The 54 policies in the suite are organized into four major categories (Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Other Standards) that correspond to the categorization used in the HIPAA Security Rule. Purchasers of the complete suite also receive introductory how-tos and supplemental reference materials to support adapting the policy templates to their own environment. Suite components include:
| # | Policy | Security Rule status (parent standard) | Description |
|---|--------|----------------------------------------|-------------|
| 1 | Security Management Process | Standard | Describes the processes the organization implements to prevent, detect, contain, and correct security violations relative to its ePHI. |
| 2 | Risk Analysis | Required implementation specification (Security Management Process) | Discusses what the organization should do to identify, define, and prioritize risks to the confidentiality, integrity, and availability of its ePHI. |
| 3 | Risk Management | Required implementation specification (Security Management Process) | Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels. |
| 4 | Sanction Policy | Required implementation specification (Security Management Process) | Indicates the actions to be taken against employees who do not comply with organizational security policies and procedures. |
| 5 | Information System Activity Review | Required implementation specification (Security Management Process) | Describes processes for the regular organizational review of activity on its information systems containing ePHI. |
| 6 | Assigned Security Responsibility | Standard | Describes the requirements for the responsibilities of the Information Security Officer. |
| 7 | Workforce Security | Standard | Describes what the organization should do to ensure that ePHI is accessed only by employees who have been appropriately authorized. |
| 8 | Authorization and/or Supervision | Required implementation specification (Workforce Security) | Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised. |
| 9 | Workforce Clearance Procedure | Addressable implementation specification (Workforce Security) | Reviews what the organization should do to ensure that employee access to its ePHI is appropriate. |
| 10 | Termination Procedures | Addressable implementation specification (Workforce Security) | Defines what the organization should do to prevent unauthorized access to its ePHI by former employees. |
| 11 | Information Access Management | Standard | Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI. |
| 12 | Access Authorization | Addressable implementation specification (Information Access Management) | Defines how the organization grants authorized access to its ePHI. |
| 13 | Access Establishment and Modification | Addressable implementation specification (Information Access Management) | Discusses what the organization should do to establish, document, review, and modify access to its ePHI. |
| 14 | Security Awareness & Training | Standard | Describes the elements of the organizational program for regularly providing appropriate security training and awareness to its employees. |
| 15 | Security Reminders | Addressable implementation specification (Security Awareness & Training) | Defines what the organization should do to provide ongoing security information and awareness to its employees. |
| 16 | Protection from Malicious Software | Addressable implementation specification (Security Awareness & Training) | Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting, and reporting malicious software. |
| 17 | Log-in Monitoring | Addressable implementation specification (Security Awareness & Training) | Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies. |
| 18 | Password Management | Addressable implementation specification (Security Awareness & Training) | Describes what the organization should do to maintain an effective process for appropriately creating, changing, and safeguarding passwords. |
| 19 | Security Incident Procedures | Standard | Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity, or availability of its ePHI. |
| 20 | Response and Reporting | Required implementation specification (Security Incident Procedures) | Defines what the organization should do to be able to respond effectively to security incidents involving its ePHI. |
| 21 | Contingency Plan | Standard | Identifies what the organization should do to be able to respond effectively to emergencies or disasters that impact its ePHI. |
| 22 | Data Backup Plan | Required implementation specification (Contingency Plan) | Discusses organizational processes to regularly back up and securely store ePHI. |
| 23 | Disaster Recovery Plan | Required implementation specification (Contingency Plan) | Indicates what the organization should do to create a disaster recovery plan for recovering ePHI that was impacted by a disaster. |
| 24 | Emergency Mode Operation Plan | Required implementation specification (Contingency Plan) | Discusses what the organization should do to establish a formal, documented emergency mode operation plan that enables the continuance of critical business processes protecting the security of its ePHI during and immediately after a crisis. |
| 25 | Testing and Revision Procedure | Addressable implementation specification (Contingency Plan) | Describes what the organization should do to conduct regular testing and revision of its contingency plans (including the disaster recovery and emergency mode operation plans) to ensure that they remain up to date and effective. |
| 26 | Applications and Data Criticality Analysis | Addressable implementation specification (Contingency Plan) | Reviews what the organization should do to have a formal process for defining and identifying the criticality of its applications, data, and information systems. |
| 27 | Evaluation | Standard | Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule. |
| 28 | Business Associate Contracts and Other Arrangements | Standard | Describes how to establish the agreements that should exist between the organization and the business associates that create, receive, maintain, or transmit ePHI on its behalf. |
| 29 | Facility Access Controls | Standard | Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems. |
| 30 | Contingency Operations | Addressable implementation specification (Facility Access Controls) | Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take the actions defined in its disaster recovery and emergency mode operation plans. |
| 31 | Facility Security Plan | Addressable implementation specification (Facility Access Controls) | Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein. |
| 32 | Access Control and Validation Procedures | Addressable implementation specification (Facility Access Controls) | Discusses what the organization should do to appropriately control and validate physical access to facilities containing information systems that hold ePHI or software programs that can access ePHI. |
| 33 | Maintenance Records | Addressable implementation specification (Facility Access Controls) | Defines what the organization should do to document repairs and modifications to the physical components of its facilities that relate to the protection of its ePHI. |
| 34 | Workstation Use | Standard | Indicates what the organization should do to appropriately protect its workstations. |
| 35 | Workstation Security | Standard | Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ePHI, while ensuring that authorized employees have appropriate access. |
| 36 | Device and Media Controls | Standard | Discusses what the organization should do to appropriately protect information systems and electronic media containing ePHI when they are moved into, out of, or within organizational locations. |
| 37 | Disposal | Required implementation specification (Device and Media Controls) | Describes what the organization should do to appropriately dispose of information systems and electronic media containing ePHI when they are no longer needed. |
| 38 | Media Re-use | Required implementation specification (Device and Media Controls) | Discusses what the organization should do to remove ePHI from electronic media before the media are re-used. |
| 39 | Accountability | Addressable implementation specification (Device and Media Controls) | Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ePHI between organizational locations. |
| 40 | Data Backup and Storage | Addressable implementation specification (Device and Media Controls) | Discusses what the organization should do to back up and securely store the ePHI held on its information systems and electronic media. |
| 41 | Access Control | Standard | Indicates what the organization should do to acquire and implement information systems whose technical controls allow access to ePHI only to the persons or software programs granted access rights under its information access management policies. |
| 42 | Unique User Identification | Required implementation specification (Access Control) | Discusses what the organization should do to assign a unique identifier to each employee who accesses its ePHI, so that use of information systems can be tracked and monitored. |
| 43 | Emergency Access Procedure | Required implementation specification (Access Control) | Discusses what the organization should do to have a formal, documented emergency access procedure that enables authorized employees to obtain required ePHI during an emergency. |
| 44 | Automatic Logoff | Addressable implementation specification (Access Control) | Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a defined period of inactivity on systems that contain or can access ePHI. |
| 45 | Encryption and Decryption | Addressable implementation specification (Access Control) | Discusses what the organization should do to appropriately use encryption to protect the confidentiality of its stored ePHI. |
| 46 | Audit Controls | Standard | Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ePHI. |
| 47 | Integrity | Standard | Defines what the organization should do to appropriately protect its ePHI from improper alteration or destruction. |
| 48 | Mechanism to Authenticate Electronic Protected Health Information | Addressable implementation specification (Integrity) | Discusses what the organization should do to implement electronic mechanisms that confirm its ePHI has not been altered or destroyed in an unauthorized manner. |
| 49 | Person or Entity Authentication | Standard | Defines what the organization should do to ensure that all persons or entities seeking access to its ePHI are appropriately authenticated before access is granted. |
| 50 | Transmission Security | Standard | Describes what the organization should do to guard against unauthorized access to, and improper modification of, the ePHI it transmits over electronic communications networks. |
| 51 | Integrity Controls | Addressable implementation specification (Transmission Security) | Indicates what the organization should do to maintain integrity controls that ensure ePHI transmitted over electronic communications networks is not improperly modified without detection. |
| 52 | Encryption | Addressable implementation specification (Transmission Security) | Defines what the organization should do to appropriately use encryption to protect the confidentiality (and, with authenticated encryption, the integrity) of the ePHI it transmits over electronic communications networks. |