University HIPAA Security Gap Analysis Worksheet

The document outlines the HIPAA Security Rule standards and implementation requirements for protecting electronic protected health information (ePHI). It details various security measures, administrative safeguards, physical safeguards, and compliance requirements that covered entities must adhere to. The document also includes specific citations and recommendations for maintaining the confidentiality, integrity, and availability of ePHI.


Worksheet columns: Item | HIPAA Citation | Standard | Implementation Specification | Implementation Requirement Description | Solution Level | Full Regulatory Text

Columns left blank in the worksheet for the assessor to complete: Compliance, Current Practice, ePHI Assets at Risk (reference inventory items individually), Findings & Recommendation. Regulatory text that is cut short below is cut short in the worksheet cell itself.

SECURITY STANDARDS: GENERAL RULES

1 | 164.306(a) | Ensure Confidentiality, Integrity & Availability | - | Ensure CIA and protect against threats | - | (a) General requirements. Covered entities must do the following:
2 | 164.306(b) | Flexibility of Approach | - | Reasonably consider factors in security compliance | - | (b) Flexibility of approach.
3 | 164.306(c) | Standards | - | CEs must comply with standards | - | (c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308,
4 | 164.306(d) | Implementation Specifications | - | Required and Addressable Implementation Specification requirements | - | (d) Implementation specifications.
5 | 164.306(e) | Maintenance | - | Ongoing review and modification of security measures | - | (e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as

ADMINISTRATIVE SAFEGUARDS

6 | 164.308(a)(1)(i) | Security Management Process | - | P&P to manage security violations | P&P | Implement policies and procedures to prevent, detect, contain and correct security violations.
7 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Assessment | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
8 | 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | Measures | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec 164.206(a).
9 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations | P&P | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
10 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Procedures | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
11 | 164.308(a)(2) | Assigned Security Responsibility | - | Identify security official responsible for P&P | Assignment | Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
12 | 164.308(a)(3)(i) | Workforce Security | - | Implement P&P to ensure appropriate PHI access | P&P | Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section
13 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Procedures | Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
14 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Procedures | Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
15 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Procedures | Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
16 | 164.308(a)(4)(i) | Information Access Management | - | P&P to authorize access to PHI | P&P | Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
17 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations | P&P | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
18 | 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | P&P to authorize access to PHI | P&P | Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
19 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI | P&P | Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
20 | 164.308(a)(5)(i) | Security Awareness Training | - | Training program for workers and managers | Program | Implement a security awareness and training program for all members of its workforce (including management).
21 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Reminders | Periodic security updates.
22 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | Procedures | Procedures for guarding against, detecting, and reporting malicious software.
23 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | Procedures | Procedures for monitoring log-in attempts and reporting discrepancies.
24 | 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | Procedures | Procedures for creating, changing, and safeguarding passwords.
25 | 164.308(a)(6)(i) | Security Incident Procedures | - | P&P to manage security incidents | P&P | Implement policies and procedures to address security incidents.
26 | 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | Measures | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
27 | 164.308(a)(7)(i) | Contingency Plan | - | Emergency response P&P | P&P | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
28 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures | Procedures | Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
29 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures | Procedures | Establish (and implement as needed) procedures to restore loss of data.
30 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | Procedures | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
31 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures | Procedures | Implement procedures for periodic testing and revision of contingency plans.
32 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | Analysis | Assess the relative criticality of specific applications and data in support of other contingency plan components.
33 | 164.308(a)(8) | Evaluation | - | Periodic security evaluation | Evaluation | Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's
34 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | - | CE implement BACs to ensure safeguards | - | A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business
35 | 164.308(b)(4) | Written Contract | Required | Implement compliant BACs | Contracts | Document satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

PHYSICAL SAFEGUARDS

36 | 164.310(a)(1) | Facility Access Controls | - | P&P to limit access to systems and facilities | P&P | Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
37 | 164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery | Procedures | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
38 | 164.310(a)(2)(ii) | Facility Security Plan | Addressable | P&P to safeguard equipment and facilities | P&P | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
39 | 164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Facility access procedures for personnel | Procedures | Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
40 | 164.310(a)(2)(iv) | Maintenance Records | Addressable | P&P to document security-related repairs and modifications | P&P | Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).
41 | 164.310(b) | Workstation Use | - | P&P to specify workstation environment & use | P&P | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
42 | 164.310(c) | Workstation Security | - | Physical safeguards for workstation access | Controls | Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
43 | 164.310(d)(1) | Device and Media Controls | - | P&P to govern receipt and removal of hardware and media | P&P | Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
44 | 164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal | P&P | Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
45 | 164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment | P&P | Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
46 | 164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | Documentation | Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
47 | 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | Procedures | Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

