HIPAA Security Rule self-assessment questionnaire (columns: item, requirement, answer, HIPAA Security Rule standard, implementation specification; the comments column was blank for every item)

| Item | Requirement | Answer (Yes/No/Uncertain) | Standard | Implementation Specification |
|---|---|---|---|---|
| 1 | Is a documented Risk Analysis process used to ensure cost-effective security measures are used to mitigate expected losses? | yes | Security Management Process §164.308(a)(1) | Risk Analysis |
| 2 | Are security measures implemented to reduce risks and vulnerabilities to an appropriate level for the organization? | no | Security Management Process §164.308(a)(1) | Risk Management |
| 3 | Do documented policies and procedures exist regarding disciplinary actions (stipulations for misuse or misconduct)? | uncertain | Security Management Process §164.308(a)(1) | Sanction Policy |
| 4 | Have procedures been implemented to regularly review information system activity? | no | Security Management Process §164.308(a)(1) | Information System Activity Review |
| 5 | Has the security responsibility for the unit been assigned to an individual or group? | no | Assigned Security Responsibility §164.308(a)(2) | No Implementation Specifications |
| 6 | Is there a formal process in place to allow the reporting of security breaches? | no | Security Incident Procedures §164.308(a)(6)(i) | Response and Reporting |
| 7 | Are formal procedures followed for timely responding to incidents? | no | Security Incident Procedures §164.308(a)(6)(i) | Response and Reporting |
| 8 | Are procedures followed for mitigating incidents that may occur? | no | Security Incident Procedures §164.308(a)(6)(i) | Response and Reporting |
| 9 | At the conclusion of an incident, are procedures followed to document and maintain the outcome of the incident investigation? | no | Security Incident Procedures §164.308(a)(6)(i) | Response and Reporting |
| 10 | Has a Data Backup Plan been documented, implemented and followed within your organization? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 11 | Does the Data Backup Plan contain procedures for testing and revision? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 12 | Does the organization follow Data Backup Plan procedures that allow for an exact copy of information to be retrieved? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 13 | Does the Data Backup Plan call for either full or incremental backups? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 14 | Is the backup media safely stored for an appropriate period of time? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 15 | Do physical protection mechanisms exist for local and remote copies of backups? | no | Contingency Plan §164.308(a)(7)(i) | Data Backup Plan |
| 16 | Has a Disaster Recovery Plan been developed and documented? | no | Contingency Plan §164.308(a)(7)(i) | Disaster Recovery Plan |
| 17 | Has an Emergency Mode Operation Plan been documented and tested to determine continual operations? | no | Contingency Plan §164.308(a)(7)(i) | Emergency Mode Operation Plan |
| 18 | Do the Emergency Mode Operation Plan and Disaster Recovery Plan address physical access to appropriate personnel? | yes | Contingency Plan §164.308(a)(7)(i) | Emergency Mode Operation Plan |
| 19 | Has an internal or external entity performed a documented assessment on any network or individual system(s) within the network to determine if they meet a pre-specified set of security standards? | uncertain | Evaluation §164.308(a)(8) | No Implementation Specifications |
| 20 | Does the organization maintain a history of Technical Evaluations for computer system(s) and network(s)? | no | Evaluation §164.308(a)(8) | No Implementation Specifications |
| 21 | Has a documented inventory of all electronic data exchanges with third parties, vendors or business partners taken place and a Business Associate Agreement been executed, when needed? | yes | Business Associate Contracts and Other Arrangements §164.308(b)(1) | Written Contract or Other Arrangement |
| 22 | If there are any trusted internal or external business connections, or any third party connections or accesses, has a Business Associate Agreement or Memorandum of Understanding been completed? | no | Business Associate Contracts and Other Arrangements §164.308(b)(1) | Written Contract or Other Arrangement |
| 23 | Does the organization follow procedures for defined acceptable workstation use? | yes | Workstation Use §164.310(b) | No Implementation Specifications |
| 24 | Has the organization implemented physical safeguards to eliminate or minimize unauthorized access/viewing of health information on workstations? | no | Workstation Security §164.310(c) | No Implementation Specifications |
| 25 | Does the organization implement console locking features? | uncertain | Workstation Security §164.310(c) | No Implementation Specifications |
| 26 | Does the organization follow procedures for the final disposition of electronic data (including PHI) and the hardware that it resides on? | uncertain | Device and Media Controls §164.310(d)(1) | Disposal |
| 27 | Have procedures been developed for removing electronic Protected Health Information from media before it is scheduled for re-use? | no | Device and Media Controls §164.310(d)(1) | Media Re-use |
| 28 | Are unique user ID(s) in place/use (network and application)? | yes | Access Control §164.312(a)(1) | Unique User Identification |
| 29 | Are there NO shared IDs or non-unique IDs in use? | no | Access Control §164.312(a)(1) | Unique User Identification |
| 30 | Do all end users of network resources have a unique user ID? | yes | Access Control §164.312(a)(1) | Unique User Identification |
| 31 | Is an emergency access procedure documented and followed? | no | Access Control §164.312(a)(1) | Emergency Access Procedures |
| 32 | Are networked systems configured to allow event reporting? | uncertain | Audit Controls §164.312(b) | No Implementation Specifications |
| 33 | Are auditing capabilities enabled for file/record accesses, modifications, or deletions? | uncertain | Audit Controls §164.312(b) | No Implementation Specifications |
| 34 | Are software or hardware solutions in place that will provide notification of abnormal conditions that may occur in a networked system? | no | Audit Controls §164.312(b) | No Implementation Specifications |
| 35 | Is the signature on the document/data verified as trustworthy? | yes | Person or Entity Authentication §164.312(d) | No Implementation Specifications |
| 36 | Are Business Associate contracts in place between the unit and any business associate that might come in contact with the organization's electronic Protected Health Information? | no | Business Associate Contracts and Other Arrangements §164.314(a)(1) | Business Associate Contracts |
| 37 | We follow University guidelines regarding security of electronic information. | yes | Policy and Procedures §164.316(a) | No Implementation Specifications |
| 38 | Are documents related to electronic Protected Health Information maintained for the time period prescribed by this rule? | no | Documentation §164.316(b)(1) | Time Limit |
| 39 | Is documentation available to those persons responsible for implementing the various procedures required by the HIPAA security rule? | uncertain | Documentation §164.316(b)(1) | Availability |

