
Administrative Safeguards

| Safeguard | Type | Category | Description |
|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment |
| 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity |
| 164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P |
| 164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI access |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access |
| 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access |
| 164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations |
| 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI |
| 164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers |
| 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts |
| 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management |
| 164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents |
| 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents |
| 164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning |
| 164.308(a)(8) | Evaluation | - | Periodic security evaluation |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implement BACs to ensure safeguards |
| 164.308(b)(4) | Written Contract | Required | Implement compliant BACs |

Physical Safeguards

 
| Safeguard | Type | Category | Description |
|---|---|---|---|
| 164.310(a)(1) | Facility Access Controls | - | P&P to limit access to systems and facilities |
| 164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery |
| 164.310(a)(2)(ii) | Facility Security Plan | Addressable | P&P to safeguard equipment and facilities |
| 164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Facility access procedures for personnel |
| 164.310(a)(2)(iv) | Maintenance Records | Addressable | P&P to document security-related repairs and modifications |
| 164.310(b) | Workstation Use | - | P&P to specify workstation environment & use |
| 164.310(c) | Workstation Security | - | Physical safeguards for workstation access |
| 164.310(d)(1) | Device and Media Controls | - | P&P to govern receipt and removal of hardware and media |
| 164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal |
| 164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment |
| 164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement |
| 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment |

Technical Safeguards

| Safeguard | Type | Category | Description |
|---|---|---|---|
| 164.312(a)(1) | Access Control | - | Technical (administrative) P&P to manage PHI access |
| 164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access |
| 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms |
| 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI |
| 164.312(b) | Audit Controls | - | Procedures and mechanisms for monitoring system activity |
| 164.312(c)(1) | Integrity | - | P&P to safeguard PHI from unauthorized alteration |
| 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate that PHI has not been altered |
| 164.312(d) | Person or Entity Authentication | - | Procedures to verify identities |
| 164.312(e)(1) | Transmission Security | - | Measures to guard against unauthorized access to transmitted PHI |
| 164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI in transmission |
| 164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI |