Mapping of HIPAA requirements (Security Rule standards with their implementation specifications, plus the Privacy, Enforcement and Breach Notification Rule obligations of business associates) to ISO/IEC 27002 controls. Clause numbers follow the 2005 edition of ISO/IEC 27002; the "Controls" column is the number of ISO 27002 controls mapped to each row. (R) = required implementation specification, (A) = addressable implementation specification.

| HIPAA Standard | HIPAA Implementation Specifications | ISO 27002 Security Clauses & Categories | Controls | Remarks/Implementation |
|---|---|---|---|---|
| Security Management Process | 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) | 5.1 INFORMATION SECURITY POLICY | 2 | |
| Assigned Security Responsibility | 164.308(a)(2) | 6.1.3 Allocation of information security responsibilities | 1 | |
| Workforce Security | 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) | 8 HUMAN RESOURCES SECURITY | 8 | |
| Information Access Management | 164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) | 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL; 11.2 USER ACCESS MANAGEMENT | 5 | |
| Security Awareness and Training | 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) | 8.2.2 Information security awareness, education, and training; 11.3.1 Password use | 2 | |
| Security Incident Procedures | 164.308(a)(6): Response and Reporting (R) | 13 INFORMATION SECURITY INCIDENT MANAGEMENT | 5 | |
| Contingency Plan | 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) | 14 BUSINESS CONTINUITY MANAGEMENT | 5 | |
| Evaluation | 164.308(a)(8) | 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE | 2 | |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1): Written Contract or Other Arrangement (R) | N/A | 0 | |
| Facility Access Controls | 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) | 9.1 SECURE AREAS | 6 | |
| Workstation Use | 164.310(b) | 7.1.3 Acceptable use of assets | 1 | |
| Workstation Security | 164.310(c) | 9.2 EQUIPMENT SECURITY | 5 | |
| Device and Media Controls | 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) | 7.1 RESPONSIBILITY FOR ASSETS; 9.2.6 Secure disposal or re-use of equipment; 9.2.7 Removal of property; 10.5 BACK-UP; 10.7 MEDIA HANDLING | 8 | |
| Access Control | 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) | 11.5 OPERATING SYSTEM ACCESS CONTROL | 6 | |
| Audit Controls | 164.312(b) | 15.3.1 Information systems audit controls | 1 | |
| Integrity | 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A) | 12.2 CORRECT PROCESSING IN APPLICATIONS | 4 | |
| Person or Entity Authentication | 164.312(d) | 11.4.2 User authentication for external connections; 11.5.2 User identification and authentication | 2 | |
| Transmission Security | 164.312(e)(1): Integrity Controls (A); Encryption (A) | 12.3 CRYPTOGRAPHIC CONTROLS | 2 | |
| Privacy Rule obligations for business associates | Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA; limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; providing an accounting of disclosures; providing access to PHI kept in a designated record set for covered entities or individuals | 15.1.4 Data protection and privacy of personal information | 1 | |
| Privacy Rule obligations for business associates | Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations | 13.2.3 Collection of evidence | 1 | |
| Privacy Rule obligations for business associates | Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates | 6.2.3 Addressing security in third party agreements | 1 | |
| Enforcement Rule obligations for business associates | Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA | 15.1.1 Identification of applicable legislation | 1 | |
| Breach Notification Rule obligations for business associates | Providing a breach notification to its covered entity upon discovering a privacy or security "breach," as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred | 13.1.1 Reporting information security events | 1 | |
| TOTAL | | | 70 | |