164.308(a)(5)(i): Security Awareness and Training
Implement a security awareness and training program for all workforce members.

164.308(a)(4)(ii)(C): Access Establishment and Modification
Implement policies and procedures that establish, document, review, and modify access to ePHI.

164.308(a)(4)(ii)(B): Access Authorization
Implement policies and procedures for granting access to ePHI.

164.308(a)(4)(ii)(A): Isolating Health Care Clearinghouse Functions
Implement policies and procedures to protect ePHI when clearinghouse functions are performed.

Information Access Management
Implement policies and procedures for authorizing access to ePHI.

Termination Procedures
Implement procedures for terminating access to ePHI when the employment of a workforce member ends.

Workforce Clearance Procedure
Implement procedures to determine that the access of a workforce member to ePHI is appropriate.

Authorization and/or Supervision
Implement procedures for the authorization and/or supervision of workforce members who work with ePHI.

Workforce Security
Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI.

Assigned Security Responsibility
Identify the security official responsible for the development and implementation of the policies and procedures required by this subpart.

Information System Activity Review
Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Sanction Policy
The HIPAA Sanction Policy is a crucial component of an organization's overall HIPAA compliance strategy. It outlines the consequences for workforce members who fail to adhere to the established security policies and procedures designed to protect patient health information.

Risk Management
HIPAA 164.308(a)(1)(ii)(B) requires covered entities and business associates to: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]."
This guide provides specific guidance for engineers, analysts, and management to effectively implement this requirement.

Risk Analysis
“Security is always going to be a cat and mouse game because there’ll be people out there that are hunting for the zero day award, you have people that don’t have configuration management, don’t have vulnerability management, don’t have patch management.”
— Kevin Mitnick

Security Management Process
Governance, risk management, and policy development. This includes conducting regular risk analyses, implementing risk management plans, developing and enforcing policies (including sanctions policies), reviewing system activity, providing training, managing business associates, maintaining documentation, and ensuring continuous improvement of the security management process.