Sector-specific framework

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards.

Issuing Body: U.S. Department of Health and Human Services (HHS)
Version: 2013 (proposed update 2025)
Published: 2003-02-20
Controls: 20

Control ID | Title | Maturity
(each control's description follows on the next line)
HIPAA-164.308(a)(1) | Security Management Process | defined
Implement policies and procedures to prevent, detect, contain, and correct security violations. Includes risk analysis, risk management, sanction policy, and information system activity review.

HIPAA-164.308(a)(2) | Assigned Security Responsibility | defined
Identify the security official who is responsible for the development and implementation of the policies and procedures required for the entity.

HIPAA-164.308(a)(3) | Workforce Security | defined
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access.

HIPAA-164.308(a)(4) | Information Access Management | defined
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

HIPAA-164.308(a)(5) | Security Awareness and Training | defined
Implement a security awareness and training program for all members of its workforce, including management. Includes protection from malicious software, log-in monitoring, and password management.

HIPAA-164.308(a)(6) | Security Incident Procedures | defined
Implement policies and procedures to address security incidents. Includes identification of and response to suspected or known security incidents, mitigation of harmful effects, and documentation.

HIPAA-164.308(a)(7) | Contingency Plan | defined
Establish and implement policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI. Includes data backup, disaster recovery, emergency mode operation, testing, and applications/data criticality analysis.

HIPAA-164.308(a)(8) | Evaluation | defined
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of ePHI.

HIPAA-164.308(b)(1) | Business Associate Contracts | defined
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

HIPAA-164.310(a)(1) | Facility Access Controls | defined
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

HIPAA-164.310(b) | Workstation Use | defined
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

HIPAA-164.310(c) | Workstation Security | defined
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

HIPAA-164.310(d)(1) | Device and Media Controls | defined
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

HIPAA-164.312(a)(1) | Access Control | managed
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

HIPAA-164.312(b) | Audit Controls | managed
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

HIPAA-164.312(c)(1) | Integrity Controls | managed
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

HIPAA-164.312(d) | Person or Entity Authentication | managed
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

HIPAA-164.312(e)(1) | Transmission Security | managed
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

HIPAA-164.316(a) | Policies and Procedures | defined
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.

HIPAA-164.316(b)(1) | Documentation | defined
Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form. Retain documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.