| # | Policy | Standard Type | HIPAA / HITECH Citation(s) | Requirement |
|---|---|---|---|---|
| 1 | General HIPAA Compliance Policy | | 164.104; 164.306; HITECH 13401 | Covered Entities and Business Associates, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of Entity. |
| 2 | Policies & Procedures | General Requirement | 164.306; 164.316; 164.312(b)(1); 164.530(i) | Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented. |
| 3 | Documentation Policy | Requirement | 164.530(j)(1)(ii); 164.530(j)(1)(iii); 164.312(b)(2)(i); 164.316 | Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all of them. |
| 4 | Documentation Retention Policy | Requirement | 164.316; 164.530(j) | Retain all required documentation for 6 years from the date of its creation or the date when it was last in effect, whichever is later. |
| 5 | Documentation Availability Policy | Requirement | 164.310; 164.316; 164.530(j) | Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains. |
| 6 | Documentation Updates | Requirement | 164.310; 164.316; 164.530(j) | Review documentation periodically and update it as needed, in response to environmental or operational changes affecting the security of PHI. |
| 7 | HHS Investigations Policy | | 160.308; 164.310; 164.312 | CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & recordkeeping requirements. |
| 8 | Breach Notification Policy | | 164.400 to 164.414 | Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications. |
| 9 | Assign Privacy Official Policy | | 164.530(a) | CEs and BAs must assign an individual responsible for all Privacy-related activities and compliance efforts, and for accepting and processing complaints. |
| 10 | State Law Preemption Policy | | 160.201 to 160.205 | CEs and BAs must analyze and assess state law requirements related to data privacy & security, and the HIPAA preemption impacts of state laws. |
| 11 | HIPAA Training Policy | | 164.530(b) | CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed. |
| 12 | PHI Uses & Disclosures Policy | | 164.502 to 164.514 | CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regs. |
| 13 | Patient Rights Policy | | 164.520 to 164.528 | CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regs. |
| 14 | Complaints Policy | | 164.530(d); 164.530(a) | CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received. |
| 15 | Risk Management Process Policy | Required | 164.302 to 164.318 | Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements. |
| 16 | Risk Analysis | Required Standard | 164.308(a)(1) | Conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. |
| 17 | Risk Management | Required Standard | 164.308(a)(1) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a). |
| 18 | Sanction Policy | Required Standard | 164.308(a)(1) | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. |
| 19 | Information System Activity Review | Required Standard | 164.308(a)(1) | Implement procedures to regularly review information system activity: audit logs, access reports, security incident reports, etc. |
| 20 | Assigned Security Responsibility | Required Standard | 164.308(a)(2) | Assign security responsibility: identify the Security Official responsible for development and implementation of the required P&Ps. |
| 21 | Authorization & Supervision Policy | Addressable Standard | 164.308(a)(3) | Implement procedures for authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. |
| 22 | Workforce Clearance Policy | Addressable Standard | 164.308(a)(3) | Implement procedures to determine that the access of a workforce member to ePHI is appropriate. |
| 23 | Termination Policy | Addressable Standard | 164.308(a)(3) | Implement procedures for terminating access to ePHI when employment ends or as required by (a)(3)(ii)(B) of this section. |
| 24 | Access Authorization | Addressable Standard | 164.308(a)(4) | Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms. |
| 25 | Access Establishment and Modification | Addressable Standard | 164.308(a)(4) | Implement P&Ps, based on the Access Authorization policies, to establish, document, review, and modify a user's rights of access to workstations, transactions, programs, or processes. |
| 26 | Security Reminders | Addressable Standard | 164.308(a)(5) | Implement periodic reminders of security and information safety best practices. |
| 27 | Protection from Malicious Software | Addressable Standard | 164.308(a)(5) | Implement procedures for guarding against, detecting, and reporting malicious software. |
| 28 | Log-in Monitoring | Addressable Standard | 164.308(a)(5) | Implement procedures for monitoring and reporting log-in attempts and discrepancies. |
| 29 | Password Management | Addressable Standard | 164.308(a)(5) | Implement procedures for creating, changing, and safeguarding appropriate passwords. |
| 30 | Security Incident Policy | Required Standard | 164.308(a)(6); 164.400 to 164.414 | Identify and respond to suspected or known security incidents; mitigate harmful effects; document security incidents and their outcomes. |
| 31 | Data Backup Policy | Required Standard | 164.308(a)(7) | Establish and implement procedures to create and maintain retrievable, exact copies of ePHI that can be retrieved during unexpected negative events. |
| 32 | Disaster Recovery Policy | Required Standard | 164.308(a)(7) | Establish (and implement as needed) procedures to restore any loss of data. |
| 33 | Emergency Mode Operation Policy | Required Standard | 164.308(a)(7) | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode. |
| 34 | Testing and Revision Policy | Addressable Standard | 164.308(a)(7) | Implement procedures for periodic testing and revision of contingency and emergency plans. |
| 35 | Applications and Data Criticality Analysis | Addressable Standard | 164.308(a)(7) | Assess the relative criticality of specific applications and data in support of other contingency plan components. |
| 36 | Evaluation Policy | Required Standard | 164.308(a)(8) | Perform periodic technical & nontechnical evaluations to establish how well security P&Ps meet the requirements of this subpart. |
| 37 | Business Associates Policy | Required Standard | 164.308(b)(1); 164.410; 164.502(e); 164.504(e) | CEs must obtain, and BAs must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded. |
| 38 | Contingency Operations Policy | Addressable Standard | 164.310(a)(1-2) | Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency. |
| 39 | Facility Security Policy | Addressable Standard | 164.310(a)(1-2) | Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
| 40 | Access Control and Validation Policy | Addressable Standard | 164.310(a)(1-2) | Implement procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision. |
| 41 | Maintenance Records | Addressable Standard | 164.310(a)(1-2) | Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.). |
| 42 | Workstation Use | Required Standard | 164.310(b-c) | Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI. |
| 43 | Workstation Security | Required Standard | 164.310(b-c) | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. |
| 44 | Media Disposal & Disposition | Required Standard | 164.310(d)(1-2) | Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. |
| 45 | Media Re-use | Required Standard | 164.310(d)(1-2) | Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. |
| 46 | Hardware & Media Accountability | Addressable Standard | 164.310(d)(1-2) | Maintain records of the movements of hardware and electronic media, and of any person responsible therefore. |
| 47 | Data Backup and Storage | Addressable Standard | 164.310(d)(1-2); 164.308(a)(7) | The Data Backup Plan defines what data is essential for continuity after damage to or destruction of data, hardware, or software. The Risk Analysis determines what to back up. |
| 48 | Unique User Identification | Required Standard | 164.306; 164.312(a)(1-2) | Assign a unique name and/or number for identifying and tracking user identity. |
| 49 | Emergency Access Policy | Required Standard | 164.104; 164.306; 164.312(a)(1) | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. |
| 50 | Automatic Logoff | Addressable Standard | 164.306; 164.312(a)(1-2) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| 51 | Encryption and Decryption | Addressable Standard | 164.312(a)(1-2) | Implement an appropriate mechanism to encrypt and decrypt ePHI. |
| 52 | Audit Controls | Required Standard | 164.312(b) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. |
| 53 | Integrity Controls Policy | Addressable Standard | 164.312(c)(1-2) | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. |
| 54 | Person or Entity Authentication | Required Standard | 164.312(d) | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. |
| 55 | Transmission Security Policy | Addressable Standard | 164.312(e)(1) | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. |
| 56 | Mobile Device Policy | Optional Policy | 164.302-164.314 | Governs the use within an entity of mobile devices that can access, use, transmit, or store ePHI. |