IHS HIPAA Security Checklist


Columns: HIPAA Security Safeguard / Rule Reference; R = Required, A = Addressable; Status: Complete or N/A.

Administrative Safeguards

164.308(a)(1)(i) / Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
164.308(a)(1)(ii)(A) / Has a Risk Analysis been completed IAW NIST Guidelines? (R)
164.308(a)(1)(ii)(B) / Has the Risk Management process been completed IAW NIST Guidelines? (R)
164.308(a)(1)(ii)(C) / Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)
164.308(a)(1)(ii)(D) / Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? (R)
164.308(a)(2) / Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. Status: COMPLETE
164.308(a)(3)(i) / Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI).
164.308(a)(3)(ii)(A) / Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)
164.308(a)(3)(ii)(B) / Have you implemented procedures to determine that the access of an employee to EPHI is appropriate? (A)
164.308(a)(3)(ii)(C) / Have you implemented procedures for terminating access to EPHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(B) of this section? (A)
164.308(a)(4)(i) / Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.
164.308(a)(4)(ii)(A) / If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (R)
164.308(a)(4)(ii)(B) / Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)
164.308(a)(4)(ii)(C) / Have you implemented policies and procedures that, based upon your access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)
164.308(a)(5)(i) / Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).
164.308(a)(5)(ii)(A) / Do you provide periodic information security reminders? (A)
164.308(a)(5)(ii)(B) / Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)
164.308(a)(5)(ii)(C) / Do you have procedures for monitoring login attempts and reporting discrepancies? (A)
164.308(a)(5)(ii)(D) / Do you have procedures for creating, changing, and safeguarding passwords? (A)
164.308(a)(6)(i) / Security Incident Procedures: Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) / Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R)
164.308(a)(7)(i) / Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.
164.308(a)(7)(ii)(A) / Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (R)
164.308(a)(7)(ii)(B) / Have you established (and implemented as needed) procedures to restore any loss of EPHI data that is stored electronically? (R)
164.308(a)(7)(ii)(C) / Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of EPHI while operating in the emergency mode? (R)
164.308(a)(7)(ii)(D) / Have you implemented procedures for periodic testing and revision of contingency plans? (A)

164.308(a)(7)(ii)(E) / Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)
164.308(a)(8) / Have you established a plan for periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart?
164.308(b)(1) / Business Associate Contracts and Other Arrangements: A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information.
164.308(b)(4) / Have you established written contracts or other arrangements with your trading partners that document the satisfactory assurances required by paragraph (b)(1) of this section and that meet the applicable requirements of Sec. 164.314(a)? (R)

Physical Safeguards

164.310(a)(1) / Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
164.310(a)(2)(i) / Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode

164.310(a)(2)(ii) / Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)
164.310(a)(2)(iii) / Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A)
164.310(a)(2)(iv) / Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A)
164.310(b) / Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI?
164.310(c) / Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)
164.310(d)(1) / Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
164.310(d)(2)(i) / Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored? (R)
164.310(d)(2)(ii) / Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse? (R)

164.310(d)(2)(iii) / Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A)
164.310(d)(2)(iv) / Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment? (A)

Technical Safeguards

164.312(a)(1) / Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
164.312(a)(2)(i) / Have you assigned a unique name and/or number for identifying and tracking user identity? (R)
164.312(a)(2)(ii) / Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)
164.312(a)(2)(iii) / Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)
164.312(a)(2)(iv) / Have you implemented a mechanism to encrypt and decrypt EPHI? (A)
164.312(b) / Have you implemented Audit Controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)

164.312(c)(1) / Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction.
164.312(c)(2) / Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)
164.312(d) / Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R)
164.312(e)(1) / Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
164.312(e)(2)(i) / Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)
164.312(e)(2)(ii) / Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)