Item | Requirement | Yes/No/Uncertain | Standard | Specification
6 | Is there a formal process in place to allow the reporting of security breaches? | No | Security Incident Procedures | §164.308(a)(6)(i)
8 | Are procedures followed for mitigating incidents that may occur? | No | Security Incident Procedures | §164.308(a)(6)(i)
11 | Does the Data Backup Plan contain procedures for testing and revision? | No | Contingency Plan | §164.308(a)(7)(i)
26 | Does the organization follow procedures for the final disposition of electronic data (including PHI) and the hardware that it resides on? | Uncertain | Device and Media Controls | §164.310(d)(1)

Totals:
Yes: 8
No: 24
Uncertain: 7
N/A: 0
Not Answered: 0
Blank comments: 39
Specs column of the assessment table (the Comments column is blank throughout):
Risk Analysis
Risk Management
Sanction Policy
Information System Activity Review
No Implementation Specifications
Response and Reporting
Response and Reporting
Response and Reporting
Response and Reporting
Disaster Recovery Plan
Emergency Mode Operation Plan
Emergency Mode Operation Plan
No Implementation Specifications
No Implementation Specifications
No Implementation Specifications
Written Contract or Other Arrangement
Written Contract or Other Arrangement
No Implementation Specifications
No Implementation Specifications
No Implementation Specifications
Disposal
Media Re-use
Unique User Identification
Unique User Identification
Unique User Identification
Emergency Access Procedures
No Implementation Specifications
No Implementation Specifications
No Implementation Specifications
No Implementation Specifications
Business Associate Contracts
No Implementation Specifications
Time Limit
Availability
HIPAA Security Rule Standard | Implementation Specification | Required | Implementation Description | Solution
164.308(a)(1)(i) Security Management Process | | Required | |

Implementation Description | Solution
Procedures to terminate PHI access | Single sign-on, identity management, access management controls; security policy document management
Policies and procedures to authorize access to PHI |
Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory VPN, SOCKS
Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control
Policies and procedures to grant access to PHI | Security policy document management
Procedures and monitoring of log-in attempts | Log aggregation, log analysis, security event management, host IDS
Procedures for password management | Password management software, single sign-on, metadirectories
Policies and procedures to manage security incidents |
Mitigate and document security incidents | Helpdesk, vulnerability management, security event management
Emergency response policies and procedures |
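The "Procedures and monitoring of log-in attempts" row maps the requirement to log aggregation and log analysis without showing what such a check looks like. The following is an added example, not code from the assessment or from any product it names: it parses constructed sshd-style log lines and flags two patterns an analyst would want out of an aggregated log, a burst of failures from one source and a success that follows a run of failures. The log format, host names, addresses, thresholds and sample lines are all assumptions made for this example.

```python
"""Failed-login monitoring over aggregated log lines.

Added example, not part of the assessment document. The syslog-style
format, the thresholds and the sample lines are assumptions chosen for
illustration; adapt LINE_RE to the log source actually being aggregated.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example): ISO timestamp, host,
# then an OpenSSH-style "Failed/Accepted password for USER from ADDR" message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log for this example only (203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
2024-03-01T09:00:01 ehr-app01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T09:00:03 ehr-app01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
2024-03-01T09:00:04 ehr-app01 sshd[2103]: Failed password for root from 203.0.113.7 port 51241 ssh2
2024-03-01T09:00:06 ehr-app01 sshd[2104]: Failed password for jsmith from 203.0.113.7 port 51242 ssh2
2024-03-01T09:00:09 ehr-app01 sshd[2105]: Failed password for jsmith from 203.0.113.7 port 51250 ssh2
2024-03-01T09:00:12 ehr-app01 sshd[2106]: Accepted password for jsmith from 203.0.113.7 port 51251 ssh2
2024-03-01T09:05:00 ehr-db01 sshd[3301]: Failed password for dba from 198.51.100.4 port 40001 ssh2
2024-03-01T09:20:00 ehr-db01 sshd[3302]: Failed password for dba from 198.51.100.4 port 40002 ssh2
2024-03-01T09:20:30 ehr-db01 sshd[3303]: Accepted password for dba from 198.51.100.4 port 40003 ssh2
"""


def parse_events(log_text):
    """Parse lines matching LINE_RE into dicts, sorted by timestamp.
    Lines in any other format are skipped rather than treated as errors."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "failed": m["result"] == "Failed",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {(host, src): peak_count} for every source that produced at
    least `threshold` failures inside a sliding window of `window_seconds`.
    Failures are counted per (host, source) regardless of the user name,
    so password spraying across accounts is caught too."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, src) -> timestamps still in window
    alerts = {}
    for e in events:
        if not e["failed"]:
            continue
        key = (e["host"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def find_success_after_failures(events, min_failures=3, window_seconds=60):
    """Return [(host, user, src, n_failures)] for accepted logins preceded by
    at least `min_failures` failures from the same source within the window.
    A success right after a burst of failures is the case that deserves a
    review of the account, not just the source address."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    hits = []
    for e in events:
        key = (e["host"], e["src"])
        q = recent[key]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["failed"]:
            q.append(e["ts"])
        elif len(q) >= min_failures:
            hits.append((e["host"], e["user"], e["src"], len(q)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (host, src), n in find_bruteforce(evs).items():
        print(f"ALERT burst: {n} failures from {src} on {host} within 60s")
    for host, user, src, n in find_success_after_failures(evs):
        print(f"ALERT success-after-failures: {user}@{host} from {src} after {n} failures")
```

On the sample log the first check flags 203.0.113.7 against ehr-app01 (five failures in eight seconds) and the second flags the jsmith login that follows them; the two spaced-out dba failures stay below both thresholds, which is the behaviour to expect from a window-based rule and the reason the window and threshold should be tuned against the organization's own baseline rather than copied.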