TECHNICAL SAFEGUARDS

48 | 164.312(a)(1) | Access Control | - | Technical (administrative) P&P to manage PHI access | P&P | Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
49 | 164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | Procedures | Assign a unique name and/or number for identifying and tracking user identity.
50 | 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | Procedures | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
51 | 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | Mechanism | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
52 | 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | Mechanism | Implement a mechanism to encrypt and decrypt electronic protected health information.
53 | 164.312(b) | Audit Controls | - | Procedures and mechanisms for monitoring system activity | Controls | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
54 | 164.312(c)(1) | Integrity | - | P&P to safeguard PHI unauthorized alteration | P&P | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
55 | 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI not altered | Mechanism | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
56 | 164.312(d) | Person or Entity Authentication | - | Procedures to verify identities | Procedures | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
57 | 164.312(e)(1) | Transmission Security | - | Measures to guard against unauthorized access to transmitted PHI | Controls | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
56 | 164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission | Controls | Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
55 | 164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | Mechanism | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

ORGANIZATIONAL REQUIREMENTS

56 | 164.314(a)(1) | Business Associate Contracts or Other Arrangements | - | CE must ensure BA safeguards PHI | Process | (i) The contract or other arrangement between the covered entity and its business associate required by
57 | 164.314(a)(2) | Business Associate Contracts | Required | BACs must contain security language | Contracts | (i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will--
58 | 164.314(b)(1) | Requirements for Group Health Plans | - | Plan documents must reflect security safeguards | Plan Doc | Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately
59 | 164.314(b)(2)(i) | Implement Safeguards | Required | Plan sponsor to implement safeguards as appropriate | P&P | The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
60 | 164.314(b)(2)(ii) | Ensure Adequate Separation | Required | Security measures to separate PHI from plan sponsor and plan | P&P | Ensure that the adequate separation required by
61 | 164.314(b)(2)(iii) | Ensure Agents Safeguard | Required | Ensure subcontractors safeguard PHI | Contracts | Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
62 | 164.314(b)(2)(iv) | Report Security Incidents | Required | Plan sponsors report breaches to health plan | Process | Report to the group health plan any security incident of which it becomes aware.
63 | 164.316(a) | Policies and Procedures | - | P&P to ensure safeguards to PHI | P&P | A covered entity must, in accordance with § 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This
64 | 164.316(b)(1) | Documentation | Required | Document P&P and actions & activities | Documentation | Documentation.
65 | 164.316(b)(2)(i) | Time Limit | Required | Retain documentation for 6 years | Procedures | Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
66 | 164.316(b)(2)(ii) | Availability | Required | Documentation available to system administrators | Procedures | Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
67 | 164.316(b)(2)(iii) | Updates | Required | Periodic review and updates to changing needs | Process | Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
ISO 17799 cross-reference sheet

Columns: Applicable ISO 17799 Standard(s) & References | HIPAA Citation | Standard | Implementation Specification | Implementation Requirement Description

SECURITY STANDARDS: GENERAL RULES

12.1.4 | 164.306(a) | Ensure Confidentiality, Integrity and Availability | | Ensure CIA and protect against threats
| 164.306(b) | Flexibility of Approach | | Reasonably consider factors in security compliance
12.1.1, 10.1.1 | 164.306(c) | Standards | | CEs must comply with standards
| 164.306(d) | Implementation Specifications | | Required and Addressable Implementation Specification requirements
| 164.306(e) | Maintenance | | Ongoing review and modification of security measures

