If you have any questions, or would like to create your own controls mapping, please re
kbox.com!
164.306(c) Standards
164.306(e) Maintenance
164.308(a)(8) Evaluation
164.310(d)(2)(i) Disposal
164.310(d)(2)(iii) Accountability
164.312(c)(1) Integrity
164.312(e)(2)(ii) Encryption
164.316(b)(1) Documentation
164.316(b)(2)(ii) Availability
164.316(b)(2)(iii) Updates
Summary
(e) Maintenance. Security measures implemented to comply with standards and implementation specification
Implement policies and procedures to prevent, detect, contain and correct security violations
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate l
Apply appropriate sanctions against workforce members who fail to comply with the security policies and pr
Implement procedures to regularly review records of information system activity, such as audit logs, access re
Identify the security official who is responsible for the development and implementation of the policies and
Implement policies and procedures to ensure that all members of its workforce have appropriate access to el
Implement procedures for authorization and/or supervision of workforce members who work with electronic
Implement procedures to determine that the access of a workforce member to electronic protected health in
Implement procedures for terminating access to electronic protected health information when the employment
Implement policies and procedures for authorizing access to electronic protected health information that are
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies an
Implement policies and procedures for granting access to electronic protected health information, for exam
Implement policies and procedures that, based upon the entity's access authorization policies, establish, doc
Implement a security awareness and training program for all members of its workforce (including manageme
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurre
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected
Establish (and implement as needed) procedures to restore loss of data.
Establish (and implement as needed) procedures to enable continuation of critical business processes for pr
Implement procedures for periodic testing and revision of contingency plans.
Assess the relative criticality of specific applications and data in support of other contingency plan compone
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented und
A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.
(2) This standard does not apply with respect to -
(i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.
(ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or
(iii) The transmission of electronic protected health information from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met.
(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).
Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contrac
Implement policies and procedures to limit physical access to its electronic information systems and the facil
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized p
Implement procedures to control and validate a person's access to facilities based on their role or function, i
Implement policies and procedures to document repairs and modifications to the physical components of a faci
Implement policies and procedures that specify the proper functions to be performed, the manner in which tho
Implement physical safeguards for all workstations that access electronic protected health information, to res
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that
Implement policies and procedures to address the final disposition of electronic protected health informatio
Implement procedures for removal of electronic protected health information from electronic media before
Maintain a record of the movements of hardware and electronic media and any person responsible therefor
Create a retrievable, exact copy of electronic protected health information, when needed, before movement
Implement technical policies and procedures for electronic information systems that maintain electronic prot
Assign a unique name and/or number for identifying and tracking user identity.
Establish (and implement as needed) procedures for obtaining necessary electronic protected health inform
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivi
Implement a mechanism to encrypt and decrypt electronic protected health information.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in informatio
Implement policies and procedures to protect electronic protected health information from improper alterat
Implement electronic mechanisms to corroborate that electronic protected health information has not been
Implement procedures to verify that a person or entity seeking access to electronic protected health informa
Implement technical security measures to guard against unauthorized access to electronic protected health
Implement security measures to ensure that electronically transmitted electronic protected health informati
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful.
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will--
(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which it becomes aware;
(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(ii) Other arrangements.
(A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if -
(1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or
(2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.
(B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained.
(C) The covered entity may omit from its other arrangements the authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuan
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement
Report to the group health plan any security incident of which it becomes aware.
A covered entity must, in accordance with § 164.306: Implement reasonable and appropriate policies and proce
Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation
Make documentation available to those persons responsible for implementing the procedures to which the
Review documentation periodically, and update as needed, in response to environmental or operational chang
CID DID DOMAIN Control TYPE_CFR-200
164.308(a)(1)(i) 164.308 164.308 Admin(1)(i) Standar Standard
Q: Has your organization reviewed all processes involving ePHI, including A3,A4
creating, receiving, maintaining, and transmitting it?
Q: Has your organization reviewed the risk analysis and other implementation
specifications for the security management process?
Q: Does your organization have any prior risk assessments, audit comments,
security requirements, and/or security test results?
Q: What are your organization's current and planned controls? Do you have
them formally documented?
Q: Has your organization assigned responsibility to check all hardware and
software, including hardware and software used for remote access, to
determine whether selected security settings are enabled?
Q: Does your organization have an analysis of current safeguards and their
effectiveness relative to the identified risks?
Q: Are any of your organization's facilities located in a region prone to any
natural disasters, such as earthquakes, floods, or fires? Others?
Q: Does your organization have policies and procedures in place for security? A5,A6,A7,A8
Q: Do your organization's current safeguards ensure the confidentiality,
integrity, and availability of all ePHI?
Q: Do your organization's current safeguards protect against reasonably
anticipated uses and disclosures of ePHI that are not permitted by the HIPAA Privacy Rule?
Q: Has your organization protected against all reasonably anticipated threats or
hazards to the security and integrity of ePHI?
Q: Does your organization have a formal and documented system security
plan?
Q: Will your organization's new security controls work with your organization's
existing IT architecture?
Q: Does your organization have a formal and documented contingency plan?
Q: Does your organization have a communication plan or a process for
communicating policies and procedures to your appropriate staff members,
offices and all your workforce?
Q: Does your organization review and update your policies, procedures and
standards as needed and when appropriate?
Q: Has your organization assured compliance with all policies and procedures
by all your staff and workforce?
Q: Has your organization developed a training schedule for your Risk
Management Program?
Q: Does your organization have in place a formal and documented process, A9,A10
plus policy and procedures that address system misuse, abuse, and any
fraudulent activities with your organization's ePHI?
Q: Has your organization made all your staff, employees, and workforce aware
of your processes, policy and procedures (concerning sanctions for
inappropriate access), use, disclosure, and transmission of ePHI?
Q: Does your organization's sanction policy have a tiered structure that
takes into consideration the magnitude of harm to your organization and the
individual whose ePHI is at risk, and the possible types of inappropriate
disclosures?
