HIPAA Controls Knowledge Base
Comprehensive guide to HIPAA Security Rule controls with implementation guidance, NIST references, and best practices
Security Officer
164.308(a)(1): A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures....
Workforce Security
164.308(a)(2): Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information (ePHI...
Information Access Management
164.308(a)(3): Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the Security Rule....
Security Awareness and Training
164.308(a)(4): Implement a security awareness and training program for all members of the workforce (including management)....
Security Incident Procedures
164.308(a)(5): Implement policies and procedures to address security incidents....
Contingency Plan
164.308(a)(6): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system f...
Evaluation
164.308(a)(7): Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in respons...
Facility Access Controls
164.310(a)(1): Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, ...
Workstation Use
164.310(a)(2): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the ...
Workstation Controls
164.310(a)(2)(ii): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users....
Media Controls
164.310(b): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, a...
Device and Media Controls
164.310(c): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored....
Access Control
164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software pr...
Audit Controls
164.312(a)(2): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI....
Integrity
164.312(b): Implement policies and procedures to protect ePHI from improper alteration or destruction....
Person or Entity Authentication
164.312(c): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed....
Transmission Security
164.312(e): Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network...
Business Associate Contracts or Other Arrangements
164.314(a)(1): A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered ent...
Requirements for Group Health Plans
164.314(a)(2): Except when the only ePHI disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as permitted under 164.508(a)(3)(i), a g...
Policies and Procedures
164.316(a): Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of thi...
Documentation
164.316(b)(1): Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form....
Time Limit
164.316(b)(2): Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect...