368 lines (363 loc) · 1.01 MB

HIPAA_master_mapping

Original format: xlsx

Primary sheet: NIST & HHS-ONC

CSV companion: HIPAA_master_mapping.csv

Preview (first 50 rows)

PK DID DOMAIN CID CFR-2007-TITLE45-VOL1-PART164 TYPE_CFR-2007-TITLE45-VOL1-PART164 NIST_HIPAA_SECURITY_RULE_TOOLKIT_W_LINEBREAKS HHS-ONC_SRATK_ID HHS-ONC_SRATK HHS-ONC_SRATK_W_LINEBREAKS HHS-ONC_SRATK_NIST_MAP TYPE_HHS-ONC_SRATK
1 164.308 164.308 Administrative Safeguards 164.308(a)(1)(i) (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. Standard Q: Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures? A1,A2 (A1): Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?, (A2): Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary? (A1): Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)? Standard RA-1
Q: Does your organization's risk assessment policy address: purpose, scope, roles and responsibilities management commitment, coordination among organizational entities, training and compliance? (A2): Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?
Q: Has your organization disseminated your Risk Assessment policies and procedures?
Q: Has your organization disseminated its Risk Assessment procedures to the work staff/offices with the associated roles and responsibilities?
Q: Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?
Q: Has your organization reviewed and updated your Risk Assessment policy and procedures in accordance with your defined frequency?
Q: Has your organization identified the types of information and uses of that information and the sensitivity of each type of information been evaluated (also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
Q: Has your organization identified all information systems that house ePHI?
Q: Does your organization inventory include all hardware and software that are used to collect, store, process, or transmit ePHI, including excel spreadsheets, word tables, and other like data storage?
Q: Are all the hardware and software for which your organization is responsible periodically inventoried, including excel spreadsheets, word tables, and other like data storage?
Q: Has your organization identified all hardware and software that maintains or transmits ePHI, including excel spreadsheets, word tables, and other similar data storage and included it in your inventory?
Q: Does your organization's inventory include removable media, remote access devices, and mobile devices?
Q: Is the current information system configuration documented, including connections to other systems, both inside and outside your firewall?
2 164.308 164.308 Administrative Safeguards 164.308(a)(1)(ii)(A) (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Required Q: Has your organization reviewed all processes involving ePHI, including creating, receiving, maintaining, and transmitting it? A3,A4 (A3): Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?, (A4): Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment? (A3): Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable? Required RA-2,RA-3
Q: Has your organization reviewed the risk analysis and other implementation specifications for the security management process? (A4): Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?
Q: Does your organization have any prior risk assessments, audit comments, security requirements, and/or security test results?
Q: What are your organization's current and planned controls? Do you have them formally documented?
Q: Has your organization assigned responsibility to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
Q: Does your organization have an analysis of current safeguards and their effectiveness relative to the identified risks?
Q: Are any of your organization's facilities located in a region prone to any natural disasters, such as earthquakes, floods, or fires? Others?
3 164.308 164.308 Administrative Safeguards 164.308(a)(1)(ii)(B) (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). Required Q: Does your organization have policies and procedures in place for security? A5,A6,A7,A8 (A5): Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?, (A6): Does your practice assure that its risk management program prevents against the impermissible use and disclosure of ePHI., (A7): Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?, (A8): Does your practice formally document a security plan? (A5): Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis? Required PL-2,RA-3,PL-1
Q: Do your organization's current safeguards ensure the confidentiality, integrity, and availability of all ePHI? (A6): Does your practice assure that its risk management program prevents against the impermissible use and disclosure of ePHI.
Q: Do your organization's current safeguards protect against reasonably anticipated uses and of ePHI that are not permitted by the HIPAA Privacy Rule? (A7): Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?
Q: Has your organization protected against all reasonably anticipated threats or hazards to the security and integrity of ePHI? (A8): Does your practice formally document a security plan?
Q: Does your organization have a formal and documented system security plan?
Q: Will your organization's new security controls work with your organization's existing IT architecture?
Q: Does your organization have formal and documented contingency plan?
Q: Does your organization have a communication plan or a process for communicating policies and procedures to your appropriate staff member, office and all your workforce?
Q: Does your organization review and update your policies, procedures and standards as needed and when appropriate?
Q: Has your organization assured compliance with all policies and procedures by all your staff and workforce?
Q: Has your organization developed a training schedule for your Risk Management Program?
4 164.308 164.308 Administrative Safeguards 164.308(a)(1)(ii)(C) (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. Required Q: Does your organization have in place a formal and documented process, plus policy and procedures that address system misuse, abuse, and any fraudulent activities with your organization's ePHI? A9,A10 (A9): Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization’s ePHI if they are found to have violated the office’s policies to prevent system misuse, abuse, and any harmful activities that involve your practice's ePHI?, (A10): Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members? (A9): Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization’s ePHI if they are found to have violated the office’s policies to prevent system misuse, abuse, and any harmful activities that involve your practice's ePHI? Required PS-8,
Q: Has your organization made all your staff, employees, and workforce aware of your processes, policy and procedures (concerning sanctions for inappropriate access), use, disclosure, and transmission of ePHI? (A10): Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?
Q: Does your organization's sanctions have a tiered structure of sanctions that takes into consideration the magnitude of harm to your organization and the individual whose ePHI is at risk, and the possible types of inappropriate disclosures?
Q: Does your organization have a process, procedure or communication plan of how and when your managers and staff, employees and workforce will be notified of suspected inappropriate activity?
5 164.308 164.308 Administrative Safeguards 164.308(a)(1)(ii)(D) (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Required Q: Does your organization have a formal, documented systems activity process and procedures? A11,A12 (A11): Does your practice have policies and procedures for the review of information system activity?, (A12): Does your practice regularly review information system activity? (A11): Does your practice have policies and procedures for the review of information system activity? Required AU-1,AU-6,AU-7,SI-4
Q: Who, and which office/department, within your organization is responsible for overall systems activity process, procedures and results? (A12): Does your practice regularly review information system activity?
Q: How often does your organization review your information systems activity? What are the exceptions to the process that changes the review period?
Q: How often does your organization analyze your systems activity reviews/reports?
Q: Does your organization review exception reports and logs?
Q: What mechanisms and measures will your organization implement to assess the effectiveness of your review process?
Q: Does your organization file, electronic and/or paper, monitoring reports, and how are these reports monitored?
Q: Does your organization have a sanction policy for staff, employee or workforce violations?
6 164.308 164.308 Administrative Safeguards 164.308(a)(2) (2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. Standard Q: Does your organization have a complete security official job description that accurately reflects the security duties and responsibilities? Does it include all areas outlined and spoken of in the questions outlined for this security standard? A13,A14,A15,A16 (A13): Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?, (A14): Is your practice’s security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?, (A15): Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?, (A16): Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems? (A13): Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact? Required CA-6,IR-2,IR-6
Q: Have all your organization's staff, employees, workforce, offices and departments been notified of the name and office to contact with a security problem? (A14): Is your practice’s security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?
(A15): Does your practice have a job description for its security point of contact that includes that person's duties, authority, and accountability?
(A16): Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?
7 164.308 164.308 Administrative Safeguards 164.308(a)(3)(i) (3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Standard Q: Has your organization implemented policies and procedures to ensure that any and all staff, employees, and workforce members have appropriate, and only appropriate, access to ePHI; and to prevent the staff, employees, and workforce members who do not have access to ePHI from obtaining access to ePHI? A17,A18,A19,A20,A21 (A17): Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice’s facilities, information systems, electronic devices, and ePHI?, (A18): Does your practice know all business associates and the access that each requires for your practice’s facilities, information systems, electronic devices, and ePHI?, (A19): Does your practice clearly define roles and responsibilities along logical lines and assures that no one person has too much authority for determining who can access your practice's facilities, information systems, and ePHI?, (A20): Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?, (A21): Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow? 
(A17): Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice’s facilities, information systems Required AC-1,AC-5,AC-6,CA-6
electronic devices, and ePHI?
(A18): Does your practice know all business associates and the access that each requires for your practice’s facilities, information systems, electronic devices, and ePHI?
(A19): Does your practice clearly define roles and responsibilities along logical lines and assures that no one person has too much authority for determining who can access your practice's facilities, information systems, and ePHI?
(A20): Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?
(A21): Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?
8 164.308 164.308 Administrative Safeguards 164.308(a)(3)(ii) (ii) Implementation specifications: nan Q: Has your organization reviewed the workforce security implementation specifications? XXXXX XXXXX XXXXX XXXXX nan
9 164.308 164.308 Administrative Safeguards 164.308(a)(3)(ii)(A) (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Addressable Q: Has your organization implemented procedures for authorization and/or supervision of work force members who work with ePHI or in locations where it might be accessed? A22,A23,A24,A25 (A22): Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?, (A23): Does your practice have policies and procedures for access authorization that support segregation of duties?, (A24): Does your practice implement procedures for authorizing users and changing authorization permissions?, (A25): Do your practice’s policies and procedures for access authorization address the needs of those who are not members of its workforce? (A22): Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications? Addressable AC-1,PS-1,AC-3,MP-2,PS-6,AC-2,MA-5,PS-7
Q: Has your organization defined roles and responsibilities for all job functions? (A23): Does your practice have policies and procedures for access authorization that support segregation of duties?
Q: Has your organization assigned appropriate levels of security level oversight, training and access to each role? (A24): Does your practice implement procedures for authorizing users and changing authorization permissions?
Q: Does your organization have a listing in writing who has the business need, and who has been granted permission, to view, alter, retrieve, and store ePHI, and at what times, and under what circumstances and for what purposes? (A25): Do your practice’s policies and procedures for access authorization address the needs of those who are not members of its workforce?
Q: Does your organization have written job descriptions that are correlated with appropriate levels of access?
Q: Does your organization have an established set of qualifications for each job description?
Q: Does your organization check a candidate's qualifications against a specific job description?
Q: Has your organization made a determination of each candidate for a specific position can perform the tasks for that position?
Q: Has your organization established chains or command and lines of authority for workforce security?
Q: Has your organization established a process for maintenance personnel authorization and maintain a current list of authorized maintenance organizations and personnel?
Q: Has your organization made your work staff aware of the identity and roles of their supervisors?
Q: Has your organization provided staff, employees, and workforce members with a copy of their job descriptions, informed of the access granted to them, as well as the conditions by which this access can be used?
10 164.308 164.308 Administrative Safeguards 164.308(a)(3)(ii)(B) (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. Addressable Q: Does your organization check an applicant's employment and educational references, if this is reasonable for such a job description? A26,A27 (A26): Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?, (A27): Do your practice’s policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy? (A26): Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted? Addressable PS-1,PS-6,PS-2,PS-3
Q: Does your organization do background checks, such as a Criminal Offender Record Information (CORI) check, if appropriate in the circumstances? (A27): Do your practice’s policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?
Q: Does your organization have a process and strategy that supports your organization's authorizes who are permitted to designate and grant access to ePHI?
Q: Does your organization have formal and documented procedures for obtaining the necessary and appropriate sign-offs within your organizational structure to both grant and terminate access to ePHI?
11 164.308 164.308 Administrative Safeguards 164.308(a)(3)(ii)(C) (C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. Addressable Q: Does your organization have a standards set of procedures to recover access control devices, including identification badges, keys access cards from staff, employees and workforce member where their employment ends? A28,A29 (A28): Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?, (A29): Does your practice have formal policies and policies and procedures to support when a workforce member’s employment is terminated and/or a relationship with a business associate is terminated? (A28): Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists? Addressable PS-1,PS-4,PS-5
Q: Does your organization have a procedure to deactivate computer, and other electronic tools, access accounts, including the process that will disable user IDs and passwords? (A29): Does your practice have formal policies and policies and procedures to support when a workforce member’s employment is terminated and/or a relationship with a business associate is terminated?
Q: Does your organization need, and have separate termination procedures for voluntary termination, including retirement, promotion, transfer, or change of employment internal to your organization, versus involuntary termination, including for cause, reduction in force, involuntary transfer, and criminal or disciplinary actions?
Q: Does your organization have a standard checklist of action items for completion when a staff, employee, workforce member leaves your employment, such a s the return of all access devices, deactivation of logon accounts, including remote access, and return of any computers and other similar electronic tools, such as a PDA, and cell phone, and delivery of any data/information under this staff, employee of workforce member control?
12 164.308 164.308 Administrative Safeguards 164.308(a)(4)(i) (4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. Standard Q: Has your organization implemented policies and procedures that authorized your staff, employees and workforce to access to ePHI to provide protection for the use and disclosure of the ePHI? A30 (A30): Do your practice’s policies and procedures describe the methods it uses to limit access to its ePHI? (A30): Do your practice’s policies and procedures describe the methods it uses to limit access to its ePHI? Standard AC-1,AC-2,AC-5,AC-6
13 164.308 164.308 Administrative Safeguards 164.308(a)(4)(ii) (ii) Implementation specifications: nan Q: Has your organization reviewed the isolating clearinghouse functions implementation specifications? XXXXX XXXXX XXXXX XXXXX nan
14 164.308 164.308 Administrative Safeguards 164.308(a)(4)(ii)(A) (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Required Q: Does your organization have a component that functions as a healthcare clearinghouse? XXXXX XXXXX XXXXX XXXXX nan
Q: Has your organization a formal and documented finding that one part of your organization is a healthcare clearinghouse?
Q: Has your organization healthcare clearinghouse developed and implemented policies and procedures that protect the clearinghouse ePHI form unauthorized access by the other parts of your organization?
Q: Does your organization's clearinghouse share hardware or software with your larger organization of which it is part?
Q: Does your organization's clearinghouse share staff or physical space with staff from a larger organization?
Q: Has your organization established a separate network or subsystem for your organization's clearinghouse?
Q: Has your organization's clearinghouse staff, employees, and workforce been trained to safeguard ePHI from disclosure to your larger organization?
15 164.308 164.308 Administrative Safeguards 164.308(a)(4)(ii)(B) (B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Addressable Q: Has your organization formally documented how access to ePHI will be granted to your staff, employees, and workforce members? A31 (A31): Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)? (A31): Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)? Required AC-1,AC-2,AC-6
Q: Has your organizations formally documented the basis for restricting access to ePHI?
Q: Has your organization formally documented your ePHI access control method? Does your organization use identity-based, role-based, biometric based, proximity based, other means of access, or a combination of access methods?
Q: Does your organization's job descriptions accurately reflect assigned duties, responsibilities and enforcement of segregation of duties?
Q: Does your organization grant your staff, employees and workforce members remote access to ePHI?
Q: Has your organization determined if direct access to ePHI will be granted to third parties external to your organization, including business partners, other providers, health plans, patients and members to their own ePHI, and others?
Q: Does your organization's IT systems have the capacity to set access controls?
Q: Does your organization use stronger access controls for sensitive data?
16 164.308 164.308 Administrative Safeguards 164.308(a)(4)(ii)(C) (C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. Addressable Q: Has your organization formally documented the standards you use to grant a staff, employee, workforce member user's access to a workstation, lap top, transaction, program, process, and other tools and mechanisms? A32,A33 (A32): Do the roles and responsibilities assigned to your practice’s workforce members support and enforce segregation of duties?, (A33): Does your practice’s policies and procedures explain how your practice assigns user authorizations (privileges), including the access that are permitted? (A32): Do the roles and responsibilities assigned to your practice’s workforce members support and enforce segregation of duties? Addressable AC-1,AC-2,AC-5
Q: Does your organization have security access controls policies and procedures? Are they updated regularly? (A33): Does your practice’s policies and procedures explain how your practice assigns user authorizations (privileges), including the access that are permitted?
Q: Does your organization provide formal written and documented authorization from the appropriate manager before granting access to sensitive information?
Q: Are your organization's staff, employees, and workforce member's duties separated so that only the minimally necessary ePHI based on the specific job description is made available upon request?
Q: Does your organization have authentication mechanisms to verify the identity of the user accessing the system?
Q: Does your organization's management regularly review the list of access authorizations, including remote access authorizations, to verify that the list is accurate and has not been inappropriately altered?
17 164.308 164.308 Administrative Safeguards 164.308(a)(5)(i) (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). Standard Q: Has your organization formally determined and documented your security trailing needs? A34,A35,A36,A37,A38 (A34): Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?, (A35): Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?, (A36): Does your practice provide ongoing basic security awareness to all workforce members, including physicians?, (A37): Does your practice provide role-based training to all new workforce members?, (A38): Does your practice keep records that detail when each workforce member satisfactorily completed periodic training? (A34): Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures? Standard AT-1,AT-2,AT-3,AT-4
Q: Does your organization interview key staff when assessing your security training needs? (A35): Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?
Q: Did your organization's assessment include the security training needs of sensitive data, and other similar information? (A36): Does your practice provide ongoing basic security awareness to all workforce members, including physicians?
Q: Has your organization determined what awareness, training and education programs are needed, and which programs will be required? (A37): Does your practice provide role-based training to all new workforce members?
Q: Has your organization outlined content and audience training priorities? (A38): Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?
Q: What gaps did your organization discover in conducting the training assessment; outline what needs to be added and updated?
Q: Does your organization's training strategy and plan include an outline of your organization's specific policies and procedures that require security awareness and training?
Q: Does your organization's training strategy and plan include the scope of the awareness and training program?
Q: Does your organization's training strategy and plan include the goals?
Q: Does your organization's training strategy and plan include the target audience(s)?
Q: Does your organization's training strategy and plan include the learning objectives?
Q: Does your organization's training strategy and plan include the deployment methods?
Q: Does your organization's training strategy and plan include evaluation of the training through designated measurement techniques?
Q: Does your organization's training strategy and plan include the frequency of training?
Q: Does your organization's training strategy and plan include the consideration of compliance dates and the HITECH Act Updates?
Q: Does your organization have a process, a procedure, in place to ensure that everyone in your organization receives security awareness training?
Q: Does your organization have a plan in place for training that addresses specific technical topics based on job descriptions and responsibilities?
Q: Does your organization train your non-employees, such as contractors, interns, volunteers, and others?
Q: Has your organization selected topics to be included in your training content, materials and methods?
Q: Does your organization incorporate new information from email advisories, daily news web sites, periodicals, and other sources into your training content and materials when reasonable and appropriate?
Q: What and how many different types of media and venues does your organization use for security awareness training, such as computer-based training, on-site training, electronic and paper publications, or others; name them?
Q: Has your organization given each staff, employee, and workforce member a copy of your security policies and procedures, and do they know where to find them on your internal web or server or other place?
Q: Do your organization's staff, employees, workforce members know whom to contact and the procedures to handle a security incident?
Q: Does your organization's staff, employees, workforce members know and understand the consequences of their noncompliance with your organization's security policies and procedures?
Q: Do your organization's staff, employees, workforce members know how to handle physical security and information security issues with a laptop, PDA, tablet, smart phone, and/or other similar tools?
Q: Does your organization continuously research security issues and security training? Do you update your security training content, materials and evaluation with the new information?
Q: Has your organization scheduled and conducted the training outlined in your training strategy and plan and how often has your organization done security training since the publication of the HIPAA Security Rule?
Q: Does your organization have sanctions to impose on staff, employees and workforce if they do not complete the required security training?
Q: Does your organization keep your security awareness and training program current by updating it periodically? What is the review and update period?
Q: Does your organization conduct new or additional security training whenever changes occur in either technology or practices?
Q: Does your organization have a new hire security awareness, technology and information systems training plan?
Q: Does your organization train non-employees, including, contracts/vendors, interns, volunteers, and others?
18 164.308 164.308 Administrative Safeguards 164.308(a)(5)(ii) (ii) Implementation specifications. Implement: nan Q: Has your organization reviewed the security reminder implementation specifications? XXXXX XXXXX XXXXX XXXXX nan
19 164.308 164.308 Administrative Safeguards 164.308(a)(5)(ii)(A) (A) Security reminders (Addressable). Periodic security updates. Addressable Q: Does your organization provide periodic security updates to your staff, employees, workforce, business associates and contractors/vendors? A39 (A39): As part of your practice’s ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues? (A39): As part of your practice’s ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues? Addressable SI-5
Q: What methods does your organization already have in place or use to keep your staff, employees, workforce, business associates and contractors/vendors updated and aware of security other ways?
Q: Does your organization provide security awareness training with all new hires before they are given access to ePHI?
20 164.308 164.308 Administrative Safeguards 164.308(a)(5)(ii)(B) (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. Addressable Q: Has your organization trained your staff, employees, and workforce members in procedures for... * Guarding against, detecting, and reporting malicious software * Monitoring log-in attempts and reporting discrepancies * Creating changing and safeguarding passwords? A40,A41 (A40): Does your practice’s awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?, (A41): Does your practice’s awareness and training content include information about how malware can get into your systems? (A40): Does your practice’s awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested? Addressable CM-11,AT-2
(A41): Does your practice’s awareness and training content include information about how malware can get into your systems?
21 164.308 164.308 Administrative Safeguards 164.308(a)(5)(ii)(C) (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. Addressable XXXXX A42 (A42): Does your practice include log-in monitoring as part of its awareness and training programs? (A42): Does your practice include log-in monitoring as part of its awareness and training programs? Addressable AT-2,IR-5
22 164.308 164.308 Administrative Safeguards 164.308(a)(5)(ii)(D) (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. Addressable XXXXX A43 (A43): Does your practice include password management as part of its awareness and training programs? (A43): Does your practice include password management as part of its awareness and training programs? Addressable AC-1,IA-1
23 164.308 164.308 Administrative Safeguards 164.308(a)(6)(i) (6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. Standard Q: Has your organization implemented policies and procedures for any security incidents? A44 (A44): Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents? (A44): Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents? Standard IR-1
24 164.308 164.308 Administrative Safeguards 164.308(a)(6)(ii) (ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Required Q: Has your organization documented incident response procedures that can provide your organization with a single point of reference to guide the day-to-day operations of the incident response team? A45,A46,A47,A48 (A45): Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?, (A46): Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?, (A47): Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic device and media, and information (such as ePHI)?, (A48): Does your practice implement the information system’s security protection tools to protect against malware? (A45): Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response? Required IR-1,IR-2,IR-3,IR-4,IR-5
Q: Has your organization determined how it will respond to a security incident? Are there a formal documented policy and procedures? (A46): Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?
Q: Has your organization incorporated your staff, employee, workforce members' jobs, job descriptions, roles and responsibilities in * (A47): Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic device and media, and information (such as ePHI)?
Q: Has your organization reviewed incident response procedures with the staff, employees, or workforce members with the roles and responsibilities related to incident response, solicited suggestions for improvement, and made changes to reflect input that is reasonable and appropriate?
Q: Do your organization's staff, employees and workforce members know the importance of timely application of system patches to protect against malicious software and exploitation of vulnerabilities? (A48): Does your practice implement the information system’s security protection tools to protect against malware?
Q: Does your organization monitor log-in attempts? Do your staff, employees and workforce members know of this monitoring?
Q: Has your organization analyzed these problems and created a mitigation plan that it is implementing to decrease risks and vulnerabilities?
Q: Does your organization have a process, procedure for reporting and handling security incidents?
Q: Has your organization prioritized your key functions to determine what would need to be restored first in the event of a disruption?
Q: Does your organization update the incident response procedures when your organizational needs change?
Q: Has your organization told your staff, employees and workforce members how to and where to report a security incident?
Q: Has your organization developed standard incident reporting templates to ensure that all necessary information related to an incident is documented and investigated?
Q: If you have determined that your organization does not need a standing incident response team, what other response mechanism are you using?
Q: Has your organization determined what information will be disclosed to the media, and when?
Q: Does your organization have an identified list of both internal and external persons, with their contact information, who should be informed that a security incident has occurred?
Q: Does your organization have mitigation options for security incidents?
Q: Do your organization's staff, employees, and workforce members know where and to whom to report log-in discrepancies?
Q: Has your organization named an individual, or several individuals, to speak for your organization to the media, law enforcement, clients, business partners and others?
Q: Do your organization's staff, employees, and workforce members understand their roles and responsibilities in selecting a password of appropriate strength, changing the password periodically as required, and safeguarding their password?
Q: Does your organization review your current procedures and determine if they were adequate and appropriate to respond to this particular security incident? And make updates and changes as necessary?
Q: Does your organization's incident response team or individual keep documentation of security incidents, their outcomes, including weaknesses exploited and how access to information was gained?
Q: Does your organization employ malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means?
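The log-in monitoring specification at 164.308(a)(5)(ii)(C) and the questions above about monitoring log-in attempts and reporting discrepancies describe a procedure but not what a "discrepancy" looks like in practice. The following is an added example, not part of the NIST toolkit or the HHS-ONC SRA tool: a small detector run over constructed sshd-style log lines (the hostnames, users and addresses are made up) that flags three kinds of discrepancy worth reporting: a burst of failed attempts from one source, a success immediately following such a burst, and a successful login outside assumed business hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format (not from the original page).
SAMPLE_LOG = """\
Mar 10 08:00:01 ehr-db sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 ehr-db sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:05 ehr-db sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:06 ehr-db sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:08 ehr-db sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:09 ehr-db sshd[2206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:15:42 ehr-db sshd[2310]: Failed password for jsmith from 192.0.2.15 port 40011 ssh2
Mar 10 08:15:50 ehr-db sshd[2311]: Accepted publickey for jsmith from 192.0.2.15 port 40012 ssh2
Mar 10 02:30:10 ehr-db sshd[1900]: Accepted publickey for dr_lee from 198.51.100.9 port 33001 ssh2
"""

# Syslog lines carry no year; assume one so timestamps can be compared (assumption).
ASSUMED_YEAR = 2024

LOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not model."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return {"when": when, "ok": outcome == "Accepted", "user": user, "ip": ip}


def analyze(log_text, fail_threshold=5, window=timedelta(seconds=60),
            burst_before_success=3, business_hours=(6, 20)):
    """Scan log text in time order and return a list of discrepancy findings.

    Thresholds are illustrative assumptions; a real policy sets its own.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["when"])
    findings = []
    recent_fail = defaultdict(list)   # source ip -> timestamps of failures in window
    flagged = set()                   # ips already reported for brute force

    for e in events:
        fails = recent_fail[e["ip"]]
        fails[:] = [t for t in fails if e["when"] - t <= window]  # expire old failures
        if not e["ok"]:
            fails.append(e["when"])
            if len(fails) >= fail_threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                findings.append({"type": "brute_force", "ip": e["ip"],
                                 "count": len(fails), "when": e["when"]})
            continue
        # Successful login: was it preceded by a burst of failures from the same source?
        if len(fails) >= burst_before_success:
            findings.append({"type": "success_after_failures", "ip": e["ip"],
                             "user": e["user"], "count": len(fails), "when": e["when"]})
        # Successful login outside the assumed business-hours window
        if not (business_hours[0] <= e["when"].hour < business_hours[1]):
            findings.append({"type": "off_hours_login", "ip": e["ip"],
                             "user": e["user"], "when": e["when"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['when']:%b %d %H:%M:%S} {f['type']:24s} {f.get('user', '-'):8s} {f['ip']}")
```

Running it on the constructed sample reports one brute-force burst from 203.0.113.7, the root login that follows it, and the 02:30 login by dr_lee; the single failed attempt by jsmith stays below threshold and is not reported. The point for the checklist is that "reporting discrepancies" needs a defined rule set and a destination (the incident reporting path asked about above), not only a log that nobody reads.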
25 164.308 164.308 Administrative Safeguards 164.308(a)(7)(i) (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Standard Q: Has your organization defined your overall contingency objectives? Does it include a listing of all areas that use ePHI? A49,A50,A51 (A49): Does your practice know what critical services and ePHI it must have available to support decision making about a patient’s treatment during an emergency?, (A50): Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?, (A51): Does your practice regularly review/update its contingency plan as appropriate? (A49): Does your practice know what critical services and ePHI it must have available to support decision making about a patient’s treatment during an emergency? Standard CP-1,CP-2
Q: Has your organization established your organization's contingency plan framework, roles and responsibilities? (A50): Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?
Q: Does your organization's contingency policy and plan address scope, resource requirements, training, testing, plan maintenance and backup requirements? (A51): Does your practice regularly review/update its contingency plan as appropriate?
Q: Does your organization's policy and plan outline what critical services must be provided within specific timeframes?
Q: Does your organization's policy and plan identify and outline cross-functional dependencies to determine how failure in one system impacts other system(s)?
Q: Has your organization outlined scenarios and identified preventive measures, measures you can do now, for each scenario that could result in the loss of a critical service involving the use of ePHI?
Q: Has your organization brainstormed and outlined alternatives for continuing operations for your organization if you lose a critical function or a critical resource? Remember there are physical resources like offices and desks and copiers and paper, electronic resources,
Q: Has your organization researched the cost of the preventive measures being considered?
Q: Are the preventive measures you are considering affordable and practical for the environment?
Q: Does your organization have an emergency coordinator who manages, maintains and updates the contingency plan? Does your organization's staff, employees, and workforce members know who this individual is and how to contact your coordinator?
Q: Does your organization have an emergency call list? Has it been distributed to all staff, employees, and workforce members?
Q: Does your organization have a determination of when your contingency plan needs to be activated? Is it triggered by anticipated duration of outage, loss of capability, or impact on service delivery? Other?
Q: Does your organization have plans, procedures, and agreements initiated or in place if the preventive measures need to be implemented?
Q: Has your organization finalized a set of contingency procedures that can be invoked for all identified impacts, including emergency mode of operation?
Q: Does your organization have documented procedures related to recovery from emergency or disastrous events?
26 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii) (ii) Implementation specifications: nan Q: Has your organization reviewed the data backup plan and disaster recovery plan implementation specifications? XXXXX XXXXX XXXXX XXXXX nan
27 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii)(A) (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Required Q: Does your organization's contingency plan address disaster recovery and back up? A52 (A52): Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster? (A52): Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster? Required CP-1,CP-6
Q: Has your organization established and implemented procedures to create and maintain retrievable exact copies of ePHI?
Q: Has your organization established and implemented procedures to restore any loss of ePHI?
Q: Has your organization documented all your data backup procedures and made them available to all your staff, employees, and workforce members?
Q: Does your organization have individuals/office named and responsibilities assigned to conduct backup activities?
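The data backup specification at 164.308(a)(7)(ii)(A) requires "retrievable exact copies" of ePHI, and the questions above ask whether the procedures to create and restore them exist. An exact copy is only demonstrable if something records what the copy must hash to and checks it on restore. The block below is an added example, not the toolkit's or the repository's code: it backs up a constructed directory tree, writes a SHA-256 manifest, verifies the copies, then tampers with one file and deletes another to show the verification catching both. File names and contents are made up; everything runs in temporary directories.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large ePHI exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir):
    """Copy every file under src_dir into dest_dir and return a manifest
    {relative_path: sha256_of_source} recording what each exact copy must hash to."""
    src, dest = Path(src_dir), Path(dest_dir)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)          # copy2 keeps timestamps as well as bytes
            manifest[rel] = sha256_of(p)     # reference value comes from the source
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest_dir, manifest=None):
    """Return a list of (relative_path, problem) for copies that are missing or
    whose bytes no longer match the manifest; an empty list means every copy is exact."""
    dest = Path(dest_dir)
    if manifest is None:
        manifest = json.loads((dest / "MANIFEST.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Constructed data: build a source tree, back it up, verify, then damage
    the backup and verify again. Returns (files backed up, first result, second result)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        Path(src, "patients").mkdir()
        Path(src, "patients", "visit-0001.txt").write_text("constructed sample record\n")
        Path(src, "index.csv").write_text("id,file\n1,patients/visit-0001.txt\n")
        manifest = make_backup(src, dest)
        clean = verify_backup(dest, manifest)
        # Simulate bit rot or tampering on one copy and loss of another.
        Path(dest, "patients", "visit-0001.txt").write_bytes(b"not the original bytes\n")
        os.remove(Path(dest, "index.csv"))
        damaged = verify_backup(dest)        # re-read the manifest from the backup set
        return len(manifest), clean, sorted(damaged)


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone adapting this: the manifest here is written next to the copies, so an attacker or a failing disk that alters both together would go unnoticed; keep a second copy of the manifest (or its hash) somewhere the backup process cannot write, and record verification runs, since the checklist also asks for documented procedures and named owners.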
28 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii)(B) (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. Required XXXXX A53 (A53): Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster? (A53): Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster? Required CP-1,CP-6,CP-9
29 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii)(C) (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Required Q: Has your organization established, and implemented when needed, procedures to enable continuation of critical business processes for the security of ePHI while your organization is operating in emergency mode? A54 (A54): Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation? (A54): Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation? Required AC-3,CP-2,CP-4
Q: Has your organization identified your key activities and developed procedures to continue these key activities during an emergency?
Q: Has your organization also identified critical functions that use ePHI?
Q: Would different staff/employees, facilities or systems be needed to perform these critical functions during the emergency?
Q: Can your organization assure the security of the ePHI in the alternative mode(s) operation?
30 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii)(D) (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. Addressable Q: Has your organization established and implemented as needed periodic testing procedures and for the revision of your organization's contingency plan? A55 (A55): Does your practice have policies and procedures for testing its contingency plans on a periodic basis? (A55): Does your practice have policies and procedures for testing its contingency plans on a periodic basis? Addressable CP-1,CP-4
Q: Has your organization tested its contingency plan on a predefined cycle?
Q: Has your organization trained your staff/employees with defined plan responsibilities in their roles?
Q: Does your organization include external entities, including vendors, alternative site and service providers, in your testing exercises?
Q: Has your organization determined how the plan will be tested? Will it be a table top exercise, or a real operational scenario?
Q: Does your organization's testing lend itself to phased testing, based on the assessment of business impact and acceptability of sustained loss of service?
Q: Does your organization test during normal business hours?
Q: Or must testing take place during off hours?
Q: How frequently does your organization test its plan?
Q: Has your organization a timeline on when the contingency plan should be revised?
31 164.308 164.308 Administrative Safeguards 164.308(a)(7)(ii)(E) (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. Addressable Q: Has your organization identified the critical services or operations, and the manual and automated processes that support them, involving ePHI? A56 (A56): Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans? (A56): Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans? Addressable CP-2,CP-6,RA-2
Q: Has your organization determined what hardware and software and personnel are critical to your organization's daily business operations?
Q: Has your organization determined the impact on desired service levels if these critical assets are not available?
Q: Has your organization outlined the nature and degree of impact on your operations if any of the critical resources are not available?
Q: Has your organization determined the amount of time your organization can tolerate disruption to these operations, material or services?
Q: Has your organization determined what, if any, support is or can be provided by external providers, including ISPs, utilities, or contractors?
Q: Has your organization established cost-effective strategies for recovering these critical services, resources, or processes?
32 164.308 164.308 Administrative Safeguards 164.308(a)(8) (8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. Standard Q: Does your organization have any existing reports or documentation, previously prepared or created by your organization, addressing compliance, integration, or maturity of one or many security safeguard(s) deployed to protect ePHI that you can leverage for this evaluation? A57,A58,A59 (A57): Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice’s ePHI?, (A58): Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?, (A59): Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting? (A57): Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice’s ePHI? Standard RA-1,SI-4,PE-6
Q: Has your organization established a frequency for security evaluations, and disseminated this information to your entire organization? (A58): Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?
Q: Do your organization's security policies specify that security evaluations will be repeated when environmental and operational changes, such as technology updates, are made that affect the security of ePHI? (A59): Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?
Q: Does your organization's frequency of security evaluation policies reflect any and all federal laws, regulations, and guidance documents that impact environmental or operational changes affecting the security of ePHI?
Q: Does your organization's corporate, legal, and regulatory compliance staff, employees, or workforce members participate when you conduct your analysis?
Q: Has your organization considered management, operational, and technical issues in your evaluation?
Q: Has your organization performed a periodic technical and nontechnical evaluation, based initially upon the standards implemented?
Q: Has your organization decided if your evaluation will be conducted by your internal staff and resources or by external consultants, or by a combination of internal and external resources?
Q: Do any of your organization's staff, employee or workforce members have the technical experience to evaluate your systems?
Q: Do your staff, employees, or workforce members have the training necessary on security technical and non-technical issues?
Q: Has your organization outlined the necessary factors to be considered in selecting an outside vendor, including credentials and experience?
Q: Does your organization use a strategy and tool that considers all the elements of the HIPAA Security Rule, including all standards and implementation specifications?
Q: Do the elements of each of your organization's evaluation procedure, including questions, statement and other components, address individual, measurable security safeguards of ePHI?
Q: Has your organization determined which security procedures must be tested in more than one system?
Q: Has your organization determined in advance what departments and staff, employees, and/or workforce members will participate in your security evaluation?
Q: Does your organization have senior management support for your security evaluation, and have they stated the need for everyone within your organization to participate in and support your security evaluation?
Q: Has your organization included staff, employees, or workforce members with IT knowledge in your security evaluation team and used during your evaluation?
Q: Has your organization collected and documented all information needed for your security evaluation, by interviews, surveys, and output of automated tools, for example, audit logging tools, results of penetration testing?
Q: Has your organization conducted penetration testing? Before the penetration testing did your organization have management approval for such testing?
Q: Has your organization formally communicated your security evaluation process to your staff, employees, and workforce members who have assigned roles and responsibilities in your evaluation process?
Q: Does your organization use automated tools to collect data and otherwise support your organization's evaluation process?
Q: Does your organization's evaluation process support the development of security recommendations?
Q: Has your organization documented each security evaluation finding, outlined remediation options and recommendations, and recorded remediation decisions?
Q: Has your organization documented the known security gaps after your security evaluation between the known risks and your mitigating security controls, and any acceptance of risk, including your organization's justification?
Q: Has your organization developed a security program with established priorities and targets for continuous security improvement?
Q: In determining the best way to display evaluation results has your organization's written reports highlighted key findings and recommendations to be considered?
Q: Does your organization circulate your final report to key staff, employees, and workforce members?
Q: Do you have a process, procedures in place to make sure that the document is available only to those designated to receive it?
33 164.308 164.308 Administrative Safeguards 164.308(b)(1) (b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information. Standard Q: Does your organization have business associate contracts? A60,A61,A62 (A60): Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?, (A61): Does your practice maintain a list of all of its service providers, indicating which have access to your practice’s facilities, information systems and ePHI?, (A62): Does your practice have policies and implement procedures to assure it obtains business associate agreements? (A60): Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf? Standard MA-5,PS-7
Q: Do your organization's business associate agreements (as written and executed) contain sufficient language to ensure that required information types are protected, including the 2009, 2010, and 2011 HITECH Act updates and inclusions? (A61): Does your practice maintain a list of all of its service providers, indicating which have access to your practice’s facilities, information systems and ePHI?
Q: Has your organization identified the individual or department who is responsible for coordinating the execution of your organization's business associate agreements and other such agreements? (A62): Does your practice have policies and implement procedures to assure it obtains business associate agreements?
Q: Does your organization periodically review and reevaluate your list of business associates to determine who has access to ePHI in order to assess whether your list is complete and current?
Q: Has your organization named your systems and functions covered by the contract/agreement?
Q: Are your organization's outsourced functions also covered by contracts/agreements?
Q: Are your organization's off-shore functions also covered by contracts/agreements?
Q: Has your organization executed new and updated existing agreements or arrangements when necessary and appropriate?
Q: Do your organization's agreements and other arrangements include your business associate(s)' roles and responsibilities for the ePHI?
Q: Do your organization's agreements and other arrangements include security requirements that address confidentiality, integrity and availability of ePHI?
Q: Do the security requirements in your organization's agreements and other arrangements meet all the HIPAA Security Rule requirements as amended by the HITECH Act?
Q: Do your organization's agreements and other arrangements include the appropriate training requirements, as necessary?
Q: Who/which office within your organization is responsible for coordinating and preparing the final agreement(s) or arrangement(s)?
Q: Do your organization's agreements and other arrangements specify how ePHI is to be transmitted to and from the business associate?
Q: Do your organization's agreements and other arrangements specify necessary security controls?
Q: Does your organization conduct periodic security reviews on your business associates or covered entities?
Q: Has your organization established criteria for measuring contract performance?
Q: Does each of your organization's contracts or agreements include what service is being performed by the business associate?
Q: Does each of your organization's contracts or agreements include the expected outcome by the business associate?
Q: Does your organization have in place a process for reporting security incidents related to the agreement?
Q: Does your organization have in place a process to periodically evaluate the effectiveness of the business associate's security controls?
Q: Does your organization have a process in place for terminating the contract, and has the business associate been advised what conditions would warrant termination?
Q: If your organization's business associate is a federal, state, or local government entity, you may use a Memorandum of Understanding (MOU) to share ePHI. Does your MOU state all required safeguards for sharing ePHI?
Q: Does your organization know all the laws and regulations governing the use of ePHI by the governmental business associate?
34 164.308 164.308 Administrative Safeguards 164.308(b)(2) (2) This standard does not apply with respect to— (i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual. (ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or (iii) The transmission of electronic protected health information from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met. nan XXXXX A63 (A63): If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI? (A63): If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI? Required nan
35 164.308 164.308 Administrative Safeguards 164.308(b)(3) (3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a). nan XXXXX A64 (A64): Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI? (A64): Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI? Required nan
36 164.308 164.308 Administrative Safeguards 164.308(b)(4) (4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a). Required XXXXX XXXXX XXXXX XXXXX XXXXX nan
37 164.31 164.310 Physical Safeguards 164.310(a)(1) (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Standard Q: Does your organization have facility access controls, policies and procedures? PH1,PH2,PH3,PH4 (PH1): Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?, (PH2): Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility., (PH3): Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility., (PH4): Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits? (PH1): Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI? Standard PE-3,PE-2,PE-5,PE-1
Q: Does your organization have policies and procedures regarding access to and use of your facilities and equipment? (PH2): Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.
Q: Does your organization have facility access control policies and procedures already in place? (PH3): Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.
Q: Has your organization developed, disseminated, and periodically reviewed/updated a formal, documented physical and environmental protection policy that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and functions, and compliance? (PH4): Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits?
Q: Does your organization have formal, documented procedures to facilitate implementation of the physical and environmental protection policy and associated physical and environmental controls?
Q: Does your organization have an inventory of your facilities, and has it identified the vulnerabilities in your current physical security capabilities?
Q: Has your organization assigned degrees of significance to each vulnerability that you have identified?
Q: Has your organization determined which types of locations require access controls to safeguard ePHI, such as: Data centers, Peripheral equipment centers, IT staff offices, Workstation locations, and Others?
Q: Does your organization have locks and cameras in nonpublic areas and are these reasonable and appropriate security controls?
Q: Are all your organization's workstations protected from public access and viewing?
Q: Are all your organization's entrances and exits that lead to locations with ePHI secured?
Q: Do normal and usual physical protections exist, such as locks on doors and windows?
Q: Has your organization identified and assigned responsibility for the measures and activities necessary to correct deficiencies and ensure that proper access is allowed?
Q: Has your organization developed and deployed policies and procedures to ensure that repairs, upgrades and/or modifications are made to your buildings and offices while ensuring that only proper access is allowed?
Q: Does your organization need to update your facility access control policies and procedures?
Q: Has your organization trained your staff, employees, and workforce members in your facility access controls and procedures?
Q: Do your organization's staff, employees, and workforce members need facility access controls and procedures refresher training?
Q: How does your organization document your correction measures decisions and actions?
Q: Has your organization developed and kept a current list of personnel with authorized access to the facility where the information systems reside?
Q: Does your organization issue authorization credentials, such as badges, identification cards, smart cards, for the facility where the information system resides?
Q: Does your organization periodically review and approve the access list and authorization credentials, removing from the access list personnel no longer requiring access?
Q: Does your organization enforce physical access authorization for all physical access points, including designated entry/exit points, to the facility where the information system resides?
Q: Does your organization verify individual access authorization before granting access to the facility?
Q: Is another workforce member other than the security official responsible for your organization's facility and physical security?
Q: Does your organization control entry to the facility containing the information system using physical access devices and/or guards?
Q: Does your organization periodically inventory physical access devices?
Q: Does your organization periodically change combinations and keys, and when keys are lost, combinations compromised, or individuals are transferred or terminated?
Q: Does your organization control physical access to information system distribution and transmission lines, including locked wiring closets, disconnected or locked spare jacks, and protection of cabling by conduit and cable trays?
38 164.31 164.310 Physical Safeguards 164.310(a)(2) (2) Implementation specifications: nan Q: Does your organization have a contingency operations plan? XXXXX XXXXX XXXXX XXXXX nan
39 164.31 164.310 Physical Safeguards 163.310(a)(2)(i) (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Addressable Q: Has your organization determined who needs access to your facilities and offices in the event of a disaster? PH5,PH6,PH7 (PH5): Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals?, (PH6): Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?, (PH7): If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI? (PH5): Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals? Addressable CP-7,PE-17,CP-2,CP-6
Q: Who is named in your contingency plan as responsible for access to ePHI during a disaster? (PH6): Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?
Q: Who in your organization is responsible for implementing the contingency plan for access to ePHI in each department, unit, and other office designation? (PH7): If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI?
Q: Will your organization's contingency plan be appropriate for all types of potential disasters, such as fire, flood, earthquake?
Q: Will your organization's contingency plan be appropriate for all your facilities?
Q: Does your organization have a backup plan for access to your facility and/or the ePHI?
40 164.31 164.310 Physical Safeguards 164.310(a)(2)(ii) (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Addressable Q: Has your organization implemented measures to provide physical protection for the ePHI in your possession? PH8,PH9,PH10,PH11 (PH8): Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls?, (PH9): Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?, (PH10): Do you have a written facility security plan?, (PH11): Do you take the steps necessary to implement your facility security plan? (PH8): Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls? Addressable PE-3
Q: Does your organization have documentation of your facility inventory, physical maintenance record, the history of physical changes, upgrades, and other modifications? (PH9): Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?
Q: Does your organization's inventory identify points of access to your facilities and the existing security controls used in these areas? (PH10): Do you have a written facility security plan?
Q: Does your organization have procedures for securing your facilities, including the exterior, the interior, and your equipment? (PH11): Do you take the steps necessary to implement your facility security plan?
Q: Is a workforce member of your organization other than the security official responsible for the facility plan?
Q: Does your organization have a facility security plan in place, under revision, or under development?
Q: Does your organization periodically review your security plan for the information system?
41 164.31 164.310 Physical Safeguards 163.310(a)(2)(iii) (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Addressable Q: Does your organization have policies and procedures in place for controlling and validating access to your facilities by staff, employees, workforce members, visitors, and probationary employees? PH12,PH13,PH14,PH15,PH16 (PH12): Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located?, (PH13): Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?, (PH14): Does your practice have procedures to control and validate someone’s access to your facilities based on that person’s role or job duties?, (PH15): Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?, (PH16): Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures? (PH12): Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located? Addressable nan
Q: Does your organization monitor physical access to the information system to detect and respond to physical security incidents? (PH13): Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?
Q: Does your organization periodically review physical access logs? (PH14): Does your practice have procedures to control and validate someone’s access to your facilities based on that person’s role or job duties?
(PH15): Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?
(PH16): Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures?
42 164.31 164.310 Physical Safeguards 163.310(a)(2)(iv) (iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). Addressable Q: Has your organization developed and implemented policies and procedures to document repairs and modifications to the physical components of your facilities specifically related to security? PH17,PH18 (PH17): Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept?, (PH18): Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas? (PH17): Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept? Addressable nan
Q: Has your organization developed, disseminated, and periodically reviewed/updated your formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance? (PH18): Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas?
Q: Does your organization have formal, documented procedures to facilitate the implementation of your information system maintenance policy and associated system maintenance controls?
Q: Does your organization maintain records of repairs to hardware, walls, doors, and locks?
Q: Has your organization assigned responsibility to an individual or office for maintaining repair and modification records?
Q: Does your organization control all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location?
Q: Does your organization require that the designated official explicitly approve the removal of the information system or system components from your organization's facilities for off-site maintenance or repairs?
Q: Does your organization sanitize equipment to remove all information from associated media prior to removal from your organization's facilities for off-site maintenance?
Q: Does your organization obtain support and/or spare parts for your organization's security-critical information system components or key information technology components within a designated time period of failure?
43 164.31 164.310 Physical Safeguards 164.310(b) (b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Standard Q: Does your organization have workstation use policies and procedures? PH19,PH20,PH21 (PH19): Does your practice keep an inventory and a location record of all of its workstation devices?, (PH20): Has your practice developed and implemented workstation use policies and procedures?, (PH21): Has your practice documented how staff, employees, workforce members, and non-employees access your workstations? (PH19): Does your practice keep an inventory and a location record of all of its workstation devices? Standard nan
Q: Has your organization developed and implemented policies and procedures for proper use and performance of all types of workstations, including for day-to-day operations? (PH20): Has your practice developed and implemented workstation use policies and procedures?
Q: Does your organization have an inventory of workstation types and locations within your organization? (PH21): Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?
Q: Has your organization included all types of computing devices in your inventory of workstations, such as laptops, PDAs, tablets (iPads), smart phones, and others?
Q: Has your organization named an individual or office responsible for this inventory and its maintenance?
Q: Has your organization developed and implemented policies and procedures for each type of workstation device, including accommodating their unique issues?
Q: Has your organization classified your workstations based on their capabilities, and defined the tasks commonly performed on a given workstation or type of workstation?
Q: Has your organization identified key operational risks that could result in a breach of security from all types of workstations, and trained your staff, employees, and workforce members on predictable breaches?
Q: Does your organization have policies and procedures that will prevent unauthorized access of unattended workstations, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed?
Q: Has your organization trained your staff, employees or workforce members in the security requirements for ePHI use in their day-to-day jobs?
Q: Does your organization: 1) document allowed methods of remote access to the information system?
Q: Does your organization: 3) monitor for unauthorized remote access to the information system?
Q: Does your organization: 4) authorize remote access to the information system prior to the connection?
Q: Does your organization: 1) establish usage restrictions and implementation guidance for organization-controlled mobile devices?
Q: Does your organization: 3) monitor for unauthorized connections of mobile devices to your organization's information system?
Q: Does your organization: 6) issue specifically configured mobile devices to individuals traveling to locations that your organization deems to be of significant risk in accordance with organizational policies and procedures?
44 164.31 164.310 Physical Safeguards 164.310(c) (c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Standard Q: Does your organization have workstation security physical safeguards in place? PH22,PH23,PH24,PH25,PH26,PH27,PH28,PH29 (PH22): Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?, (PH23): Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?, (PH24): Have you put any of your practice's workstations in public areas?, (PH25): Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?, (PH26): Does your practice have physical protections in place to secure your workstations?, (PH27): Do you regularly review your workstations’ locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?, (PH28): Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards., (PH29): Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility? (PH22): Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations? Standard nan
Q: Has your organization documented the different ways workstations are accessed by staff, employees, workforce members, and non-employees? (PH23): Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?
Q: Are any of your organization's workstations located in public areas? (PH24): Have you put any of your practice's workstations in public areas?
Q: Does your organization use laptops and tablets (iPads) as workstations? Do you have specific policies and procedures for such workstations? (PH25): Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?
Q: Has your organization determined which type(s) of access holds the greatest threat to security? (PH26): Does your practice have physical protections in place to secure your workstations?
Q: Has your organization reviewed the areas of your workstations to determine which areas are more vulnerable to unauthorized use, theft, or viewing of the data? Do you do this review periodically? (PH27): Do you regularly review your workstations’ locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?
Q: Has your organization implemented physical safeguards and other security measures to minimize the possibility of inappropriate access of ePHI through workstations, including locked doors, screen barriers, cameras, guards? (PH28): Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.
Q: Does your organization protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures? (PH29): Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?
45 164.31 164.310 Physical Safeguards 164.310(d)(1) (d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Standard Q: Does your organization have device and media controls, policies and procedures? PH30,PH31,PH32,PH33 (PH30): Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed?, (PH31): Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?, (PH32): Do you maintain records of the movement of electronic devices and media inside your facility?, (PH33): Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI? (PH30): Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed? Standard nan
Q: Does your organization: 1) protect and control your defined types of digital and non-digital media during transport outside of controlled areas using your organizational security measures? (PH31): Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?
Q: Does your organization: 2) maintain accountability for information system media during transport outside of controlled areas? (PH32): Do you maintain records of the movement of electronic devices and media inside your facility?
Q: Does your organization: 3) restrict the activities associated with transport of such media to authorized personnel? (PH33): Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?
46 164.31 164.310 Physical Safeguards 164.310(d)(2) (2) Implementation specifications: nan Q: Does your organization have disposal policies and procedures? XXXXX XXXXX XXXXX XXXXX nan
47 164.31 164.310 Physical Safeguards 164.310(d)(2)(i) (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. Required Q: Has your organization developed and implemented policies and procedures that address the disposal of ePHI and/or the hardware and electronic media on which it is stored, including the appropriate methods to dispose of hardware, software and the data itself? PH34 (PH34): Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal? (PH34): Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal? Required nan
Q: Does your organization have a process to assure that ePHI is properly destroyed and cannot be recreated?
Q: Does your organization keep ePHI on removable devices such as CDs, DVDs, zip drives, tablets (iPads)? Does your organization have policies and procedures for data disposal on these tools?
48 164.31 164.310 Physical Safeguards 164.310(d)(2)(ii) (ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. Required Q: Does your organization have procedures for the removal of ePHI from electronic media before the media are made available for reuse, including assuring that ePHI is properly destroyed and cannot be recreated? PH35 (PH35): Do you have procedures that describe how your practice should remove ePHI from its storage media/ electronic devices before the media is re-used? (PH35): Do you have procedures that describe how your practice should remove ePHI from its storage media/ electronic devices before the media is re-used? Required nan
Q: Does your organization have one individual or department responsible for coordinating data disposal and reuse of hardware and software across your enterprise?
Q: Does your organization train your staff, employees, and workforce members on the security and risks of ePHI destruction and reuse of software and hardware?
49 164.31 164.310 Physical Safeguards 164.310(d)(2)(iii) (iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. Addressable Q: Does your organization keep a record of the movement of hardware and software both inside your organization and when it leaves your facility, and do you have an individual or office responsible for this task? PH36,PH37 (PH36): Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?, (PH37): Do you maintain records of employees removing electronic devices and media from your facility that has or can be used to access ePHI? (PH36): Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility? Addressable nan
Q: Does your organization have an inventory of the type of media that are used to store ePHI, and is it updated periodically? (PH37): Do you maintain records of employees removing electronic devices and media from your facility that has or can be used to access ePHI?
Q: Does your organization permit your staff, employees, and workforce members to remove electronic media that contains or can be used to access ePHI; does your organization have procedures to track the media externally?
50 164.31 164.310 Physical Safeguards 164.310(d)(2)(iv) (iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Addressable Q: Does your organization create an exact copy of ePHI if needed before you move the equipment? PH38 (PH38): Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed? (PH38): Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed? Addressable nan
Q: Does your organization maintain backup files offsite to assure data availability in the event data is lost while transporting or moving electronic media containing ePHI?
Q: Does your organization have an inventory of what business process would be impacted and for how long if data were unavailable while media was being moved?