Q: Does your organization have a process, procedure or communication plan of
how and when your managers and staff, employees and workforce will be
notified of suspected inappropriate activity?
Q: Does your organization have a formal, documented systems activity process A11,A12
and procedures?
Q: Who, and which office/department, within your organization is responsible
for the overall systems activity process, procedures and results?
Q: How often does your organization review your information systems activity?
What are the exceptions to the process that change the review period?
Q: How often does your organization analyze your systems activity
reviews/reports?
Q: Does your organization review exception reports and logs?
Q: What mechanisms and measures will your organization implement to assess
the effectiveness of your review process?
Q: Does your organization file monitoring reports, electronic and/or paper,
and how are these reports monitored?
Q: Does your organization have a sanction policy for staff, employee or
workforce violations?
Q: Does your organization have a complete security official job description that A13,A14,A15,
accurately reflects the security duties and responsibilities? Does it include all
areas outlined and spoken of in the questions outlined for this security
standard?
Q: Have all your organization's staff, employees, workforce, offices and
departments been notified of the name and office to contact with a security
problem?
Q: Has your organization implemented policies and procedures to ensure that an A17,A18,A19,
Q: Has your organization formally documented the standards you use to grant A32,A33
a staff, employee, workforce member user's access to a workstation, laptop,
transaction, program, process, and other tools and mechanisms?
Q: Does your organization have security access controls policies and
procedures? Are they updated regularly?
Q: Does your organization provide formal written and documented
authorization from the appropriate manager before granting access to
sensitive information?
Q: Are your organization's staff, employees, and workforce members' duties
separated so that only the minimally necessary ePHI based on the specific job
description is made available upon request?
Q: Does your organization have authentication mechanisms to verify the
identity of the user accessing the system?
Q: Does your organization's management regularly review the list of access
authorizations, including remote access authorizations, to verify that the list is
accurate and has not been inappropriately altered?
Q: Has your organization formally determined and documented your security A34,A35,A36,
training needs?
Q: Does your organization interview key staff when assessing your security
training needs?
Q: Did your organization's assessment include the security training needs
relating to sensitive data and other similar information?
Q: Has your organization determined what awareness, training and education
programs are needed, and which programs will be required?
Q: Has your organization outlined content and audience training priorities?
Q: What gaps did your organization discover in conducting the training
assessment? Outline what needs to be added and updated.
Q: Does your organization's training strategy and plan include an outline of
your organization's specific policies and procedures that require security
awareness and training?
Q: Does your organization's training strategy and plan include scope of the
awareness and training program?
Q: Does your organization's training strategy and plan include the goals?
Q: Does your organization's training strategy and plan include the target
audience(s)?
Q: Does your organization's training strategy and plan include the learning
objectives?
Q: Does your organization's training strategy and plan include the deployment
methods?
Q: Does your organization's training strategy and plan include evaluation of the
training through designated measurement techniques?
Q: Does your organization's training strategy and plan include the frequency of
training?
Q: Does your organization's training strategy and plan include the
consideration of compliance dates and the HITECH Act Updates?
Q: Does your organization have a process, a procedure, in place to ensure that
everyone in your organization receives security awareness training?
Q: Does your organization have a plan in place for training to address
specific technical topics based on job descriptions and responsibilities?
Q: Does your organization train your non-employees, such as contractors,
Q: Has your organization reviewed the security reminder implementation specifi XXXXX
Q: Does your organization provide periodic security updates to your staff, A39
employees, workforce, business associates and contractors/vendors?
Q: What methods does your organization already have in place or use to keep
your staff, employees, workforce, business associates and contractors/vendors
updated and aware of security in other ways?
Q: Does your organization provide security awareness training with all new
hires before they are given access to ePHI?
Q: Has your organization trained your staff, employees, and workforce members A40,A41
XXXXX A42
XXXXX A43
Q: Has your organization implemented policies and procedures for any security iA44
Q: Has your organization documented incident response procedures that can A45,A46,A47,
provide your organization with a single point of reference to guide the day-to-
day operations of the incident response team?
Q: Has your organization determined how it will respond to a security
incident? Is there a formal, documented policy and procedures?
Q: Has your organization incorporated your staff, employee, workforce
members' jobs and job descriptions, roles and responsibilities in *
Q: Has your organization reviewed incident response procedures with the staff,
employees, or workforce members with the roles and responsibilities related
to incident response, solicited suggestions for improvement, and made changes
to reflect input that is reasonable and appropriate?
Q: Do your organization's staff, employees and workforce members know the
importance of timely application of system patches to protect against
malicious software and exploitation of vulnerabilities?
Q: Does your organization monitor log-in attempts? Do your staff, employees
and workforce members know of this monitoring?
Q: Has your organization analyzed these problems and created a mitigation
plan that it is working through to decrease risks and vulnerabilities?
Q: Does your organization have a process, procedure for reporting and
handling security incidents?
Q: Has your organization prioritized your key functions to determine what
would need to be restored first in the event of a disruption?
Q: Does your organization update the incident response procedures when your
organizational needs change?
Q: Has your organization told your staff, employees and workforce members
how to and where to report a security incident?
Q: Has your organization developed standard incident reporting templates to
ensure that all necessary information related to an incident is documented and
investigated?
Q: If you have determined that your organization does not need a standing
incident response team, what other response mechanism are you using?
Q: Has your organization determined what information will be disclosed to the
media, and when?
Q: Does your organization have an identified list of both internal and external
Q: Has your organization defined your overall contingency objectives? Does it A49,A50,A51
include a listing of all areas that use ePHI?
Q: Has your organization established your organization's contingency plan
framework, roles and responsibilities?
Q: Does your organization's contingency policy and plan address scope,
resource requirements, training, testing, plan maintenance and backup
requirements?
Q: Does your organization's policy and plan outline what critical services must
be provided within specific timeframes?
Q: Does your organization's policy and plan identify and outline cross-
functional dependencies to determine how failure in one system impacts
other system(s)?
Q: Has your organization outlined scenarios and identified preventive
measures, measures you can do now, for each scenario that could result in the
loss of a critical service involving the use of ePHI?
Q: Has your organization brainstormed and outlined alternatives for
continuing operations for your organization if you lose a critical function or a
critical resource? Remember there are physical resources like offices and desks
and copiers and paper, electronic resources,
Q: Has your organization researched the cost of preventive measures being
considered?
Q: Are the preventive measures you are considering affordable and practical
for the environment?
Q: Does your organization have an emergency coordinator who manages,
maintains and updates the contingency plan? Does your organization's staff,
employees, and workforce members know who this individual is and how to
contact your coordinator?
Q: Does your organization have an emergency call list? Has it been distributed
to all staff, employees, and workforce members?
Q: Does your organization have a determination of when your contingency
plan needs to be activated? Is it triggered by anticipated duration of outage,
loss of capability, or impact on service delivery? Other?
Q: Does your organization have plans, procedures, and agreements initiated or
in place if the preventive measures need to be implemented?
Q: Has your organization reviewed the data backup plan and disaster recovery p XXXXX
Q: Does your organization's contingency plan address disaster recovery and A52
back up?
Q: Has your organization established and implemented procedures to create
and maintain retrievable exact copies of ePHI?
Q: Has your organization established and implemented procedures to restore
any loss of ePHI?
Q: Has your organization documented all your data backup procedures and
made them available to all your staff, employees, and workforce members?
Q: Does your organization have individuals/office named and responsibilities
assigned to conduct backup activities?
XXXXX A53
Q: Has your organization established, and implemented when needed, A54
procedures to enable continuation of critical business processes for the
security of ePHI while your organization is operating in emergency mode?
Q: Has your organization identified your key activities and developed
procedures to continue these key activities during an emergency?
Q: Has your organization also identified critical functions that use ePHI?
Q: During an emergency, would different staff/employees, facilities or systems
be needed to perform these critical functions?
Q: Can your organization assure the security of the ePHI in the alternative
mode(s) of operation?
Q: Does your organization have any existing reports or documentation, A57,A58,A59
previously prepared or created by your organization, addressing the
compliance, integration, or maturity of one or more security
safeguard(s) deployed to protect ePHI that you can leverage for this
evaluation?
Q: Has your organization established a frequency for security evaluations, and
disseminated this information to your entire organization?
Q: Do your organization's security policies specify that security evaluations
will be repeated when environmental and operational changes, such as
technology updates, are made that affect the security of ePHI?
Q: Does your organization's frequency of security evaluation policies reflect
any and all federal laws, regulations, and guidance documents that impact
environmental or operational changes affecting the security of ePHI?
Q: Does your organization's corporate, legal, and regulatory compliance staff,
employees, or workforce members participate when you conduct your
analysis?
Q: Has your organization considered management, operational, and technical
issues in your evaluation?
Q: Has your organization performed a periodic technical and nontechnical
evaluation, based initially upon the standards implemented?
Q: Has your organization decided if your evaluation will be conducted by your
internal staff and resources or by external consultants, or by a combination of
internal and external resources?
Q: Do any of your organization's staff, employee or workforce members have
the technical experience to evaluate your systems?
Q: Do your staff, employees, or workforce members have the training
necessary on security technical and non-technical issues?
Q: Has your organization outlined the necessary factors to be considered in
selecting an outside vendor, including credentials and experience?
Q: Does your organization use a strategy and tool that considers all the
elements of the HIPAA Security Rule, including all standards and
implementation specifications?
Q: Do the elements of each of your organization's evaluation procedure,
including questions, statement and other components, address individual,
Q: Does your organization have business associate contracts? A60,A61,A62
Q: Do your organization's business associate agreements (as written and
executed) contain sufficient language to ensure that required information
types are protected? Including the 2009, 2010, and 2011 HITECH Act updates
and inclusions?
Q: Has your organization identified the individual or department who is
responsible for coordinating the execution of your organization's business
associate agreements and other such agreements?
Q: Does your organization periodically review and reevaluate your list of
business associates to determine who has access to ePHI in order to assess
whether your list is complete and current?
Q: Has your organization named your systems and functions covered by the
contract/agreement?
Q: Are your organization's outsourced functions also covered by
contracts/agreements?
Q: Are your organization's off-shore functions also covered by
contracts/agreements?
Q: Has your organization executed new and updated existing agreements or
arrangements when necessary and appropriate?
Q: Do your organization's agreements and other arrangements include your
business associate(s) roles and responsibilities for the ePHI?
Q: Do your organization's agreements and other arrangements include
security requirements that address confidentiality, integrity and availability of
ePHI?
Q: Do your organization's agreements and other arrangements include security
requirements that meet all the HIPAA Security Rule requirements per the HITECH
Act?
Q: Do your organization's agreements and other arrangements include the
appropriate training requirements, as necessary?
Q: Who/which office within your organization is responsible for coordinating
and preparing the final agreement(s) or arrangement(s)?
Q: Do your organization's agreements and other arrangements specify how
ePHI is to be transmitted to and from the business associate?
Q: Do your organization's agreements and other arrangements specify
XXXXX A63
XXXXX A64
XXXXX XXXXX
Q: Does your organization have facility access controls, policies and PH1,PH2,PH3,
procedures?
Q: Does your organization have policies and procedures regarding access to
and use of your facilities and equipment?
Q: Does your organization have facility access control policies and procedures
already in place?
Q: Has your organization developed, disseminated, and periodically
reviewed/updated a formal, documented physical and environmental
protection policy that addresses the purposes, scope, roles, responsibilities,
management commitment, coordination among organizational entities and
functions, and compliance?
Q: Does your organization have formal, documented procedures to facilitate
implementation of the physical and environmental protection policy and
associated physical and environmental controls?
Q: Does your organization have an inventory of your facilities, and has it
identified the vulnerabilities in your current physical security capabilities?
Q: Has your organization assigned degrees of significance to each vulnerability
that you have identified?
Q: Has your organization determined which types of locations require access
controls to safeguard ePHI, such as: Data centers, Peripheral equipment
centers, IT staff offices, Workstation locations, and Others?
Q: Does your organization have locks and cameras in nonpublic areas and are
these reasonable and appropriate security controls?
Q: Are all your organization's workstations protected from public access and
viewing?
Q: Are all your organization's entrances and exits that lead to locations with
ePHI secured?
Q: Do normal and usual physical protections exist, such as locks on doors and
windows?
Q: Has your organization identified and assigned responsibility for the
measures and activities necessary to correct deficiencies and ensure that
proper access is allowed?
Q: Has your organization developed and deployed policies and procedures to
ensure that repairs, upgrades and/or modifications are made to your buildings
Q: Does your organization have a contingency operations plan? XXXXX
Q: Has your organization determined who needs access to your facilities and PH5,PH6,PH7
offices in the event of a disaster?
Q: Who is named in your contingency plan as responsible for access to ePHI
during a disaster?
Q: Who in your organization is responsible for implementing the contingency
plan for access to ePHI in each department, unit, and other office designation?
Q: Will your organization's contingency plan be appropriate for all types of
potential disasters, such as fire, flood, earthquake?
Q: Will your organization's contingency plan be appropriate for all your facilities?
Q: Does your organization have a backup plan for access to your facility and
/ or the ePHI?
Q: Has your organization implemented measures to provide physical protection PH8,PH9,PH10
for the ePHI in your possession?
Q: Does your organization have documentation of your facility inventory,
physical maintenance record, the history of physical changes, upgrades, and
other modifications?
Q: Does your organization's inventory identify points of access to your facilities
and the existing security controls used in these areas?
Q: Does your organization have procedures for securing your facilities, including
the exterior, the interior, and your equipment?
Q: Is a workforce member of your organization other than the security official
responsible for the facility plan?
Q: Does your organization have a facility security plan in place, under revision,
or under development?
Q: Does your organization periodically review your security plan for the
information system?
Q: Does your organization have policies and procedures in place for controlling PH12,PH13,PH
and validating access to your facilities by staff, employees, workforce
members, visitors, and probationary employees?
Q: Does your organization monitor physical access to the information system to
detect and respond to physical security incidents?
Q: Does your organization periodically review physical access logs?
Q: Has your organization developed and implemented policies and procedures PH17,PH18
to document repairs and modifications to the physical components of your
facilities specifically related to security?
Q: Has your organization developed, disseminated, and periodically
reviewed/updated your formal, documented information system maintenance
policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organization entities, and compliance?
Q: Does your organization have formal, documented procedures to facilitate
the implementation of your information system maintenance policy and
associated system maintenance controls?
Q: Does your organization maintain records of repairs to hardware, walls,
doors, and locks?
Q: Has your organization assigned responsibility to an individual or office for
maintaining the repair and modification records?
Q: Does your organization control all maintenance activities, whether
performed on site or remotely and whether the equipment is serviced on site
or removed to another location?
Q: Does your organization require that the designated official explicitly
approve the removal of the information system or system components from
your organization's facilities for off-site maintenance or repairs?
Q: Does your organization sanitize equipment to remove all information from
associated media prior to removal from your organization's facilities for off-site
maintenance?
Q: Does your organization obtain support and/or spare parts for your
organization's security-critical information system components or key
information technology components within a designated time period of
failure?
Q: Does your organization have workstation use policies and procedures? PH19,PH20,PH
Q: Has your organization developed and implemented policies and procedures
for proper use and performance of all types of workstations, including for
day-to-day operations?
Q: Does your organization have an inventory of workstation types and locations
within your organization?
Q: Has your organization included all types of computing devices in your
inventory of workstations, such as laptops, PDAs, tablets (iPads), smart phones,
and others?
Q: Has your organization named an individual or office responsible for this
inventory and its maintenance?
Q: Has your organization developed and implemented policies and procedures
for each type of workstation device, including accommodating their unique
issues?
Q: Has your organization classified your workstations based on their
capabilities, and defined the tasks commonly performed on a given
workstation or type of workstation?
Q: Has your organization identified key operational risks that could result in a
breach of security from all types of workstations, and trained your staff,
employees, and workforce members on predictable breaches?
Q: Does your organization have policies and procedures that will prevent
unauthorized access to unattended workstations, limit the ability of
unauthorized persons to view sensitive information, and dispose of sensitive
information as needed?
Q: Has your organization trained your staff, employees or workforce members
in the security requirements for ePHI use in their day-to-day jobs?
Q: Does your organization: 1) document allowed methods of remote access to
the information system?
Q: Does your organization: 3) monitor for unauthorized remote access to the
information system?
Q: Does your organization: 4) authorize remote access to the information
system prior to the connection?
Q: Does your organization: 1) establish usage restrictions and implementation
guidance for organization-controlled mobile devices?
Q: Does your organization have workstation security physical safeguards in PH22,PH23,PH
place?
Q: Has your organization documented the different ways workstations are
accessed by staff, employees, workforce members, and non-employees?
Q: Are any of your organization's workstations located in public areas?
Q: Does your organization use laptops and tablets (iPads) as workstations? Do
you have specific policies and procedures for such workstations?
Q: Has your organization determined which type(s) of access holds the greatest
threat to security?
Q: Has your organization reviewed the areas of your workstations to determine
which areas are more vulnerable to unauthorized use, theft, or viewing of the
data? Do you do this review periodically?
Q: Has your organization implemented physical safeguards and other security
measures to minimize the possibility of inappropriate access to ePHI through
workstations, including locked doors, screen barriers, cameras, guards?
Q: Does your organization protect information system media until the media
are destroyed or sanitized using approved equipment, techniques, and
procedures?
Q: Does your organization have device and media controls, policies and PH30,PH31,PH
procedures?
