Access Authorization Policy

Citation: §164.308(a)(4)(ii)(B)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement procedures for granting workforce members appropriate access authorization to electronic media, transactions, processes, and other mechanisms that contain PHI.

Access Control and Validation Procedure Policy

Citation: §164.310(a)(2)(iii)
Implementation Specification: Addressable

This policy addresses how the facility will control and validate a person’s access to our facilities in the following four ways: verifying an individual’s authorization; establishing a visitor sign-in/sign-out and badge system in order to safeguard ePHI; controlling access and movement within the facility; and escorting visitors in areas with access to ePHI if there is a reason for visitors to be in such areas.

Access Control Policy

Citation: §164.312(a)(1)
Implementation Specification:

This policy addresses how the facility will implement technical policies and procedures for electronic information systems that maintain ePHI, allowing access only to those persons, entities, or automated processes (e.g., software programs) that have been granted access rights.

Access Establishment and Modification Policy

Citation: §164.308(a)(4)(ii)(C)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures – based on the facility’s access authorization policies – for establishing, documenting, reviewing, and modifying a user’s right of access to electronic media, transactions, processes, and other mechanisms that contain ePHI.

Applications and Data Criticality Analysis Policy

Citation: §164.308(a)(7)(ii)(E)
Implementation Specification: Addressable

This policy addresses how the Security Official will assess vulnerabilities and threats as part of our facility’s risk analysis, and prioritize steps in data backup, disaster recovery, and emergency mode operation plans for recovery of electronic systems that contain ePHI.

Assigned Security Responsibility Policy

Citation: §164.308(a)(2)
Implementation Specification: Required

This policy addresses how the designated Security Official, who has overall responsibility in the practice for compliance with the Security Rule and for implementing policies and procedures, ensures the confidentiality, integrity, and availability of the facility’s ePHI.

Audit Controls Policy

Citation: §164.312(b)
Implementation Specification:

This policy addresses how the Security Official will train workforce members to comply with the facility’s technical safeguards regarding the use of electronic systems and access to and protection of ePHI, and enforce workforce compliance through sanctions.

Authorization and/or Supervision Policy

Citation: §164.308(a)(1)(ii)(A)
Implementation Specification: Required

This policy addresses how the Security Official will ensure that your facility has procedures in place to authorize workforce members who work with ePHI to access only the information that they require and to supervise them in locations where such information might be accessed.

Automatic Log-Off Policy

Citation: §164.312(a)(2)(iii)
Implementation Specification: Addressable

This policy addresses how the Security Official will ensure that automatic logoff procedures are in place on all systems and devices that provide access to ePHI in your facility.

Business Associate Contracts and Other Arrangements Policy

Citation: §164.308(b)(1)
Implementation Specification:

This policy addresses how the Security Official, in consultation with the facility’s attorney, will prepare a Business Associate Agreement that contains the necessary assurances, and how the Security Official will ensure that such an agreement is executed with each Business Associate engaged by the facility.

Contingency Operations Policy

Citation: §164.308(a)(7)(i)
Implementation Specification:

This policy addresses how the Security Official will develop and implement policies and procedures for responding to emergencies that may impair the facility’s electronic systems containing ePHI.

Data Backup Plan Policy

Citation: §164.308(a)(7)(ii)(A)
Implementation Specification: Required

This policy addresses how the Security Official will implement policies and procedures for establishing and implementing a data backup plan that creates and maintains up-to-date exact copies of your practice’s ePHI.

Device and Media Controls Policy

Citation: §164.310(d)(1)
Implementation Specification: Required

This policy addresses how the facility will monitor and document the receipt and removal of hardware and electronic media that contain ePHI into and out of the facility, and the movement of hardware and electronic media within the facility.

Device and Media Controls – Accountability Policy

Citation: §164.310(d)(2)(iii)
Implementation Specification: Addressable

This policy addresses how the facility will establish and maintain a written record of the movements of hardware and electronic media and any person responsible for the movements of such hardware.

Device and Media Controls – Data Backup and Storage Procedures Policy

Citation: §164.310(d)(2)(iv)
Implementation Specification: Addressable

This policy addresses how the facility will regularly back up ePHI in accordance with the backup procedures that the facility will determine appropriate when a risk analysis is conducted.

Device and Media Controls – Disposal Policy

Citation: §164.310(d)(2)(i)
Implementation Specification: Required

Prior to final disposition of any hardware or electronic media in your facility, your facility will dispose of ePHI in a manner that is consistent with the Breach Notification Rule Guidance.

Device and Media Controls – Media Re-Use Policy

Citation: §164.310(d)(2)(ii)
Implementation Specification: Required

This policy addresses how the Security Official shall confirm that your practice’s hardware and electronic media disposal procedures are consistent with the Breach Notification Rule Guidance and any updates to it, and that your system vendors are aware of and understand NIST Special Publication 800-88, Guidelines for Media Sanitization, which is the current Guidance-recommended set of guidelines for removal of ePHI from electronic media “such that the PHI cannot be retrieved.”

Disaster Recovery Plan Policy

Citation: §164.308(a)(7)(ii)(B)
Implementation Specification: Required

This policy addresses how the Security Official will implement policies and procedures for establishing and implementing a disaster recovery plan for restoring business operations and electronic systems that contain ePHI should a disaster occur.

Emergency Access Procedure Policy

Citation: §164.312(a)(2)(ii)
Implementation Specification: Required

This policy addresses how the Security Official will establish methods of emergency access to ePHI in the event of loss of data and systems due to an emergency or disaster such as fire, earthquake, flood, tornado, hurricane, vandalism, terrorism, power outage, or system failure.

Emergency Mode Operation Plan Policy

Citation: §164.308(a)(7)(ii)(C)
Implementation Specification: Required

This policy addresses how the Security Official will implement policies and procedures for establishing and implementing, as needed, an emergency mode operation plan for safeguarding the availability of your facility’s ePHI while operating in emergency mode.

Encryption and Decryption Data in Motion Policy

Citation: §164.312(a)(2)(iv)
Implementation Specification: Addressable

This policy addresses how the Security Official is responsible for safeguarding the facility’s ePHI. The facility’s Notice of Privacy Practices outlines our facility’s policy on communication over open networks or electronic systems. The policy is to inform patients that an electronic message from the facility can be accessed on the facility’s server only when the patient provides a unique patient ID and password for access.

Encryption Data at Rest Policy

Citation: §164.312(e)(2)(ii)
Implementation Specification: Addressable

This policy addresses how the facility encrypts all ePHI at rest in the facility’s database and in motion through outbound communications in conformance with the technologies and methodologies specified in the ‘Guidance Specifying the Technologies and Methodologies That render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals’ of the August 24, 2009, Interim Final Rule: Breach Notification for Unsecured Protected Health Information.

Evaluation Policy

Citation: §164.308(a)(8)
Implementation Specification:

This policy addresses how the Security Official will establish procedures for your facility to perform periodic technical and non-technical evaluations of security performance, based upon the Standards the facility has implemented under the HIPAA Security Rule and on changes required to the Standards’ Implementation Specifications due to environmental or operational changes affecting the security of your facility’s ePHI.

Facility Security Plan Policy

Citation: §164.310(a)(2)(ii)
Implementation Specification: Addressable

This policy addresses how to safeguard the practice and its facility or facilities and the electronic systems and ePHI contained therein from unauthorized physical access, tampering and theft.

Information System Activity Review Policy

Citation: §164.308(a)(1)(ii)(D)
Implementation Specification: Required

This policy addresses how the Security Official will be responsible for implementing procedures for reviewing system activity functions, such as audit logs, access reports, and security incident tracking reports to validate performance of safeguard measures designed to protect confidentiality, integrity, and availability of the facility’s ePHI and to detect evidence of any unauthorized access to or inappropriate use of data in our facility’s information system.

Integrity Controls Policy

Citation: §164.312(e)(2)(i)
Implementation Specification: Addressable

This policy addresses how the Security Official is responsible for implementing a policy that will ensure that ePHI has not been altered without appropriate knowledge and approval of the facility.

Log-in Monitoring Policy

Citation: §164.308(a)(5)(ii)(C)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures for monitoring computer log-in attempts and reporting discrepancies.

