HIPAA Checklist

HIPAA Security Rule Standard

| HIPAA Citation | Implementation Specification | Implementation (Required/Addressable) | Requirement Description | Solution |
|---|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations | |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment |
| 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures | |
| 164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access | |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks |
| 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Security policy document management, single sign-on, identity management, access controls |
| 164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI | |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory UPN, SOCKS |
| 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management |
| 164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers | |
| 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | Network firewall, desktop firewall, antivirus, anti-spam, host/network IPS, unified threat management, network anomaly detection, patch management, firmware management, host/network IDS, OS access controls (least-privileged user), content filtering |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | Log aggregation, log analysis, security event management, host IDS |
| 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | Password management software, single sign-on, metadirectories |
| 164.308(a)(6)(i) | Security Incident Procedures | Required | Policies and procedures to manage security incidents | |
| 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | Helpdesk, vulnerability management, security event management |
| 164.308(a)(7)(i) | Contingency Plan | Required | Emergency response policies and procedures | |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning and procedures | Backup support on-site/off-site |
| 164.308(a)(7)(ii)(B) | Disaster-Recovery Plan | Required | Data recovery planning and procedures | |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency-planning periodic testing procedures | |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | Change management control software, asset management software |
| 164.308(a)(8) | Evaluation | Required | Periodic security evaluation | Perform a periodic compliance assessment |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | Required | CE implement BACs to ensure safeguards | |
| 164.308(b)(4) | Written Contract | Required | Implement compliant BACs | Contracts |
| 164.310(a)(1) | Facility Access Controls | Required | Policies and procedures to limit access to systems and facilities | Policies and procedures |
| 164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery | Procedures |
| 164.310(a)(2)(ii) | Facility Security Plan | Addressable | Policies and procedures to safeguard equipment and facilities | Policies and procedures |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable | Facility access procedures for personnel | Card readers, locks, biometrics, proximity badges, tokens |
| 164.310(a)(2)(iv) | Maintenance Records | Addressable | Policies and procedures to document security-related repairs and modifications | Policies and procedures |
| 164.310(b) | Workstation Use | Required | Policies and procedures to specify workstation environment and use | Desktop management, policy management, application management |
| 164.310(c) | Workstation Security | Required | Physical safeguards for workstation access | Card readers, locks, biometrics, tokens, hardware cables, proximity tokens, locking screen savers |
| 164.310(d)(1) | Device and Media Controls | Required | Policies and procedures to govern receipt and removal of hardware and media | |
| 164.310(d)(2)(i) | Disposal | Required | Policies and procedures to manage media and equipment disposal | Destruction, recycling |
| 164.310(d)(2)(ii) | Media Reuse | Required | Policies and procedures to remove PHI from media and equipment | Zeroing, degaussing |
| 164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | Logs, receipts, cameras |
| 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | Tape/network backup, encrypted backup |
| 164.312(a)(1) | Access Control | Required | Technical (administrative) policies and procedures to manage PHI access | Policies and procedures |
| 164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | Directories, OS user directories, ERP software, ID management software, single sign-on, metadirectories |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | Procedures |
| 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | Time-outs, proximity tokens, scheduled access control |
| 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | File and folder encryption, hard drive encryption, e-mail encryption |
| 164.312(b) | Audit Controls | Required | Procedures and mechanisms for monitoring system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.312(c)(1) | Integrity | Required | Policies and procedures to safeguard PHI from unauthorized alteration | Policies and procedures |
| 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI is not altered | PKI, digital signatures, OS/database/file hashing |
| 164.312(d) | Person or Entity Authentication | Required | Procedures to verify identities | SAML, PKI, ID management software, single sign-on, metadirectories, passwords, authentication tokens, digital certificates, biometrics |
| 164.312(e)(1) | Transmission Security | Required | Measures to guard against unauthorized access to transmitted PHI | Controls |
| 164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission | IPsec, VPN, S/MIME, PGP |
| 164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | IPsec, VPN, PPTP VPN, SSL VPN, S/MIME, SSH, PGP |