Q: Does your organization: 1) protect and control your defined types of digital
and non-digital media during transport outside of controlled areas using your
organizational security measures?
Q: Does your organization: 2) maintain accountability for information system
media during transport outside of controlled areas?
Q: Does your organization: 3) restrict the activities associated with transport of
such media to authorized personnel?
Q: Does your organization have procedures for the removal of ePHI from PH35
electronic media before the media are made available for reuse, including
assuring that ePHI is properly destroyed and cannot be recreated?
Q: Does your organization have one individual or department responsible for
coordinating data disposal and reuse of hardware and software across your
enterprise?
Q: Does your organization train your staff, employees, and workforce members
on the security and risks of ePHI destruction and reuse of software and
hardware?
Q: Does your organization keep a record of the movement of hardware and PH36,PH37
software both inside your organization and when it leaves your facility, and do
you have an individual or office responsible for this task?
Q: Does your organization have an inventory of the type of media that are used
to store ePHI, and is it updated periodically?
Q: Does your organization permit your staff, employees, and workforce
members to remove electronic media that contains or can be used to access
ePHI; does your organization have procedures to track the media externally?
Q: Does your organization create an exact copy of ePHI if needed before you PH38
move the equipment?
Q: Does your organization maintain backup files offsite to assure data
availability in the event data is lost while transporting or moving electronic
media containing ePHI?
Q: Does your organization have an inventory of what business process would
be impacted and for how long if data were unavailable while media was being
moved?
Q: Does your organization have access to technical policies and procedures? T1,T2,T3,T4
Q: Has your organization identified all applications, systems, servers and other
electronic tools that hold and use ePHI?
Q: Has your organization outlined the user roles for the applications, systems,
servers and other electronic tools identified above?
Q: Has your organization determined where the ePHI supporting the electronic
tools is currently housed (i.e. laptop, network, etc.)?
Q: Are any of your organization's systems, networks, or data accessed
remotely?
Q: Has your organization identified an approach for access control?
Q: Has your organization determined the access capabilities of all your
electronic tools that hold and create ePHI, such as viewing data, modifying
data, deleting data, and creating data?
Q: Does your organization have a formal access control policy that guided the T5,T6
development of access control procedures?
Q: Has your organization developed and implemented access control
procedures?
Q: Do your organization's access control procedures include: 1) initial access, 2)
increased access, 3) access to different systems and applications than the user
currently has?
Q: Has your access control policy, including the rules of user behavior, been
communicated to your system users?
Q: Has your organization outlined how user compliance with your access
control policy will be enforced?
Q: Has your organization determined who will manage the access control
procedures?
Q: Does your organization train your users in access control procedures and
management?
Q: Does your organization train new employees/users in your access control
policy and procedures, and other instructions for protecting ePHI?
Q: Does your organization have procedures for new employee/user access to
your data and systems?
Q: Does your organization have procedures for reviewing and, as appropriate,
modifying access authorization for existing users?
Q: Has your organization determined how a user identifier should be
established, such as length and content, and communicated this information to
your staff, employees, and workforce members?
Q: Has your organization determined if the user identifier should be
self-selected or randomly generated? Is it different for different types of data?
Q: Can your organization trace all system activity, viewing, modifying, deleting
and creating of ePHI, to a specific user?
Q: Does your organization record each time ePHI is viewed, modified, deleted
or created in an audit tool to support audit and other business functions?
Q: Does your organization have procedures for obtaining necessary access to T7,T8,T9,T10,T
ePHI during an emergency?
Q: Does your organization have a policy on when access procedures should be
activated?
Q: Does your organization's policy name the person/role/office that makes the
decision to activate your emergency access procedures?
Q: Does your organization have procedures and a method for supporting
continuity of operations when normal access procedures are disabled or
unavailable due to system problems?
Q: Will your organization's systems automatically default to settings and
functionalities that will enable the emergency access procedures or will it
need to be activated by a system's administrator/authorized individual?
Q: Has your organization determined the appropriate scope of audit controls T23,T24,T25,T
that are necessary to protect your information systems and tools that
contain ePHI, based on your risk assessment?
Q: Has your organization determined what data will need to be captured by
your audit controls and in your audit logs, such as user ID and event type/date/time?
Q: Has your organization determined where your ePHI is at risk within your
organization and when you transmit it outside your organization?
Q: Does your organization have an inventory of what systems, applications,
processes, servers, laptops, PDAs, tablets (iPads) and other electronic tools
make data vulnerable to unauthorized or inappropriate tampering, uses or
disclosures of ePHI?
Q: Which activities involving ePHI will your audit controls monitor: creation,
review, updating, deleting, other?
Q: Has your organization evaluated your existing systems' capabilities in the last
12 months and determined if any changes or upgrades are necessary?
Q: Does your organization have tools in place for auditing data review, creating,
deleting and updating, plus for firewall system activity and other similar
activities?
Q: Has your organization determined what are the most appropriate
monitoring tools for your organization, such as third party tools, freeware,
operating-system provided, or home grown?
Q: Does your organization's evaluation include determination of what changes
and upgrades to your monitoring tools is reasonable and appropriate?
Q: Does your organization have a process and communication plan to tell your
staff, employees, and workforce members about your organization's decisions
regarding audit and review of their use of ePHI?
Q: Has your organization named a person, role or office as the responsible
party for your overall audit process and its results?
Q: Has your organization determined the period when audits will be
performed?
Q: Has your organization determined the type of audit trail data it will need,
and the monitoring procedures to derive exception reports, other reports?
Q: Has your organization determined how your exception reports and logs will
be reviewed?
Q: Does your organization have integrity policies and procedures? T32
Q: Does your organization have a list of all users who are authorized to
access ePHI?
Q: Does your organization have an established basis for assigning specific individuals
and roles access to the ePHI based on need, such as what is necessary for a job task?
Q: Has your organization identified all approved users with the ability to alter
or destroy data?
Q: Have your organization's users been trained on how to use ePHI?
