Check In Systems Inc.

Risk Assessment Report

Product: Medical Check In
Updated: 12/01/2024
Product Desc: Patient check-in and queuing software for the purpose of improving customer service and patient flow within any medical facility
Contact Info: Check In Systems Inc., St Petersburg FL, 727-578-6100
Contact Email: support@checkinsystems.com

Medical Check In is considered a low-risk, yet HIPAA-compliant, application. While the limited information stored does qualify as PHI, factors such as the type of data, access to the data, the lack of access, and the damages that would be considered under a breach are weighed in this assessment to arrive at a low risk rating. Options available to the subscriber may reduce the risk even further. This report is updated periodically, and at least annually, to remain compliant.
Administrative Safeguards

| Standard | Requirement | Status | Remarks |
|---|---|---|---|
| 164.308(a)(1) - Security Management Process | Risk Analysis - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. | 12/01/2024 | This report shall serve as witness |
| | Risk Management - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). | Verified | |
| | Sanction Policy - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. | Reviewed | No action needed |
| | Information system activity review - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Reviewed | Monthly |
| 164.308(a)(2) - Assigned Security Responsibility | Assigned security responsibility - Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. | Verified | |
| 164.308(a)(3) - Workforce Security | Authorization and/or supervision - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | Verified | Role-based access |
| | Workforce clearance procedure - Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | Verified | Role-based access |
| | Termination procedures - Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. | Verified | |
| 164.308(a)(4) - Information Access Management | Isolating health care clearinghouse functions - If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. | N/A | No clearinghouse used |
| | Access authorization - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | Verified | Role-based access |
| | Access establishment and modification - Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Verified | |
| 164.308(a)(5) - Security Awareness Training | Training - Minimum HIPAA training requirements. | Verified | Annual |
| | Security reminders - Periodic security updates. | Verified | Monthly |
| | Protection from malicious software - Procedures for guarding against, detecting, and reporting malicious software. | Verified | |
| | Log-in monitoring - Procedures for monitoring log-in attempts and reporting discrepancies. | Verified | |
| | Password management - Procedures for creating, changing, and safeguarding passwords. | Verified | |
| 164.308(a)(6) - Security Incident Procedures | Response and reporting - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. | Reviewed | Addressed in Policy & Procedures |
| 164.308(a)(7) - Contingency Plan | Data backup plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | Verified | Daily |
| | Disaster recovery plan - Establish (and implement as needed) procedures to restore any loss of data. | Verified | Published |
| | Emergency mode operation plan - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | Verified | Published |
| | Testing and revision procedures - Implement procedures for periodic testing and revision of contingency plans. | Verified | Monthly |
| | Applications and data criticality analysis - Assess the relative criticality of specific applications and data in support of other contingency plan components. | Verified | |
| 164.308(a)(8) - Evaluation | Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. | Reviewed | |
| 164.308(b)(1) - Business Associate Agreements | Written contract or other arrangement - Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a). | Verified | |

Physical Safeguards

| Standard | Requirement | Status | Remarks |
|---|---|---|---|
| 164.310(a)(1) - Facility Access Controls | Facility access controls - Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. | Verified | |
| 164.310(a)(2) - Facility Access Controls | Contingency operations - Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | Verified | Tested |
| | Facility security plan - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Verified | |
| | Access control and validation procedures - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Verified | |
| | Maintenance records - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Verified | |
| 164.310(b) - Workstation Use | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | Verified | |
| 164.310(c) - Workstation Security | Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | Verified | |
| 164.310(d)(1,2) - Device and Media Controls | Device and media controls - Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. | Verified | |
| | Disposal (Required) - Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | Verified | |
| | Media re-use - Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. | Verified | |
| | Accountability - Maintain a record of the movements of hardware and electronic media and any person responsible therefore. | Verified | |
| | Data backup and storage - Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Verified | |

Technical Safeguards

| Standard | Requirement | Status | Remarks |
|---|---|---|---|
| 164.312(a) - Access Control | Access control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). | Verified | |
| | Unique user identification - Assign a unique name and/or number for identifying and tracking user identity. | Verified | |
| | Emergency access procedure - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Verified | |
| | Automatic logoff - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Verified | |
| | Encryption and decryption - Implement a mechanism to encrypt and decrypt electronic protected health information. | Verified | |
| 164.312(b) - Audit Controls | Audit controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Verified | |
| 164.312(c) - Integrity | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | Verified | |
| | Mechanism to authenticate electronic protected health information - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Reviewed | |
| 164.312(d) - Person or Entity Authentication | Person or entity authentication - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | Verified | |
| 164.312(e) - Transmission Security | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | Verified | |
| | Integrity controls - Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Verified | |
| | Encryption - Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | Verified | TLS 1.3 |

Legal Disclaimer Check In Systems Inc

THE INFORMATION FROM OR THROUGH THE SITE IS PROVIDED “AS-IS,” “AS AVAILABLE,” AND ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED (INCLUDING BUT NOT LIMITED TO THE DISCLAIMER OF ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE). THE INFORMATION AND SERVICES MAY CONTAIN BUGS, ERRORS, PROBLEMS OR OTHER LIMITATIONS. WE AND OUR AFFILIATED PARTIES HAVE NO LIABILITY WHATSOEVER FOR YOUR USE OF ANY INFORMATION OR SERVICE. IN PARTICULAR, BUT NOT AS A LIMITATION THEREOF, WE AND OUR AFFILIATED PARTIES ARE NOT LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE NEGATION OF DAMAGES SET FORTH ABOVE IS A FUNDAMENTAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN US AND YOU. THIS SITE AND THE INFORMATION WOULD NOT BE PROVIDED WITHOUT SUCH LIMITATIONS. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM US THROUGH THE SITE SHALL CREATE ANY WARRANTY, REPRESENTATION OR GUARANTEE NOT EXPRESSLY STATED IN THIS AGREEMENT. ALL RESPONSIBILITY OR LIABILITY FOR ANY DAMAGES CAUSED BY VIRUSES CONTAINED WITHIN THE ELECTRONIC FILE CONTAINING THE FORM OR DOCUMENT IS DISCLAIMED. WE WILL NOT BE LIABLE TO YOU FOR ANY INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND THAT MAY RESULT FROM USE OF OR INABILITY TO USE OUR SITE. OUR MAXIMUM LIABILITY TO YOU UNDER ALL CIRCUMSTANCES WILL BE EQUAL TO THE PURCHASE PRICE PAID FOR ANY GOODS, SERVICES OR INFORMATION. WHILE THE INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED WITH THE FULL INTENT OF BEING ACCURATE, THE NATURE OF COMPUTERS, SOFTWARE AND STANDARDS MAY CHANGE AND THEREFORE MAY PROVIDE EXCEPTION. CHECK IN SYSTEMS INC GIVES NO GUARANTEE OF COMPLIANCE.

*******
Last updated 12-5-2024