
procedures?
Q: Do your organization's current 15,A16 workforce
devices
and
combinatio
others
man-made
updating
explain
and ePHItocan workforce
and
combinatio
others
man-made
updating
explain
and ePHI can
Standard activities
complete
among
Q:
Q: Has
management
Who, yourand
security
organizational
with yourofficial
organization
process?
which
entities,
organization's job
implemented
office/department,
description
training ePHI? 19,A20,A2 begin procedures
and
and/or
areas
the
associate
events
security
not
nt
(A58):
members?,
and
procedures
ns,
follow?
disasters inside are
impact
media
and a begin
to procedures
and
and/or
areas
on
associate
events
security
not
the
Does
members?
and
procedures
ns,
follow?
disasters your to
are
your
media
and a Required
to
safeguards
that
and accurately
compliance? protect reflects against the reasonably
security duties antivirus
how
to
create,
to
procedures
relationshi
more it
verify
control antivirus
how
to
create,
to
procedures it
verify
control
Q:
withinHas
policies
Q: Does your
and
youryouruses organization
procedures
organization
organization tomade
is ensure
have
responsible all
any your
thatprior for 1 on
of
restore
awareness
members
the
Does
(A38):
inside
describe
similar
could
software
grants
that
your
anotheryourkey more
your
users
relationshi
practice
of
restore
awareness
members
environme
practice
(A38):
inside
describe
similar
could
software
grants
that
another
users key
your
Q:
and
Q:
staff,Has
anticipated
Hasresponsibilities?
your
employees, and
organization and of
Does
workforcereviewed
ePHI it that
include
disseminated are
aware the allnotof XXXXX XXXXX
access,
and
explain
p
vulnerable
practice
covered
processes, with a XXXXX
access,
and
explain
p
vulnerable
assets
covered
processes with a
and XXXXX
Addressabl any risk
overall and
workforce all
assessments,
systems staff,
security employees,
audit
activity comments,
process,
implementation and A22,A23,A activities,
of
facility.,
practice
Does
facility(ies)
the
physical
damage
when
access
are its your
to its activities,
of
nt
periodicall
Does
facility(ies)
the
physical
damage
when
access
are its
inside your
to its
permitted
areas
your outlined
Risk by the
Assessment and HIPAA spoken Privacy
policies of in
and Rule?
the store
validate
how
to
business or
your store
validate
how
to
business or
your
eAddressabl Q: Has
workforce
security
procedures
specifications?
Q: Has your
your
processes, organization
members
requirements,
and policy
results?
organization have and implemented
and/or procedures
appropriate,security 24,A25
assets
entity
systems,
does
workforce?
(PH3):
periodicall
practice
until
methods
access
informatio
requested?
ePHI
trustworth they
to
and
and
your
Do itsitis until
individuals
entity
ysystems,
does
workforce?
the
practice
methods
access
informatio
requested?
ePHI
trustworth monitor they
to
andit Addressable
your
facility. its
questions
procedures?
procedures
(concerning
and
test only
results? outlined
for authorization
sanctions
appropriate, thisprotected
for access
for security
and/or
inappropriate
to ePHI; and
transmit
someone’s
unauthoriz
associate
individuals
your
application
practice
you
y have
monitor
transmit
someone’s
unauthoriz
associate
?your
application
practice
(PH3):
its physical Do is Addressable
eAddressabl Q: Does
How
against
standard? your
often
all organization
does
reasonably your anticipated check
organization an threats A26,A27 keep
can
uses
controls?,
n
,
workforce
y?
ePHI
access beto
systems
(A41): on to keep
can
uses
controls?
n
(A41):
workforce
y?
ePHI
access be
systemsto
on to
Q:
to
Q: Has
supervision
access),
prevent
Whatyour your
use,
aretotheorganization
of
your work
disclosure,
staff, force
employees,
organization's disseminated
and members transmission
and
current who its assigns
ed
terminated
?,
practice
s,
prepare
policies
its use,
(PH6):
physical assigns
ed
terminated
(PH6):
practice
s,
prepare
you
environme use,
have
applicant's
review
or hazards employment
information
the security and
systems
and educational activity?
integrity records
securely
limit
(PH9):
or
Does
members prevent Do securely
your records
limit
(PH9):
or
Does
members prevent Do
your
e Q:
Risk
work
of Does
Have
workforce
and Assessment
ePHI? with
planned
references,
What are
your
all your
ePHI
members
the if
organization
or
controls?
this
organization's
procedures
exceptionsis inreasonable
locations
who Do todohave
youthe
to
not ahave
staff,
the
where
have
for
process
work
them
such it ofa
A28,A29 your user
theft,
?disposed
Have
has
electronic
and
environme
that
you or your
you
detail
have user
theft,
?disposed
Have
has
electronic
and
policies
nt,
that
you or Addressable
you
detail
have
ePHI?
standards
employees,
staff/offices set of
workforce,
with procedures
the offices
associated to andrecover
roles and access
practice’s
and
behalf?,
facilities
(A56):
authorizati
viewing to to of access
practice’s
and
behalf?
facilities
(A56):
authorizati
viewing to toof
Standard Q: might
accessDoes
Has
formally
job
that be your
to
description?
changes accessed?
yourePHI
documented? organization's
organization
thefrom review obtaining period? sanctions
implemented access to A30 developed
subcontrac
(A54):
device
communic
procedures
nt,
(A52):
when
its
of
policies or
ePHI? and of
each developed
subcontrac
(A54):
device
communic
and
business
(A52):
when
its
policies or
ePHI? and Standard
each
Q:
accessDoes
departments
responsibilities? your
control organization
devices,
been notified includinghave a
ofauthorized
theroles formal
name ePHI
awareness
other
(A61):
based
Does
ons
the andon
your
data?, ePHI
awareness
other
(A61):
based
Does
ons
the and
data? on
your
Q:
Q: Has
have
policies
ePHI? Has
Does
How your
a tiered
and
your
your
often organization
structure
procedures
organization
organization
does your defined
ofthat sanctions
assigned
do
organization background that policies
tors
Does
media,
ate
(PH17):
for
business
Does
workforce
destroyed?
and
develop the your
yourand
Do policies
tors
Does
media,
ate
(PH17):
procedures
operations
Does
workforce
destroyed?
and
develop your
yourand
Do XXXXX
Q:
Q:
takes Has
identification
and Hasoffice your
documented
your
responsibilities
into organization
badges,
toorganization
contact
consideration system keys
with
for all reviewed
security
the access
ajob
defined security
functions?
magnitude thethe
plan?
cards of XXXXX entities
XXXXX
Does
that
practice
(A42):
(privileges)
(PH28):
and
performing your (PH28): entities
XXXXX
Does
that
practice
(A42):
(privileges)
and
performing your
your
checks,
analyze staff,
responsibility such
your employees
asto
systemsa check
Criminal andall
activity workforce
hardware
Offender to
and practice
informatio
periodic
you
physical
operations
practice
member
,
procedures
policies
training
(business (PH31):have practice
informatio
periodic
you
for
,
practice
member
(PH31):
procedures
policies
training
(business and have
the Do
Required Q: isolating
Q:
from Will
problem?
frequency
Does your
staff, clearinghouse
your organization's
employees
oforganization
your
organizationRisk and functions
Assessment new
workforce
have security
a if policy XXXXX practice
(A44):
person’s
implement
,XXXXX
Does including your practice
(A44):
person’s
implement
,XXXXX including
Addressabl access
harm Hastoto
software,
Record
reviews/reports?
implementation
your ePHI
including
Information to providehardware
(CORI)
specifications?
assigned
and
protection
check, andthe for procedures
activities
have
n
security
maintenan
protection
,
have
(A43):
satisfactori
Do
governing
and
content
associates) (such
and you an as Does procedures
activities
have
n
security
maintenan
physical
informatio
have
(A43):
satisfactori
you
governing
and
content
associates) (such your
an as XXXXX
controls
member work
where with their your organization's
employment maintain
(A53):
Does joba practice
your maintain
(A53):
Does yourjoba
eAddressabl Q:
and
component
software
Has
procedures
appropriate
individual
the use
appropriate
Does
existing and
your whose
used
your
IT
that
levels
disclosure
for reviews
functions
organization ePHI
inorganization
the
architecture?
of
remote ofand
security
is
circumstances? atthe as
access,
formally
review
updates?
risk, aePHI? and toends?
healthcare
level the A31 role
procedures
the
practice
that
to
emergency
ePHI)?,
reminders
ce
of
informatio
policies
Does
ly
remove
when
procedures
include
?have
list
Does
practice
help
youror
access
plan
records
ofareyour
toor
all
your of remove
role
procedures
the
that
to
emergency
ePHI)?
reminders
ce
protection
n
policies
Does
ly
when
procedures
include
?have
list
Does
practice
help
systemor
access
plan
records
ofareyour
toor
all
your of Required
Q: Does
Has
clearinghouse?
oversight,
possible
determine your
yourtypestraining
whetherorganization
organization
of and
inappropriate
selectedaccess have
reviewed to a
security each and duties?,
include
that
for
carry
mode
(A48):
to
that
facilities
n
and your
system out duties?
include
that
for
carry
mode
(A48):
to
that
of
and your
your
gauge out
documented
Q:
Q: Does
exception
Does
Has
procedure your
your
your reports
to how access
organization
and
organization
organization
deactivate logs? tohave
have
formally
computer, ePHI will
aformal
process
and be practice
completed
destroy
re-key
for
informatio
its
practice
have
(PH15): service Do practice
completed
destroy
re-key
for
informatio
(PH19):
its
practice
have
(PH15): service Do
e updated
Q:
role? Has
disclosures?
settings your your
are Risk
organization
enabled? Assessment a formal policy and and A32,A33 identifying
log-in
permitted?
physical
workforce
the
operations
Does
communic
include
and yourthe ePHI identifying
log-in
permitted?
physical
workforce
the
operations
Does
communic
include
facilities your the Addressable
granted
and
Q:
and
other strategy
What
documented
documented
procedures to
electronic your
mechanisms
in that
the staff,
supports employees,
contingency
standards
tools,
accordance and
access your
measures
you
with plan?use
accounts,
your and will A34,A35,A ePHI
to
to
procedures
periodic
locks
responding
n
(PH19):
providers,
have
policies
you
and
gauge
about from
or
have
the
procedures
periodic
locks
responding
n
Does
providers,
have
policies
you
and about from
haveor
your
Standard workforcedocumented
Q: Does
Has
Does your
your
your finding
organization
organization
organization that onehave
formally
have part a
an of
listing
process, your in monitoring
protection
(and
activities
plan
practice
ate
history
equipment
36,A37,A3 informatio
the
for
password
training? your
to
about
theyour of monitoring
protection
(and
activities
plan
practice
ate
history
and
effectivene
for
password
training? your
to
about
the of
organization's
your
Q:
grant Does
including organization
your
a staff, members? authorizes
implement
organization
employee, whohave
workforce toare aassess change
to
how
Does
indicating
policies
and such a informatio change
to
how
practice
indicating
policies
and such a Standard
defined
organization
writing
procedure
determined
analysis
Q: Has
permitted
the
communication ofthe
frequency?
who
your
effectiveness or is
has
and
current
to
process
a the
healthcare
communication
documented
organizations
designate
organization of
plan
that
business
safeguards
your
or and
a
will
formally
review
reviewed
processgrant
disable
need,
plan
your
and ofand
their
access
process?
forthe
how 8
XXXXX
procedures
assessing
sas
informatio
that
ensure
implement
new
physical
?effectivene
creation
manageme
n
combinatio
situation?,
malware
XXXXX
practice
which
and
procedures
andpart
This you
or theof
have
procedures
assessing
sas
informatio
that
ensure
implement
new
physical
equipment
ss
creation
manageme
n
combinatio
situation?
malware
XXXXX
keep
which
and
procedures
andpart
of you
or
an
of
the
have XXXXX
member
user
Q:
and
Addressabl security Has IDs
clearinghouse?
who has
when
effectiveness your user's
and
beenyour
trailing access
passwords?
organization
granted
managers
needs?
relative to
tofor thea andworkstation,
identified
permission, staff,
identified the
to to
the
its
other
n
have
continuati
the
important
changes,
includes
ss create,
of to
the
its
other
n
have
continuati
the
important
changes,
?security create,
This
documented
to
Q: ePHI?
Does
security
communicating
lap top, your
reminder
transaction, the basis
organizationimplementation
policies program, and restricting
file, electronic
procedures
process, and
nt
technology
ns
(A51):
can
keep
access
procedures
designed as secure
when,
getpart
an to and
nt
technology
ns
(A51):
can
inventory
access
procedures
designed as secure
when,
getpartto
types
Q:
view, Does
Has of
alter, information
your
your organization
organization
retrieve, and
and store need,
uses
provide
healthcare of and
that have maintain,
criticality
awareness
security maintain,
criticality
awareness
security
eAddressabl Q: employees
risks?
access
Q:
and/orDoes
Does
specifications?
to your to your
your
paper, and
ePHI?
appropriate
workforce
organization
organization
monitoring staff haveePHI,
will
interview
reports,
member,
beformal and and
notified
key A39
office
technology
agreed
on
informatio
issues?
upgrades,
controlling
security
storage
of
devices
for
Does
into
inventory
your
for
to
ofyour
its
help yourto
of devices technology
agreed
on
informatio
issues?
upgrades,
includes
safeguards
storage
of
for
Does
into
and
your
for
ofyour
its your
akeep
toof Addressable
eAddressabl staff
and
separate
Q:
and
how Are
Has
other
information
periodic
clearinghouse
at
of what
suspected
when
are any
your
documented these
tools
termination
security
times, and
assessing
of and
your and
the
organization
reportsupdates
developed
inappropriate mechanisms?
under procedures
sensitivity
your
organization's
procedures to
and
what your
activity?
security
trained
formally
monitored? for
ofyour for
each
staff,
training
facilities A40,A41
and
of
measures
service
carry
critical
n
the
safeguards
an
awareness
and
example,
practice
systems?
its
system’sout aa to
keep
other
media
and
of
measures
service
carry
critical
n
controlling
?
an
awareness
and
example,
practice
systems?
help
its
system’s out aa Addressable
other
media
and
Q:
voluntary
type all
Does
employees,of your
your workforce?
organization
termination,
information been includinghave
evaluated security (also and
practice’s
contingenc
prevent,
log
informatio
training ofa who location
practice’s
contingenc
prevent,
log
informatio
training of who
implemented
circumstances
needs?
located
staff,
documented
obtaining
Q:
Q:
XXXXX Does
Does in
employees,
your
your a workforce,
the policies
regionandand
your
necessary
organization
organization
for
prone
ePHI andbusiness
what
workforce to
access
and procedures
havepurposes?
any
review natural
amembers
control
appropriate sanction
and
to
provider
for
business
security
modificatio
environme
?,
electronic
and
prior
key
yregularly
location
facilities,
detect
reduce
the
(A59):
plansisto or to
to prior
lost,
and
provider
for
business
security
modificatio
the
(A59):
electronic
and
key
yregularly
record
facilities,
detect
reduce
the
plansisto lost,
of
or
to Addressable
and
eAddressabl access
retirement,
link
Q:
in to
associates
that Did
disasters,
procedures
method?
sign-offs
controls
FIPS
protect
Does youryour and
such
Does
within
promotion,
199the policies
and
organization's
as
for...
your
your
SP
contractors/vendors?
clearinghouse
organization
earthquakes,
*
and
Guarding
transfer,
800-60
organization
organizational haveprocedures?
assessment for
ePHIor
floods,
against, more
written
use form or A42 accesses
n
programs?
the
contracted
other
processes
protection
ns
nt
Does
copy
training
disposal
a
system
chance
for
insideofyour
your of
accesses
n
programs?
the
contracted
other
processes
protection
ns
environme
Does
copy
training
disposal
a
system
chance
for of your
your of
policy
update
Are
change
on they for your
of
categorization staff,
updated
employment employee
policies, procedures
regularly?
of or
internal
sensitivity workforce toand
levels)? your (A55):
review/up
record
informatio
provide
respond
your
application ofto for (A55):
review/up
all
informatio
provide
respond
your
application ofmust its to
e Q:
job
XXXXX What
unauthorized
include
fires? descriptions
the
Others? methods access
security that does by
are
training your
thecorrelatedorganization
other
needs parts
withof A43
of for
informatio
covered
that
tools
facilities
practice
ePHI
programs? must
to
that informatio
covered
that
tools
facilities
nt
practice
ePHI
programs? inside to
that
detecting,
identity-based,
structure
violations?
standards
Q: Does
organization,
your Has
already
sensitive your
your
have
organization?
appropriate
toand
as
data,
both reporting
neededrole-based,
versus
organization
in
levelsandplace
grant
organization of and and
involuntary
other or
access?
malicious
when biometric
terminate
provide
identified
usesimilar to keep formal
allyour
the
combinatio
Does
date
all
n
access
security
facilities
s
inappropri
n
entity
occur
protect andof its
systems itsto the
your
the
that
to
combinatio
Does
date
workstatio
n
access
security
facilities
s
inappropri
n
entity
occur
protect systems
and its to Addressable
your
the
that
to
software
based,
access
Q: Has
appropriate? to
your *
proximity Monitoring
ePHI? organization based, log-in
other
implementedattempts
means of A44 and
facility.,
identify
would
device?,
n
practice
contingenc
workstatio
and
ePHI is the be
ePHI?,
to the and
the
identify
would
device?
n
practice
contingenc
and
ePHI is the
facility.
devices?
ePHI?be
to the
Standard staff,written
termination,
information and
employees, documented
including
systems workforce,that forauthorization
cause,
house ePHI? incidents?
(including
storage of ate incidents?
(including
storage of Standard
Q:
and Does
information?
access,
policies
Q: Hasreporting
oryour
and
your
organization's
organization
discrepancies
a combination
procedures
organization forofhave
assured *business
clearinghouse
access
any
an
Creating
security A45,A46,A (PH32):
ate
technology
involve
protect
against
rooms
(PH4):
the
used
compromis
have
yof
n
(A62):
continue plan
access
role
devices?, Do
inas the
Do (PH32): technology
involve
protect
against
rooms
(PH4):
the
used
compromis
have
yof
(PH20):
(A62):
continue plan
access
role Do
inas the
Do
Required from reduction
Q:
Q: Does
Has
associates
share
established
Has
changing
methods?
incidents?
the
hardware
your appropriate
your
your in
and
and
force,
set organization
organization
organization
safeguarding
manager
involuntary
contractors/vendors
ofor software
qualifications inventory
documented
with
determined
passwords?
before
transfer,
foryour each 47,A48
visitors),
data
support)
ePHI,
availability
malware?
where
responsibl
case
you
ed,
policies
appropriat
(PH20):
ePHIhave
orof does
a to visitors),
data
support)
ePHI,
availability
malware?
where
responsibl
case
you
ed,
policies
appropriat
Has
ePHIhave
or of
your
does
a to Required
compliance
granting
and
include
incident
updated
larger
job criminal access
all
response
and
organization
description? with
or
hardware
aware toall
disciplinarypolicies
sensitive
ofand
procedures
of security
which and
information?
actions?
software that
isother
it educationpart?that
can A49,A50,A through Does
operations
when
containing
gain
your
and your
the through
access Does
operations
when
containing
gain
your
and your
the
access
Standard Q: what
Q: Has
Does awareness,
your
your organization training
organization's and
defined job your informatio
physical
e
system
maintain
workforce
(A64):
and
e? and informatio
physical
e
system
maintain
workforce
(A64):
and
e? and
procedures
are Are
provide
ways?
Q: used
Does your
yourtoare
your by all your
organization's
organization
collect,
organization
organization's store, staff and
staff,
have
process,
with aasingle
aDoes
clearinghouse or it 51 Has
practice
after
access
ePHI
workstatio your
a of practice
that after
access
ePHI a of Standard
that
programs
overall
descriptions
workforce?
Q: Has
employees,
standard
transmit
contingency
your ePHI,
organization
needed,
accurately
organization
and
checklist workforce
including of
and
objectives?
action reflect check
which
reviewed
excel member's
items assigned the
for XXXXX
to
practice
security
n
protection
accountabl
breakdown
records
member
Does
procedures
practice
have
natural
XXXXX
occurred,
would
your
systems your
be ofis workstatio
or
to
practice
security
n
protection
accountabl
breakdown
records
member
Does
procedures
developed
have
natural
XXXXX
occurred,
would
your
systems your
be ofis XXXXX
or
point
Q:
share Does
candidate's
programs
include
duties, of
staffareference
your or
will
listing
responsibilities organization
physical
qualifications to
beofrequired?
all guide
space
areas
and the
provide
againstwith
that
enforcementday-to-day
use staff
a ePHI? ns?
facility
srequire
eePHI
and
or
the in This
ePHI
place
fortesting and the ns?
facility
srequire
eePHI
and
or in This
ePHI
place
fortesting and
Q:
data
dutiesHas
completionbackup
spreadsheets, your
separated organization
plan
when word and
so that
a training
staff,disaster
tables, developed
only
employee,
and recovery
the other a like A52 transferred
practice
for
developed
policies
human-
and
accessed the transferred
practice
for
and
policies
human-
and
accessed the
Required Q: operations
security
from
Q:
of Hasa your
specific
Does
segregation job
your of
awareness
larger the incident
organization?
description?
organization's
organization
of duties? response
outlinedwith
contingency
established allcontent
new your could
its
these
immediate
are
to
assessing
disaster?
movement ePHI
kept?,
manage could
its
these
immediate
are
to
assessing
disaster?
movement ePHI
kept?
manage Required
training
plan
minimally
workforce schedule
implementationnecessary
member forleaves your Risk
specifications?
ePHI based
your ontobackthe or
execute
its
and
made
reason for or
execute
its
implement
and
made
reason
data
team?
hires
Q:
plan
and Has storage?
before
your
address
audience
organization's
Q:
XXXXX Does your they
organization
disaster
training are
contingency
organization given
recovery made
priorities? access
established
plan
grant a
and your astaff, through
include
during
subcontrac
ly
(PH18):
physical
risk
of
terminated
business
contingenc after
and aaDo through
include
during
subcontrac
ly
(PH18):
physical
risk
of
terminated
business
contingenc after
and afor
aDo
Management
Required specific
employment,
Q:
ePHI? Are all
Has
separate
determination job
your theroles
network Program?
description
such
hardware
organization
of ora subsystem
each s the is
and made
candidate return
software
determined available
for of
foryourall
afor
how A53 implement
disaster?
the
using
disaster?,
tors
crisis to ona using ed
implement
disaster?
the
disaster?
tors
crisis to ona Required
up?
Q: What
framework,
employees gaps and did your
and
workforce organization
responsibilities?
members you
security
engaging
electronic
?,
associate
yed have
(PH10):
plans you
?security
engaging
electronic
associate
yworkstatio
plans have
upon
access
which
Q:
it Has
will request?
organization's
specific devices,
your
your
respond
position deactivation
organization
organization
to a security
clearinghouse? is of
responsible
established,
incident? logon and
Are A54 procedures
access?,
implement
locked procedures
access?
implement
locked
Required
Addressabl Q: Has
discover
Q:
remoteDoes your in conducting
your
access tocan
organization
organization's
ePHI? perform
theestablished
trainingthe tasks
contingency and for (PH7):
provide
situation?
process
risks,
in
devices ongoing Ifto
such a process (PH7):
provide
situation?
risks,
in ongoing Ifto
such a Required
Q: Does
accounts,
periodically
implemented
there
Q:
that Has aand your
formal
your
position? includingorganization
inventoried,
when
documented
organization's remote
needed, have
access,
including procedures
policy
clearinghouse toexceland
and
Do
agreement
a(PH16):
to
ation
doors,
disaster
satisfactor
you
periodic
workstatio
assure of itsit devices (PH10):
agreement
a(PH16):
n
to
ation
doors,
periodic
disasteruse
assure
satisfactor of Do itsit
eAddressabl implemented
assessment;
Q:
policyHas
authentication
return
spreadsheets,
your
of anyplan procedures
outline
organization
address
mechanisms
computers
word
what
and
to
needs create
established
scope,
determined
toother resource
verify
and
be and
if
the
similar A55 document
as
have
s
basis?
n
obtains
Has
a)
evaluation,
and when locks
media
a it
useyour policies document
as
and
you
s
basis?
obtains
Has
a)
evaluation,
when locks
media
have
your a Addressable
it
to
Q: enable
procedures?
staff,Has
maintain
added
implementedemployees,
requirements,
direct your
and
access continuation
organization
retrievable
updated?
toas andtables,
needed
training,
ePHI exact
will of
workforce
periodic
testing,
be
and
critical
established
copies
granted
other
plan business
beenof
testing to
like
ePHI? contingenc
screen
happens,
ymonitoring
the
on
inside
written
has repairs
doors
a your
contingenc
screen
happens,
ymonitoring
the
on
inside
written
has repairs
doors
a your
e Q: Has
identity
electronic
data
processes
trained
chains your
storage?
ortoof the
for organization
tools, user
thefor
safeguard
command such accessing
security ePHI
and identified
asrevision
alinesPDA,
of
from the
ePHI
incorporated and
ofdisclosure the
system?
while
authoritycell A56 policies
business
practice
yand plans?
barriers,
does
assurances your barriers, and
business
practice
yand
does plans?
assurances your Addressable
Q: Has
Does
procedures
maintenance
third your
parties your organization
and organization's
and
external the
backup to established
your training
requirements? of your and , and
facility?,
facility
contractor , and
facility?
facility
contractor
critical
Q:
phone,Does
Has services
your
and
your orinclude
isoperations,
organization's
delivery
organization ofworkforce
any and
management
identified the
all A57,A58,A and associate
determine procedures
associate
determine
Standard your to
foryour
Q: Does
strategy organization
staff,
workforce
implemented
organization's
Q: Does
organization, larger
your
and
your employee,organization?
security?
organization
procedures
plancontingency
organization's
including operating to
anhave in
restore
outline
plan?
policy members
any and any
of cameras,
practice
for the
modificatio
windows
reporting? cameras,
practice
for the
modificatio
windows
reporting? Standard
manual
regularly
data/information
hardware
emergency
jobs
Q:
loss
your Has
existing and
of and
your
ePHI? review
joband
reports
organization's automated
mode? the
software
descriptions
organization
or under listbusiness
documentation
specific processes
of
this
that access
roles staff,
maintains
established
policies and
partners,
that
that
and a or 59
A60,A61,A
(PH33):
security
creating,
procedures
agreement
d
and
have whether
protection
ns
and made
b) to
(PH33):
?security
creating,
agreement
d
and
have whether
protection
ns
and madeb) to
plan
other
Q:
Standard support Has
Does
authorizations, your
outline
providers,
your
them, organization
what critical
health
organization
involving
including tested
services
plans,
ePHI? have
remote its
patients must
business
access be Have
plan?,
transmittin
?,
s? (PH21):you Have
plan?
transmittin
(PH21):
s? you Standard
employee
transmits
Q:
you
Q: Has
responsibilities
process had
Has
procedures
contingency your
for
your ofmaintenance
ePHI,
previously workforce
organization
in
organization
that
plan * prepared
require
on a own member
excel
identified
personnel
documented
security
predefined or created control?
your
cycle? all 62 monitoring
guards.,
another
of
(PH34):
the
camerasthe Do in monitoring guards.
another
of the Do
(PH34):
the
cameras in
provided
and
associate
Q: Hasmembers
authorizations, your within
contracts? to specific
organization
to their
verify timeframes?
ePHI,
determined
that the and
list islist A63 developed
(PH11):
gequipment
Has or your Do developed
spect to— (i) The transm XXXXX
spreadsheets,
key
Q: activities
Has
authorization your andword
organization
and tables,
developed
maintain and
reviewed
a other
procedures
current (PH29):
way
ePHI? to get Do
by
your
Q:
what
your
awareness
Does
accurate
similar
data
Hashardware
others? organization
your
your
data
backup
and
andtheseorganization
organization's
has
storage and not
addressing
procedures
training?
software
andbeen trained
included
and
policy
business
and
made
yourand
it the
inofan
you
physical
nonpublic
and
you
storing
practice
is take and
needed
Required
sfactory assurances to of
them
Q:
XXXXX
plan
Q: continue
incident
authorized
compliance,
Does
Does
associate
personnel identify
inappropriately
your
emergency?
staff,
response
available
staff/employees your
your
inventory?
employees,
and
agreements
are
to with
critical
key
maintenance
integration, procedures
all
organization's
outline
organization's
altered?
or
activities
your
defined
(asyour
to
workforce
or staff,IT
written
with
training
plan
cross-functional during
organizations
maturitysystems
members and a A64 your
into
require
security
areas
implement
the
ePHI?
document
to
yourto
steps document
enforce
your
Required
and
strategy personnel?
particular
employees,
responsibilities
dependencies
have
executed) the and or
capacity
containmany
and
plantoin security
workforce
include
their
determine
to set
sufficient roles?
access safeguard(s)
members?
scope how
language of the
failure
controls? to in policies
facility
that
features
monitor
ed all
policies
necessary orall
XXXXX
Required organization's
Q:
with Does
Has
deployed the your
your roles
toan daily
organization's
organization
and
protect business
responsibilities
ePHI also
made
that operations?
inventory
identified
youryour related
canwork XXXXX ed
XXXXX
your
and
offsitehow
XXXXX
awareness training program? have ePHI is Do ePHI is Do
Q:
one
ensure
Q: Does
Has
include
critical
to
staff
Q:
systems
incident
Does
leverage aware
your
that
your
removable
functions
individuals/office your
for
organization
impacts
required
organization
response,
ofthis the that media,
identity
organization
evaluation?
named
organization's
other
information
use
solicit and
include
system(s)?
use
determined
remote
ePHI?
and
have
stronger
suggestions
trainingroles
types
access
facility of the PH1,PH2,P that entrances
and
to
(PH35):
staff,
facility
procedures
storage
Standard are external
Q:
accessHas yourentities,
controls
protected? forincluding
organization
Including sensitive vendors,
outlined
the data?
2009, 2010, removed
protect
and
procedures
implement
you
employees exits?
have the you
Standard
impact
devices,
Q:
for
their
accessDuring
responsibilities
strategy
alternative
scenarios
Q:
and Does
2011
on
improvement,
Has and
supervisors?
controls
yourand
your
desired
the
andsite
HITECH
mobile
emergency
plan assigned
and
service
and
, policies
organization include
identified
organization
Act
devices?
servicemake
updates and
to levels
would
the changes
established
conduct
preventive
have goals?
providers,
and a
ifdifferent
procedures? these ato H3,PH4
in XXXXX access
set
location
from
facility,
that
your
XXXXX to employees
XXXXX
Addressabl Q: critical
Is the
staff/employees,
reflect
Has
Does assets
input
your current
your are
that
organization not
information
facilities available?
is reasonable
organization or
provided
have system
systemsand staff,
policies be procedures
, workforce
control
standards
get your equipment
frequency
backup
your
measures, testing
contingency
inclusions? for
activities?
measuressecurity
organization's
exercises?
operations you evaluations,
can
plan? training
do now, and for PH5,PH6,P equipment
administra
specify
facility
eAddressabl Q:neededHas
configuration
appropriate?
employees, your
to organization
perform
and documented,
workforcetheseresult outlined
determined
including
critical
members the
functions who
with that
members,
policies
for
ePHI?
and
strategy
Q:
each
nature
needs
Hasprocedures
disseminated
connections
your
scenario
and
access
and
degree
to
this
plan
to
regarding
organization
that
your
other
information
include
could
ofand impact
facilities
systems,
access
the
determined
identified on
to
target
and
inyour
both
to
your
the and
the
offices
how
inside
loss H7PH8,PH9,P
and
tive
how
security
describe
and
and
media
your and
non-
Addressable
during
Q:
a
use
entireDo
copyof
audience(s)? the
your
of
your emergency?
organization?organization's
their job
facilities descriptions, staff,
equipment? employees
informed workstatio
before
offices, you
Addressable
eAddressabl Q:
the
of aHas
plan
operations
in
Q: the
Can
your
critical
individual event
outsideyour
will
or organization
be
service tested?
department
iforganization
any
of
your of
aadisaster?
involving
the
firewall?
implemented
Will who
critical
assure
it
the be
is usea
resources
the
table
of PH12,PH13
H10,PH11 procedures practice
plan?
how
employees your
and
of
Q:
measures
top
ePHI? workforce
Does access
exercise, your to members
granted
organization
organization's
provide
or real to
physical know
them,
operational havesecurity
training the
as well
facility
protection as ns
remove
and
should that are
responsible for coordinating thepolicies of can be ,PH14,PH1 practice
eAddressabl Q:
are
Q:
accessDoes
security
policies
strategy
for
not
Who
importance
the conditions
the
scenario?
Q: Has
execution
your
available?
is
of
control named
specify
ePHI
yourand of
theof organization
plan
in
your
ePHI
timely
by
policies
that
your
organization in
which
include your
in the
and
security
possession?
organization's
have
contingency
application
thisthe
brainalternative
access
procedures
evaluations
learning
stormed
business
access
?treatment
allowed
the
dispose to practice
of
Addressable
and
Q:
plan Has
mode(s)
system
used?
Q: Has
already procedures
your
asrepeated
responsible
your
inoperation?
patched in
organization
to
organization
place? place
protect for controlling
determined
for environmental
access against
developed to ePHI andthe 5,PH16 should
your
be used
e will
Q:
and be
objectives?
Does
associateoutlined youragreements when
organization
organizational
alternatives and have
for testing
other continuingsuch lend and PH17,PH18 equipment
areas?
electronic remove
Addressable
and
amount
during
maliciousvalidating
implemented
Q: Has
operational
Does
documentation
itself
operations
Q: Does
agreements?to
of
ayour
your
phased
your
time
disaster?
software access
changes,
for
your
polices
organization
organization's
yourof and
your
testing?
organization
to
and
such your
organization
exploitation
procedures
developed,
facility
organizationBased
facilities
astraining
have technology
inventory,
on if
can
the
you ofto PH19,PH20 remove
by PH22,PH23 workstatio
outside
or media
devices of
Standard vulnerabilities?
staff,
tolerate
Q: Who
document employees,
disseminated, disruption
in your
repairs and workforce
to these
organization
and modification
periodically members,
operations,
isdeployment to the ,PH24,PH2
,PH21 ePHI
ns?
your from
Standard
updates,
strategy
physical
assessment
lose a
workstation
Q: Does critical are
and
maintenance
your ofmade
plan
use business
function that
include
policies and
organization or affect
record, the
impact
a criticalthe
the and
procedures?
periodically security
history from
andstorage your
media its
Standard visitors,
material
responsible
Q: Does
physical
reviewed/updated
of ePHI?
methods?
physical
acceptability
and
your
components probationary
or services?
for
changes,
of implementing
organization
sustained of
a upgrades,
formal, your employees?
have
monitor
loss the
facilities
documented
ofand log-in
other
service? 5,PH26,PH its facility?
facilities
containing
Standard
resource?
Q:
review
Q: Has
Does
Has
workstation
contingency your
andyour
your Remember
organization
reevaluate
organization
organization
security
plan for
there
your
physical
access
are
developed
list
monitor
determine
to
physical
of
safeguards
ePHI and PH30,PH31
what,
in 27,PH28,P media/
Standard Q:attempts?
specifically
aresources
physical
Does
modifications?
implemented your Do
andrelated
like your
environmental
organization's
organization
offices
polices staff,
to and
and employees
security? have
test
desks
procedures protection
frequency
training device
during
and and of ,PH32,PH3 for
for ePHI? offsite Standard
business
physical
if
in any,
eachplace?
workforce department,associates
access
support members istoor the to
can
unit,know determine
information
bedeveloped,
and provided
of other
this who
system
officeby has H29 electronic
Q:
Q: Has
policy
security
strategy
and media
Does
normal
copiers
proper
access your
that
use
to evaluation
and
your
business
and ePHI organization
address
and plan
controls,
organization's
paper,in hours? the
policies
include policies
electronic
performance
order purposes,
to reflect
evaluation
and
inventory
assess recourses,
of all scope,
any
types
whether of 3 maintenan
Q:
to
Q: Does
detect
external
Has your
your organization
andorganization
providers, respond including have
to documented
physical ISPs, disposal
security
utilities, XXXXX devices
designation?
monitoring?
disseminated,
roles,
and
the
Q:
of
your Or
Hasall responsibilities,
training
procedures?
identify mustfederal
points
you
workstations,
policies list
incidents? isways
and testing and
laws,
throughofincluding
organization
complete
procedures?
periodically
access
takeand management
regulations,
designatedto
place your
researched
for
current? during and
facilities
day-to-day offthe
the ce
beforeor the
Required or Q:
Q:
and
contractors?
different
Will
Has
Does
hours?
cost Hasthe
of your
operations?
Q: Does
your
reviewed/updated
commitment,
guidance
measurement yourdocuments
existing
preventive
your
workstations
organization
coordination
techniques?
organization: your
security
organization
organizationmeasuresthat formal,
named
are
contingency
analyzed
developed
among
impact
1)being
controls accessed
protect
periodically
these
used
your and and
in PH34 disposal?
media is Required disposal?
Q:
by
plan Has
staff,
problems be
implemented
documented
organizational
environmental
Q: Does your
employees
appropriate
your and organization
created
policies
information
entities
or workforce
for
operational
organization's aand
and allestablished
types
mitigation
procedures
system members,
functions,
changes
training of plan cost-
and
control
these
Required review How
considered?
Q: Does
systems your
areas?
frequently
your
and
physical defined
organization
functions
access does types your
covered of
have digital
organization
byan the and PH35 re-used? Required
effective
and
that
strategyit is
address
maintenance
compliance?
affecting
non-digital
Q:
test Does
its
Are
procedures
inventory
contract/ the
strategies
non-employees?
potential and
your
plan? disasters,
working
the
of the
policy
security
plan
media
preventable
for the
workstation
agreement?
to for
disposalsuch
include
during
organization thatoflogs?
removal
recovering
decrease as of
the fire,
addresses
ePHI? ePHI
transport
measureshave
types of risks flood,
frequency
ePHI
and
these
and
and
you from / or
are
critical
Q: Are
earthquake?
purpose,
Q:
of Does
training? services,
any
vulnerabilities?
the hardware of
scope,
your your
and resources,
organization organization's
electronic
roles,
organization's or
responsibilities,
have processes?
media
corporate, formal, on
outside
procedures
Q: Has
considering
electronic
locations
Are of
your controlled
withinfor security
organization
affordable
media before
your
organization's areas your
and the
organization? using
facilities,
a outsourced
timeline
practical
media your on
arefor
workstations
Q:
whichWill
Does
management
documented
legal,
Q: Does
including
when and
organizational
theyour
your
ityour
isthe
your stored,located
organization
organization
commitment,
procedures
regulatory including
organization's
contingencysecurity
exterior, in public
compliance contingency
to
measures?
the
plan have
the areas?
facilitate
training
interior,
should a staff,
coordination process,
and
be
the
made
Q: environment?
Has
functions
Q: Does available
your also for
organization
covered
organization reuse, by including
included
use lap all
plan
procedure
among
strategy
Q:
your Does
revised?
assuring
types
be
appropriate appropriate
oforganization
implementation
employees, and
your
equipment? that for
computing
contracts/agreements?
reporting
methods
orplan ofinclude
workforce
organization:
organization
ePHI isthefor
properly
devices
all
and
tophysical
entities, disposeyour
members
the 2)
haveinhandling
and and
maintain
an oftops
facilities?
destroyed
your
and
Q:
securitytablets
Does
hardware, your (iPads)
incidents?
softwareorganization as and workstations?
the have data a backup Do
compliance?
environmental
participate
consideration
accountability
Q:
and
Q:
you
plan
Is
emergency
Are a workforce
cannot
inventory
have your
forduring
when
be
specific
access
ofprotection
for
ofcoordinator you
compliance
recreated?
workstations,
organization's
to policies
the
conduct
information
member
your
who policy
and
of
such dates
youryour
manages,
off-shore
facility asitself?
systemand
procedures
and
and / or
Q:
the
mediaHas
Does
associated
analysis?
HITECH
organization
maintains your
your and organization
Act organization
physical
other
Q: Does your organization have one Updates?
transport
updates and
than prioritized
outside
thethe have
environmental
security
contingency a
of your
process
formal,
?,
(T31):
settings
eassociate (T16):
purposes?
for associate
settings for
Does
and
that
practice
against
of
(O3):
deemed
Does
each
agreement If its authentica
your
media
ePHI
your
of
Does
and
can
practice
against
of
(O3):
reasonable
Does
(T31):
each
agreement
your
media
be If its
your
of
authentica
practice
from
can
require
unauthoriz
control
equipment
your be your tion
practice
from
intercepte
require
unauthoriz
control
equipment
your your
reasonable
(T33):
practice
informatio
stion
activate
facility state that
an and
(T33):
practice
Does
informatio
smechanis
activate
facilitystate your
that
an
intercepte
(T32):
that
ed
access
or
practice
and
Does
effectively mediaeach
access to
your is d
(T32):
that
ed
access
or
practice or
appropriat
Does
effectively each
access
media to
your is
retain
n
the
mechanis
automatic
has
d
Does
user systems
or or can
your
enter practice
n
the
m?
automatic
has
modified
Does
user systems
or can
your
enter
of
ePHI
to
the
appropriat
practice
recover
copies
and ePHI
ensureand of of
ePHI
to
the
e?
practice
recover
retain
and ePHI and
ensure
business
m?,
logoff
abe
modified
practice
when (T37):
used
unique that
it business
(T37):
logoff
istois when
abe
when
practice used
unique that
it
it isto
Addressabl
other
that
business
e?,
have
from
its
electronic
associate
Does
terminates
access
when
have
user
data
(T45):
an
your
it is
other
that
business
(T45):
have
from
copies
electronic
associate
Does
terminates
access
being
have
user
data
an ofisis
your
sent
transmitte
health
available
associate
When
mechanis
emergency
audit/acce
devices transmitte
health
available
associate
When
mechanis
emergency
its
devices
eAddressabl Q: Does your organization keep a record PH36,PH37 will practice
an
ePHI?
being
policies
identifier
d
informatio
when
of onatoan sent will
it is practice
an
ePHI?
electronica
policies
identifier
d on
informatio
when
of atoan it is Addressable
of the movement of hardware and analyzing
ms
and
ss
that
implement
protect
electronic the analyzing
ms
and
audit/acce
that
implement
protect
electronic the
e Q: Does your organization create an exact PH38 electronica
and
prior
electronic
n
needed? by to
using lly?
and
prior
electronic
n
needed? by to
using
software
copy of ePHIbothif inside needed your before organization
you move
covered
risk,
corroborat
resume
records?,
control
appropriat
confidentia
session
lly?,
procedures
obtaining
does
(T42):
covered
risk,
resume
ss
control records? Addressable
corroborat
appropriat
confidentia
session
(T42):
procedures
obtaining
does
Standard Q: and Does
when yourit leaveorganization
your facility, haveand access do you network?,
eencryption
to T1,T2,T3,T4 entity
your
normal
(T31):
access? that do
ePHI entity network?
eencryption
your
normal
(T31):that
access? do
ePHI Standard
the equipment? eDoes
lity
after
for
access
(T39): security
/decryptio of to eDoes
the
ayour
Do lity
after
for
access
(T39):security
/decryptio of the
ayour
to
Do
technical
have an policies
individual andor procedures?
office responsible the
practice
has
operations
Does
safeguards terms
not your the
practice
has
operations
Does
safeguards terms
not your
Required Q: Q: Does
Does your organization
yourorganization
organizationidentified have
maintain a formal T7,T8,T9,T1 T5,T6 document
predetermi
practice
protecting
ePHI?
your
n
and methods document
predetermi
practice
protecting
ePHI?
your
n
and methods Required
Q:
for Has
access your
thiscontrol
task? policy that guided the all consider
been
practice
to
ation
ned
0,T11,T12,T implement access
protect
period consider
been
practice
to
ation
ned access
protect
period
Required backup
Q: Does files
your offsite
organization to assure have data ePHI
practice
to
conditions
the
altered,
to deny from
value
ePHI? the implement
ePHI
practice
to deny
conditions
the
altered,
to from
value
ePHI? Required
Addressabl applications,
Q: Does your
development
availability
procedures
systems,
infororganization
ofobtaining
the access
event
servers
controlhave
ofnecessary
data
and other 13,T14,T15, the
isanlost access
retain
T17,T18,T1 containing
of
encryption
unauthoriz
implement
access user
yourof
retain
to containing
of user
encryption
unauthoriz
implement
access yourof to
eAddressabl electronic
Q: Does
inventory yourtools
of that
organization
the type hold
of and
mediahave use an
that ePHI?
are of
modified
copies
privacy,
access
inactivity? of
modified
copies
privacy,
access
inactivity?
procedures?
while
to
Q: ePHI
Has transporting
during
your or moving
an emergency?
organization outlined electronic the
T16
9 as
ed
safeguards
unauthoriz
practice’s
encryption
or
(PO1): the Do as
ed the Do Addressable
safeguards
unauthoriz
practice’s
encryption
or
(PO1):
electronic
used Has to store
your procedureePHI,
organization and that
ePHI? developed is automatically
it updated T20,T21,T2
and T23,T24,T2 (O1): its
confidentia
control
safeguard its
confidentia
control
safeguard
e Q:
media
Q:
user Does
Doesroles
terminates
periodically?
your
containing
yourfor organization
organization
the
electronic applications,
session
have
have aa policy
systems,
after a 2 ,modificatio
ed tousers?
business
for
destroyed
your
audit/acce Does (O1):
assure ,modificatio
ed tousers?
business
for
destroyed
your
audit/acce Does Addressable
assure
implemented
process/mechanism
Q: Does your access
organization control
to encrypt have procedures?
and
an 5,T26,T27,T lity,
records
to
n
your
that orassure
ePHI lity,
records
to
n
your
that orassure
ePHI
Standard Q: on when
Has
servers your
and access procedures
organization
other electronic should
determined
identified be the associate
assuring
in an
practice’s
ss records? associate
assuring
in an
practice’s
ss records?
predetermined
Q: Does
Do your
decrypt
inventory
activated?
appropriate
above?
your
ePHI? what
scope
time
organization
oforganization's of activity?
business
of1)audit
permit
access
process
controls
your
control
would
that 28,T29,T30, integrity,
(list
that
destructio
practice
is
the not
agreement
unauthoriz
processes
ofePHI integrity (list
that
destructio
practice
is not
agreement
the
unauthoriz
processes
ofePHI Standard
Standard Q: Has
staff,
Does
procedures your
employees,
your organization
and
organization
include: workforce inventoried
initial have access, members
integrity your
2) T32 and
authorized
is
n? not and
authorized
is
n? not
be
Addressabl Q:
are
Q: impacted
Does
Has
electronic
to remove
policies
increased youryour
be necessary
and tools
and forprotect
organization
to
organization
electronic for
procedures?
access,
howdetermined
3)automatic
media
access
long
policy
your
tothat
if data
logoff name
contains
different
T31,T31 sassure
accessed
edstateand
integrity
enable
availability
users
that
the of sassure
accessed
edstateand
integrity
enable
availability
users
that
the of Standard
e were
Q:
the Does unavailable
information
where the your
person/role/office
ePHIsystems while
organization
supporting and media
that have
tools makes
the was
thatin being T33
place
the
electronic compromis
its
while
your
ePHI
manner?
developme isen-not compromis
its
while
your
ePHI
manner?
developme isen-not Addressable
capabilities?
or
Q: can
Doesbeand
systems used
your to access ePHI;
organization
applications a listuser
that does
of allyour your T34,T35,T3 ed of ePHI
passwords)
when of ePHI
passwords)
moved?
electronic
decision
contain
tools is tomechanisms
ePHI,
currently activate
based housed your
on to
your corroborate
emergency
(i.e. risk
lap top, business
route
subcontrac
accessed
nt and to its ed business
route
accessed
nt when
subcontrac
and to its
Standard Q: Does
Has
organization
currently youryour
has? organization
organization
have
users procedures
are authorized have
determined to person
track
to the
the that
?
being
associate it that
?
being
associate it Required
that
access
period
media
access
Q: Has
ePHI
assessment?
network,
and entity
Does ofyour
your
has
procedures?
etc.)?
activity
externally?
ePHI?
not prior
authentication
access
been
organization control
altered
to polices
triggering
policy,
have
or and the 6,T37 T38,T39
intended
tor
or
maintenan
collects,
transmitte
intended
tor
or
maintenan
collects,
transmitte
Standard destroyed
Q:
Q: Does
Has
Are youryour in an unauthorized
organization
oforganization have
determined manner? agreement
recipient?
(business
modified agreement
recipient?
(business
modified Standard
Q: Has any
procedures?
automatic
including
transportation
procedures your log-
the and
youroff?
organization
rules
policies
a
organization's
of user
method and anfor
use established
behavior,
procedures?
both
systems,
supporting been ce of
creates,
d
s fromitone
include
associate)
ce of
creates,
d
s fromitone
include
associate)
Q:
what
Q:
basisDoes
networks,
Hasfordata
communicated youryour will
or
assigning organization
need
data
organization to
accessed
to your specific be
system have
captured
remotely?
established
determined
individuals integrity
users? by the
and XXXXX when
XXXXX
policies
maintains, is when
XXXXX
policies
maintains, is XXXXX
Addressabl Q: Does
electronic
continuity
controls
your
Q: Has audityouryourand
of
policies organization
controls non-electronic
operations
and
organization and when
procedures?
in have
your
identified formal
normal
audit an logs, T40,T41,T4 point
satisfactor
will
stored
and toor
formal
period
Q:
rolesDoes
Hasaccess
eAddressabl documented documented
of activity
your to prior
organization
your organization the ePHIauthentication
to triggering
basedhave
outlined on measurespolicy
the
need,
howfor or or
mechanisms
access
user
approach ID, procedures
event policies
to protect are
type/date/time? and ePHI?
disabledprocedures or 2 yanother?
implement
transmitte
Addressable
and
planned
such
user
Q: Has
procedures
automatic
Doesasyour
compliance
transmission
unavailable orfor
your
log-off
necessary access
of and
implemented isfor
with
ePHI,
organization
dueorganization
to
control?
communicated
deferent
system job
your
and to
task? forthey
protect
access
have
implemented
use
problems?
them
specific
ePHI
control
been T44,T45
procedures
transmits
assurances
procedures
transmits
assurances
e Q: Has your organization determined appropriat
d?
thatbehalf Addressable
to your
parts
during
Q: Has
policy of
communicated
encryption
authentication
Q: Will
organization's
your
transmission?
your
will
your be for
organization?
organization
enforced?
toisyour
ePHI
mechanisms,
organization's
staff,
staff,
transmission?
employees,
identified
employees,
such
systems asallthe thatbehalf on
on
for
e security for
eXXXXX
security
Standard Q:where
access
Q:
and Does
Has
Does
approved
Has your
capabilities
workforce
your
youryour
yourusersePHI
organization
members?
organization
organization
with
organization at
of risk
all
the yourwithin
have
developed
have
ability
determined to your
electronic
business
assuranceand
alter who or XXXXX implement
of the
and
Q: workforce
Does
error-correcting
automatically
organization
tools that yourhold and members?
organization
andmemory,
default when createto you believe
magnetic
settingstransmit
ePHI, and
such disc
itas safeguardi
safeguards
risk safeguardi
safeguards
risk
associate
Q:
built
that Do
destroy
will
Q: the your
in-house
manage
Does agreements
organization
information
data?
your the tool(s)
access
organization's is or
have not other
authentication
control automatic
altered
businesscontractsduringlog- practice practice
etween the covered entity Do
encryption
storage, your
functionalities digitalorganization
necessarysignatures,
that will to policies
protect
enable check the and
sum to O1
ePHI ng
to ePHI? ng ePHI? Standard
outside
viewing
with other
procedures
off
transmission?
Q: Have
procedures?
associate
procedures
during
technology?
your
data,
capabilitiesyour healthorganization?
agreements
transmission?
modifying
includeor
identify
Others?
care
can
organization's ongoing
they data,
entities?
include
methods be usersdeleting
system,
modified
mandated
of been andprotect
analysis, timely analysis, to
andprotect
timely
emergency
Q: Do
with the standards in applications,
data,Does
include your
and your access
organization's
creating
automatic organization
network, procedures
data?
log-off business
have
andcapabilities?
tool or will
an users it XXXXX the
informed report
trained
Q:
Q: Does
requirements?
transmission
Is
Does onyour
encryption
your how that to
organizationuse
will
feasible
organization's ePHI?
used and train
to your
safeguard
cost-effective
information report
need
associate
inventory
maintenanceto be ofactivated
agreements
what systems,
andprocedures
update by a of
includes system's
your specified
applications, privacy,
risk-based privacy,
ment, if feasible; or Q:
in Does
your your
access
ePHI?
for
integrity control organization's
organization
organization?
process, aslaptops,
currently havebusiness
and audit XXXXX security
administrator/authorized
paragraphs
processes,
authentication on
servers, disclosures
methods? individual?
of business
PDAs, tablets confidentia
decision confidentia
decision
associate
trails
Q: Does
What,established
management?
Do your agreements
your
if organization
any, for
organization's
encryption all includes
accesses
policies businessspecified
algorithms to
and ePHI? XXXXX incidents
d the problem to the S associates?
implemented,
(iPads)
Q:
Q: Do your
paragraphs
Has and
your other provide
organization's
on electronic
termination
organization
thatidentityatools
of
determined
high make
business
level of lity,
making
to your for making lity,
to your for
and Does
procedures
associate
mechanism
assurance yourthat organization
identify
agreements are
information toolsincludes
available train
and to
integrity new
techniques
specified
your is integrity,
data
XXXXX
methods
Required associates?
what vulnerable
can
employees/users corroborate
beifuseddone tointo unauthorized
thataccess
protect
your thethe person or
ePHI is O2
control security
practice?
Required
that
being will
paragraphs
organization? be
maintained?
inappropriate to support
termination
tampering, of the
uses business
or and and
risk and
risk
and technical safeguards the
when
policy
Q: one
Does
transmissionis
and claimed?
it
yourat rest
procedures, in
organization's
security your and
policy? systemsother
business XXXXX
associates
Q: Does
disclosures
Q: What your isofnot ePHI?
authentication feasible,
organization the
have
methods issues staff
does is availability
(PO4):
mitigation,
tools?
instructions
associate
Q: Has
reported
skilled your
in to
the for
contract(s)
theuse protecting
organization
Office
of provide
for
encryption? ePHI?
Civil the
implemented Rights? business of ePHI
bcontractor, to whom Q: your
Q:
Do
What
Does
your
organization
associates
procedures your
organization's
activities
that
will yourbusiness
willuse?
fororganization implement
transmitting
auditpolicies
haveePHIstaff
controls XXXXX
using
XXXXX
Does
and your and XXXXX
Does your XXXXX
Q: Does
associate
monitor,
Do your your
contracts
creation, organization
authentication provide
review, include
havethat
updating,
methods any theto that
practice
effective it that
practice
effective it
Q: Does
urity incident of which administrative,
and procedures your organization's
thatfor are business
usedtechnicalto decrease XXXXX
(PO5):
procedures
hardware
following
maintain
agent,
deleting,
require
associate including
the other
for
orprocess
validity
contract(s)
new
physical
software?
arequirements ofa ePHI? employee/user
subcontractor,
of a
provide
and
and/or
encrypting
transmission that
ePHI
to
the
access
whom collects,that (PO5):
assure
mitigation collects,that
assure
mitigation
t by the covered entity,Q: or
to eliminate
your
safeguards
Does data to alteration
and
protect
yourorganization systems?
organization
organizations theof ePHI
ePHI?
have
businessduring
formal Does your Does your
specifications,
during
the
Q:
source
business
transition,
transmission?
business
Has your
and/or
associate
such
explicitlyprovides
associate
verifying will
asofinclude
encryption?
orevaluated
an
report
by reference,
individual's
any ePHI, your
security or XXXXX XXXXX
(PO2):
creates,
its
and
(PO3): policies, (PO2): XXXXX
its
and
(PO3):policies, XXXXX
creates,
Q: Doesto
documented
associate
in information your
contract organization
organization's
setacquisition requirements havebusiness
standards
contracts for and
based practice
Does your practice
Does
ered entity and its busin access
existing
Q:
claimIf
incidents
Q: Doesyour
procedures of your such
systems
organization
authorization
of which
for
ePHI.
organization
reviewing
agrees
capabilities and
privileges
itofbecomes haveto
thein implement
the last
asatoformally
aware ePHI?
to 12 XXXXX maintains,
procedures
monitoring
XXXXX
Does your
assure that assure Does your
maintains,
procedures
monitoring
XXXXX that XXXXX
your
associate
transmitting
thresholds
on the assessment
reasonable
months
organization
Q: Does and contract(s)
your for
andePHI?
termination
appropriate
determined
you are
organization riskifand,
address
contract and
any
have
functions
ofsafeguards
contract?
in
withchanges are
trained to
of practice
or
,
thatand other practice
or
, and
that other
erstanding with the busin the
related
Q: covered
documented
appropriate,
Q: Does
What
Do the toyour
measures entity?
set
modifyingof
organization
creating,
conditions integrity
foraccess
receiving,
does your use requirements
termination organization XXXXX practice
its
XXXXX policies, its practice
XXXXX policies, XXXXX
accordance with applicable laws, assure
protect
upgrades
both
staff
Q:
that Hasis
authorization
memorandum
maintaining,
have
within in
the
based
place
your
are
governmental
to maintain
your ePHI?
necessary?
on
for
and
to the
organization
your agencies
existing
ofprotect system
analysis
understanding
transmitting
organization's
or
identified
users?
ePHI do
business of isyou
ePHI?
during this
use,
(MOU) use a
the assure that
transmits
security
protects
procedures that security assure
assure that
transmits
protects
procedures that
pted by the covered enti regulations,
Q: Does
memorandum
work your
outsourced? and related
organization
of understanding guidance
have other
tools
(MOU)? laws
in XXXXX (PO6):
its
on
XXXXX
program
the
its policies
behalf
other (PO6):
its
on
XXXXX policies
program
the
its behalf XXXXX
other
key
users
with
Q: Dobusiness
Has andyour
certain
your
transmission?
associate
documents:1) misusesassociate
organization
business
organization's
contract security of
include ePHIstaff/point
and
determined
associates?business
material
functional your ofbreach
riskhow and other and other
Does
and
of theyour Does and
of theyour XXXXX
law to perform a func similar
place
Q: Does
If
acontact
analysis?
Q:
ofuser
associate
Does
the
for
your
requirements
to
in business
auditing
yourtheorganization's
identifier
contracts
your
contract,
requirements/specifications? that
data
organization
organization
eventshould
organization
and
associate
of has
itprovide
that
must
review,
abe the
use
an
security agreement
creating,
passwords
MOU
established,
havethat
breach
implement? the
in have XXXXX
place
document
privacy,
XXXXX
security
practice
procedures
covered
document
privacy,
XXXXX
security
practice
procedures
covered
deleting
MOU/agreement
for
you
Q:
such individual
made
incident?
Doesas be and
your
lengtha updating,
access
good provide
faith
organization
and content, to plus
ePHI?
effort havefor
protection
to
and firewall
obtain
a written for ation
confidentia
program are ation
confidentia
program are
other arrangements autho business
an
Q: auditing
Does
cannot
system associates
your
activity process
cured? organization
and conduct
duringsimilar
other or ayour
include risk
transmission contact
the in O3 assure
entity?that retained
are assure
entity?that Required
are
the
Q: IfePHI
Does
policy your
satisfactory
communicated equivalent
organization
your
related assurances
organization
to your
this to those
uses
that
integrity
information have provided
passwords
the HIPAA
in
to place
your fora retained
lity,
document lity,
document
assessment
that that addresses administrative,
Q:
at Is verifies
Standard partners
Does
following
activities?
Q: HIPAAyour
individual
Security
procedure
requirements
have
your that
requirements
organization
business
access
Standards
including
and
the ePHI
statutory
organizations
to associate
ePHI
are
has aof aand/or
itmet?
has been
obligations
arebusiness
group
reporting
been they health
contract? which
unique XXXXX it
maintaine
for
XXXXX
ation at is
integrity, least it
are
maintaine
for
XXXXX
ation at is
integrity, least XXXXX
staff,
physical
protected
requires
associate
by Has
plan?
Q: If
employees,
specifications,
your your
individual?
mechanism
and
theagainst
contracttechnical
removal and
organization
organization's
for
include
explicitly
reporting
workforce
unauthorizedrisks?
the
or by termination
reporting
determined
MOU make
security cannot
access?
reference,
the
the be periodicall
d
six
and in
maintaine a
(6) d
six
and a are
periodicall
in(6)
maintaine
Required Q: communicated
members?
Does
requirement?
problem
in information your
to Office to your
organization
for
acquisition Civilsystem(s)
have
Rights
contracts users?
group
trained
(OCR)based if XXXXX available
XXXXX
ymanner
reviews available
XXXXX XXXXX
what
Q: Does
attempt
incidents
Q: Are
Has
health are
terminated,
Has/does your
plantothe
your
byobtain most
organization
are
ayour other
business
organization's
organization
documents appropriate
organizationenforcement
satisfactory only
associate?
that current
determined share
use
assurances,
include audit, if
plan years
availability
d
to inthose from ymanner d
to
reviews
years
availability
inthose from
staff
contract
on
Q: the
Doesthat
monitoring monitor
termination
assessment
your transmissions?
organization
tools for of isrisk
your not and possible?
have in policies PO1 and
consistent and
consistent
Standard summary
mechanisms
outside
and the third
logging,
the user
sponsor health
reasons
and
identifierin
party
access
requirements? information
place
that should that organization,
vendor
they
control are
cannot
be or
support
techniques disclose
reasonablebeto
self-selected the
of
written
who date
ePHI?need the
of
written
who date
ePHI?
need Standard
accordance with applicable laws, updates
with other updates
with other
Standard andsuch
whether
and
Q: procedures
obtained
and
or
Q: as
methods
randomly
Does
regulations,
third
an
appropriate?
implement
Does your party for
individual
yourorganization
documented?sufficient
generated?
yourphysicalorganization
and related
administrative
tools,
organization's is toa freeware,
participant
have
Isaddress
it different
amend
guidance a thefor
your or XXXXX when
manuals
XXXXX
it to it or when
manuals
XXXXX
it to it or XXXXX
safeguards,
operating-system
enrolled/unenrolled
authentication
documentation methods?
policy safeguards,
provided,
toand the or home
health
procedures? and plan (when
business
was
in (when
business
was
in
integrity
different
plan
lemented to comply withtechnical
XXXXX documents
documents: of
types ePHI?
safeguards? of to data?incorporate
2) security- related provisions PO2 perform
needed)
records? perform
its needed)
records? its Standard
grown?
sponsor?
Q:
thatHas
If
Can your your
require organization
organization's
aorganization
health plan implemented
documented
current
trace
sponsor all to all
system created
electronic
the or created
electronic
the or
required by this sub documentation
Q: Does
XXXXX
the selected
security
techniques
activity,
implement your
policies
viewing, and
requirements?
organization's
authentication
and
methods
modifying,
administrative, procedures? are
haveevaluation
methods
not the
deleting
physical
in place
and into
and PO3 policies,
last
form? in
responsibil
policies,
last
form? in
responsibil Standard
Q: Does
reasonable
include
your your and
determination
organization's organization
appropriate
systems, of include
what policeschanges
networks, and procedures
effect, procedures
effect,
Q: Has
sufficient,
creating
Does youryour
of what organization
ePHI, additional
organization
to a specific documented
techniques
have user? a data and XXXXX ities
XXXXX ities
XXXXX
technical
following
procedures
and upgrades
safeguards
requirements
thatto comply
your
to protect
and/or
with
monitoring the the ePHI.
tools ,whichever
and other ,whichever and other XXXXX
applications,
your
methods
Q:
Also,
Q: Has
decisions
retention
Does
standardsdoes
specifications,
your can
your
policy
the
and
and
youplan tools?
concerning
apply
organization
and
explicitly
organization
implementation to
procedure(s)
sponsor or the
check
record
by
aligned
security
create,
reference, that is PO4
ePHI
each
HIPAA associated
security associated
security
reasonable
Required management,
Q:
timeHas
integrity,
consider
receive,ePHI your allisand
such
maintain HIPAAas
viewed, appropriate?
organization
operational,
quality
orretention
modified,
transmit completed
and
control technical
process,
ondeletedyour user or is
withlonger?their is withlonger?their Required
in information
documentation
specifications ofacquisition
retention
the HIPAA contracts
requirements
Security based
Rule? program program
Required Q: and
Q: Does
Hassupport
controls
transaction
requirements?
created
behalf?
on the
youryour
to
in an andorganization
staff
organization
mitigate
audit training?
output your
tool have
communicated
identified
reconstruction?
to support a process
risks?
audit PO5 role?
document document Required role?
with
Q:
and
with
Q:
and
Q:
Does
Does
Can allassessment
all
other
Does
other
your
communication
staff
your
your
yourbusiness
dataneed
organizations
that
organization
organization
organization's
organization
ofplan risk
retention
functions?access and
toupdate
provide
haveplan
inyour
polices?
security
tellto a your
your
version
staff,
PO6
accordance
Required policies
employees,
security and with
procedures
and
documentation applicable
workforce take
where laws,
into
members it isprocess ation? ation? Required
additional
document
control
regulations, for training
and
yourand ensure to decrease
procedure(s)
related following
adequate
guidance and instances
consideration:
about
found?
breaches, your 1) your
organization's
security incidents,organization's
decisions
new re size,
attributable
separation
for theand verification todevelopmental
between human the errors?
group health ofplan
documents:3)
complexity
audit
Q:
and Does
acquisitions,
the your
plan
and
review the ofof
organization's
change
sponsor,
the
services
their
inand
timeliness
use
technology
including
you and
of
education, provide.
ePHI? and
sponsor's
your
Q: security
evaluation-related
2) your
Hassimilar organization's
your policies
organization assurancetechnical procedures?
named ainclude person,
training
other
employees, andclasses awareness
times?of employees, activities or
requirements?
infrastructure,
role orpersons
office hardware and software
the
Q: Does
other your as
availability ofthe your
organization
who responsible
will security
be have
given party
an
access forto
capabilities,
your overall
documentation?
individual or 3)
audit theprocess
office cost
that of your
and
maintains its results?
and is
the ePHI?
organization's security measures, 4) the
Q:
Q: Has
Does
responsible
Q: Do your youryour organization
fororganization
your HIPAA
organization's determined
have
planSecurity a process
documents the
potential
period
in place when
documentation? to risks
solicit to day-to-day
audits input will be
from operation
performed?
the staff,
include
including provisions
which to require
functions, and plan tools are
Q: Has your
employees,
sponsor's organization
and
agents, workforce
including determined
impacted, the
into
critical
type
your of to
updatesauditoperations?
trail
of data
your it
security will need,
policies and and
subcontractors,
Q: Does your organization to whom it provides
have ePHI
the
agreesmonitoring
procedures? to implement procedures all to deriveand
reasonable
procedures
exception for periodic
reports, otherrevaluationreports? of
appropriate
your security security
polices measures and determined
procedures, to protect and
Q:
the Has
ePHI? your organization how
update
your them when
exception reports necessary?
and logs will be
Q:
Q: Do
Does your your organization's
organizationplan change documentssecurity
reviewed?
include provisions to require plan sponsor
policies
Q: Where and will procedures
your organization at any file
to report to the
appropriate time, groupand documenthealth planthe ayand
maintain
security your
incident monitoring
of which reports?
it becomes
changes
Q: Does your and implementation?
organization have a formal
aware?
documented process in place to address
DID DOMAIN SRATK_ID CID TYPE
164.312 Technical Safeguards T1 §164.312(a)(1) Standard
164.312 Technical Safeguards T2 §164.312(a)(1) Standard
164.312 Technical Safeguards T3 §164.312(a)(1) Standard
164.312 Technical Safeguards T4 §164.312(a)(1) Standard
164.312 Technical Safeguards T5 §164.312(a)(2)(i) Required
164.312 Technical Safeguards T6 §164.312(a)(2)(i) Required
164.312 Technical Safeguards T7 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T8 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T9 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T10 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T11 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T12 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T13 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T14 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T15 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T16 §164.312(a)(2)(ii) Required
164.312 Technical Safeguards T17 §164.312(a)(2)(iii) Addressable
164.312 Technical Safeguards T18 §164.312(a)(2)(iii) Addressable
164.312 Technical Safeguards T19 §164.312(a)(2)(iii) Addressable
164.312 Technical Safeguards T20 §164.312(a)(2)(iv) Addressable
164.312 Technical Safeguards T21 §164.312(a)(2)(iv) Addressable
164.312 Technical Safeguards T22 §164.312(a)(2)(iv) Addressable
164.312 Technical Safeguards T23 §164.312(b) Standard
164.312 Technical Safeguards T24 §164.312(b) Standard
164.312 Technical Safeguards T25 §164.312(b) Standard
164.312 Technical Safeguards T26 §164.312(b) Standard
164.312 Technical Safeguards T27 §164.312(b) Standard
164.312 Technical Safeguards T28 §164.312(b) Standard
164.312 Technical Safeguards T29 §164.312(b) Standard
164.312 Technical Safeguards T30 §164.312(b) Standard
164.312 Technical Safeguards T31 §164.312(b) Standard
164.312 Technical Safeguards T32 §164.312(c)(1) Standard
164.312 Technical Safeguards T33 §164.312(c)(2) Addressable
164.312 Technical Safeguards T34 §164.312(d) Required
164.312 Technical Safeguards T35 §164.312(d) Required
164.312 Technical Safeguards T36 §164.312(d) Required
164.312 Technical Safeguards T37 §164.312(d) Required
164.312 Technical Safeguards T38 §164.312(e)(1) Standard
164.312 Technical Safeguards T39 §164.312(e)(1) Standard
164.312 Technical Safeguards T40 §164.312(e)(2)(i) Addressable
164.312 Technical Safeguards T41 §164.312(e)(2)(i) Addressable
164.312 Technical Safeguards T42 §164.312(e)(2)(i) Addressable
164.312 Technical Safeguards T44 §164.312(e)(2)(ii) Addressable
164.312 Technical Safeguards T45 §164.312(e)(2)(ii) Addressable
164.310 Physical Safeguards PH1 §164.310(a)(1) Standard
164.310 Physical Safeguards PH2 §164.310(a)(1) Standard
164.310 Physical Safeguards PH3 §164.310(a)(1) Standard
164.310 Physical Safeguards PH4 §164.310(a)(1) Standard
164.310 Physical Safeguards PH5 §164.310(a)(2)(i) Addressable
164.310 Physical Safeguards PH6 §164.310(a)(2)(i) Addressable
164.310 Physical Safeguards PH7 §164.310(a)(2)(i) Addressable
164.310 Physical Safeguards PH8 §164.310(a)(2)(ii) Addressable
164.310 Physical Safeguards PH9 §164.310(a)(2)(ii) Addressable
164.310 Physical Safeguards PH10 §164.310(a)(2)(ii) Addressable
164.310 Physical Safeguards PH11 §164.310(a)(2)(ii) Addressable
164.310 Physical Safeguards PH12 §164.310(a)(2)(iii) Addressable
164.310 Physical Safeguards PH13 §164.310(a)(2)(iii) Addressable
164.310 Physical Safeguards PH14 §164.310(a)(2)(iii) Addressable
164.310 Physical Safeguards PH15 §164.310(a)(2)(iii) Addressable
164.310 Physical Safeguards PH16 §164.310(a)(2)(iii) Addressable
164.310 Physical Safeguards PH17 §164.310(a)(2)(iv) Addressable
164.310 Physical Safeguards PH18 §164.310(a)(2)(iv) Addressable
164.310 Physical Safeguards PH19 §164.310(b) Standard
164.310 Physical Safeguards PH20 §164.310(b) Standard
164.310 Physical Safeguards PH21 §164.310(b) Standard
164.310 Physical Safeguards PH22 §164.310(c) Standard
164.310 Physical Safeguards PH23 §164.310(c) Standard
164.310 Physical Safeguards PH24 §164.310(c) Standard
164.310 Physical Safeguards PH25 §164.310(c) Standard
164.310 Physical Safeguards PH26 §164.310(c) Standard
164.310 Physical Safeguards PH27 §164.310(c) Standard
164.310 Physical Safeguards PH28 §164.310(c) Standard
164.310 Physical Safeguards PH29 §164.310(c) Standard
164.310 Physical Safeguards PH30 §164.310(d)(1) Standard
164.310 Physical Safeguards PH31 §164.310(d)(1) Standard
164.310 Physical Safeguards PH32 §164.310(d)(1) Standard
164.310 Physical Safeguards PH33 §164.310(d)(1) Standard
164.310 Physical Safeguards PH34 §164.310(d)(2)(i) Required
164.310 Physical Safeguards PH35 §164.310(d)(2)(ii) Required
164.310 Physical Safeguards PH36 §164.310(d)(2)(iii) Addressable
164.310 Physical Safeguards PH37 §164.310(d)(2)(iii) Addressable
164.310 Physical Safeguards PH38 §164.310(d)(2)(iv) Addressable
164.308 Administrative Safeguards A1 §164.308(a)(1)(i) Standard
164.308 Administrative Safeguards A2 §164.308(a)(1)(i) Standard
164.308 Administrative Safeguards A3 §164.308(a)(1)(ii)(A) Required
164.308 Administrative Safeguards A4 §164.308(a)(1)(ii)(A) Required
164.308 Administrative Safeguards A5 §164.308(a)(1)(ii)(B) Required
164.308 Administrative Safeguards A6 §164.308(a)(1)(ii)(B) Required
164.308 Administrative Safeguards A7 §164.308(a)(1)(ii)(B) Required
164.308 Administrative Safeguards A8 §164.308(a)(1)(ii)(B) Required
164.308 Administrative Safeguards A9 §164.308(a)(1)(ii)(C) Required
164.308 Administrative Safeguards A10 §164.308(a)(1)(ii)(C) Required
164.308 Administrative Safeguards A11 §164.308(a)(1)(ii)(D) Required
164.308 Administrative Safeguards A12 §164.308(a)(1)(ii)(D) Required
164.308 Administrative Safeguards A13 §164.308(a)(2) Required
164.308 Administrative Safeguards A14 §164.308(a)(2) Required
164.308 Administrative Safeguards A15 §164.308(a)(2) Required
164.308 Administrative Safeguards A16 §164.308(a)(2) Required
164.308 Administrative Safeguards A17 §164.308(a)(3)(i) Required
164.308 Administrative Safeguards A18 §164.308(a)(3)(i) Required
164.308 Administrative Safeguards A19 §164.308(a)(3)(i) Required
164.308 Administrative Safeguards A20 §164.308(a)(3)(i) Required
164.308 Administrative Safeguards A21 §164.308(a)(3)(i) Required
164.308 Administrative Safeguards A22 §164.308(a)(3)(ii)(A) Addressable
164.308 Administrative Safeguards A23 §164.308(a)(3)(ii)(A) Addressable
164.308 Administrative Safeguards A24 §164.308(a)(3)(ii)(A) Addressable
164.308 Administrative Safeguards A25 §164.308(a)(3)(ii)(A) Addressable
164.308 Administrative Safeguards A26 §164.308(a)(3)(ii)(B) Addressable
164.308 Administrative Safeguards A27 §164.308(a)(3)(ii)(B) Addressable
164.308 Administrative Safeguards A28 §164.308(a)(3)(ii)(C) Addressable
164.308 Administrative Safeguards A29 §164.308(a)(3)(ii)(C) Addressable
164.308 Administrative Safeguards A30 §164.308(a)(4)(i) Standard
164.308 Administrative Safeguards A31 §164.308(a)(4)(ii)(B) Required
164.308 Administrative Safeguards A32 §164.308(a)(4)(ii)(C) Addressable
164.308 Administrative Safeguards A33 §164.308(a)(4)(ii)(C) Addressable
164.308 Administrative Safeguards A34 §164.308(a)(5)(i) Standard
164.308 Administrative Safeguards A35 §164.308(a)(5)(i) Standard
164.308 Administrative Safeguards A36 §164.308(a)(5)(i) Standard
164.308 Administrative Safeguards A37 §164.308(a)(5)(i) Standard
164.308 Administrative Safeguards A38 §164.308(a)(5)(i) Standard
164.308 Administrative Safeguards A39 §164.308(a)(5)(ii)(A) Addressable
164.308 Administrative Safeguards A40 §164.308(a)(5)(ii)(B) Addressable
164.308 Administrative Safeguards A41 §164.308(a)(5)(ii)(B) Addressable
164.308 Administrative Safeguards A42 §164.308(a)(5)(ii)(C) Addressable
164.308 Administrative Safeguards A43 §164.308(a)(5)(ii)(D) Addressable
164.308 Administrative Safeguards A44 §164.308(a)(6)(i) Standard
164.308 Administrative Safeguards A45 §164.308(a)(6)(ii) Required
164.308 Administrative Safeguards A46 §164.308(a)(6)(ii) Required
164.308 Administrative Safeguards A47 §164.308(a)(6)(ii) Required
164.308 Administrative Safeguards A48 §164.308(a)(6)(ii) Required
164.308 Administrative Safeguards A49 §164.308(a)(7)(i) Standard
164.308 Administrative Safeguards A50 §164.308(a)(7)(i) Standard
164.308 Administrative Safeguards A51 §164.308(a)(7)(i) Standard
164.308 Administrative Safeguards A52 §164.308(a)(7)(ii)(A) Required
164.308 Administrative Safeguards A53 §164.308(a)(7)(ii)(B) Required
164.308 Administrative Safeguards A54 §164.308(a)(7)(ii)(C) Required
164.308 Administrative Safeguards A55 §164.308(a)(7)(ii)(D) Addressable
164.308 Administrative Safeguards A56 §164.308(a)(7)(ii)(E) Addressable
164.308 Administrative Safeguards A57 §164.308(a)(8) Standard
164.308 Administrative Safeguards A58 §164.308(a)(8) Standard
164.308 Administrative Safeguards A59 §164.308(a)(8) Standard
164.308 Administrative Safeguards A60 §164.308(b)(1) Standard
164.308 Administrative Safeguards A61 §164.308(b)(1) Standard
164.308 Administrative Safeguards A62 §164.308(b)(1) Standard
164.308 Administrative Safeguards A63 §164.308(b)(2) Required
164.308 Administrative Safeguards A64 §164.308(b)(3) Required
164.314 Organizational Requirements O1 §164.314(a)(1)(i) Standard
164.314 Organizational Requirements O2 §164.314(a)(2)(i) Required
164.314 Organizational Requirements O3 §164.314(a)(2)(iii) Required
164.316 Policies And Procedures And D PO1 §164.316(a) Standard
164.316 Policies And Procedures And D PO2 §164.316(b)(1)(i) Standard
164.316 Policies And Procedures And D PO3 §164.316(b)(1)(ii) Standard
164.316 Policies And Procedures And D PO4 §164.316(b)(2)(i) Required
164.316 Policies And Procedures And D PO5 §164.316(b)(2)(ii) Required
164.316 Policies And Procedures And D PO6 §164.316(b)(2)(iii) Required
HHS-ONC_SRATK
Does your practice have policies and procedures requiring safeguards to limit access
to
DoesePHI
yourto those
practice persons and software
have policies programs to
and procedures appropriate
grant access for to
their
ePHI role?
based on the
person or software programs appropriate for their role?
Does your practice analyze the activities performed by all of its workforce and service
providers
Does yourto identifyidentify
practice the extent to whichsettings
the security each needs
for eachaccess to information
of its ePHI? systems
and electronic devices that control access?
Does your practice have policies and procedures for the assignment of a unique
identifier
Does yourfor each authorized
practice require that user?
each user enter a unique user identifier prior to
obtaining access to ePHI?
Does your practice have policies and procedures to enable access to ePHI in the event
of
Doesan your
emergency?
practice define what constitutes an emergency and identify the various
types of emergencies
Does your practice have that are likely
policies andtoprocedures
occur? for creating an exact copy of ePHI as
aDoes
backup?
your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a
virtual storage,
Does your suchhave
practice as aback
cloudupenvironment?
information systems so that it can access ePHI in the
event
Does your practice have the capabilitypractice’s
of an emergency or when your to activate primary
emergencysystems become
access to itsunavailable?
information
systems in the event of a disaster?
Does your practice have policies and procedures to identify the role of the individual
accountable for activating
Does your practice designate emergency
a workforce access settings
member whowhencannecessary?
activate the emergency
access settings for your information systems?
Does your practice test access when evaluating its ability to continue accessing ePHI
and
Doesother
your health
practicerecords during
effectively an emergency?
recover from an emergency and resume normal
operations and access to ePHI?
Does your practice have policies and procedures that require an authorized user’s
session to be automatically
Does a responsible person inlogged-off
your practiceafterknow
a predetermined
the automatic period
logoffofsettings
inactivity?
for its
information systems and electronic devices?
Does your practice activate an automatic logoff that terminates an electronic session
after
Does ayour
predetermined
practice haveperiod policiesof user inactivity? for implementing mechanisms that
and procedures
can encrypt and decrypt ePHI?
Does your practice know the encryption capabilities of its information systems and
electronic
Does your devices?
practice control access to ePHI and other health information by using
encryption/decryption
Does your practice havemethods policies to anddeny access toidentifying
procedures unauthorized users?software, or
hardware,
procedural mechanisms
Does your practice identifythatitsrecord or examine
activities that create,information
store, and systems
transmit activities?
ePHI and the
information systems that support these business processes?
Does your practice categorize its activities and information systems that create,
transmit
Does yourorpractice
store ePHI useas thehigh, moderate
evaluation from or its
lowrisk
riskanalysis
based on its risk
to help analyses?the
determine
frequency and scope of its audits, when identifying
Does your practice have audit control mechanisms that can monitor, record the activities that will beand/or
tracked?
examine
Does yourinformation
practice have system activity?
policies and procedures for creating, retaining, and
distributing audit reports to appropriate
Does your practice generate the audit reports workforce membersthem
and distribute for review?
to the appropriate
people for review?
Does your practice have policies and procedures establishing retention requirements
for audit purposes?
Does your practice retain copies of its audit/access records?
Does
Does your
your practice
practice retain copies of
have policies anditsprocedures
audit/access forrecords?
protecting ePHI from
unauthorized modification or destruction?
Does your practice have mechanisms to corroborate that ePHI has not been altered,
modified
Does yourorpractice
destroyed haveinpolicies
an unauthorized
and proceduresmanner? for verification of a person or entity
seeking access to ePHI is the one claimed?
Does your practice know the authentication capabilities of its information systems
and
Doeselectronic
your practice devicesuse totheassure that afrom
evaluation uniquely identified
its risk analysisuser is thethe
to select oneappropriate
claimed?
authentication
Does your practice mechanism?
protect the confidentiality of the documentation containing access
control records
Does your practice (listhave
of authorized
policies and users and passwords)?
procedures for guarding against unauthorized
access
Do your practice implement safeguards, to assure thatnetwork?
of ePHI when it is transmitted on an electronic ePHI is not accessed while en-
route to itspractice
Does your intended recipient?
know what encryption capabilities are available to it for encrypting
ePHI
Does being transmitted
your practice take from
stepsone point to
to reduce theanother?
risk that ePHI can be intercepted or
modified when it is being sent electronically?
Does your practice implement encryption as the safeguard to assure that ePHI is not
compromised
Does your practice whenhave being transmitted
policies from one point
and procedures to another?
for encrypting ePHI when deemed
reasonable and appropriate?
When analyzing risk, does your practice consider the value of encryption for assuring
the integrity
Do you have of an ePHI is notof
inventory accessed or modified
the physical systems,when it is and
devices, stored or transmitted?
media in your office
space that are used to store or contain ePHI?
Do you have policies and procedures for the physical protection of your facilities and
equipment? This includes
Do you have policies controllingfor
and procedures thetheenvironment inside theoffacility.
physical protection your facilities and
equipment? This includes controlling the environment inside the facility.
Do you have physical protections in place to manage physical security risks, such as a)
locks
Do you onplan
doorsand and windowsphysical
coordinate and b) cameras in and
(facilities) nonpublic
technical areas to monitorsystems,
(information all
entrances
mobile and
devices, exits?
or workstations)
Have you developed policies and security-related
procedures thatactivitiesplan for your(suchworkforce
as testing)(and
beforeyour
doing such activities
information technology to reduce
servicethe impactoron
provider your practice
contracted assets and
information individuals?
technology
support)
If a disaster to gain accessdoes
happens, to your
yourfacility
practice and its ePHI
have during
another wayato disaster?
get into your facility or
offsite
Do you storage
have location
policies and to get your
procedures ePHI?
for the protection of keys, combinations,
Do you have policies and procedures governing when to re-key locks or changeand
similar physical access controls?
combinations when, for example, a key is lost, a combination is compromised, or a
workforce member is transferred or terminated?
Do you have a written facility security plan?
Do you have a Facility User Access List of workforce members, business associates,
Do
andyou takewho
others the are
steps necessarytotoaccess
authorized implement your facility
your facilities where security
ePHI and plan?related
information systems are located?
Do you periodically review and approve a Facility User Access List and authorization
privileges, removinghave
Does your practice fromprocedures
the AccesstoList personnel
control no longer
and validate requiringaccess
someone’s access? to your
facilities based on that person’s role or job duties?
Do you have procedures to create, maintain, and keep a log of who accesses your
facilities
Has (including
yourhavepractice visitors), when
determined whetherthe access occurred, and theisreason fortothe access?
Do you maintenance records that monitoring
include the equipment
history of physical needed changes,enforce
your facility
upgrades, andaccess control
other modificationspolicies and procedures?
Do you have a process to documentfor theyour facilities
repairs and the roomsmade
and modifications where toinformation
the
systems and ePHI are kept?
physical security features that protect the facility, administrative offices, and treatment areas?
Does your practice keep an inventory and a location record of all of its workstation devices?
Has your practice developed and implemented workstation use policies and procedures?
Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?
Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?
Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?
Have you put any of your practice's workstations in public areas?
Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?
Does your practice regularly review your workstations' locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?
Do you have physical protections in place to secure your workstations?
Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.
Do your policies and procedures for security set standards for workstations that are allowed to be used outside of your facility?
Does your practice have policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed?
Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?
Do you maintain records of the movement of electronic devices and media inside your facility?
Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?
Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?
Do you have procedures that describe how your practice should remove ePHI from its storage media/electronic devices before the media is re-used?
Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?
Do you maintain records of employees removing electronic devices and media from your facility that has or can be used to access ePHI?
Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed?
Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?
Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?
Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?
Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?
Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?
Does your practice assure that the risk management program prevents against the impermissible use and disclosure of ePHI?
Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?
Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization's ePHI if they are found to have violated the office's policies to prevent system misuse, abuse, and any harmful activities that involve your practice's ePHI?
Does your practice formally document a security plan?
Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?
Does your practice have policies and procedures for the review of information system activity?
Does your practice regularly review information system activity?
Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?
Is your practice's security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?
Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?
Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?
Does your practice list all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice's facilities, information systems, electronic devices, and ePHI?
Does your practice clearly define roles and responsibilities along logical lines and assures that no one person has too much authority for determining who can access your practice's facilities, information systems, and ePHI?
Does your practice define all business associates and the access that each requires for your practice's facilities, information systems, electronic devices, and ePHI?
Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?
Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?
Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?
Does your practice have policies and procedures for access authorization that support segregation of duties?
Does your practice implement procedures for authorizing users and changing authorization permissions?
Do your practice's policies and procedures for access authorization address the needs of those who are not members of its workforce?
Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?
Do your practice's policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?
Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?
Does your practice have formal policies and procedures to support when a workforce member's employment is terminated and/or a relationship with a business associate is terminated?
Do your practice's policies and procedures describe the methods it uses to limit access to its ePHI?
Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)?
Do the roles and responsibilities assigned to your practice's workforce members support and enforce segregation of duties?
Does your practice's policies and procedures explain how your practice assigns user access authorizations (privileges), including the access that are permitted?
Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?
Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?
Does your practice provide ongoing basic security awareness to all workforce members, including physicians?
Does your practice provide role-based training to all new workforce members?
Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?
As part of your practice's ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues?
Does your practice's awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?
Does your practice's awareness and training content include information about how malware can get into your systems?
Does your practice include log-in monitoring as part of its awareness and training programs?
Does your practice include password management as part of its awareness and training programs?
Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents?
Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?
Does your practice's incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic device and media, and information (such as ePHI)?
Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?
Does your practice implement the information system's security protection tools to protect against malware?
Does your practice know what critical services and ePHI it must have available to support decision making about a patient's treatment during an emergency?
Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?
Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?
Does your practice regularly review/update its contingency plan as appropriate?
Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?
Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation?
Does your practice have policies and procedures for testing its contingency plans on a periodic basis?
Does your practice implement procedures for identifying the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans?
Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice's ePHI?
Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?
Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?
Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?
If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?
Does your practice maintain a list of all of its service providers, indicating which has access to your practice's facilities, information systems and ePHI?
Does your practice have policies and implement procedures to assure it obtains business associate agreements?
Do the terms and conditions of your practice's business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice?
Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?
If your practice is the business associate of a covered entity do the terms and conditions of your practice's business associate agreements state that your subcontractor (business associate) will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the covered entity?
Does your practice assure that its business associate agreements include satisfactory assurances for safeguarding ePHI?
Do your practice's processes enable the development and maintenance of policies and procedures that implement risk analysis, informed risk-based decision making for security risk mitigation, and effective mitigation and monitoring that protects the privacy, confidentiality, integrity, and availability of ePHI?
Does your practice assure that its policies and procedures are maintained in a manner consistent with other business records?
Does your practice assure that its other security program documentation is maintained in written manuals or in electronic form?
Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?
Does your practice assure that its policies, procedures and other security program documentation are available to those who need it to perform the responsibilities associated with their role?
Does your practice assure that it periodically reviews and updates (when needed) its policies, procedures, and other security program documentation?
DID  DOMAIN  CID  CONTROL
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(1)(i)  Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(1)(ii)  Implementation specifications:
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(1)(ii)(B)  Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(1)(ii)(C)  Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(1)(ii)(D)  Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(2)  Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(3)(i)  Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(3)(ii)  Implementation specifications:
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(3)(A)  Authorization and/or supervision (ADDRESSABLE). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(3)(B)  Workforce clearance procedure (ADDRESSABLE). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(3)(C)  Termination procedures (ADDRESSABLE). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(4)(i)  Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(4)(ii)  Implementation specifications:
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(4)(ii)(A)  Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
164.308  ADMINISTRATIVE SAFEGUARDS  164.308(a)(4)(ii)(B)  Access authorization (ADDRESSABLE). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
workstation,
for example, or for
granting
access by
Implement access
the to
larger
policies protected
organization.
and procedures
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(B) other
authorization
mechanism.
164.308(a)(4)(ii)(B)
transaction,
through
health access (ADDRESSABLE).
program,
information, to Access
process,
aelectronic
workstation,
for example, or for
granting
Implement access
policies to and protected
procedures
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) other
authorization
mechanism.
164.308(a)(4)(ii)(C)
transaction,
through
health access (ADDRESSABLE).
program,
information, to Access
process,
aelectronic
workstation,
for example, or for
granting
Implement access
policies to and protected
procedures
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) establishment
other mechanism.
164.308(a)(4)(ii)(C)
transaction,
through
health access and
program,
information, to modification
Access
process,
aelectronic
workstation,
for example, or for
SAFEGUARDS granting access
(ADDRESSABLE).
establishment to
and Implement protected
policies
164.308 164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) other
through
health
and
mechanism.
164.308(a)(4)(ii)(C)
transaction,
access program,
information,
procedures to amodification
that,
Access
process,
workstation,
for example,
based upon
or
the
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) (ADDRESSABLE).
establishment
other mechanism.
164.308(a)(4)(ii)(C)
transaction, and
program,Implement
modification
Access
process, policies
or
through
entity's
and accessauthorization
access
procedures to a workstation,
that, based policies,
upon the
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) (ADDRESSABLE).
establishment
other mechanism.
164.308(a)(4)(ii)(C)
transaction, program,Implement
and modification
Access
process, policies
or
establish,
entity's
and document,
access
procedures that, review,
authorization
based and
policies,
upon the
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(4)(ii)(C) (ADDRESSABLE).
establishment
other mechanism.
164.308(a)(4)(ii)(C)
modify aaccess
user's and Implement
right modification
Access
of policies
accesspolicies,
to a
establish,
entity's
and document,
procedures that, review,
authorization
based and
upon the
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) (ADDRESSABLE).
establishment
workstation,
164.308(a)(5)(i)
modify aaccess
user's and Implement
modification
transaction,
Standard:
right of policies
program,
to a or
Security
access
establish,
entity's
and document,
procedures that, review,
authorization
based and
policies,
upon the
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) (ADDRESSABLE).
process.
awareness
workstation, and
164.308(a)(5)(i)
modify aaccess
user's Implement
training.
transaction,
Standard:
right of policies
Implement
program,
to a or
Security
access a
establish,
entity's
and document,
procedures that, review,
authorization
based and
policies,
upon the
SAFEGUARDS security
process.
awareness awareness
and and
training. training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) workstation,
modify
164.308(a)(5)(i)
a
establish,
entity's
program
user's transaction,
document,
access
for all
right
Standard:
of
authorization
members
access
review, and a
program,
Security
of
to a
policies,
its
or
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) security
process.
awareness
modify awareness
workstation, and
164.308(a)(5)(i)
a user's right and
training.
transaction,
Standard:
of training
Implement
program,
access to a or
Security a
establish,
workforce
program document,
for(including
all members review,
management).
of and
its
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) security
process.
awareness awareness
workstation, and
164.308(a)(5)(i)
modify a user's and
transaction,
training.
Standard:
right of training
Implement
program,
Security
access to a or
a
workforce
program
security
process. for(including
all
awareness members management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) workstation,
awareness and
164.308(a)(5)(i) transaction,
training.
Standard: Implement
program,
Security or
a
workforce
program
process.
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and
164.308(a)(5)(i) training.
Standard: Implement
Security a
workforce
program
security for(including
all members
awareness management).
and of its
training
SAFEGUARDS awareness and training. Implement a
workforce
security (including
programawareness
for all members management).
and of its
training
workforce
program for (including
all members management).
of its
workforce (including management).
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i) Standard: Security
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) awareness and training.
164.308(a)(5)(i) Standard: Implement
Security a
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(i) security
awarenessawareness
and training.
164.308(a)(5)(i) and training
Standard: Implement
Security a
SAFEGUARDS program
security
awareness forandall members
awareness of its
and training
training. Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(i) 164.308(a)(5)(i)
workforce Standard:
(including Security a
management).
SAFEGUARDS program
security
awareness forandall members
awareness and
training. of its
training
Implement a
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(ii) 164.308(a)(5)(ii)
workforce (includingImplementation
management).
SAFEGUARDS program
security for all members
awareness
specifications: and of its
training
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(ii)(A) 164.308(a)(5)(ii)(A)
workforce (including Security reminders
management).
SAFEGUARDS program for
(ADDRESSABLE). all members
Periodic of its
security
164.308 164.308 ADMINISTRATIVE 164.308(a)(5)(ii)(A) 164.308(a)(5)(ii)(A)
workforce (including Security reminders
management).
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(ii)(A) updates.
(ADDRESSABLE). Periodic
164.308(a)(5)(ii)(A) Security security
reminders
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(5)(ii)(B) updates.
(ADDRESSABLE). Periodic
164.308(a)(5)(ii)(B) security
Protection from
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(6)(i) updates.
malicious software
164.308(a)(6)(i) (ADDRESSABLE).
Standard: Security
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(6)(ii) Procedures for guarding
incident procedures.
164.308(a)(6)(ii) against,
Implement
Implementation
SAFEGUARDS detecting,
policies andand reporting
procedures
specification: Response malicious
to
and address
Reporting
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
software. Implementation
SAFEGUARDS security incidents.
(Required). Identify
specification: Response and respond
and Reporting to
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii) Implementation
SAFEGUARDS suspected
(Required). or known
Identify
specification: Response security
and respond incidents;
and Reporting to
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
mitigate, toorIdentify
the Implementation
extent practicable,
SAFEGUARDS suspected
(Required).
specification: known
Response security
and respond incidents;
andincidents to
Reporting
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
harmful
mitigate,effects Implementation
of
toorIdentify
the security
extent practicable,
SAFEGUARDS suspected
(Required).
specification: known
Response security
and respond incidents;
andincidents to
Reporting
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are known
harmful
mitigate,effects Implementation
to
of
toorIdentify
the the covered
security
extent practicable, entity;
SAFEGUARDS suspected
(Required).
specification:
and document known
Response
securitysecurity
and respond incidents;
andincidents to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are known
harmful
mitigate,effects Implementation
to
of
toorIdentify
the the covered
security
extent practicable, entity;
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) that
164.308(a)(6)(ii)
are
harmful
mitigate,known
effects to
Implementation
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their
and outcomes.
specification:
document known
Response
securitysecurity
and respond
incidents
and incidents;
to
Reporting
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their
and outcomes.
specification:
document known
Response
securitysecurity
and respond
incidents
and incidents;
to
Reporting
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
their
(Required).
outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
their
(Required).
outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) 164.308(a)(6)(ii)
that are
harmful
mitigate,known
effects Implementation
to
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(6)(ii) that
164.308(a)(6)(ii)
are
harmful
mitigate,known
effects to
Implementation
of
toorIdentify
the the
extent covered
security entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their outcomes.
specification:
and document known
Response
securitysecurity
and respond
and incidents;
to
Reporting
incidents and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) that
164.308(a)(7)(i)
are
harmful
mitigate,known
effects to
Standard:
of
toorIdentify
the the covered
security
extent Contingency
entity;
incidents
practicable,
SAFEGUARDS suspected
(Required).
their
and
plan. outcomes.
document
Establish known
(and
securitysecurity
and respond
implement
incidentsincidents;
asto
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
that are
harmful
mitigate,known
effects
toorthe Standard:
to
of the Contingency
covered
security
extent entity;
incidents
practicable,
SAFEGUARDS suspected
needed)
their
and
plan.document
Establish known
policies
outcomes. and
(and
securitysecurity
procedures
implement
incidentsincidents;
asfor
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
that are
harmful
mitigate,known
effects
to tothean Standard:
to
of the
extent Contingency
covered
security entity;
incidents
practicable,
SAFEGUARDS responding
their
needed)
plan.
and outcomes.
policies
Establish
document (andemergency
and procedures
implement
security incidentsor as
other
for
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
that are
harmful known
effects
occurrence (for Standard:
to
of the Contingency
covered
securityfire,
example, entity;
incidents
SAFEGUARDS responding
needed)
their
plan.
and to an
policies
outcomes.
Establish
document (andemergency
and procedures
implement
security incidentsor as
other
for
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
that are known
vandalism,
occurrence system
(for Standard:
to the Contingency
covered
failure,fire,
example, entity;
andornatural
SAFEGUARDS responding
needed)
their
plan.
and to an
policies
outcomes.
Establish
document (andemergency
and procedures
implement
security incidents other
asfor
and
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat Standard:
damages
system
(for Contingency
systems
failure,fire,
example, that
andornatural
SAFEGUARDS responding
needed)
their
plan. to an
policies
outcomes.
Establish
contain electronic(andemergency
and procedures
implement
protected other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat Standard:
damages
system
(for Contingency
systems
failure,fire,
example, that
andornatural
SAFEGUARDS responding
needed)
plan. to an
policies
information.
Establish
contain electronic(andemergency
and procedures
implement
protected other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
needed)
information.
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
needed)
information.
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
needed)
information.
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) disaster)
164.308(a)(7)(i)
vandalism,
occurrencethat damages
system
(for Standard: systems
failure,
example, Contingency
and
fire, that
natural
SAFEGUARDS responding
needed)
information.
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) disaster)
164.308(a)(7)(i)
vandalism,
occurrencethat damages
system
(for Standard: systems
failure,
example, Contingency
and
fire, that
natural
SAFEGUARDS responding
needed)
information.
contain
plan. to
policies
Establish an
electronic(andemergency
and procedures
protected
implement or other
health
asfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
information.
needed)
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
information.
needed)
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
as
healthfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(i) 164.308(a)(7)(i)
disaster)
vandalism,
occurrencethat
system
(for Standard:
damages
example, Contingency
systems
failure, and
fire, that
natural
SAFEGUARDS responding
needed)
information.
plan. to
policies
Establish
contain an
electronic(andemergency
and procedures
implement
protected or other
asfor
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii) 164.308(a)(7)(ii)
disaster)
vandalism,
occurrence
responding
that
system
(for
to an
Implementation
damages failure,
example,
emergency andhealth
systems
fire, or
that
natural
other
SAFEGUARDS needed) policies
information.
specifications:
contain electronic and procedures
protected for
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(A)
disaster)
vandalism,
occurrence
responding
that damages
system
(for
to an failure,
example,
emergency andhealth
Datasystems
backup
fire, or
plan
that
natural
other
SAFEGUARDS information.
(Required).
contain Establish
electronic and
protected implement
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(A)
disaster)
vandalism,
occurrencethat damages
system
(for Data andhealth
backup
systems
failure,
example, fire, plan
that
natural
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(A) procedures
information.
(Required).
contain todamages
create
Establish
electronic
164.308(a)(7)(ii)(A)
disaster) that and
and
protected
Data maintain
implement
backup
systems healthplan
that
vandalism,
retrievable system
exact failure,
copies and natural
ofimplement
electronic
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(A) procedures
information.
(Required). todamages
create
Establish
contain electronic
164.308(a)(7)(ii)(A)
disaster) that and
and
protected
Data maintain
backup
systems healthplan
that
protected
retrievable
procedures health
information. exact
to createinformation.
copiesandofimplement
electronic
maintain
SAFEGUARDS (Required). Establish
contain electronic and
protected health
protected
retrievablehealth
procedures
information. exact
to createinformation.
copiesandofmaintain
electronic
protected health information.
retrievable exact copies of electronic
protected health information.
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(A) 164.308(a)(7)(ii)(A) Data backup plan
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(C) (Required). EstablishEmergency
164.308(a)(7)(ii)(C) and implementmode
164.308 SAFEGUARDS
164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(C) procedures
operation plan to create
164.308(a)(7)(ii)(C) and maintain
(Required).
Emergency Establish
mode
SAFEGUARDS retrievable
(and implement
operation exact
plan copies
as needed)
(Required). of electronic
Establish
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(C) 164.308(a)(7)(ii)(C)
protected health Emergency
information. mode
SAFEGUARDS procedures
(and implement
operation to enable
plan as continuation
needed)
(Required). Establish of
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(C) 164.308(a)(7)(ii)(C)
critical business Emergency
processes for mode
SAFEGUARDS procedures
(and implement
operation to
plan enable
as continuation
needed)
(Required). Establish of
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(C) 164.308(a)(7)(ii)(C)
protection
critical oftothe
business Emergency
security
processes of mode
forelectronic
SAFEGUARDS procedures
(and implement
operation plan enable
as continuation
needed)
(Required). Establish of
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(D) 164.308(a)(7)(ii)(D)
protected
protection
critical health
oftothe
business Testingof
information
security
processes and
for while
electronic
SAFEGUARDS procedures
(and implement
operating
revision procedures
in enable
as
emergency continuation
needed)
(ADDRESSABLE).
mode. of
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(D) 164.308(a)(7)(ii)(D)
protected
protection
critical health
ofto
business the Testing
information
security
processes ofand
for while
electronic
SAFEGUARDS procedures
Implement
revision
operating procedures
in enable
procedures
emergency continuation
for periodic
(ADDRESSABLE).
mode. of
164.308 164.308 ADMINISTRATIVE 164.308(a)(7)(ii)(D) 164.308(a)(7)(ii)(D)
protected
protection
critical health
of
business Testing
information
theprocesses
security ofand
for while
electronic
SAFEGUARDS testing
Implement
revision
operating and revision
procedures
procedures
protection of the security of electronic protected health information while operating in emergency mode.
164.308 164.308 ADMINISTRATIVE SAFEGUARDS 164.308(a)(7)(ii)(D) 164.308(a)(7)(ii)(D) Testing and revision procedures (ADDRESSABLE). Implement procedures for periodic testing and revision of contingency plans.
164.308 164.308 ADMINISTRATIVE SAFEGUARDS 164.308(a)(7)(ii)(E) 164.308(a)(7)(ii)(E) Applications and data criticality analysis (ADDRESSABLE). Assess the relative criticality of specific applications and data in support of other contingency plan components.
164.308 164.308 ADMINISTRATIVE SAFEGUARDS 164.308(a)(8) 164.308(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
164.308 164.308 ADMINISTRATIVE SAFEGUARDS 164.308(b)(1) 164.308(b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a), that the business associate will appropriately safeguard the information.
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(1) 164.310(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2) 164.310(a)(2) Implementation specifications:
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i)
163.310(a)(2)(i)
are
the housed,authorized
facility orwhile Contingency
access
ensuring
facilities is
that
in which allowed.
they
its electronic
operations information
(ADDRESSABLE). systems
Establish and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i) properly
163.310(a)(2)(i)
are housed,
the authorized
facility orwhile Contingency
access
ensuring
facilities is
that
in which allowed.
they
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i) (and implement
operations
163.310(a)(2)(i)
properly authorized as needed)
(ADDRESSABLE).
Contingency
access Establish
is allowed.
are housed,
procedures while
that allow ensuring that
facilityEstablish
access in
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i) (and implement
operations
163.310(a)(2)(i)
properly authorized as needed)
(ADDRESSABLE).
Contingency
access is data
allowed.
support
procedures
(and of restoration
implementthat allow
as of lost
facility
needed) access in
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i) operations (ADDRESSABLE).
163.310(a)(2)(i)
under the Contingency Establish
support
procedures
(and ofdisaster
restoration
implementthat recovery
allow
as of lostplan
facility
needed) data andin
access
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(i) operations
under the (ADDRESSABLE).
163.310(a)(2)(i)
emergency mode
disaster Contingency
operations
recovery Establish
plan
plan in
and
support
procedures
(and of restoration
implementthat allow
as of lost data
facilityEstablish
needed) access in
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) operations
the event of(ADDRESSABLE).
164.310(a)(2)(ii)
emergency
under the an
mode emergency.
Facility security
operations plan plan
in
support
procedures
(and ofdisaster
restoration
implementthat recovery
allow
as of lostplan
facility
needed) data and
access in
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) (ADDRESSABLE).
the event ofmode
164.310(a)(2)(ii) Implement
an emergency.
Facility policies
emergency
under
support the
procedures
and ofdisaster
restoration
proceduresthat allow
to ofsecurity
operations
recovery
facility
safeguard
plan
lostplandataplan
access
the
in
and in
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) (ADDRESSABLE).
the event ofmode
164.310(a)(2)(ii) Implement
an emergency.
Facility policies
emergency
under
support
facility
and
the
ofdisaster
and restoration
proceduresthe equipment
to ofsecurity
operations
recovery
safeguardlostplandataplan
plan
therein
the
in
and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) (ADDRESSABLE).
the event
emergency
under the of
164.310(a)(2)(ii)
mode
disaster Implement
an emergency.
Facility policies
security
operations
recovery planplan
plan in
and
from
facility
and unauthorized
andof
proceduresthe physical
equipment
to safeguard access,
therein
the
(ADDRESSABLE).
the event
emergency
tampering, an
mode Implement
emergency.
operations
and equipment
theft. policies
plan in
from
facility
and unauthorized
andofthe
procedures physicaltherein
to safeguard access,
the
the event
tampering, an emergency.
and equipment
theft.
from
facilityunauthorized
and the physicaltherein
access,
tampering,
from and theft.
unauthorized physical access,
tampering, and theft.
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) 164.310(a)(2)(ii) Facility security plan
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) (ADDRESSABLE). Facility
164.310(a)(2)(ii) Implement securitypolicies
plan
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(ii) and procedures to
(ADDRESSABLE).
164.310(a)(2)(ii) safeguard
Implement
Facility security theplan
policies
facility
and and the equipment
procedures
(ADDRESSABLE). to safeguard
Implement therein
theand
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iii) 163.310(a)(2)(iii)
from unauthorized Access control
physical access,
facility
and and
procedures
validation the equipment
procedures to safeguard therein
theand
(ADDRESSABLE).
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iii) 163.310(a)(2)(iii)
tampering,
from Access
and equipment
unauthorized theft. control
physical access,
facility
Implementand
validation the
procedures
procedures to therein
control
(ADDRESSABLE). and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iii) 163.310(a)(2)(iii)
tampering,
from and theft.
unauthorized Access control
physical access, and
validate
Implement
validation a person's
procedures
procedures accessto to facilities
control
(ADDRESSABLE). and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
tampering,
based androle
ona their Maintenance
theft. or function, records
validate
Implement
(ADDRESSABLE).person's
procedures access
Implement to to facilities
control
policies and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
including
based onavisitor
their Maintenance
control,
role and
or function, records
control of
validate
and person's
procedures
(ADDRESSABLE). to access
document
Implement to facilities
repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
access
including
based to software
on visitor
their Maintenance
programs
control,
role or and
function, for records
testing
control of
and
and modifications
procedures
(ADDRESSABLE).
and revision. to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
access
includingto software
components visitor
of a Maintenance
programs
control,
facility and
which for records
testing
control
are of
and modifications
procedures
(ADDRESSABLE).
and revision. to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
access
related to
componentsto software
security
of a Maintenance
programs
(for
facility example,
which for records
testing
are
and
and modifications
procedures
(ADDRESSABLE).
and revision. to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
hardware,
related
components walls,
to security
of ato Maintenance
doors,
(forthe
facility and
example,
which records
locks).
are
and
and modifications
procedures
(ADDRESSABLE). to
document
Implement physical repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
hardware,
related
componentsto walls,
security
of a Maintenance
doors,
(for
facility and
example,
which records
locks).
are
and
and modifications
procedures
(ADDRESSABLE). to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
hardware,
related
componentsto walls,
security
of a Maintenance
doors,
(for
facility and
example,
which records
locks).
are
and
and modifications
procedures
(ADDRESSABLE). to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(a)(2)(iv) 163.310(a)(2)(iv)
hardware,
related
componentsto walls,
security
of a Maintenance
doors,
(for
facility and
example,
which records
locks).
are
and
and modifications
procedures
(ADDRESSABLE). to to the physical
document
Implement repairs
policies
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) hardware,
164.310(b)
related
componentsto walls,
Standard:
security
of a doors,
(for Workstation
facility and
example,
whichlocks).
are use.
and
and modifications
procedures
Implement policies to to theprocedures
document
and physical repairs
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) hardware,
164.310(b)
related
components walls,
Standard:
to security doors,
of aproper Workstation
(forthe
facility and
example,
whichlocks).
aretouse.
and
that modifications
specifywalls,
Implement the
policies toand physical
functions
procedures be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
hardware,
related
components Standard:
to security doors,
of amanner Workstation
facility and
(for example,
whichlocks). use.
arethose
performed,
that specify
Implement the
the
policiesproper and in which
functions
procedures to be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
hardware,
related
functions to areStandard:
walls,
security doors,
tomanner
be (for Workstation
and
example,
performed, locks).and use.
the
performed,
that specify
Implement the
the
policiesproper and in which
functions
procedures those
to be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
hardware,
physical
functions Standard:
walls,
attributes
are doors,
tomanner
be of Workstation
the and locks).
surroundings
performed, and use.
the
performed,
that specify
Implement the
the
policiesproper and in which
functions
procedures those
to be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are beof
tomanner Workstation
the or classand
surroundings
performed, ofuse.
the
performed,
that specify
Implement
workstation the
the
policiesproper
that can and in which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) of
164.310(b)
a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
workstation
Implement the
the
health
policiesproper
that can in
information.
and
access which
functions
procedures those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
workstation
Implement the
the
health
policiesproper
that can in
information.
and
access which
functions
procedures those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
protected
that specify
Implement
workstation the
health
the
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
protected
that specify
Implement
workstation the
health
the
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(b) 164.310(b)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, ofuse.
and the
performed,
that specify
protected
Implement
workstation the
the
health
policiesproper
that can in
information.
and which
functions
procedures
access those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
of a specific
physical
functions Standard:
workstation
attributes
are tomanner
be of Workstation
the or class
surroundings
performed, of the
and
performed,
that specify
protected
security.
workstation the
the
health
Implement proper
that can in
information.
physical
access which
functions those
to
electronic be
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
of a specific
physical
functions Standard:
workstation
attributes
are of
toallmanner
be Workstation
the or class
surroundings
performed, of the
and
performed,
safeguards
protected
security.
workstation the
for
health
Implement
that can in
workstations
information.
physical
access which those
that
electronic
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
of a specific
physical
functions Standard:
workstation
attributes
are toallbe of Workstation
the or class
surroundings
performed, of the
and
access
security.electronic
safeguards
protected
workstation for
health
Implement
that protected
workstations
information.
can physical
access healththat
electronic
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
of a specific
physical Standard:
workstation
attributes
information, toall Workstation
of the
restrict or class
surroundings
access to of
access
security.electronic
safeguards
protected
workstation for
health
Implement
that protected
workstations
information.
can physical
access healththat
electronic
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
of a specific
authorized
information, Standard:
workstation
users.
toall
restrict Workstation
or
access class to of
access
security.electronic
safeguards
protected
workstation for
health
Implement
that protected
workstations
information.
can physical
access healththat
electronic
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) 164.310(c)
authorized
information, Standard:
users. Workstation
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c)
access
protected
security.
164.310(c) fortoall
electronic
safeguards health
Implement
restrict
Standard:
protectedaccess
workstations
information.
physical
Workstation
to
healththat
authorized
information,
access users.
electronicto restrict
protectedaccess to
health
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(c) safeguards
security.
164.310(c) for
Implement all
Standard: workstations
physical
Workstation that
authorized
information,
access users.
electronictoall
restrict
protectedaccess to
health
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(1) safeguards
security. for
Implement
164.310(d)(1) workstations
physical that
authorized
information,
access electronic
safeguards fortoStandard:
users. restrict
all protected
Deviceto
access
workstations health
and
that
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(1) media controls.
164.310(d)(1) Implement
Standard: policies
Device
authorized
information,
access
and
users.
electronic
procedures to restrict
protected
that access
govern toand
health
the
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(1) media controls.
164.310(d)(1) Implement
Standard: policies
Device
authorized
and andusers.
information,
receipt
procedures to restrict
removal that of access
hardware
govern the toand
and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(1) media controls.
164.310(d)(1)
authorized Implement
Standard:
users. policies
Device and
electronic
receipt
and and media
procedures removal thatof
that contain
hardware
govern the and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2) media controls.
164.310(d)(2)
electronic Implement
Implementation
protected health policies
electronic
receipt
and and media
procedures removal thatof
that contain
hardware
govern the and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(i) specifications:
164.310(d)(2)(i)
information intoDisposal
protected and out
health(Required).
of a facility,
electronic
receipt and media
removal thatof contain
hardware and
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(i) Implement
and
164.310(d)(2)(i)
information
electronic policies
the movementintoDisposal
protected and and
ofout procedures
these facility,to
of aitems
(Required).
electronic
address
within the
the media
final
facility. thathealth
contain
disposition of
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(i) Implement
and
164.310(d)(2)(i)
information
electronic policies
the movement andand
intoDisposal
protected out procedures
ofhealth
these facility,to
of aitems
(Required).
electronic
address
within
and thethe
Implement theprotected
final
facility.
policies
movement ofhealth
disposition
and offacility,to
procedures
these items
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(ii) information
164.310(d)(2)(ii)
information, into
and/or Media
and out
the re-use
of a
hardware or
electronic
address
within
(Required).
and theprotected
thethe final
facility.
Implement
movement ofhealth
disposition of
procedures
these items for
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(ii) 164.310(d)(2)(ii)
electronic
information, mediaand/or Media
on which
the re-use
it
hardwareis stored.
or
electronic
removal
within the
(Required). ofprotected
electronic
facility.
Implement health
protected
procedures health
for
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(ii) 164.310(d)(2)(ii)
electronic
information, mediaand/or Media
on which
the re-use
itmedia
hardwareis stored.
or
information
removal
(Required). from
of electronic
Implement electronic
protected
procedures health
for
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iii) 164.310(d)(2)(iii)
electronic
before the media Accountability
on
arewhich itavailable
is stored.
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iii)
information
removal of media
(ADDRESSABLE).
164.310(d)(2)(iii)
fromMaintain
electronic made
electronic
protected
Accountabilitya media
record health
of
for re-use.
before the media
information fromof are made available
electronic media
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iii) the movements
(ADDRESSABLE).
164.310(d)(2)(iii) hardware
Maintain
Accountabilitya and of
record
for re-use.
before themedia
electronic mediaofand are made
any available
person
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iv) the movements
(ADDRESSABLE).
164.310(d)(2)(iv) hardware
Maintain
Data backup and
a recordand of
for re-use.
responsible
electronic therefore.
media and any person
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iv) the movements
storage (ADDRESSABLE).
164.310(d)(2)(iv) of hardware
Data Create
backup and a
and
responsible
electronic
retrievable, therefore.
media
exact and
copyany persona
ofCreate
electronic
164.31 164.310 PHYSICAL SAFEGUARDS 164.310(d)(2)(iv) storage (ADDRESSABLE).
164.310(d)(2)(iv) Data backup and
responsible
protected
retrievable, therefore.
health
exact information,
copy ofAccess when
electronic
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) storage (ADDRESSABLE).
164.312(a)(1) Standard: Create a
needed,
protected
retrievable,before
health
exactmovement
information,
copy of of when
electronic
control.
equipment. Implement technical policies
needed,
protected
and before
healthmovement
procedures information,
for electronic of when
equipment.
needed, before movement
information systems that maintain of
equipment.protected health
electronic
information to allow access only to
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) 164.312(a)(1) Standard: Access
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) control. Implement
164.312(a)(1) Standard:technical
Access policies
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) and procedures
control. Implement
164.312(a)(1) for electronic
Standard:technical
Access policies
information
and procedures
control. systems
Implement that maintain
for electronic
technical policies
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) 164.312(a)(1)
electronic Standard:
protected Access
health
information
and procedures
control. systems
Implement that
for electronic
technicalmaintain
policies
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) 164.312(a)(1)
information
electronic toStandard:
allow that
protected Access
access
health only to
information
and procedures
control. systems
Implement for maintain
electronic
technical policies
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(1) those
164.312(a)(1)
persons
information
electronic toStandard:
or software
allow
protected Access
access
health programs
only to
information
and
that procedures
control.
have systems
Implement
been for
granted thataccess
technicalmaintain
electronic policies
rights
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i)
those persons
information
electronic to or Unique
software
allow
protected user
access
health programs
only to
information
and
as
that procedures
specified
identification
have systems
in
been for thataccess
164.308(a)(4).
(Required).
granted maintain
electronic
Assignrights
ato
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i)
those persons
information
electronic to or
protected Unique
software
allow user
access
health programs
only
information
as
unique
specified
name
identification systems
in and/or that
164.308(a)(4).
numbermaintain
for
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) that have been
164.312(a)(2)(i)
those persons
information
electronic
identifying to(Required).
granted
or
protected
and
Unique
software
allow
tracking access
health
Assign
access
user
programs
useronly ato
rights
identity.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) as
unique
specified
name
identification
that have in
been
164.312(a)(2)(i)
those persons and/or
164.308(a)(4).
(Required).
granted
or Unique number
software access
user for
Assign ato
rights
programs
information
identifying andto allow
tracking access
useronly
identity.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) unique
as name
specified
identification
that have been
164.312(a)(2)(i)
those persons and/or
in(Required).
orgranted
Unique number
164.308(a)(4).
software access
user for
Assign a
rights
programs
identifying
unique
as name
specified and
identification
that have tracking
and/or
in(Required).
been 164.308(a)(4).
granted user
number identity.
for
Assign
access a
rights
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique
as name
specified and
identification tracking
and/or
in(Required). user
number
164.308(a)(4). identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand(Required).
identification tracking
and/or user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(i) 164.312(a)(2)(i) Unique user
identifying
unique nameand tracking
and/or
identification (Required). user
number identity.
fora
Assign
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(ii) 164.312(a)(2)(ii) Emergency access
identifying
unique nameand tracking
and/or
procedure (Required). user
number identity.
Establishfor(and
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(ii) 164.312(a)(2)(ii) Emergency access
identifying
implement and
as tracking
needed)
procedure (Required). user identity.
procedures
Establish (and for
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(ii) 164.312(a)(2)(ii) Emergency access
obtaining
implement necessary
as needed)
procedure (Required). electronic
procedures
Establish (and for
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(ii) 164.312(a)(2)(ii)
protected health Emergency
information access
duringfor
obtaining
implement
procedure necessary
as needed)
(Required). electronic
procedures
Establish (and
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(ii) 164.312(a)(2)(ii)
an emergency.
protected health Emergency
information access
duringfor
obtaining
implement
procedure necessary
as needed)
(Required). electronic
procedures
Establish (and
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iii) 164.312(a)(2)(iii)
an emergency.
protected health Automatic
information logoff
duringfor
obtaining
implement necessary
(ADDRESSABLE).as needed) electronic
Implementprocedures
electronic
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iii) 164.312(a)(2)(iii)
an emergency.
protected health Automatic
information logoff
during
obtaining
procedures necessary
(ADDRESSABLE). electronic
that terminate
Implement anelectronic
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iii) 164.312(a)(2)(iii)
an emergency.
protected health Automatic
information logoff
during
electronic
procedures session
(ADDRESSABLE). after a anelectronic
that terminate
Implement
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iii) 164.312(a)(2)(iii)
an emergency.
predetermined Automatic
time of logoff
inactivity.
electronic
procedures session
(ADDRESSABLE). after a anelectronic
that terminate
Implement
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iii) 164.312(a)(2)(iii)
predetermined Automatic
time logoff
of inactivity.
electronic
procedures session
that after
terminate
(ADDRESSABLE). Implement a anelectronic
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(a)(2)(iv) 164.312(a)(2)(iv)
predetermined Encryption and
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b)
electronic
procedures
164.312(b) thattime
decryptionsession
(ADDRESSABLE).
Standard:
of inactivity.
after
terminate a an
Audit controls.
predetermined
electronic time of inactivity.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b) Implementsession
Implement
164.312(b) ahardware,
mechanism
Standard:
after a to encrypt
software, and/or
predetermined
and decrypt
procedural time
electronic
mechanisms ofAudit controls.
inactivity.
protected
thatcontrols.
record
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b) Implement Standard:
164.312(b) hardware,Audit software, and/or
health
and information.
examine
procedural activity insoftware,
mechanisms information
thatcontrols.
record
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b) Implement
164.312(b) hardware,
Standard: Audit and/or
systems
and thatmechanisms
examine
procedural contain
activity or use electronic
insoftware,
information
thatcontrols.
record
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b) Implement
164.312(b)
protected hardware,
Standard:
health Audit
information. and/or
systems
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(b) 164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(c)(1) 164.312(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(c)(2) 164.312(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (ADDRESSABLE). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(d) 164.312(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(e)(1) 164.312(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(e)(2) 164.312(e)(2) Implementation specifications:
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(e)(2)(i) 164.312(e)(2)(i) Integrity controls (ADDRESSABLE). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
164.312 164.312 TECHNICAL SAFEGUARDS 164.312(e)(2)(ii) 164.312(e)(2)(ii) Encryption (ADDRESSABLE). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
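The integrity rows above (164.312(c)(2) and 164.312(e)(2)(i)) ask for a mechanism that can corroborate that ePHI has not been altered in an unauthorized manner, but neither the rule nor the toolkit says how. The following is an added illustration, not text or code from the Security Rule, HHS, NIST or the toolkit: a keyed-hash (HMAC-SHA256) integrity tag over a constructed, fictional patient record, with a verifier that rejects both a silently edited record and a tag forged with an unkeyed hash. The key handling, record layout and field names are assumptions made for the example.

```python
"""Added example (not from 45 CFR 164.312 or the NIST HSR Toolkit):
keyed-hash integrity tagging of an ePHI record, the kind of electronic
mechanism 164.312(c)(2) and 164.312(e)(2)(i) call for."""
import hashlib
import hmac
import json
import secrets

# Assumption: in production the integrity key lives outside the data store
# (HSM/KMS) so that someone who can edit records cannot also re-tag them.
# Here it is generated in-process so the example runs offline.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Stable serialisation: the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record together with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed with this key.
    compare_digest keeps the comparison constant-time."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample record (fictional patient, assumption for the demo only).
SAMPLE = {"mrn": "000123", "name": "Test Patient", "dx": "J06.9", "allergy": "penicillin"}


def demo() -> tuple:
    """Exercise the three cases a practitioner cares about.

    Returns (untouched_ok, tampered_ok, forged_ok)."""
    sealed = seal(SAMPLE)
    untouched_ok = verify(sealed)

    # Improper alteration: a field is changed but the old tag is kept.
    tampered = {"record": dict(sealed["record"], allergy="none"), "tag": sealed["tag"]}

    # Forgery attempt: the attacker recomputes a plain SHA-256 over the edited
    # record. Without the key this cannot match the HMAC, which is exactly why
    # an unkeyed hash stored beside the data is not enough for (c)(2).
    forged = {
        "record": tampered["record"],
        "tag": hashlib.sha256(canonical(tampered["record"])).hexdigest(),
    }
    return untouched_ok, verify(tampered), verify(forged)


if __name__ == "__main__":
    print(demo())
```

The design point is the key: a checksum that anyone with write access to the record can recompute detects accidental corruption but not unauthorized alteration, which is what the "in an unauthorized manner" wording targets. For data in transit, the same tag, or a TLS MAC/AEAD, covers 164.312(e)(2)(i).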
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(1) 164.314(a)(1) Standard: Business associate contracts or other arrangements.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(1)(i) 164.314(a)(1)(i) The contract or other arrangement between the covered entity and its business associate required by 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(1)(ii) 164.314(a)(1)(ii) A covered entity is not in compliance with the standards in 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(1)(ii)(A) 164.314(a)(1)(ii)(A) Terminated the contract or arrangement, if feasible; or
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(1)(ii)(B) 164.314(a)(1)(ii)(B) If termination is not feasible, reported the problem to the Secretary.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(i)(A) 164.314(a)(2)(i)(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(i)(B) 164.314(a)(2)(i)(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(i)(C) 164.314(a)(2)(i)(C) Report to the covered entity any security incident of which it becomes aware.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(i)(D) 164.314(a)(2)(i)(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(ii) 164.314(a)(2)(ii) Other arrangements. (A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if:
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(ii)(1) 164.314(a)(2)(ii)(1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(ii)(2) 164.314(a)(2)(ii)(2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(ii)(B) 164.314(a)(2)(ii)(B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(a)(2)(ii)(C) 164.314(a)(2)(ii)(C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as authorized by paragraph (a)(2)(i)(D) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(b)(1) 164.314(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
164.314 164.314 ORGANIZATIONAL REQUIREMENTS 164.314(b)(2) 164.314(b)(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to implement safeguards.
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(a) 164.316(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in subsection 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(b)(1) 164.316(b)(1) Standard: Documentation.
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(b)(2) 164.316(b)(2) Implementation specifications:
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(b)(2)(i) 164.316(b)(2)(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(b)(2)(ii) 164.316(b)(2)(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
164.316 164.316 POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS 164.316(b)(2)(iii) 164.316(b)(2)(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
NIST_HIPAA_SECURITY_RULE_TOOLKIT
Q: Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
Q: Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance?
Q: Has your organization disseminated your Risk Assessment policies and procedures to the staff/offices with the associated roles and responsibilities?
Q: Has your organization disseminated its Risk Assessment procedures to the workforce?
Q: Has your organization defined the frequency of training, reviews, and updates of your Risk Assessment policy and procedures?
Q: Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
Q: Has your organization identified the types of information and the uses of that information, and has the sensitivity of each type of information been evaluated (see also FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
Q: Has your organization identified all information systems that house ePHI?
Q: Does your organization's inventory include all the hardware and software that are used to collect, store, process, or transmit ePHI, including Excel spreadsheets, Word tables, and other like data storage?
Q: Are all hardware and software for which your organization is responsible periodically inventoried, including Excel spreadsheets, Word tables, and other like data storage?
Q: Has your organization identified all hardware and software that maintains or transmits ePHI, including Excel spreadsheets, Word tables, and other similar data storage?
Q: Does your organization's inventory include removable media, remote access devices, and mobile devices?
Q: Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?
Q: Has your organization reviewed and included in your inventory all processes involving ePHI, including creating, receiving, maintaining, and transmitting it?
Q: Has your organization reviewed the risk analysis and the other implementation specifications for the security management process?
Q: Does your organization have any prior risk assessments, audit comments, security requirements, and/or security test results?
Q: What are your organization's current and planned controls? Do you have them formally documented?
Q: Has your organization assigned responsibility to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
Q: Does your organization have an analysis of current safeguards and their effectiveness relative to the identified risks?
Q: Are any of your organization's facilities located in a region prone to natural disasters, such as earthquakes, floods, or fires? Others?
Q: Does your organization have policies and procedures in place for security?
Q: Do your organization's current safeguards ensure the confidentiality, integrity, and availability of all ePHI?
Q: Do your organization's current safeguards protect against reasonably anticipated threats or hazards to the security and integrity of ePHI?
Q: Has your organization protected against all reasonably anticipated uses and disclosures of ePHI that are not permitted by the HIPAA Privacy Rule?
Q: Does your organization have a formal and documented system security plan?
Q: Will your organization's new security controls work with your organization's existing IT architecture?
Q: Does your organization have a formal and documented contingency plan?
Q: Does your organization have a communication plan or a process for communicating policies, procedures, and standards to the appropriate staff members and offices when appropriate?
Q: Does your organization review and update your policies and procedures as needed, and has it assured compliance with all policies and procedures by all your workforce?
Q: Has your organization developed a schedule for training all your staff and workforce on your Risk Management Program?
Q: Does your organization have in place a formal, documented process, plus policy and procedures, that address system misuse, abuse, and any fraudulent activities with your organization's ePHI?
Q: Has your organization made all your staff, employees, and workforce aware of your processes, policy, and procedures (concerning sanctions for inappropriate access to, use, disclosure, and transmission of ePHI)?
Q: Does your organization have a tiered structure of sanctions that takes into consideration the magnitude of harm, the individual whose ePHI is at risk, and the possible types of inappropriate disclosures?
Q: Does your organization have a process, procedure, or communication plan for how and when your managers, staff, employees, and workforce will be notified of suspected inappropriate activity?
Q: Does your organization have a formal, documented systems activity review process and procedures?
Q: Who, and which office/department, within your organization is responsible for the overall review of information systems activity?
Q: How often does your organization review your systems activity reviews/reports?
Q: How often does your organization analyze your systems activity? What are the results?
Q: Does your organization have exceptions to the review process that change the review period?
Q: Does your organization review exception reports and logs?
Q: What mechanisms or measures will your organization implement to assess the effectiveness of your review process?
Q: Does your organization file monitoring reports, electronic and/or paper, and how are these reports monitored?
Q: Does your organization have a sanction policy for staff, employee, or workforce violations?
Q: Does your organization have a complete security official job description that accurately reflects the security duties and responsibilities?
Q: Have all your organization's staff, employees, workforce, offices, and departments been notified of the name and office of the security official to contact with a security question or problem?
Q: Has your organization reviewed all the areas outlined in the security implementation specifications for this standard?
Q: Has your organization implemented policies and procedures to ensure that all staff, employees, and workforce members have appropriate, and only appropriate, access to ePHI, and to prevent those who do not have access from obtaining access to ePHI?
Q: Has your organization implemented procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed?
Q: Has your organization defined roles and responsibilities for all job functions, and assigned appropriate levels of security oversight, training, and access to each role?
Q: Does your organization have a listing in writing of who has access to ePHI and the business need for that access?
Q: Who has been granted permission to view, alter, retrieve, and store ePHI, at what times, under what circumstances, and for what purposes?
Q: Does your organization have written job descriptions that are correlated with appropriate levels of access?
Q: Does your organization have an established set of qualifications for each job description?
Q: Does your organization check a candidate's qualifications against a specific job description?
Q: Has your organization made a determination that each candidate for a specific position can perform the tasks for that position?
Q: Has your organization established chains of command and lines of authority for workforce security?
Q: Has your organization established a process for maintenance personnel authorization, and does it maintain a current list of authorized maintenance organizations and personnel?
Q: Has your organization made your staff aware of the identity and roles of their supervisors?
Q: Has your organization provided staff, employees, and workforce members with a copy of their job descriptions, and informed them of the access granted to them as well as the conditions under which this access can be used?
Q: Does your organization check an applicant's employment and educational references, if this is reasonable for such a job description?
Q: Does your organization do background checks, such as a Criminal Offender Record Information (CORI) check, if appropriate in the circumstances?
Q: Does your organization have a process and strategy that supports your organization's formal and documented procedures for obtaining the necessary and appropriate sign-offs within your organizational structure to both grant and terminate access to ePHI?
Q: Does your organization have a standard set of procedures that authorizes who is permitted to designate and grant access to ePHI?
Q: Does your organization have a procedure to recover access control devices, including computer keys and other electronic tools, identification badges, and access cards, from staff, employees, and workforce members when their employment ends?
Q: Does your organization have a process that will disable user IDs and passwords?
Q: Has your organization implemented policies and procedures to deactivate computer accounts and terminate access, and does it have separate termination procedures for voluntary termination (including retirement, promotion, transfer, and change of internal employment) versus involuntary termination (including termination for cause, reduction in force, involuntary transfer, and criminal or disciplinary actions)?
Q: Does your organization have a standard checklist of action items for completion when a staff, employee, or workforce member leaves your organization, such as the return of all access devices, the deactivation of logon accounts (including remote access), the return of any computers and other similar electronic tools such as a PDA or cell phone, and the delivery of any ePHI or data/information under the staff, employee, or workforce member's control?
Q: Has your organization reviewed the isolating healthcare clearinghouse functions implementation specifications?
Q: Does your organization have a component that functions as a healthcare clearinghouse?
Q: Has your organization a formal and documented finding that one part of your organization is a healthcare clearinghouse?
Q: Has your organization's clearinghouse developed and implemented policies and procedures that protect the clearinghouse ePHI from unauthorized access by the other parts of the larger organization?
Q: Does your organization's clearinghouse share hardware or software with the larger organization of which it is part?
Q: Does your organization's clearinghouse share staff or physical space with other staff from your larger organization?
Q: Has your organization established a separate network or subsystem for your organization's clearinghouse?
Q: Have your organization's clearinghouse staff, employees, and workforce been trained to safeguard ePHI from disclosure to your larger organization?
Q: Has your organization formally documented how access to ePHI will be granted to your staff, employees, and workforce members?
Q: Has your organization formally documented the basis for restricting access to ePHI?
Q: Has your organization formally documented your ePHI access control method? Does your organization use identity-based, role-based, biometric-based, proximity-based, or other means of access, or a combination of access methods?
Q: Do your organization's job descriptions accurately reflect assigned duties, responsibilities, and the enforcement of segregation of duties?
Q: Does your organization grant staff, employees, and workforce members remote direct access to ePHI?
Q: Has your organization determined if remote access to ePHI will be granted to third parties external to your organization, including business partners, other providers, health plans, patients and members (to their own ePHI), and others?
Q: Do your organization's IT systems have the capacity to set access controls?
Q: Does your organization use stronger access controls for sensitive data?
Q: Has your organization formally documented the standards you use to grant a staff, employee, or workforce member user's access to a workstation, laptop, transaction, program, process, and other tools and mechanisms?
Q: Does your organization have security access control policies and procedures? Are they updated regularly?
Q: Does your organization provide formal, written, and documented authorization from the appropriate manager before granting access to sensitive information?
Q: Are your organization's staff, employees', and workforce members' duties separated so that only the minimally necessary ePHI access, based on the specific job description, is made available upon request?
Q: Does your organization use authentication mechanisms to verify the identity of the user accessing the system?
Q: Does your organization's management regularly review the list of access authorizations, including remote access authorizations, to verify that the list is accurate and has not been inappropriately altered?
Q: Has your organization determined and documented your key security training needs?
Q: Does your organization interview staff when assessing your security training needs?
Q: Did your organization's security assessment include the security training needs for sensitive data and other similar information?
Q: Has your organization determined what awareness, training, and education programs are needed, and which programs will be required?
Q: Has your organization outlined training content and audience priorities?
Q: What gaps did your organization discover in conducting the training assessment; what needs to be added and updated?
Q: Does your organization's training strategy and plan include an outline of your organization's specific policies and procedures that require security awareness and training?
Q: Does your organization's training strategy and plan include the scope of the awareness and training program?
Q: Does your organization's training strategy and plan include the goals?
Q: Does your organization's training strategy and plan include the target audience(s)?
Q: Does your organization's training strategy and plan include the learning objectives?
Q: Does your organization's training strategy and plan include the deployment methods?
Q: Does your organization's training strategy and plan include evaluation of the training through designated measurement techniques?
Q: Does your organization's training strategy and plan include the frequency of training?
Q: Does your organization's training strategy and plan include consideration of compliance dates and the HITECH Act updates?
Q: Does your organization have a process or procedure in place to ensure that everyone in your organization receives security awareness training?
Q: Does your organization have a plan in place to address specific technical topics based on job descriptions and responsibilities?
Q: Does your organization train non-employees, such as contractors, interns, volunteers, and others?
Q: Has your organization selected topics to be included in your training content, materials, and methods?
Q: Does your organization incorporate new information from email advisories, daily news and web sites, periodicals, and other sources into your training content and materials when reasonable and appropriate?
Q: What and how many different types of media venues does your organization use for security awareness training, such as computer-based training, on-site training, electronic and paper publications, an internal web or server, or others? Name them.
Q: Has your organization given each staff, employee, and workforce member a copy of your policies and procedures, and do they know where to find them and whom to contact?
Q: Do your organization's staff, employees, and workforce members know the procedures in place to handle a security incident?
Q: Do your organization's staff, employees, and workforce members know and understand the consequences of their noncompliance with your organization's security policies and procedures?
Q: Do your organization's staff, employees, and workforce members know how to handle physical security and security issues with a laptop, PDA, tablet, smart phone, and/or other similar tools?
Q: Does your organization continuously research security issues and information security issues, and update your training content, materials, and evaluation with the new information?
Q: Has your organization scheduled and conducted the security training outlined in your security training strategy and plan?
Q: Does your organization have sanctions to impose on staff, employees, and workforce if they do not complete the training?
Q: Does your organization keep your security awareness and security training program current by updating it periodically? What is the review and update period?
Q: Does your organization conduct additional security training whenever changes occur in either technology or technology practices?
Q: How often has your organization done security training since the publication of the HIPAA Security Rule?
Q: Does your organization have a new hire security awareness and information systems training plan?
Q: Does your organization train non-employees, including contractors/vendors, interns, volunteers, and others?
Q: Has your organization reviewed the security reminder implementation specifications?
Q: Does your organization provide periodic security updates to your staff, employees, workforce, business associates, and contractors/vendors?
Q: What methods does your organization already have in place or use to keep your staff, employees, workforce, business associates, and contractors/vendors updated and aware of security in other ways?
Q: Does your organization provide security awareness training to all new hires before they are given access to ePHI?
Q: Has your organization trained your staff, employees, and workforce members in procedures for: guarding against, detecting, and reporting malicious software; monitoring log-in attempts and reporting discrepancies; and creating, changing, and safeguarding passwords?
Q: Has your organization implemented policies and procedures for any security incidents?
Q: Has your organization determined how it will respond to a security incident? Are there formal, documented policy and procedures?
Q: Has your organization documented incident response procedures that provide your organization with a single point of reference to guide the day-to-day operations of the incident response team?
Q: Has your organization incorporated into your staff, employee, and workforce members' jobs and job descriptions the roles and responsibilities related to incident response?
Q: Has your organization reviewed the incident response procedures with the staff, employees, and workforce members?
Q: Do your staff, employees, and workforce members know the importance of timely application of system patches to protect against malicious software and the exploitation of vulnerabilities?
Q: Does your organization monitor log-in attempts?
Q: Does your organization solicit suggestions and input on this monitoring?
Q: Has your organization analyzed these problems and created a mitigation plan for improvement, and made changes to reflect that it is working to decrease risks and vulnerabilities?
Q: Does your organization have a process or procedure for reporting and handling security incidents that is reasonable and appropriate?
Q: Has your organization prioritized your key functions to determine what would need to be restored first in the event of a disruption?
Q: Does your organization update the incident response procedures when your organizational needs change?
Q: Has your organization told your staff, employees, and workforce members how and where to report a security incident?
Q: Has your organization developed standard incident reporting templates to ensure that all necessary information related to an incident is documented and investigated?
Q: If you have determined that your organization does not need a standing incident response team, what response mechanism are you using?
Q: Has your organization determined what information and data will be disclosed to the media?
Q: Does your organization have an identified list of both internal and external persons, and their contact information, who should be informed when a security incident has occurred?
Q: Does your organization have mitigation options for security incidents?
Q: Do your organization's staff, employees, and workforce members know where and to whom to report log-in discrepancies?
Q: Has your organization named an individual, or several individuals, to speak for your organization to the media, law enforcement, clients, business partners, and others?
Q: Do your organization's staff, employees, and workforce members understand their roles and responsibilities in selecting a password of appropriate strength, changing the password periodically as required, and safeguarding their password?
Q: Does your organization review your current procedures to determine if they were adequate and appropriate to respond to this particular security incident, and make updates and changes as necessary?
Q: Does your organization's incident response team or individual keep documentation of security incidents and their outcomes, including the weaknesses exploited and how access was gained?
Q: Does your organization employ malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means?
Q: Has your organization defined your overall contingency objectives? Do they include a listing of all areas that use ePHI?
Q: Has your organization established your organization's contingency plan framework, policy, and roles and responsibilities?
Q: Do your organization's contingency policy and plan address scope, resource requirements, training, testing, plan maintenance, and backup requirements?
Q: Do your organization's policy and plan outline what critical services must be provided within specific timeframes?
Q: Do your organization's policy and plan identify and outline cross-functional dependencies to determine how a failure in one system impacts other system(s)?
Q: Has your organization outlined scenarios and identified preventive measures (measures you can take now) for each scenario that could result in the loss of a critical service involving the use of ePHI?
Q: Has your organization brainstormed and outlined alternatives for continuing operations if you lose a critical function or a critical resource? Remember there are physical res
ources like offices, desks, copiers, and paper, electronic resources, and the environment.
Q: Have you researched the cost of the preventive measures being considered? Are the preventive measures being considered affordable and practical for your organization?
Q: Does your organization have an emergency coordinator who manages, maintains, and updates the contingency plan?
Q: Does your organization have an emergency call list? Has it been distributed to all staff, employees, and workforce members?
Q: Does your organization have a determination of when your contingency plan needs to be activated? Is it triggered by the anticipated duration of outage, loss of capability, or impact on service delivery? Other?
Q: Do your organization's staff, employees, and workforce members know who this individual is and how to contact the coordinator?
Q: Does your organization have plans, procedures, and agreements initiated and in place if the preventive measures need to be implemented?
Q: Has your organization finalized a set of contingency procedures that can be invoked for all identical impacts, including documented procedures related to recovery from emergency or disastrous events?
Q: Has your organization reviewed the data backup plan, disaster recovery plan, and emergency mode of operation implementation specifications?
Q: Does your organization's contingency plan address disaster recovery and backup?
Q: Has your organization established and implemented procedures to create and maintain retrievable exact copies of ePHI?
Q: Has your organization established and implemented procedures to restore any loss of ePHI?
Q: Has your organization documented all your data backup procedures and made them available to all your staff, employees, and workforce members?
Q: Does your organization have individuals/offices named and responsibilities assigned, when needed, to conduct backup activities?
Q: Has your organization established and implemented procedures to enable continuation of critical business processes for the security of ePHI while your organization is operating in emergency mode?
Q: Has your organization identified your key activities and developed procedures to continue these key activities that use ePHI during an emergency?
Q: Has your organization identified critical functions, and also identified the staff/employees, facilities, or systems needed to perform these critical functions during the emergency?
Q: During the emergency, can your organization assure the security of the ePHI in the alternative mode(s) of operation?
Q: Has your organization established and implemented, as needed, periodic testing procedures and procedures for the revision of your organization's contingency plan?
Q: Has your organization tested its contingency plan on a predefined cycle?
Q: Has your organization trained your staff/employees with defined plan responsibilities in their roles?
Q: Does your organization include external entities, including vendors, alternative site, and service providers, in your testing exercises?
Q: Has your organization determined how the plan will be tested? Will it be a table-top exercise or real operational testing? Based on the scenario?
Q: Does your organizational testing lend itself to phased testing, based on the assessment of business impact and the acceptability of sustained loss of service?
Q: Does your organization test during normal business hours? Or must testing take place during off hours?
Q: How frequently does your organization test its plan?
Q: Has your organization a timeline on when the contingency plan should be revised?
Q: Has your organization identified the critical services or operations, and the manual and automated processes that support them, involving ePHI?
Q: Has your organization determined what hardware, software, and personnel are critical to your organization's daily business operations?
Q: Has your organization determined the impact on desired service levels if these critical assets are not available?
Q: Has your organization outlined the nature and degree of impact on your operations if any of the critical resources are not available?
Q: Has your organization determined the amount of time your organization can tolerate disruption to these operations, materials, or services?
Q: Has your organization determined what, if any, support is or can be provided by external providers, including ISPs, utilities, or contractors?
Q: Has your organization established cost-effective strategies for recovering these critical services, resources, or processes?
Q: Does your organization have any existing reports or documentation that you had previously prepared or created by your organization addressing this information?
Q: Has your organization established a frequency for security evaluations, and disseminated this information to your entire organization?
Q: Do your organization's security policies specify the frequency of a security evaluation of the compliance, integration, or maturity of a safeguard(s)?
Q: Do your organization's security policies specify that security evaluations will be repeated when environmental or operational changes, such as technology updates, are made that affect the security of ePHI?
Q: Do your organization's security evaluation policies reflect any particular or many corporate, legal, and all federal regulatory laws, regulations, compliance, and guidance documents that impact ePHI?
Q: Has your organization considered the management, operational, and technical security safeguards deployed to protect ePHI that you can leverage for this evaluation?
Q: Has your organization performed a periodic technical and nontechnical evaluation, based upon the standards implemented, when environmental or operational changes affecting the security of ePHI occur?
Q: Do any of your organization's staff, employees, or workforce members participate in your evaluation and conduct your analysis?
Q: Has your organization decided if your evaluation will initially be conducted by your internal staff and resources, by external consultants, or by a combination of internal and external resources?
Q: Do your staff, employees, and workforce members have the technical experience to evaluate your systems?
Q: Do your staff, employees, and workforce members have the necessary training on security technical and non-technical issues?
Q: Has your organization outlined the necessary factors to be considered in selecting an outside vendor, including credentials and experience?
Q: Does your organization use a strategy and tool that considers all the elements of the HIPAA Security Rule, including all standards and implementation specifications?
Q: Do the elements of each of your organization's evaluation procedures, including questions, statements, and other components, address individual, measurable security safeguards of ePHI?
Q: Has your organization determined which security procedures must be tested in more than one system?
Q: Has your organization determined in advance what departments and staff, employees, and/or workforce members will participate in your security evaluation?
Q: Does your organization have senior management support for your security evaluation, or have they stated the need for everyone within your organization to participate in and support your security evaluation?
Q: Has your organization included staff, employees, and workforce members with IT knowledge in your security evaluation team?
Q: Has your organization collected and documented all information needed for your evaluation, and used interviews, surveys, and the output of automated tools, such as audit logging tools and the results of penetration testing?
Q: Has your organization conducted penetration testing during your security evaluation? Before your penetration testing, did your organization have management approval?
Q: Has your organization formally communicated your security evaluation process to your staff, employees, and workforce members who have assigned roles and responsibilities in your evaluation process?
Q: Does your organization use automated tools to collect data and otherwise support your organization's evaluation process and the development of security recommendations?
Q: Has your organization documented each security evaluation finding, outlined the mediation options and recommendations, and recorded the remediation decisions?
Q: Has your organization documented the known security gaps after your security evaluation between the known risks and the mitigating security controls, and any acceptance of risk, including your justification?
Q: Has your organization developed a security program with established priorities and targets for continuous security improvement?
Q: In determining the best way to display your evaluation results and circulate your organization's written final report to your organization's key staff, employees, and workforce members, has your organization highlighted the key findings and recommendations to be considered?
Q: Do you have a process and procedures in place to make sure that the document is available only to those designated to receive it?
Q: Does your organization have business associate contracts?
Q: Do your organization's business associate agreements (as written and executed) contain sufficient language to ensure that the required information types are protected, including the 2009, 2010, and 2011 HITECH Act updates and other such inclusions?
Q: Has your organization identified the individual or department who is responsible for coordinating the execution of your organization's business associate agreements and other contracts/agreements?
Q: Does your organization periodically review and reevaluate your list of business associates to determine who has access to ePHI, in order to assess whether your list is complete and current?
Q: Has your organization named the systems and functions covered by the business associate agreements?
Q: Are your organization's outsourced functions also covered by contracts/agreements?
Q: Are your organization's off-shore functions also covered by contracts/agreements?
Q: Has your organization executed new agreements and updated existing agreements or arrangements when necessary and appropriate?
Q: Do your organization's agreements and other arrangements include your business associate(s)' roles and responsibilities for ePHI?
Q: Do your organization's agreements and other arrangements include security requirements that address the confidentiality, integrity, and availability of ePHI?
Q: Do your organization's agreements and other arrangements meet all the HIPAA Security Rule requirements per the HITECH Act?
Q: Do your organization's agreements and other arrangements include appropriate training requirements, as necessary?
Q: Who/which office within your organization is responsible for coordinating and preparing the final agreement(s) or arrangement(s)?
Q: Do your organization's agreements and other arrangements specify how ePHI is to be transmitted to and from the business associate?
Q: Do your organization's agreements and other arrangements specify the necessary security controls?
Q: Does your organization conduct periodic security reviews on your business associates or covered entities?
Q: Has your organization established criteria for measuring contract performance?
Q: Does each of your organization's contracts or agreements include what service is being performed by the business associate?
Q: Does each of your organization's contracts or agreements include the expected outcome by the business associate?
Q: Does your organization have in place a process for reporting security incidents related to the agreement?
Q: Does your organization have in place a process to periodically evaluate the effectiveness of the business associate's security controls?
Q: Does your organization have a process in place for terminating the contract, and has the business associate been advised of all the conditions that would warrant a termination?
Q: If your organization's business associate is a federal, state, or local government entity, you may use a Memorandum of Understanding (MOU) to share ePHI. Does your MOU state all required safeguards for sharing ePHI?
Q: Does your organization know what laws and regulations govern the use of ePHI by the governmental business associate?
Q: Does your organization have facility access control policies and procedures already in place?
Q: Does your organization have policies and procedures regarding access to and use of your facilities and equipment?
Q: Has your organization developed, disseminated, and periodically reviewed/updated a formal, documented physical and environmental protection
Q: Does your organization have formal, documented procedures to facilitate the implementation of the physical and environmental protection
Q: Does your organization have an inventory of your facilities and have assigned degrees
Q: Has
policy your
thatthe organization
address the purposes, scope,
environmental
identified
of significance protection
vulnerabilities
to eachmanagement policy
in your
vulnerability and that
Q: Hasresponsibilities,
roles,
associated yourphysical
organization and determined
environmental
current
you
which have physical
types identified?
of security require
locations capabilities? access
commitment,
Q: Does
controls? your organization
coordination have
among locks and
controls
Q: Are allto
organizational
cameras safeguard
inyour
nonpublic
entities ePHI,
areas such
and functions,
organization's and as: these
are
workstationsData
and
centers,
reasonable
compliance?
protected Peripheral
from equipment
andorganization's
appropriate
public accesssecurityandcenters, IT
Q: Are
staff all your
offices, Workstation locations, and entrances
controls?
viewing?
and exits that andleadusualto locations
Q: Do
Others? normal physicalwith ePHI
secured?
protections
Q: Has your exist, such as identified
organization locks on doors and
and
Q: Haswindows?
assigned your responsibility
organization fordeveloped
the measures and
and
Q: activities
deployed
Does your necessary
policies to need
and procedures
organization correct totoupdate
deficiencies
ensure
your facility and ensure
that repairs,
access control that
upgrades proper
andyour
policies or
and
Q: Has
access your
is organization
allowed? trained
modifications
procedures?
staff, employees, are made to
and workforce your buildings
members
Q:
and Does
offices your organization's
while ensuring staff,
thatand only
in
Q: your
employees,
Howaccessfacility
doesand access
your controls
workforce
organization membersdocument need
proper
procedures? is allowed?
facility
your
Q: Has access
correction
your controls
measures
organization and procedures
decisions
developed and
and
refresher
actions?
kept a current training?
list of personnel
Q: Does your organization issuewith
authorized
authorization
Q: Does your access to the facility
credentials,
organization such as where
periodically badges,
the
reviewinformation
identification systems
cards, smart resides?
cards, listforandthe
Q: Doesand your approve
organizationthe access enforce
facility
physical where
authorization access the information
credentials,
authorization removingsystem
for all form
Q: Does your
resides? organization verify
the access
physical
individual list personnel
access
access points, no longer
including
authorization before
Q: Is another
requiring workforce
access? member other
designated
granting
than theyour entry/exit
access
security the points,
toofficialfacility? to the for
responsible
Q: Does
facility organization
where the information control entry to
your
the
Q: Doesorganization's
facility your containing facility
organization the andsystem
physical
information
periodically
resides?
security?
system
Q: Doesusing
inventory your physical
physical access
access
organization devices
devices?
periodically
and/or
change guards?
Q: Doescombinations
your organization and keys, control and when
physical
keys
access
Q: Doesaretoyour
lost, combinations
information
organization system compromised,
have distribution
a
or
andindividuals
transmission
contingency are lines,
transferred
operations including
plan? or locked
Q: Has
terminated? your organization determined who
wiring
needs closets,
access disconnected
to your facilities orandlockedoffices
Q: Who
spare is named
jacks, and in your
protection contingency
of cabling by
in the
plan
Q: Who asevent of aorganization
responsible
in your disaster?
for accessisto ePHI
conduit and cable trays?
during
Q: Will ayour
responsible disaster?
for implementing
organization the
contingency
contingency
plan
Q: Willbeyour plan forfor
appropriate
organization access to ePHI
allcontingency
types of in
each
potential
plan department,
disasters,
be appropriate unit,
such and
as
for all have other
fire, office
flood,
your facilities?
Q: Does
designation? your organization a backup
earthquake?
plan foryouraccess to the your facility and / or
Q: Has organization implemented
the
Q: ePHI?
measures
Does yourto provide
organization physical have protection
for
Q: the ePHI
documentation
Does yourinorganization's
your
of yourpossession?
facility inventory,
inventory
physical
identify
Q: Does pointsmaintenance
your of access
organization record,
tohave
yourthefacilities
history
of
andphysical
the changes,
existing upgrades,
security
procedures for security your facilities, controls and other
used in
modifications?
these areas?
including the exterior, the interior, and
your equipment?
Q: Is a workforce member of your
organization
Q: Does yourother than thehave
organization security
a facility
official
Q: Doesresponsible
security plan in
your place, for under
organization the periodically
facility
revision, plan? or
under
review
Q: development?
Doesyour yoursecurity
organization plan for have thepolicies
information
andDoes
Q: yoursystem?
procedures in place formonitor
organization controlling
and validating
physical
Q: Does your access access
to theto
organization your
information facilities
periodically systemby
staff,
to
review employees,
detect and
physical respondworkforce
access logs? to members,
physical security
Q: Has your
visitors, and organization
probationarydeveloped employees? and
incidents?
implemented polices anddeveloped, procedures to
Q: Has your organization
document
disseminated,
Q: Does your repairs andand modification
periodically
organization have formal, to the
physical
documented components
reviewed/updated procedures your of your
formal, facilities
tomaintain
facilitate the
Q: Does your
specifically organization
related
documented
implementation
records
Q: Has of repairs
your oftoto
information
organization your security?
hardware, systemwalls,
information
assigned
maintenance
system
doors, maintenance policy that policy addresses
and
Q: Doesand
responsibility
purpose,
associated your locks?
scope,
system
to roles,
an individual
organization controlor office
responsibilities,
maintenance all for
controls?
the
Q: maintenance
maintenance
Does your organization
management to
activities,
commitment, repair and
whether
require
coordinationthat
modification
performed
the
among designated onrecords?
organization site orentities,
official remotely
explicitly and and
approve
Q: Does your organization sanitize
whether
the removal
compliance?
equipment thetoof equipment allisinformation
the information
remove serviced system on site
or
Q:
or Does
removed your toorganization
another obtain
location? support
system
from
and/or components
associated media from prior your to removal
Q: Doesspare
organization'syour parts for you have
organization
facilities
organization's
frofacilities
off-site
from yourcritical
security-
workstation organization's
use information
policies and systems for off-
procedures?
Q: Has
maintenance
site your
maintenance? organization
orkeyrepairs? developed and
components
implemented or information
polices and procedures for
Q: Does
technology your organization
components have
with of an
in all
a types
proper
inventory
Q: Has useofand
your performance
workstation
organization types
included and all
designated
of workstations, time including
period of for failure?
locations
types
Q: Hasofyour within
computing yourdevices
organization organization?
namedinday-to-day
your an
operations?
inventory of workstations, such as this
individual
Q: Has your ororganization
office responsible developed for and
laptops,
inventory
implemented PDAs,
and tablets
its
policies (iPads),
maintenance?
and smart for
procedures
Q: Has
phones, yourand organization
others? classified your
each
Q: Has type
workstations
your oforganization
workstation
based on their device, including
capabilities,
identified key
accommodating
and defined
operational the their
tasks unique
commonly issues?
Q: Does yourrisks that couldhave
organization result in a
policies
performed
breach
andHas procedures on a that
of security givenfrom workstation
will all types of
prevent or type
Q:
of your
workstation? organization trained your
workstations,
unauthorized
staff, employees and
access trained
of your
unattended
or workforcedocument staff,
members in
Q: Does
employees, yourand organization:1)
workforce members onin
workstations,
the security
allowed methods limit
requirements
or the ability
remote for of
ePHI use
access to the
Q: Does
predictable
unauthorized your organization:
breaches?
persons to view 3) monitor
sensitive for
their day-to-day
information
unauthorized system?
remotejobs?access to the
Q: Does your organization:
information, and to dispose of sensitive 4) authorize
information
remote
Q: Doesaccess
information yoursystem?
an to the information
organization:
needed? 1) establish system
prior
usage
Q: Doesto the
yourconnection?
restrictions and implementation
organization: 3) monitor for
guidance
unauthorized
Q: Does your for organization-controlled
connections of
organization: 6) mobile
issue
mobile
devices
specificallydevices?
to your organization's
configured mobile information
Q: Does your organization havedevices to
system?
individuals
workstation traveling to
security physical locations that your
safeguards
Q: Has your organization documented the
organization
in place?
different ways deems to be ofare
workstations significant
accessed
Q:
riskAre any of
in accordance your organization's
with organizational
by
Q: staff,
workstations
Does employeeslocated
yourprocedures?
organizationworkforce
in public use members,
areas?
lap tops
policies
and and
non-employees?
andHas
Q: tablets
your (iPads)
organization as workstations?
determinedDo
you
which
Q: have
Has your specific
type(s) policies
of access
organization and the
holds
reviewed procedures
greatest
the
for such
threat
areas to workstations?
security?
Q: Hasofyour yourorganization
workstations to determine
implemented
which
physical
Q: Does areas
your are
safeguards more
organizationand vulnerable
otherprotect to
security
unauthorized
measures
information to use,
minimize theft,
system media have the or viewing
possibility
until the of ofthe
media
Q: Does
data? Doyour you organization
do this review device
periodically?
inappropriate
are destroyed
andDoesmedia access
or
controls, of
sanitized ePHI using
policies1)and throughapproved
Q:
workstations, your organization:
including locked protect
door, and
equipment,
procedures?
control techniques, andofprocedures?
screen barriers, cameras, guards? and
Q: Does your
your defined
organization: types 2) digital
maintain
non-digital
accountability
Q: Does your media during transport
for information
organization: systemthe
3) restrict
outside
media
activities of
during controlled
transport
associated areas
with outsideusingofyour
transport of
Q: Does
organizationalyour organization
security measures? have disposal
controlled
such
policiesmedia andareas?
to authorized
procedures? personnel?and
Q: Has your organization developed
implemented
Q: policies and procedures
Does your organization have a process
that
Q: address
to assure
Does thatthe
your ePHI disposal
organizationis properly of ePHI
keep andon
destroyed
ePHI / or
the
and hardware
cannot
removable be and
devices electronic
recreated?
such ashave media
CDs, DVDs, zip on
Q: Does
which your
ittablets
is stored,organization
including the
drives,
procedures for (iPads)?
the removalDoes ofyourePHI
Q: Does
appropriate
organization
your organization
methods
have to
policies
have
dispose
and of from
one
procedures
electronic
individual
Q: Does
hardware, media
or
your before
department
organization
software and the
the media
responsible
train
data your are for
staff,
itself?
for
made data
coordinating disposal
available data foron theseincluding
reuse,
disposal tools?
and reuse of
employees,
Q: Does your and workforcekeep
organization members a recordon
assuring
hardware
the security that
and ePHI
and softwareis properly
risks ofacross
ePHI destroyed
your
destruction
of
Q:
andthe
Does movement
cannot yourbe of hardware
organization
recreated? have and
an
enterprise?
and reuse
software of
both software
inside and
your hardware?
organization
inventory
Q: Does your of the type of media
organization permit that yourare
and
used
staff, when
to store it leave
employees, ePHI, your
and and facility,
is itcreate
workforce updatedand do you
members
Q:
haveDoes your
an individual organization
or media
office responsible an exact
periodically?
to remove
copy of ePHI electronic
if needed before thatyou contains
move
Q:
for Does
thisbe your
task? organization maintain
or
thecan
backupequipment?used to access
files ePHI; does your
Q: Does
organization youroffsite
have
to assure
organization
procedures havedata
toisan
track the
availability
inventory
Q: Doesexternally?
your in
of whatthe event of
businesshave
organization data
process lost
access would to
media
while transporting orhowmoving
be impacted
technical and for
policies and longelectronic
procedures? if data
media containing while
were unavailable ePHI?media was being
moved?
Q: Has your organization identified all
applications,
Q: systems, servers
Has your organization outlined and theother
electronic
user
Q: Hasroles
your tools
for thethat holddetermined
applications,
organization and use ePHI?
systems,
servers
where
Q: Are the andePHI
any ofother
your electronic
supporting
organization's theidentified
electronic
systems,
above?
tools is
networks, currently housed (i.e. lap top,
Q: Has yourororganization
data accessed remotely?
identified an
network,
approach etc.)?
fororganization
access control?
Q: Has your determined the
access
Q: Doescapabilities
your organization of all your have electronic
a formal
tools
Q: Hasthat
access control
your hold and create
policy
organization ePHI, such
thatdeveloped
guided theand as
viewing
development
implemented data, modifying
of access
access control data,
control deleting
procedures?
Q: Doand
data, yourcreating
organization'sdata? access control
procedures?
procedures
Q: Has your include:access control 1) initial access, 2)
policy,
increased
including
Q: Has your access,
the rules3)ofaccess
organization to different
useroutlined
behavior, how been
systems
communicated
user and applications
compliance towith
youryour that
system accessuser
users?control
Q: Has
currently your has? organization determined who
policy
willDoes
Q: will
manage yourbethe enforced?
access control
organization train your users
procedures?
in access
Q: Does your control procedures
organization train andnew
management?
employees/users
Q: Does your organization in your access have control
policy and
procedures
Q: Does your procedures,
fororganization andhave
new employee/user other access
instructions
to your
procedures data for
and protecting
systems? ePHI?
Q: Has your for reviewing determined
organization and, as how
appropriate,
a user
Q: Has identifier modifying
your organization should access
bedetermined
established, if
authorization
such
theCan asyour
user length
identifierfor
andexisting
content,
should users?
beand self-selected
Q: organization trace all system
communicated
or randomly this information to your
activity,
Q: Does
staff, yourgenerated?
viewing,
employees,
modifying,
organization
and
Is record
workforce
it deleting
differenteach for
and
different
creating
time ePHI oftypes
ePHI, of
is viewed, data?
to a specific
modified, user?
Q: Does
members? your organization havedeleted or
created
Does in
procedures
Q: youranfororganization
audit tool tonecessary
obtaining support
have audit
access
a policy
and
to other
ePHI
on Does
whenyour business
during
access an functions?
emergency?
procedurespolicy should be
Q: organization name
activated?
theDoes
Q: person/role/office
your organization thathave makes the
decision
procedures
Q: Will your to activate
and
organization'syour emergency
a method for
systemssupporting
access
continuityprocedures?
of operations when
automatically
Q: Does your default to settings
organization havenormal anand
access
electronicprocedures
functionalities procedurethatare will disabled
enable
that or
the
automatically
Q: Has
unavailableyour organization
due to procedures
system inventoried
problems? your
emergency
terminates
electronic access
electronic
tools session
for automatic or will
after
logoff a itthe
Q:
needHas your organization
to be activated determined
byactivity?
a system's
predetermined
capabilities?
period of activity timeprior of todetermined
triggering
Q: Has your organization
administrator/authorized individual?the the
automatic
period
Q: Has your log-
of activity off? prior todeveloped
organization triggering the and
automatic
built
Q: in-house
Does your log-off is deferent
tool(s)
organization have have foraspecific
automatic log-
parts
off of your
capabilities
process/mechanism organization?
or can they
to encrypt be modified
and the to
Q: Has your organization determined
include
decrypt
appropriate automatic
ePHI? log-off
scope of audit capabilities?
controls that
Q: Has your organization determined
are
what
Q: bedata
Has necessary
yourwill need to protect
organization your by
to bedetermined
captured
information
your
where audit systems
controls andand intools
your that
audit
yourlogs,
Q: Doesyour
contain yourePHI
ePHI, based
is at risk within
organization on you
your have riskan it
user ID,
organization
inventory event andtype/date/time?
when
of what systems, transmit
Q: What activities
assessment? will your applications,
audit controls
outside
processes,
monitor, your organization?
servers,
creation, laptops,
review, PDAs, tablets
updating,
Q: Has your organization evaluated your
(iPads)
deleting,
existing and other
other
systems of electronic
ePHI?
capabilities tools
in the make
lastin12
Q:
dataDoes your
vulnerable organization
to unauthorized have tools
or
months
place
Q: Hasfor and
your determined
auditing ifdetermined
data review,
organization any creating,
changes of
inappropriate
upgrades are tampering,
necessary? uses or
deleting
what
Q: Does and
areyour
disclosures updating,
theofmostePHI?appropriate
organization's plus for firewall
evaluation
system
monitoring
include activity tools
determination and forother
your similar
organization,
of what changes
Q: Does
activities? your organization have a process
such
and as third party
upgrades to your tools, freeware,
monitoring
andHas
Q: communication
your
operating-system organization plan to tell your
named
provided,members or home atools
person, is
staff,
reasonable
employees,
role or your and
and appropriate?
officeorganizationworkforce
as the responsible party the for
Q: Has
grown? determined
about
your
period your
whenorganization's
overall audit
audits process
will be decisions
and re
its results?
performed?
Q: Has your organization
audit and review of their use of ePHI? determined the
type
Q: Hasofyour
auditorganization
trail data it will need, and
determined how
the
your
Q: monitoring
exception
Where will your procedures
reports and to
organization logs derive
will be
file and
exception
reviewed?
maintain reports,
your other reports?
monitoring reports?
Q: Does your organization have a formal
documented
Q: Does your process organization in place have toaaddress
plan to
your
notify
Q: systems,
youraudit
Is your and
managers tools,
system and misuse,
other staff,
activated abuse,
on all
and fraudulent
employees, activity?
your
Q: Has your and
systems, workforce
servers,
organization network,
begunmembers tools,
your and
regarding
other
logging similarsuspect
areas?
and auditing activity?
procedures?
Q: Has your organization determined the
period,
Q: Whathow often the has
mechanisms audit your results will be
analyzed?
organization
Q: Does yourimplemented
organization have to assess a plan to
effectiveness
revise
Q: Does youryour of
audit your
process
organization auditwhen process,
have needed?what
integrity
metrics
policies are being used?
Q: Does and yourprocedures?
organization a list of all your
organization
Q: users are authorized
Has your organization an established to
access
basis
Q: HasforePHI?
assigning
your organizationspecificidentified
individuals all and
roles
approvedaccess usersto the with ePHI
thebased
abilityon to need,
alter or
such as necessary
destroy data? for job task?
Q: Have your organization's users been
trained
Q: Doeson your how to use ePHI?
organization have audit
trails
Q: Hasestablished
your organization for all accesses
determined to ePHI?
what
Q: Does canyourbe done to protect
organization have thepolicies
ePHI
when
andDoes
Q: is ityour
procedures at rest in your
that
organization are systems
used and
havetoadecrease
formally
tools?
or eliminate
documented alteration of ePHI during
Q: Does your set of integrity
organization haverequirements
a written
transition,
that
policy is related
based such toas
on your
yourencryption?
analysis
integrity of use,
Q: Are your organization's current audit,
users
logging, and
requirements and misusesand of
has
access control ePHI
it and
been your risk
techniques
Q: If your
analysis? organization's current
communicated
and methods
techniques to your system(s)
sufficient toprovide not users?
address the
Q: Can yourand methods
organization are
integrity
sufficient,
additional of ePHI?
what
training additional
to decrease techniques and
Q: Does your organization haveinstances
in place
methods
attributable
electronic can toyouhuman
mechanisms apply to check
errors?
to corroborate ePHI
Q: Does your
integrity, such organization
as quality use both
control process,
that ePHIyour
electronic
Q: Does has
and not been altered
non-electronic
organization use or
transaction
destroyed and output
in anmechanisms,
unauthorized reconstruction?
manner?
mechanisms
Q: Does yourto
authentication protect
organization's ePHI? such as
information
error-correcting
integrity
Q: Does your process, memory,
as currently
organization magnetic
have person disc
storage,
implemented,
andHas entity digital signatures,
provide that check sum
polices and of
a high level
Q:
technology? yourauthentication
organization
Others? established
assurance
procedures?
formal that
documented information integritypolicy
authentication is
Q: Do maintained?
being your organization authentication
and procedures
procedures
Q: and
include ongoing
Do your organization's communicated system,
identity them
to your organization's
applications,
methods network,that
corroborate staff,
and employees,
tool
the person
Q:
and What
workforceauthentication
members? methods doesis
maintenance
the
your one claimed?
organization and update
use? ofmethods your
Q: Do your authentication
authentication methods?
require
Q: Doesthe yourvalidity of a transmission
organization have trained
source
staff
Q: Doesto and/or
maintain verifying
the system
your organization an use
individual's
orpasswords
is this
claim
work of authorization
outsourced?
forIfindividual access touses privileges
ePHI? to ePHI?
Q: your organization passwords for
individual
Q: Has/does access
yourto ePHI are they
organization useunique
by
Q: individual?
outside
Has thirdorganization
your party vendor support to
implemented
implement
theHas
Q: youryour
selected organization's
authentication
organization methodsuser
completed into
authentication
your
andDoes organization's
support methods?systems, networks,
Q: yourstaff training?
organization have
applications,
transportation and tools?and procedures?
policies
Q: Does your organization have formal
documented
Q: Do your organization policies andpolicies procedures and for
transmission
procedures
Q: of ePHI,methods
identify
Do your organization andpolicies
have ofthey
and been
communicated
transmission
procedures to
that your
will staff,
used toemployees,
safeguard
Q:
and Has your identify
workforce organization
members?
tools implemented
and techniques
ePHI?
that will your
procedures be used to support
fororganization
transmitting the formal
ePHI using
Q: Does have
transmission
hardware
documented or security
software?
set of does policy?
requirements for
Q: What measures your organization
transmitting
have
Q: Does yourePHI?
in place to protect ePHI
organization have during
in place
transmission?
an Does
Q: auditing yourprocess
organizationduringhave transmission
trained
that
staff
Q: verifies
Doesthatyour that
monitor the ePHI has
transmissions?
organization havebeen integrity
protected
controls againstand
policies unauthorized
procedures? access?
Q: Does your organization have measures
planned
Q: Does your or implemented
organizationtohave protect ePHI
assurance
during
that
Q: Hasthetransmission?
information
your organization is not altered during
implemented
transmission?
encryption
Q: Does your fororganization
ePHI transmission? believe
encryption
Q: Is encryption necessaryfeasible to protect ePHI
and cost-effective
during
Q: yourtransmission?
forWhat, organization?
if any, encryption algorithms
andDoes
Q: mechanism are available
your organization have to staff
your
organization?
skilled
Q: Doesinyour the use of encryption?
organization have staff to
maintain
Q: Does your a process for encrypting
organization have businessePHI
during
Q: Doestransmission?
associate agreements
your organization's or other contracts
business
withDoother
associate
Q: health
youragreements careinclude
organization's entities?
businessmandated
requirements?
associate
Q: Does your agreements
organization's includes specified
business
paragraphs
associate
Q: Does your onorganization's
disclosures
agreements ofbusiness
includes business
specified
associates?
paragraphs
associate onorganization
termination
agreements includes of business
specified
Q: Does your include the
associates?
paragraphs
following if organization
termination
requirements of
and/or business
Q: Does your include the
associates
specifications,
following is not feasible,
explicitly
requirements ortheby issues
and/or reference,is
Q: Does
reported your organization
to theexplicitly
Office for include
Civil the
Rights?
in information
specifications,
following acquisition
requirements or contracts
by
and/or reference,based
Q:
on Does your
the assessment organization's
of risk business
in information
specifications,
associate
Q: Does
acquisition
explicitly
contract(s)
your orand
provide
organization's
in
contracts
bybusiness
reference,
the based
business
accordance
on
in the assessment
information with applicable
of
acquisition risk and laws,
in
contracts based
associates
associate
Q: Do that will
contract(s) implement
address functions
theyour
regulations,
accordance
on
administrative,
related to
organization's
assessment and related
with
creating,
applicable
physicalof riskand
receiving,
business
guidance
and laws,
in
technical
associate
Q: Do yourcontracts
documents:1)
regulations, security
organization's
and provide
related that
functional
business the
accordance
safeguards
maintaining,
business
with
to protect
and
associates
requirements/specifications? theguidance
applicable
transmitting
conduct
laws,
ePHI?a ePHI?
risk
associate
documents:
Q: Does your
regulations, contracts
2) provide
security-
organization's
and related that
related any
business
guidance
assessment
agent, including
documentation
associate
documents:3) that
contract(s) aaddresses
subcontractor,
requirements?
provide
developmental administrative,
andto
that thewhom
Q: Has
physical your
and organization
technical identified
risks? the
the
key business associate staff/point of or
business
business associate
associate
evaluation-related will provides
report
assurance anyePHI,
security
access
incidents toinof
requirements?
contact such
the ePHI.
which
event agrees
it of
becomes to aware
a security implement to
reasonable
the covered
incident? and appropriate
entity? safeguards to
protect the ePHI?
Q: Does your organization have in place a
procedure
Q: Does your including
organizationsa reporting business
mechanism
associate
Q: for reporting
Do the contract
conditions include security
standards and
for termination
incidents
thresholds
within byfora business
termination associate?
of contract?
Q: Does your organization's business associate contract include material breach of the contract, and that the breach cannot be cured?
Q: Does your organization's business associate contract include reporting the problem to the Office for Civil Rights (OCR) if termination is not possible?
Q: If your organization and the organization you are contracting with are both governmental agencies, do you use a memorandum of understanding (MOU)?
Q: Does your organization's MOU/agreement provide protection for the ePHI equivalent to that provided in a HIPAA business associate contract?
Q: If your organization's MOU cannot be terminated, are other enforcement mechanisms in place that are reasonable and appropriate?
Q: Does your organization use a memorandum of understanding (MOU) with certain business associates?
Q: Does your organization have other laws similar to business associate agreement requirements that it must implement?
Q: If your organization has an MOU, have you made a good faith effort to obtain satisfactory assurances that the HIPAA Security Standards are met?
Q: Does your organization make the attempt to obtain satisfactory assurances, and are the reasons that they cannot be obtained documented?
Q: Does your organization or your contract partners have statutory obligations which require the removal of the termination requirement?
Q: Is your organization a group health plan?
Q: Does your organization only share summary health information or disclose whether an individual is a participant or enrolled/unenrolled to the health plan sponsor?
Q: Does your organization have group health plan documents that include plan sponsor requirements?
Q: Does your organization amend your plan documents to incorporate provisions that require a health plan sponsor to implement administrative, physical and technical safeguards to protect the ePHI?
Q: Do your organization's plan documents include provisions to require the plan sponsor to ensure adequate separation between the group health plan and the plan sponsor, including the plan sponsor's employees, classes of employees, or other persons who will be given access to the ePHI?
Q: Do your organization's plan documents include provisions to require that the plan sponsor's agents, including subcontractors, to whom it provides ePHI agree to implement reasonable and appropriate security measures to protect the ePHI?
Q: Does your organization have a … that creates, receives, maintains, or transmits any ePHI on your behalf?
Q: Does your organization have a procedure in place that includes a security incident reporting mechanism for reporting security incidents by a plan sponsor? Also, does the plan sponsor report to the group health plan all security incidents of which it becomes aware?
Q: Does your organization have policies and procedures for responding to security incidents by a plan sponsor?
Q: Does your organization have in place reasonable and appropriate policies and procedures, administrative safeguards, physical safeguards, and technical safeguards?
Q: Do your organization's policies and procedures comply with the standards and implementation specifications of the HIPAA Security Rule?
Q: Does your organization take into consideration: 1) your organization's size, complexity and the services you provide; 2) your organization's technical infrastructure, hardware, software and security capabilities; 3) the cost of your organization's security measures; 4) the potential risks to day-to-day operation, including security functions that are critical to operations?
Q: Does your organization have procedures for periodic re-evaluation of your security policies and procedures, and update them when necessary?
Q: Does your organization document the changes and their implementation when security policies and procedures are changed at any time?
Q: Does your organization have appropriate documentation policy and procedures?
Q: Has your organization documented all security policies and procedures?
Q: Has your organization documented your decisions concerning the security management, operational, and technical controls which mitigate your identified risks?
Q: Does your organization update your security documentation following breaches, security incidents, new tools and acquisitions, changes in technology and other similar times?
Q: Does your organization have an individual or office that maintains and is responsible for your HIPAA Security documentation?
Q: Does your organization have a data retention policy and procedure(s) that consider all HIPAA retention requirements?
Q: Has your organization aligned HIPAA documentation retention requirements with all other data retention policies?
Q: Has your organization communicated with all staff that need access to your security documentation where it is found?
Q: Do your organization's education, training and awareness activities include the availability of your security documentation?
Q: Does your organization have a process in place to solicit input from the staff, employees, and workforce impacted, and a process for the verification of the timeliness of your security policies and procedures?
Q: Does your organization have version control for your policy and procedure(s) for updates of your security policies and procedures?
ID | HIPAA_Control | Standard | CONTROL_NAME | CONTROL_DESCRIPTION | REQUIRED_ADDRESSABLE
1 | 164.308(a)(1)(i) | Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. | - | - | -
2 | 164.308(a)(1)(ii)(A) | - | Risk Analysis | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. | Required
3 | 164.308(a)(1)(ii)(B) | - | Risk Management | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). | Required
4 | 164.308(a)(1)(ii)(C) | - | Sanction Policy | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. | Required
5 | 164.308(a)(1)(ii)(D) | - | Information System Activity Review | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Required
6 | 164.308(a)(2) | Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. | - | - | -
7 | 164.308(a)(3)(i) | Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. | - | - | -
8 | 164.308(a)(3)(ii)(B) | - | Workforce Clearance Procedure | Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | Addressable
9 | 164.308(a)(3)(ii)(C) | - | Termination Procedure | Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. | Addressable
10 | 164.308(a)(4)(i) | Information Access Management: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. | - | - | -
11 | 164.308(a)(4)(ii)(A) | - | Isolating Healthcare Clearinghouse Functions | If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from u […] | Required
12 | 164.308(a)(4)(ii)(B) | - | Access Authorization | Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | Addressable
13 | 164.308(a)(4)(ii)(C) | - | Access Establishment and Modification | Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Addressable
14 | 164.308(a)(5)(i) | Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management). | - | - | -
15 | 164.308(a)(5)(ii)(A) | - | Security Reminders | Periodic security updates. | Addressable
16 | 164.308(a)(5)(ii)(B) | - | Protection from Malicious Software | Procedures for guarding against, detecting, and reporting malicious software. | Addressable
17 | 164.308(a)(5)(ii)(C) | - | Log-in Monitoring | Procedures for monitoring log-in attempts and reporting discrepancies. | Addressable
18 | 164.308(a)(5)(ii)(D) | - | Password Management | Procedures for creating, changing, and safeguarding passwords. | Addressable
19 | 164.308(a)(6)(i) | Security Incident Procedures: Implement policies and procedures to address security incidents. | - | - | -
20 | 164.308(a)(6)(ii) | - | Response and Reporting | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | Required
21 | 164.308(a)(7)(i) | Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. | - | - | -
22 | 164.308(a)(7)(ii)(A) | - | Data Backup Plan | Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | Required
23 | 164.308(a)(7)(ii)(B) | - | Disaster Recovery Plan | Establish (and implement as needed) procedures to restore any loss of data. | Required
24 | 164.308(a)(7)(ii)(C) | - | Emergency Mode Operation Plan | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | Required
25 | 164.308(a)(7)(ii)(D) | - | Testing and Revision Procedure | Implement procedures for periodic testing and revision of contingency plans. | Addressable
26 | 164.308(a)(7)(ii)(E) | - | Applications and Data Criticality Analysis | Assess the relative criticality of specific applications and data in support of other contingency plan components. | Addressable
27 | 164.308(a)(8) | Evaluation: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. | - | - | -
28 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements: A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. | - | - | -
29 | 164.308(b)(4) | - | Written Contract or Other Arrangement | Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a […] | Required
30 | 164.310(a)(1) | Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. | - | - | -
31 | 164.310(a)(2)(i) | - | Contingency Operations | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | Addressable
32 | 164.310(a)(2)(ii) | - | Facility Security Plan | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Addressable
33 | 164.310(a)(2)(iii) | - | Access Control and Validation Procedures | Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Addressable
34 | 164.310(a)(2)(iv) | - | Maintenance Records | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Addressable
35 | 164.310(b) | Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | - | - | -
36 | 164.310(c) | Workstation Security: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | - | - | -
37 | 164.310(d)(1) | Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. | - | - | -
38 | 164.310(d)(2)(i) | - | Disposal | Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | Required
39 | 164.310(d)(2)(ii) | - | Media Reuse | Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse. | Required
40 | 164.310(d)(2)(iii) | - | Accountability | Maintain a record of the movements of hardware and electronic media and any person responsible therefore. | Addressable
41 | 164.310(d)(2)(iv) | - | Data Backup and Storage | Create a retrievable exact copy of electronic protected health information, when needed, before movement of equipment. | Addressable
42 | 164.312(a)(1) | Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). | - | - | -
43 | 164.312(a)(2)(i) | - | Unique User Identification | Assign a unique name and/or number for identifying and tracking user identity. | Required
44 | 164.312(a)(2)(ii) | - | Emergency Access Procedure | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Required
45 | 164.312(a)(2)(iii) | - | Automatic Logoff | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Addressable
46 | 164.312(a)(2)(iv) | - | Encryption and Decryption | Implement a mechanism to encrypt and decrypt electronic protected health information. | Addressable
47 | 164.312(b) | Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | - | - | -
48 | 164.312(c)(1) | Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | - | - | -
49 | 164.312(c)(2) | - | Mechanism to Authenticate Electronic Protected Health Information | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Addressable
50 | 164.312(d) | Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | - | - | -
51 | 164.312(e)(1) | Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | - | - | -
52 | 164.312(e)(2)(i) | - | Integrity Controls | Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Addressable
53 | 164.312(e)(2)(ii) | - | Encryption | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | Addressable
54 | 164.314(a)(1) | […] knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary. | - | - | -
55 | 164.314(a)(2)(i) | - | Business Associate Contracts | The contract between a covered entity and a business associate must provide that the business associate will: (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect th […] | Required
56 | 164.314(a)(2)(ii) | - | Other Arrangements | When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if: (1) It enters into a memorandum of understanding with the business associ […] | -
57 | 164.314(b)(1) | Requirements for Group Health Plans: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. | - | - | -
58 | 164.314(b)(2)(i) | - | Group Health Plan Implementation Specification | The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (i) Implement administrative, physical, and technical safeguards that reasonably and […] | Required
59 | 164.314(b)(2)(ii) | - | Group Health Plan Implementation Specification | The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supporte […] | Required
60 | 164.314(b)(2)(iii) | - | Group Health Plan Implementation Specification | The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iii) Ensure that any agent, including a subcontractor, to whom it provides this info […] | Required
61 | 164.314(b)(2)(iv) | - | Group Health Plan Implementation Specification | The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iv) Report to the group health plan any security incident of which it becomes aware. | Required
62 | 164.316(a) | Policies and Procedures: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. | - | - | -
63 | 164.316(b)(1) | Documentation: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. | - | - | -
64 | 164.316(b)(2)(i) | - | Time Limit | Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. | Required
65 | 164.316(b)(2)(ii) | - | Availability | Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. | Required
66 | 164.316(b)(2)(iii) | - | Updates | Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. | Required