Q: Does your organization have audit trails established for all accesses to ePHI?
Q: Has your organization determined what can be done to protect the ePHI
when it is at rest in your systems and tools?
Q: Does your organization have policies and procedures that are used to
decrease or eliminate alteration of ePHI during transmission, such as encryption?
Q: Does your organization have a formally documented set of integrity
requirements that is based on your analysis of use, users and misuses of ePHI
and your risk analysis?
Q: Does your organization have a written policy related to your integrity
requirements and has it been communicated to your system(s) users?
Q: Are your organization's current audit, logging, and access control techniques
and methods sufficient to address the integrity of ePHI?
Q: If your organization's current techniques and methods are not sufficient,
what additional techniques and methods can you apply to check ePHI integrity,
such as quality control process, transaction and output reconstruction?
Q: Can your organization provide additional training to decrease instances
attributable to human errors?
Q: Does your organization have integrity controls policies and procedures?
Q: Does your organization have measures planned or implemented to protect T40,T41,T42
ePHI during transmission?
Q: Does your organization have assurance that the information is not altered
during transmission?
Q: Does your organization's business associate contract(s) provide that the business
associates will implement administrative, physical and technical
safeguards to protect the ePHI?
Q: Does your organization's business associate contract(s) address functions
related to creating, receiving, maintaining, and transmitting ePHI?
Q: Do your organization's business associate contracts provide that the
business associates conduct a risk assessment that addresses administrative,
physical and technical risks?
Q: Do your organization's business associate contracts provide that any agent,
Q: Does your organization's business associate contract(s) provide that the
business associate will report any security incidents of which it becomes aware
to the covered entity?
Q: Has your organization identified the key business associate staff/point of
contact in the event of a security incident?
Q: Does your organization have in place a procedure including a reporting
mechanism for reporting security incidents by a business associate?
Q: Does your organization's business associate contract include standards and
thresholds for termination of contract?
Q: Do the conditions for termination within your organization's business
associate contract include material breach of the contract, and that the breach
cannot be cured?
Q: Does your organization's business associate contract include reporting the
problem to the Office for Civil Rights (OCR) if contract termination is not possible?
Q: If your organization and the organization you are contracting with are both
governmental agencies, do you use a memorandum of understanding (MOU)?
Q: Does your organization's MOU/agreement provide protection for the ePHI
equivalent to that provided in a HIPAA business associate contract?
Q: If your organization's MOU cannot be terminated, are other enforcement
mechanisms in place that are reasonable and appropriate?
Q: Does your organization use memorandum of understanding (MOU) with certai
Q: Does your organization have other laws similar to business associate agree
Q: If your organization has an MOU, have you made a good faith effort to obtain
satisfactory assurances that the HIPAA Security Standards are met?
Q: Does your organization document its attempts to obtain satisfactory assurances,
and the reasons why they cannot be obtained?
Q: Does your organization have policies and procedures for administrative PO1
safeguards, physical safeguards, and technical safeguards?
Q: Does your organization have in place reasonable and appropriate policies
and procedures that comply with the standards and implementation
specifications of the HIPAA Security Rule?
Q: Do your organization's security policies and procedures take into
consideration: 1) your organization's size, complexity and the services you
provide, 2) your organization's technical infrastructure, hardware and software
capabilities, 3) the cost of your organization's security measures, 4) the
potential risks to day-to-day operation, including which functions and tools are
critical to operations?
Q: Does your organization have procedures for periodic re-evaluation of your
security policies and procedures, and update them when necessary?
Q: Does your organization change security policies and procedures at any
appropriate time, and document the changes and implementation?
Q: Does your organization have a documentation policy and procedures?
Q: Has your organization documented all security policies and procedures?
Q: Has your organization documented your decisions concerning the security
management, operational, and technical controls to mitigate your identified
risks?
Q: Does your organization update your security documentation following
breaches, security incidents, new acquisitions, change in technology and other
similar times?
Q: Does your organization have an individual or office that maintains and is
responsible for your HIPAA Security documentation?
Q: Does your organization have a data retention policy and procedure(s) that co
Q: Has your organization aligned HIPAA documentation retention requirements wi PO4
Q: Has your organization communicated to all staff that need access to your PO5
security documentation where it is found?
Q: Does your organization's education, training and awareness activities
include the availability of your security documentation?
Q: Does your organization have a process in place to solicit input from the staf,
employees, and workforce impacted, into your updates of your security
policies and procedures?
Q: Does your organization have a version control for your procedure(s) and proces
PO6
HHS-ONC_SRA | HHS-ONC_SRATK_W_LINEBREAKS | TYPE_HHS-ONC_SRATK
(A1): Does your practice develop, document, and implement
policies and procedures for assessing and managing risk to its
Electronic Protected Health Information (ePHI)? (Standard)
(A2): Does your practice have a process for periodically
reviewing its risk analysis policies and procedures and making
updates as necessary?
(A3): Does your practice categorize its information systems
based on the potential impact to your practice should they
become unavailable? (Required)
(A4): Does your practice periodically complete an accurate and
thorough risk analysis, such as upon occurrence of a significant
event or change in your business organization or environment?
(A5): Does your practice have a formal documented program
to mitigate the threats and vulnerabilities to ePHI identified
through the risk analysis? (Required)
(A6): Does your practice assure that its risk management
program protects against the impermissible use and disclosure
of ePHI?
(A7): Does your practice document the results of its risk
analysis and assure the results are distributed to appropriate
members of the workforce who are responsible for mitigating
the threats and vulnerabilities to ePHI identified through the
risk analysis?
(A8): Does your practice formally document a security plan?
(A9): Does your practice have a formal and documented
process or regular human resources policy to discipline
workforce members who have access to your organization's
ePHI if they are found to have violated the office's policies to
prevent system misuse, abuse, and any harmful activities that
involve your practice's ePHI? (Required)
(A10): Does your practice include its sanction policies and
procedures as part of its security awareness and training
program for all workforce members?
(A11): Does your practice have policies and procedures for the
review of information system activity? (Required)
(A12): Does your practice regularly review information system
activity?
(A13): Does your practice have a senior-level person whose job
it is to develop and implement security policies and
procedures or act as a security point of contact? (Required)
(A14): Is your practice's security point of contact qualified to
assess its security protections as well as serve as the point of
contact for security policies, procedures, monitoring, and
training?
(A15): Does your practice have a job description for its security
point of contact that includes that person's duties, authority,
and accountability?
(A16): Does your practice make sure that its workforce
members and others with authorized access to your ePHI
know the name and contact information for its security point
of contact and know to contact this person if there are any
security problems?
(A17): Does your practice have a list that includes all members
of its workforce, the roles assigned to each, and the
corresponding access that each role enables for your
practice's facilities, information systems,
electronic devices, and ePHI? (Required)
(A18): Does your practice know all business associates and the
access that each requires for your practice's facilities,
information systems, electronic devices, and ePHI?
(A19): Does your practice clearly define roles and
responsibilities along logical lines and assure that no one
person has too much authority for determining who can access
your practice's facilities, information systems, and ePHI?
(A20): Does your practice have policies and procedures that
make sure those who need access to ePHI have access and
those who do not are denied such access?
(A21): Has your practice chosen someone whose job duty is to
decide who can access ePHI (and under what conditions) and
to create ePHI access rules that others can follow?
(A26): Does your organization have policies and procedures
that authorize members of your workforce to have access to
ePHI and describe the types of access that are permitted? (Addressable)
(A27): Do your practice's policies and procedures require
screening workforce members prior to enabling access to its
facilities, information systems, and ePHI to verify that users are
trustworthy?
(A28): Does your practice have policies and procedures for
terminating authorized access to its facilities, information
systems, and ePHI once the need for access no longer exists? (Addressable)
(A29): Does your practice have formal policies and
procedures to support when a workforce member's
employment is terminated and/or a relationship with a
business associate is terminated?
(A30): Do your practice's policies and procedures describe the (Standard)
(A31): Does your practice have policies and procedures that expl (Required)
(A32): Do the roles and responsibilities assigned to your
practice's workforce members support and enforce
segregation of duties? (Addressable)
(A33): Do your practice's policies and procedures explain
how your practice assigns user authorizations (privileges),
including the access that is permitted?
(A34): Does your practice have a training program that makes
each individual with access to ePHI aware of security measures
to reduce the risk of improper access, uses, and disclosures? (Standard)
(A35): Does your practice periodically review and update its
security awareness and training program in response to
changes in your organization, facilities or environment?
(A36): Does your practice provide ongoing basic security
awareness to all workforce members, including physicians?
(A37): Does your practice provide role-based training to all
new workforce members?
(A38): Does your practice keep records that detail when each
workforce member satisfactorily completed periodic training?
(A40): Does your practice's awareness and training content
include information about the importance of implementing
software patches and updating antivirus software when
requested? (Addressable)
(A41): Does your practice's awareness and training content
include information about how malware can get into your
systems?
(A42): Does your practice include log-in monitoring as part of i (Addressable)
(A43): Does your practice include password management as part (Addressable)
(A44): Does your practice have policies and procedures designed (Standard)
(A45): Does your practice have incident response policies and
procedures that assign roles and responsibilities for incident
response? (Required)
(A46): Does your practice identify members of its incident
response team and assure workforce members are trained and
that incident response plans are tested?
(A47): Does your practice's incident response plan align with
its emergency operations and contingency plan, especially
when it comes to prioritizing system recovery actions or events
to restore key processes,
systems, applications, electronic devices and media, and
information (such as ePHI)?
(A48): Does your practice implement the information
system's security protection tools to protect against malware?
(A49): Does your practice know what critical services and ePHI
it must have available to support decision making about a
patient's treatment during an emergency? (Standard)
(A50): Does your practice consider how natural or man-made
disasters could damage its information systems or prevent
access to ePHI and develop policies and procedures for
responding to such a situation?
(A51): Does your practice regularly review/update its
contingency plan as appropriate?
(A53): Does your practice have policies and procedures for cont (Required)
(A54): Does your practice have an emergency mode operations plan (Required)
(A55): Does your practice have policies and procedures for testi (Addressable)
(A56): Does your practice implement procedures for identifying (Addressable)
(A57): Does your practice maintain and implement policies and
procedures for assessing risk to ePHI and engaging in a
periodic technical and non-technical evaluation in response to
environmental or operational changes affecting the security of
your practice's ePHI? (Standard)
(A58): Does your practice periodically monitor its physical
environment, business operations, and information system to
gauge the effectiveness of security safeguards?
(A59): Does your practice identify the role responsible and
accountable for assessing risk and engaging in ongoing
evaluation, monitoring, and reporting?
(A60): Does your practice identify the role responsible and
accountable for making sure that business associate
agreements are in place before your practice enables a service
provider to begin to create, access, store or transmit ePHI on
your behalf? (Standard)
(A61): Does your practice maintain a list of all of its service
providers, indicating which have access to your practice's
facilities, information systems and ePHI?
(A62): Does your practice have policies and implement
procedures to assure it obtains business associate
agreements?
(A63): If your practice is the business associate of another cove (Required)
(A64): Does your practice execute business associate agreements (Required)
(PH1): Do you have an inventory of the physical systems,
devices, and media in your office space that are used to store
or contain ePHI? (Standard)
(PH2): Do you have policies and procedures for the physical
protection of your facilities and equipment? This includes
controlling the environment inside the facility.
(PH3): Do you have policies and procedures for the physical
protection of your facilities and equipment? This includes
controlling the environment inside the facility.
(PH4): Do you have physical protections in place to manage
physical security risks, such as a) locks on doors and windows
and b) cameras in nonpublic areas to monitor all entrances
and exits?
