Definition of Health Insurance Portability and Accountability Act (HIPAA) for rhel10

based on https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164?toc=1

164.308(a)(1)(ii)(B): Risk management

Description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Levels:

Automated: yes

Selections:

164.308(a)(1)(ii)(D): Information system activity review

Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Levels:

Automated: yes

Selections:

164.308(a)(3): Workforce security

Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Levels:

Automated: yes

Selections:

164.308(a)(3)(i): Standard: Workforce security

Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Levels:

Automated: yes

Selections:

164.308(a)(3)(ii)(A): Authorization and/or supervision (Addressable)

Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Levels:

Automated: yes

Selections:

164.308(a)(4): Information Access Management

Description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Levels:

Automated: yes

Selections:

164.308(a)(4)(i): Information access management

Description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Levels:

Automated: yes

Selections:

164.308(a)(5)(ii)(A): Security reminders

Description: Periodic security updates.

Levels:

Automated: yes

Selections:

164.308(a)(5)(ii)(B): Protection from malicious software

Description: Procedures for guarding against, detecting, and reporting malicious software.

Levels:

Automated: yes

Selections:

164.308(a)(5)(ii)(C): Log-in monitoring

Description: Procedures for monitoring log-in attempts and reporting discrepancies.

Levels:

Automated: yes

Selections:

164.308(a)(6)(ii): Response and reporting

Description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

Levels:

Automated: yes

Selections:

164.308(a)(7)(i): Contingency plan

Description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Levels:

Automated: yes

Selections:

164.308(a)(7)(ii)(A): Data backup plan

Description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Levels:

Automated: yes

Selections:

164.308(a)(8): Evaluation

Description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

Levels:

Automated: yes

Selections:

164.308(b)(1): Business associate contracts and other arrangements

Description: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

Levels:

Automated: yes

Selections:

164.308(b)(2): Sub-contractors must follow 164.314(a)

Description: A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

Levels:

Automated: yes

Selections:

164.308(b)(3): Implementation specifications: Written contract or other arrangement.

Description: None

Levels:

Automated: yes

Selections:

164.310(a)(1): Facility access controls

Description: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Levels:

Automated: yes

Selections:

164.310(a)(2)(i): Contingency operations

Description: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Levels:

Automated: yes

Selections:

164.310(a)(2)(ii): Contingency operations

Description: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Levels:

Automated: yes

Selections:

164.310(a)(2)(iii): Access control and validation procedures

Description: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Levels:

Automated: yes

Selections:

164.310(a)(2)(iv): Maintenance records

Description: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Levels:

Automated: yes

Selections:

164.310(b): Workstation use

Description: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Levels:

Automated: yes

Selections:

164.310(c): Workstation security

Description: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Levels:

Automated: yes

Selections:

164.310(d): Person or entity authentication

Description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Levels:

Automated: yes

Selections:

164.310(d)(1): Device and media control

Description: None

Levels:

Automated: yes

Selections:

164.310(d)(2): Device and media controls

Description: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Levels:

Automated: yes

Selections:

164.310(d)(2)(iii): Accountability

Description: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Levels:

Automated: yes

Selections:

164.312(a): Access Control

Description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Levels:

Automated: yes

Selections:

164.312(a)(1): Access Control

Description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Levels:

Automated: yes

Selections:

164.312(a)(2)(i): Unique user identification

Description: Assign a unique name and/or number for identifying and tracking user identity.

Levels:

Automated: yes

Selections:

164.312(a)(2)(ii): Emergency access procedure

Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Levels:

Automated: yes

Selections:

164.312(a)(2)(iii): Automatic logoff

Description: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Levels:

Automated: yes

Selections:

164.312(a)(2)(iv): Encryption and decryption

Description: Implement a mechanism to encrypt and decrypt electronic protected health information.

Levels:

Automated: yes

Selections:

164.312(b): Audit controls.

Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Levels:

Automated: yes

Selections:

164.312(c): Integrity.

Description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Levels:

Automated: yes

Selections:

164.312(c)(1): Integrity.

Description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Levels:

Automated: yes

Selections:

164.312(c)(2): Implementation specification: Mechanism to authenticate electronic protected health information

Description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Levels:

Automated: yes

Selections:

164.312(d): Person or entity authentication.

Description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Levels:

Automated: yes

Selections:

164.312(e): Transmission security.

Description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Levels:

Automated: yes

Selections:

164.312(e)(1): Transmission security.

Description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Levels:

Automated: yes

Selections:

164.312(e)(2)(i): Integrity controls

Description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Levels:

Automated: yes

Selections:

164.312(e)(2)(ii): Encryption

Description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Levels:

Automated: yes

Selections:

164.314(a)(2)(i)(C): Business associate contracts.

Description: Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

Levels:

Automated: yes

Selections:

164.314(a)(2)(iii): Business associate contracts with subcontractors.

Description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

Levels:

Automated: yes

Selections:

164.314(b)(2)(i): Implementation specifications

Description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;

Levels:

Automated: yes

Selections: