
HIPAA SECURITY REQUIREMENTS & OHI POLICY CROSS WALK

01/25/2011 Page 1 of 5

| HIPAA Requirements Citation | Implementation Specifications | (R)/(A) | Hospital Policy Reference | Comments/Notes |
|---|---|---|---|---|
| Security management, 45 CFR 164.308 (1) | Risk Analysis | R | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities related to the confidentiality, integrity, and availability of electronic protected health information. | | |
| Security management, 45 CFR 164.308 (1) | Risk management | R | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. | | |
| Security management, 45 CFR 164.308 (1) | Sanction Policy | R | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. | | |
| Security management, 45 CFR 164.308 (1) | System Activity Review | R | Implement procedures to regularly review records of system activity such as audit logs, access reports, and security incident tracking reports. | | |
| Assigned security responsibility, 45 CFR 164.308 (2) | Security Officer | R | Identify a security officer who is responsible for the development and implementation of the policies and procedures required by HIPAA. | | |
| Workforce Security, 45 CFR 164.308 (3) | Authorization and supervision | A | Implement procedures for authorization and supervision of workforce members who work with electronic protected health information. | | |
| Workforce Security, 45 CFR 164.308 (3) | Workforce Clearance procedures | A | Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | | |
| Workforce Security, 45 CFR 164.308 (3) | Termination Procedures | A | Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends. | | |
| Information access management, 45 CFR 164.308 (4) | Access Authorization | A | Implement policies and procedures for granting access to electronic protected health information. | | |
| Information access management, 45 CFR 164.308 (4) | Access establishment and modification | A | Implement policies and procedures that establish, document, review, and modify a user's right of access. | | |
| Security awareness and training, 45 CFR 164.308 (5) | Security reminders | A | Training and periodic security updates. | | |
| Security awareness and training, 45 CFR 164.308 (5) | Protection from malicious software | A | Procedures for guarding against malicious software and for detecting and reporting malicious software. | | |
| Security awareness and training, 45 CFR 164.308 (5) | Log-in monitoring | A | Procedures for monitoring log-in attempts and reporting discrepancies. | | |
| Security awareness and training, 45 CFR 164.308 (5) | Password management | A | Procedures for creating, changing, and safeguarding passwords. | | |
| Security Incident procedures, 45 CFR 164.308 (6) | Response and Reporting | R | Identify and respond to suspected or known security violations, mitigate the harmful effects of such incidents, and document the outcomes. | | |
| Contingency Plan, 45 CFR 164.308 (7) | Data Back-up plan | R | Create and maintain exact retrievable copies of electronic health information. | | |
| Contingency Plan, 45 CFR 164.308 (7) | Disaster Recovery Plan | R | Establish and implement procedures to restore any loss of data. | | |
| Contingency Plan, 45 CFR 164.308 (7) | Emergency mode operation plan | R | Establish procedures to enable continuation of critical business processes for the protection of PHI while working in an emergency mode. | | |
| Contingency Plan, 45 CFR 164.308 (7) | Testing and revision procedures | A | Implement procedures for periodic testing and revision of contingency plans. | | |
| Contingency Plan, 45 CFR 164.308 (7) | Application and data criticality analysis | A | Assess the relative criticality of specific applications and data. | | |
| Evaluation, 45 CFR 164.308 (8) | Periodic technical and non-technical analysis | R | Perform a periodic evaluation in response to environmental or operational changes affecting the security of electronic PHI. | | |
| Facility Access, 45 CFR 164.310 (a) | Contingency Operations | A | Establish and implement procedures allowing facility access in support of restoration of lost data under a disaster recovery plan and emergency mode plan in the event of an emergency. | | |
| Facility Access, 45 CFR 164.310 (a) | Facility Security Plan | A | Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering and theft. | | |
| Facility Access, 45 CFR 164.310 (a) | Access Control and Validation | A | Implement procedures to control and validate access to facilities based on role or function, including visitor control and control of access to software. | | |
| Facility Access, 45 CFR 164.310 (a) | Maintenance Records | A | Document repairs and modifications to the physical components of a facility (locks, walls, doors, etc.). | | |
| Workstation Use, 45 CFR 164.310 (b) | | R | Policies and procedures that specify the functions performed and the physical attributes of the surroundings of workstations that can access PHI. | | |
| Workstation Security, 45 CFR 164.310 (c) | | R | Implement physical safeguards for all workstations accessing PHI to restrict access by unauthorized users. | | |
| Device and Media Controls, 45 CFR 164.310 (c) | Disposal | R | Implement policies and procedures for final disposition of hardware and electronic media. | | |
| Device and Media Controls, 45 CFR 164.310 (c) | Media Re-use | R | Implement procedures for removal of PHI from electronic media before it is made available for re-use. | | |
| Device and Media Controls, 45 CFR 164.310 (c) | Accountability | A | Maintain records of the movement of hardware and electronic media and any person responsible for the movement. | | |
| Device and Media Controls, 45 CFR 164.310 (c) | Data Back-up and Storage | A | Back up PHI before movement of equipment. | | |
| Access Control, 45 CFR 164.312 (a) | Unique user ID | R | Assign a unique ID for tracking user identity. | | |
| Access Control, 45 CFR 164.312 (a) | Emergency Access Procedure | R | Establish a procedure for providing PHI during an emergency. | | |
| Access Control, 45 CFR 164.312 (a) | Automatic log-off | A | Implement procedures to terminate an electronic session after a predetermined period of inactivity. | | |
| Access Control, 45 CFR 164.312 (a) | Encryption | A | Implement a mechanism to encrypt and decrypt PHI. | | |
| Audit Controls, 45 CFR 164.312 (b) | Data Integrity | A | Implement a mechanism to authenticate PHI: corroborate that PHI has not been altered or destroyed in an unauthorized manner. | | |
| Audit Controls, 45 CFR 164.312 (b) | Person or entity authentication | A | Implement a mechanism to verify that the person seeking access is the person claimed. | | |
| Transmission Security, 45 CFR 164.312 (c) | Integrity | A | Implement measures to ensure that all electronically transmitted PHI is not improperly modified during transmission without detection. | | |
| Transmission Security, 45 CFR 164.312 (c) | Encryption | A | Implement a mechanism to encrypt PHI when appropriate. | | |

R -- REQUIRED -- The implementation specification is required by the regulation.

A -- ADDRESSABLE -- The entity must assess whether the specification is a reasonable and appropriate safeguard in its specific environment and either:
- implement the specification if reasonable and appropriate, or
- document why the specification is not reasonable and appropriate, and implement an equivalent alternative measure.