(PH12): Do you have a Facility User Access List of workforce
members, business associates, and others who are authorized
to access your facilities where ePHI and related information
systems are located? (Addressable)
(PH13): Do you periodically review and approve a Facility User
Access List and authorization privileges, removing from the
Access List personnel no longer requiring access?
(PH14): Does your practice have procedures to control and
validate someone's access to your facilities based on that
person's role or job duties?
(PH15): Do you have procedures to create, maintain, and keep
a log of who accesses your facilities (including visitors), when
the access occurred, and the reason for the access?
(PH16): Has your practice determined whether monitoring
equipment is needed to enforce your facility access control
policies and procedures?
(PH17): Do you have maintenance records that include the
history of physical changes, upgrades, and other modifications
for your facilities and the rooms where information systems
and ePHI are kept? (Addressable)
(PH18): Do you have a process to document the repairs and
modifications made to the physical security features that
protect the facility, administrative offices, and treatment
areas?
(PH19): Does your practice keep an inventory and a location record of all of its workstation devices? [Standard]
(PH20): Has your practice developed and implemented workstation use policies and procedures?
(PH21): Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?
(PH22): Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations? [Standard]
(PH23): Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?
(PH24): Have you put any of your practice's workstations in public areas?
(PH25): Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?
(PH26): Does your practice have physical protections in place to secure your workstations?
(PH27): Do you regularly review your workstations' locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?
(PH28): Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.
(PH29): Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?
(PH30): Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed? [Standard]
(PH31): Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?
(PH32): Do you maintain records of the movement of electronic devices and media inside your facility?
(PH33): Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?
(PH35): Do you have procedures that describe how your practice [Required]
(PH36): Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility? [Addressable]
(PH37): Do you maintain records of employees removing electronic devices and media from your facility that have or can be used to access ePHI?
(PH38): Does your organization create backup files prior to the [Addressable]
(T1): Does your practice have policies and procedures requiring safeguards to limit access to ePHI to those persons and software programs appropriate for their role? [Standard]
(T2): Does your practice have policies and procedures to grant access to ePHI based on the person or software programs appropriate for their role?
(T3): Does your practice analyze the activities performed by all of its workforce and service providers to identify the extent to which each needs access to ePHI?
(T4): Does your practice identify the security settings for each of its information systems and electronic devices that control access?
(T5): Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user? [Required]
(T6): Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?
(T7): Does your practice have policies and procedures to enable access to ePHI in the event of an emergency? [Required]
(T8): Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?
(T9): Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?
(T10): Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage such as a cloud environment?
(T11): Does your practice have backup information systems so that it can access ePHI in the event of an emergency or when your practice's primary systems become unavailable?
(T12): Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?
(T13): Does your practice have policies and procedures to identify the role of the individual accountable for activating emergency access settings when necessary?
(T14): Does your practice designate a workforce member who can activate the emergency access settings for your information systems?
(T15): Does your practice test access when evaluating its ability to continue accessing ePHI and other health records during an emergency?
(T16): Does your practice effectively recover from an emergency and resume normal operations and access to ePHI?
(T17): Does your practice have policies and procedures that require an authorized user's session to be automatically logged off after a predetermined period of inactivity? [Addressable]
(T18): Does a responsible person in your practice know the automatic logoff settings for its information systems and electronic devices?
(T19): Does your practice activate an automatic logoff that terminates an electronic session after a predetermined period of user inactivity?
(T20): Does your practice have policies and procedures for implementing mechanisms that can encrypt and decrypt ePHI? [Addressable]
(T21): Does your practice know the encryption capabilities of its information systems and electronic devices?
(T22): Does your practice control access to ePHI and other health information by using encryption/decryption methods to deny access to unauthorized users?
(T23): Does your practice have policies and procedures identifying hardware, software, or procedural mechanisms that record or examine information systems activities? [Standard]
(T24): Does your practice identify its activities that create, store, and transmit ePHI and the information systems that support these business processes?
(T25): Does your practice categorize its activities and information systems that create, transmit, or store ePHI as high, moderate, or low risk based on its risk analyses?
(T26): Does your practice use the evaluation from its risk analysis to help determine the frequency and scope of its audits, when identifying the activities that will be tracked?
(T27): Does your practice have audit control mechanisms that can monitor, record, and/or examine information system activity?
(T28): Does your practice have policies and procedures for creating, retaining, and distributing audit reports to appropriate workforce members for review?
(T29): Does your practice generate the audit reports and distribute them to the appropriate people for review?
(T30): Does your practice have policies and procedures establishing retention requirements for audit purposes?
(T31): Does your practice retain copies of its audit/access records?
(T32): Does your practice have policies and procedures for prot [Standard]
(T33): Does your practice have mechanisms to corroborate that [Addressable]
(T34): Does your practice have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed? [Required]
(T35): Does your practice know the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed?
(T36): Does your practice use the evaluation from its risk analysis to select the appropriate authentication mechanism?
(T37): Does your practice protect the confidentiality of the documentation containing access control records (list of authorized users and passwords)?
(T38): Does your practice have policies and procedures for guarding against unauthorized access of ePHI when it is transmitted on an electronic network? [Standard]
(T39): Does your practice implement safeguards to assure that ePHI is not accessed while en route to its intended recipient?
(T44): Does your practice have policies and procedures for encrypting ePHI when deemed reasonable and appropriate? [Addressable]
(T45): When analyzing risk, does your practice consider the value of encryption for assuring the integrity of ePHI, so that it is not accessed or modified when it is stored or transmitted?
(O1): Does your practice assure that its business associate agre [Standard]
(O2): Do the terms and conditions of your practice's business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice? [Required]
(O3): If your practice is the business associate of a covered ent [Required]
(PO2): Does your practice assure that its policies and procedur [Standard]
(PO3): Does your practice assure that its other security progra [Standard]
(PO4): Does your practice assure that its policies, procedures, a [Required]
(PO5): Does your practice assure that its policies, procedures a [Required]
(PO6): Does your practice assure that it periodically reviews a [Required]
PE_HHS-ONC_SRATK