HIPAA Security Template Policy Manual Table of Contents

| Policy | Regulation | Required or Addressable | Page(s) |
|---|---|---|---|
| Organizational policies | | | |
| Policies and procedures | 45 C.F.R. 164.316(a) | Required* | 6 |
| Documentation | 45 C.F.R. 164.316(b) | Required* | 7 |
|   Time Limit | 45 C.F.R. 164.316(b)(2)(i) | Required* | 7 |
|   Availability | 45 C.F.R. 164.316(b)(2)(ii) | Required* | 7 |
|   Updates | 45 C.F.R. 164.316(b)(2)(iii) | Required* | 7 |
| Administrative Safeguards | | | |
| Security Management Process | 45 C.F.R. 164.308(a)(1) and 312 | Required* | 9 |
|   Risk Analysis | 45 C.F.R. 164.308(a)(1)(ii)(A) | Required | 9 |
|   Risk Management | 45 C.F.R. 164.308(a)(1)(ii)(B) | Required | 9-10 |
|   Sanctions | 45 C.F.R. 164.308(a)(1)(ii)(C) | Required | 10 |
|   Information System Activity Review | 45 C.F.R. 164.308(a)(1)(ii)(D) | Required | 11 |
| Evaluation | 45 C.F.R. 164.308(a)(8) | Required* | 12 |
| Assigned Security Responsibility | 45 C.F.R. 164.308(a)(2) | Required* | 13 |
| Workforce Security | 45 C.F.R. 164.308(a)(3) | Required* | 15 |
|   Authorization and/or Supervision | 45 C.F.R. 164.308(a)(1)(ii)(A) | Addressable | 15 |
|   Workforce Clearance Procedure | 45 C.F.R. 164.308(a)(1)(ii)(B) | Addressable | 15-16 |
|   Termination Procedures | 45 C.F.R. 164.308(a)(1)(ii)(C) | Addressable | 18-19 |
| Information Access Management | 45 C.F.R. 164.308(a)(4) | Required* | 16-17 |
|   Isolating health care clearinghouse functions | 45 C.F.R. 164.308(a)(4)(ii)(A) | Required | N/A (if this applies to you, please consult your legal counsel) |
|   Access Authorization | 45 C.F.R. 164.308(a)(4)(ii)(B) | Addressable | 16-17 |
|   Access Establishment and Modification | 45 C.F.R. 164.308(a)(1)(ii)(C) | Addressable | 16-17 |
| Security Awareness and Training | 45 C.F.R. 164.308(a)(5) | Required* | 20 |
|   Security Reminders | 45 C.F.R. 164.308(a)(5)(ii)(A) | Addressable | 20 |
|   Protection from Malicious Software | 45 C.F.R. 164.308(a)(5)(ii)(B) | Addressable | 21 |
|   Log-In Monitoring | 45 C.F.R. 164.308(a)(5)(ii)(C) | Addressable | 21-22 |
|   Password Management | 45 C.F.R. 164.308(a)(5)(ii)(D) | Addressable | 22 |
| Security Incidents | 45 C.F.R. 164.308(a)(6) | Required* | 24-25 |
|   Response and Reporting | 45 C.F.R. 164.308(a)(6)(ii) | Required | 24-25 |
| Contingency Plan | 45 C.F.R. 164.308(a)(7) | Required* | 26 |
|   Data Backup Plan | 45 C.F.R. 164.308(a)(7)(ii)(A) | Required | 26-27 |
|   Disaster Recovery Plan | 45 C.F.R. 164.308(a)(7)(ii)(B) | Required | 27 |
|   Emergency Mode Operation Plan | 45 C.F.R. 164.308(a)(7)(ii)(C) | Required | 27-28 |
|   Testing and Revision Procedures | 45 C.F.R. 164.308(a)(7)(ii)(D) | Addressable | 28 |
|   Applications and Data Criticality Analysis | 45 C.F.R. 164.308(a)(7)(ii)(E) | Addressable | 28-29 |
|   Physical Safeguard: Data Backup and Storage | 45 C.F.R. 164.310(d)(2)(iv) | Addressable | 26-27 |
| Business Associate Contracts | 45 C.F.R. 164.308(b)(1) and (4); 164.314(a)(1); 164.314(a)(2)(i) | Required* | 30 |
| Physical Safeguards | | | |
| Facility Access Controls | 45 C.F.R. 164.310(a)(1) | Required* | 31-33 |
|   Contingency Operations | 45 C.F.R. 164.310(a)(2)(i) | Addressable | 33-34 |
|   Facility Security Plan | 45 C.F.R. 164.310(a)(2)(ii) | Addressable | 31 |
|   Access Control and Validation | 45 C.F.R. 164.310(a)(2)(iii) | Addressable | 31-33 |
|   Maintenance Records | 45 C.F.R. 164.310(a)(2)(iv) | Addressable | 34 |
| Workstation Use & Workstation Security | 45 C.F.R. 164.310(b) and 164.310(c) | Required* | 35-36 |
| Device and Media Controls | 45 C.F.R. 164.310(d) | Required* | 38-39 |
|   Disposal | 45 C.F.R. 164.310(d)(2)(i) | Required | 39 |
|   Media Re-Use | 45 C.F.R. 164.310(d)(2)(ii) | Required | 39 |
|   Accountability | 45 C.F.R. 164.310(d)(2)(iii) | Addressable | 40 |
|   Physical Safeguard: Data Backup and Storage | 45 C.F.R. 164.310(d)(2)(iv) | Addressable | See Administrative Safeguards |
| Technical Safeguards | | | |
| Access Control | 45 C.F.R. 164.312(a) and 164.312(e) | Required* | 42-44 |
|   Unique User Identification | 45 C.F.R. 164.312(a)(2)(i) | Required | 42 |
|   Emergency Access Procedure | 45 C.F.R. 164.312(a)(2)(ii) | Required | 42-43 |
|   Automatic Logoff | 45 C.F.R. 164.312(a)(2)(iii) | Addressable | 43 |
|   Encryption and Decryption | 45 C.F.R. 164.312(a)(2)(iv) | Addressable | 43-44 |
|   Encryption | 45 C.F.R. 164.312(e)(2)(ii) | Addressable | 50 |
| Audit Controls | 45 C.F.R. 164.312(b) | Required* | 46 |
| Integrity | 45 C.F.R. 164.312(c) | Required* | 47-48 |
|   Mechanism to Authenticate ePHI | 45 C.F.R. 164.312(c)(2) | Addressable | 47-48 |
| Person or Entity Authentication | 45 C.F.R. 164.312(d) | Required* | 49 |
| Transmission Security | 45 C.F.R. 164.312(e) | Required* | 50-51 |
|   Integrity Controls | 45 C.F.R. 164.312(e)(2)(i) | Addressable | 50-51 |
|   Encryption | 45 C.F.R. 164.312(e)(2)(ii) | Addressable | 50-51 |
| Appendices | | | |
| Appendix 1: Definitions | N/A | N/A | 53-57 |
| Appendix 2: Selected Resources | N/A | N/A | |
|   NIST | | | 58 |
|   HITECH.gov | | | 58 |
|   HEALTHIT.gov | | | 58 |
|   OCR | | | 59-60 |

* denotes an item that is not a “Safeguard” designated as “Required” or “Addressable”; this item is required by statute.