ADMINISTRATIVE SAFEGUARDS

10.1.1 | 164.308(a)(1)(i) | Security Management Process | | P&P to manage security violations
7.1.5, 10.3.1, 10.2.3, 11.1.2, 9.4.1, 9.4.2, 3.1.2, 5.1.1, 6.3.4, 8.2.1, 9.4.3, 9.4.3, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.6.2, 10.1.1, 10.4.3 | 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment
6.3.4, 8.1.1, 4.1.2, 3.1.1, 3.1.2, 4.1.1, 5.1.1, 8.1.4, 8.2.1, 8.5.1, 8.6.4, 9.4.4-9.4.9, 9.6.2, 9.7.1, 10.1.1, 11.1.1, 10.4.3, 12.2.2, 12.1.9 | 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches
6.3.5, 11.1.2 | 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for P&P violations
6.3.5, 9.7.1, 9.7.2, 12.2.1, 12.2.2, 12.3.1, 12.3.2, 6.3.4, 8.1.1, 8.2.2, 10.4.3, 10.5.4, 10.3.4, 10.5.1-10.5.5, 12.2.1, 12.1.5, 12.2.2 | 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity
3.1.2, 4.1.3, 4.1.5, 4.1.1, 4.1.2 | 164.308(a)(2) | Assigned Security Responsibility | | Identify security official responsible for P&P
9.6.1 | 164.308(a)(3)(i) | Workforce Security | | Implement P&P to ensure appropriate PHI access
8.1.4, 9.2.1, 9.2.2, 9.4.2, 9.8.2, 10.4.3 | 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access
6.1.2, 6.1.4 | 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access
6.1.2, 6.1.4 | 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access
9.6.1, 9.5.3, 9.2.2, 10.4.3 | 164.308(a)(4)(i) | Information Access Management | | P&P to authorize access to PHI
4.2.1 | 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | P&P to separate PHI from other operations
9.1.1, 9.2.2, 9.4.1, 9.6.2, 9.2.1, 8.1.4, 5.2.1 | 164.308(a)(4)(ii)(B) | Access Authorization | | P&P to authorize access to PHI
8.1.4, 9.1.1, 9.2.2, 9.2.4, 9.4.1, 9.5.2, 9.5.3, 9.6.2, 8.6.4, 5.2.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 12.1.5 | 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | P&P to grant access to PHI
6.2.1, 8.7.7, 9.2.1, 9.2.2, 9.3.2, 9.8.1, 8.7.7, 8.7.4, 12.1.5, 6.1.1, 6.1.3 | 164.308(a)(5)(i) | Security Awareness Training | | Training program for workers and managers
6.2.1, 9.3.2, 6.1.1, 6.1.3 | 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates
8.3.1, 8.7.4, 4.1.4, 10.4.1, 10.4.2, 10.5.1-10.5.5 | 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software
8.4.2, 9.7.1, 9.7.2, 8.4.3 | 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts
9.2.3, 9.3.1, 9.5.4 | 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management
8.1.3, 4.1.6 | 164.308(a)(6)(i) | Security Incident Procedures | | P&P to manage security incidents
6.3.1, 6.3.2, 6.3.4, 8.1.3 | 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents
11.1.1, 8.6.3, 4.1.6, 8.1.2 | 164.308(a)(7)(i) | Contingency Plan | | Emergency response P&P
8.1.1, 8.4.1, 11.1.3, 11.1.2, 8.6.3 | 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning & procedures
11.1.3 | 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning & procedures
11.1.3 | 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures
7.2.2, 11.1.3, 11.1.5, 8.1.5, 7.2.3, 10.5.1-10.5.5 | 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency planning periodic testing procedures
11.1.2, 11.1.4, 8.1.5, 5.2.2, 8.1.2 | 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning
4.1.5, 9.7.2, 12.2.1, 12.2.2, 3.1.2, 6.3.4, 8.1.1, 8.2.2 | 164.308(a)(8) | Evaluation | | Periodic security evaluation
4.2.1, 4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.1.6, 8.2.1, 8.7.4 | 164.308(b)(1) | Business Associate Contracts and Other Arrangements | | CE implement BACs to ensure safeguards
8.7.1, 4.3.1, 12.1.1 | 164.308(b)(4) | Written Contract | Required | Implement compliant BACs

PHYSICAL SAFEGUARDS

7.1.1-7.1.5, 12.1.3, 9.3.2 | 164.310(a)(1) | Facility Access Controls | | P&P to limit access to systems and facilities
7.2.2, 11.1.1, 11.1.3, 12.1.3, 4.1.7, 7.2.3, 7.2.4, 8.1.1 | 164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery
7.1.1, 7.1.3 | 164.310(a)(2)(ii) | Facility Security Plan | Addressable | P&P to safeguard equipment and facilities
7.1.2, 7.1.4, 9.1.1 | 164.310(a)(2)(iii) | Access Control Validation Procedures | Addressable | Facility access procedures for personnel
7.2.4, 12.1.3 | 164.310(a)(2)(iv) | Maintenance Records | Addressable | P&P to document security-related repairs and modifications
2.2.4, 7.2.1, 8.6.1, 7.1.4, 7.2.4, 8.6.1, 12.1.5, 9.3.2, 8.1.5, 4.1.4, 5.2.1 | 164.310(b) | Workstation Use | | P&P to specify workstation environment & use
7.2.1, 7.2.4, 8.6.2, 9.3.2, 7.3.2 | 164.310(c) | Workstation Security | | Physical safeguards for workstation access
5.1.1, 7.2.5, 7.3.2, 8.7.2, 8.6.7, 9.8.1, 8.5.1, 6.3.3 | 164.310(d)(1) | Device and Media Controls | | P&P to govern receipt and removal of hardware and media
7.2.6, 8.6.2 | 164.310(d)(2)(i) | Disposal | Required | P&P to manage media and equipment disposal
7.2.6, 8.6.2 | 164.310(d)(2)(ii) | Media Re-use | Required | P&P to remove PHI from media and equipment
5.1.1, 7.3.2, 7.2.5, 8.7.2, 9.8.1 | 164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement
8.1.1, 8.4.1, 8.6.3, 12.1.3 | 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment

TECHNICAL SAFEGUARDS

9.1.1, 9.4.1, 9.6.1, 12.1.3 | 164.312(a)(1) | Access Control | | Technical (administrative) P&P to manage PHI access
9.2.1, 9.2.2 | 164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking
11.1.3 | 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access
9.5.7, 9.5.8, 7.3.1 | 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms
8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 12.1.6 | 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI
8.1.3, 8.6.2, 9.7.1, 9.7.2, 12.3.1, 12.3.2, 10.3.4, 9.7.3, 4.1.6, 4.1.7 | 164.312(b) | Audit Controls | | Procedures and mechanisms for monitoring system activity
12.1.3, 10.2.1, 10.4.2 | 164.312(c)(1) | Integrity | | P&P to safeguard PHI unauthorized alteration
10.2.3, 8.1.6 | 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI not altered
9.4.3, 9.5.3, 8.7.6, 4.2.1, 9.2.1, 9.2.2, 10.2.1, 10.3.3 | 164.312(d) | Person or Entity Authentication | | Procedures to verify identities
10.3.1, 10.3.4, 10.2.4, 4.2.1 | 164.312(e)(1) | Transmission Security | | Measures to guard against unauthorized access to transmitted PHI
12.1.3, 10.3.4, 8.7.4, 7.2.3, 8.7.6, 9.4.3, 9.4.3-9.4.9, 9.6.2, 10.2.2, 10.2.4, 10.4.3 | 164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission
8.5.1, 8.7.4, 10.3.1, 10.3.2, 10.3.3, 10.4.2, 12.1.6 | 164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI

ORGANIZATIONAL REQUIREMENTS

4.2.2, 4.3.1, 8.1.6, 12.1.1, 4.2.1, 8.2.1, 4.1.6 | 164.314(a)(1) | Business Associate Contracts or Other Arrangements | | CE must ensure BA safeguards PHI
4.2.2, 4.3.1, 8.1.6, 8.7.1, 12.1.1, 8.7.4 | 164.314(a)(2) | Business Associate Contracts | | BACs must contain security language
N/A | 164.314(b)(1) | Requirements for Group Health Plans | | Plan documents must reflect security safeguards
N/A | 164.314(b)(2)(i) | Implement Safeguards | | Plan sponsor to implement safeguards as appropriate
N/A | 164.314(b)(2)(ii) | Ensure Adequate Separation | | Security measures to separate PHI from plan sponsor and plan
N/A | 164.314(b)(2)(iii) | Ensure Agents Safeguard | | Ensure subcontractors safeguard PHI
N/A | 164.314(b)(2)(iv) | Report Security Incidents | | Plan sponsors report breaches to health plan
3.1.1, 8.1.1, 12.1.4 (Privacy 6.1.3, 7.3.1, 8.7.4, 8.7.7), 12.1.1, 9.8.2, 12.1.2, 12.2.1, 12.1.4 | 164.316(a) | Policies and Procedures | | P&P to ensure safeguards to PHI
8.1.1, 12.1.1, 12.2.1 | 164.316(b)(1) | Documentation | | Document P&P and actions & activities
| 164.316(b)(2)(i) | Time Limit | | Retain documentation for 6 years
| 164.316(b)(2)(ii) | Availability | | Documentation available to system administrators
4.1.7, 12.1.1 | 164.316(b)(2)(iii) | Updates | | Periodic review and updates to changing needs
