Professional Documents
Culture Documents
1. Choose a Privacy Officer who will be responsible for overseeing the development,
implementation, maintenance of, and adherence to privacy policies and procedures regarding the
safe use and handling of PHI and a Security Officer who will be in charge of the ongoing management
of information security policies, procedures, and technical systems.
2. Conduct a risk assessment and implement a security management process a. Review and
document workplace operations for potential risks/vulnerabilities b. Check all computers, mobile
devices, paper records and storage of records, and additional security measures to ensure that all
PHI is being stored, used, and distributed appropriately and securely c. Conduct risk assessments
after any breach or theft of PHI and after any major change in hardware or software
3. Develop and implement policies and procedures a. Utilize policies and procedures to manage and
mitigate HIPAA risks b. Clearly document all policies and procedures and make them accessible to
workforce members c. Review and update policies and procedures regularly
4. Train workforce members on HIPAA regulations and the organization’s policies and compliance
plan a. Communicate HIPAA regulations with patients
Technical Safeguard
1. Access Control - Unique User Identification (required): Assign a unique name and/or number
for identifying and tracking user identity.
2. Access Control - Emergency Access Procedure (required): Establish (and implement as
needed) procedures for obtaining necessary ePHI during an emergency.
3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that
terminate an electronic session after a predetermined time of inactivity.
4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to
encrypt and decrypt ePHI.
5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms
that record and examine activity in information systems that contain or use ePHI.
6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic
mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized
manner.
7. Authentication (required): Implement procedures to verify that a person or entity seeking
access to ePHI is the one claimed.
8. Transmission Security - Integrity Controls (addressable): Implement security measures to
ensure that electronically transmitted ePHI is not improperly modified without detection
until disposed of.
9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI
whenever deemed appropriate.
Physical Safeguard
Administrative Safeguards