Maintenance Records Policy

Citation: §164.310(a)(2)(iv)
Implementation Specification: Addressable

This policy addresses how the facility shall document repairs and modifications to the physical components of the practice’s facility that are related to security, including hardware, locks, doors, and walls.

Mechanism to Authenticate ePHI Policy

Citation: §164.312(c)(2)
Implementation Specification: Addressable

This policy addresses how the Security Official is responsible for implementing mechanisms for corroborating the integrity of ePHI.

Password Management Policy

Citation: §164.308(a)(5)(ii)(D)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures for creating, changing, and safeguarding passwords.

Person or Entity Authentication Policy

Citation: §164.312(d)
Implementation Specification:

This policy addresses how the Security Official has implemented a policy that any user seeking access to the facility’s electronic systems and ePHI shall possess credentials that authenticate access. Credentials entered by a potential user must match those stored in the electronic system in order to gain access.

Protection from Malicious Software Policy

Citation: §164.308(a)(5)(ii)(B)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures for guarding against, detecting, and reporting malicious software, including software that has not yet compromised the facility’s electronic system but that is suspect.

Response and Reporting Policy

Citation: §164.308(a)(6)(ii)
Implementation Specification: Required

This policy addresses how the Security Official will implement policies and procedures for identifying and responding to suspected or known security incidents; mitigating, to the extent practicable, harmful effects of security incidents that are known to your facility; and documenting security incidents and their outcomes.

Risk Analysis Policy

Citation: §164.308(a)(1)(ii)(A)
Implementation Specification: Required

This policy addresses how the Security Official will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the practice’s ePHI and will update the risk analysis whenever the facility determines a review is warranted.

Risk Management Policy

Citation: §164.308(a)(1)(ii)(B)
Implementation Specification: Required

This policy addresses how the Security Official will develop and implement a plan to manage the risks that your practice has identified in its risk assessment.

Sanction Policy

Citation: §164.308(a)(1)(ii)(C)
Implementation Specification: Required

This policy addresses how the Security Official will develop, implement and enforce a sanction policy for workforce members who do not comply with safeguards designed to secure the practice’s electronic systems and electronic protected health information.

Security Reminders Policy

Citation: §164.308(a)(5)(ii)(A)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures for security awareness training for workforce members and security awareness counseling for representatives of our facility’s Business Associates. In addition, the Security Official will be responsible for providing periodic security updates and security reminders to our workforce members and representatives of our Business Associates.

Termination Procedure Policy

Citation: §164.308(a)(3)(ii)(C)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement procedures in the facility to terminate access to ePHI when a workforce member’s job responsibilities change such that he or she no longer requires such access, or when a workforce member’s employment terminates.

Testing and Revision Procedure Policy

Citation: §164.308(a)(7)(ii)(D)
Implementation Specification: Addressable

This policy addresses how the Security Official will implement policies and procedures for testing and revising the facility’s contingency plans, including the facility’s data backup, disaster recovery, and emergency mode operation plans.

Unique User Identification Policy

Citation: §164.312(a)(2)(ii)
Implementation Specification: Required

This policy addresses how the Security Official will determine each workforce member’s need for access to ePHI, and make sure that workforce members only have access to the information that is necessary to perform their work responsibilities. Your practice will identify users and track each user’s identity through assigned unique names and/or numbers.

Workforce Clearance Procedure Policy

Citation: §164.308(a)(3)(ii)(B)
Implementation Specification: Addressable

This policy addresses how the Security Official will evaluate and describe work functions in the practice, determine the level of access to ePHI necessary for each work function, and incorporate appropriate access clearances in connection with each workforce member’s job function.

Workstation Security Policy

Citation: §164.310(c)
Implementation Specification: Required

This policy addresses how the facility will maintain workstation security for all workstations that provide access to ePHI in order to prevent access by unauthorized users.

Workstation Use Policy

Citation: §164.310(b)
Implementation Specification: Required

This policy addresses how the facility will specify the proper functions to be performed on each workstation, the manner in which they are to be performed, and the physical attributes of the surroundings of specific workstations or classes of workstations that can access ePHI.