Totals:
Yes 8
No 24
Uncertain 7
N/A 0
Not Answered 0
Blank comments 39
HIPAA Security Rule standards and implementation specifications, with the requirement each describes and the kinds of solution that address it (columns: citation, standard or implementation specification, required or addressable, requirement description, solution)

| Citation | Standard / Implementation Specification | Required or Addressable | Requirement Description | Solution |
|---|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations | |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment |
| 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures | |
| 164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access | |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks |
| 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Single sign-on, identity management, access controls, security policy document management |
| 164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI | |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory VPN, SOCKS |
| 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management |
| 164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers | |
| 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Procedures to guard against malicious software | Network firewall, desktop firewall, antivirus, anti-spam, host/network IPS, unified threat management, network anomaly detection, patch management, firmware management, host/network IDS, OS access controls (least-privileged user), content filtering |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Procedures and monitoring of log-in attempts | Log aggregation, log analysis, security event management, host IDS |
| 164.308(a)(5)(ii)(D) | Password Management | Addressable | Procedures for password management | Password management software, single sign-on, metadirectories |
| 164.308(a)(6)(i) | Security Incident Procedures | Required | Policies and procedures to manage security incidents | |
| 164.308(a)(6)(ii) | Response and Reporting | Required | Mitigate and document security incidents | Helpdesk, vulnerability management, security event management |
| 164.308(a)(7)(i) | Contingency Plan | Required | Emergency response policies and procedures | |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Data backup planning and procedures | Backup support on-site/off-site |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Data recovery planning and procedures | |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Business continuity procedures | |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Contingency-planning periodic testing procedures | |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Prioritize data and system criticality for contingency planning | Change management control software, asset management software |
| 164.308(a)(8) | Evaluation | Required | Periodic security evaluation | Perform a periodic compliance assessment |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | Required | CE implement BACs to ensure safeguards | |
| 164.308(b)(4) | Written Contract | Required | Implement compliant BACs | Contracts |
| 164.310(a)(1) | Facility Access Controls | Required | Policies and procedures to limit access to systems and facilities | Policies and procedures |
| 164.310(a)(2)(i) | Contingency Operations | Addressable | Procedures to support emergency operations and recovery | Procedures |
| 164.310(a)(2)(ii) | Facility Security Plan | Addressable | Policies and procedures to safeguard equipment and facilities | Policies and procedures |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable | Facility access procedures for personnel | Card readers, locks, biometrics, proximity badges, tokens |
| 164.310(a)(2)(iv) | Maintenance Records | Addressable | Policies and procedures to document security-related repairs and modifications | Policies and procedures |
| 164.310(b) | Workstation Use | Required | Policies and procedures to specify workstation environment and use | Desktop management, policy management, application management |
| 164.310(c) | Workstation Security | Required | Physical safeguards for workstation access | Card readers, locks, biometrics, tokens, hardware cables, proximity tokens, locking screen savers |
| 164.310(d)(1) | Device and Media Controls | Required | Policies and procedures to govern receipt and removal of hardware and media | |
| 164.310(d)(2)(i) | Disposal | Required | Policies and procedures to manage media and equipment disposal | Destruction, recycling |
| 164.310(d)(2)(ii) | Media Reuse | Required | Policies and procedures to remove PHI from media and equipment | Zeroing, degaussing |
| 164.310(d)(2)(iii) | Accountability | Addressable | Document hardware and media movement | Logs, receipts, cameras |
| 164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Backup PHI before moving equipment | Tape/network backup, encrypted backup |
| 164.312(a)(1) | Access Control | Required | Technical (administrative) policies and procedures to manage PHI access | Policies and procedures |
| 164.312(a)(2)(i) | Unique User Identification | Required | Assign unique IDs to support tracking | Directories, OS user directories, ERP software, ID management software, single sign-on, metadirectories |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Required | Procedures to support emergency access | Procedures |
| 164.312(a)(2)(iii) | Automatic Logoff | Addressable | Session termination mechanisms | Time-outs, proximity tokens, scheduled access control |
| 164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Mechanism for encryption of stored PHI | File and folder encryption, hard drive encryption, e-mail encryption |
| 164.312(b) | Audit Controls | Required | Procedures and mechanisms for monitoring system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.312(c)(1) | Integrity | Required | Policies and procedures to safeguard PHI against unauthorized alteration | Policies and procedures |
| 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable | Mechanisms to corroborate PHI is not altered | PKI, digital signatures, OS/database/file hashing |
| 164.312(d) | Person or Entity Authentication | Required | Procedures to verify identities | SAML, PKI, ID management software, single sign-on, metadirectories, passwords, authentication tokens, digital certificates, biometrics |
| 164.312(e)(1) | Transmission Security | Required | Measures to guard against unauthorized access to transmitted PHI | Controls |
| 164.312(e)(2)(i) | Integrity Controls | Addressable | Measures to ensure integrity of PHI on transmission | IPsec, VPN, S/MIME, PGP |
| 164.312(e)(2)(ii) | Encryption | Addressable | Mechanism for encryption of transmitted PHI | IPsec, VPN, PPTP VPN, SSL VPN, S/MIME, SSH, PGP |
