Appendix A: Security Standards Matrix

Excerpted from 45 C.F.R. § 164, Subpart C, Appendix A

Standards                                           Sections                    Implementation Specifications: (R)=Required, (A)=Addressable
--------------------------------------------------------------------------------------------------------------------------------------------
Security Management Process                         45 C.F.R. § 164.308(a)(1)   Risk Analysis (R)
                                                                                Risk Management (R)
                                                                                Sanction Policy (R)
                                                                                Information System Activity Review (R)

Assigned Security Responsibility                    45 C.F.R. § 164.308(a)(2)   (R)

Workforce Security                                  45 C.F.R. § 164.308(a)(3)   Authorization and/or Supervision (A)
                                                                                Workforce Clearance Procedure (A)
                                                                                Termination Procedures (A)

Information Access Management                       45 C.F.R. § 164.308(a)(4)   Isolating Healthcare Clearinghouse Function (R)
                                                                                Access Authorization (A)
                                                                                Access Establishment and Modification (A)

Security Awareness and Training                     45 C.F.R. § 164.308(a)(5)   Security Reminders (A)
                                                                                Protection from Malicious Software (A)
                                                                                Log-in Monitoring (A)
                                                                                Password Management (A)

Security Incident Procedures                        45 C.F.R. § 164.308(a)(6)   Response and Reporting (R)

Contingency Plan                                    45 C.F.R. § 164.308(a)(7)   Data Backup Plan (R)
                                                                                Disaster Recovery Plan (R)
                                                                                Emergency Mode Operation Plan (R)
                                                                                Testing and Revision Procedures (A)
                                                                                Applications and Data Criticality Analysis (A)

Evaluation                                          45 C.F.R. § 164.308(a)(8)   (R)

Business Associate Contracts and Other Arrangements 45 C.F.R. § 164.308(b)(1)   Written Contract or Other Arrangement (R)
