The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
Administrative, Physical, and Technical Safeguard Standards Compliance Worksheet
David G. Jensen, JD (former Staff Attorney), The Therapist, May/June 2017
ADMINISTRATIVE SAFEGUARDS
1 Security management process. A covered entity (“CE”) must implement policies and procedures (“P&Ps”) to prevent, detect, punish, and correct security violations.
2 Assigned security responsibility. A CE must designate a person responsible for developing and implementing the CE’s security P&Ps.
3 Workforce security. A CE must implement P&Ps to ensure that its employees have appropriate access to EPHI.
4 Information access management. A CE must implement P&Ps for authorizing access to EPHI.
5 Security awareness and training. A CE must implement a security awareness and training program for its workforce.
6 Security incident procedures. A CE must implement P&Ps on reporting and responding to known security incidents.
7 Contingency plan. A CE must implement P&Ps for responding to an emergency or other occurrence that damages the CE’s equipment or systems containing EPHI.
8 Evaluation. A CE must perform a periodic technical and nontechnical evaluation to determine the extent to which the entity’s security P&Ps meet the requirements of the security regulations.
9 Business associate contracts & other arrangements. A CE must get satisfactory assurances from its business associates who create, receive, maintain, or transmit the entity’s EPHI or PHI that the business associate will care for the EPHI or PHI appropriately.
PHYSICAL SAFEGUARDS
1 Facility access controls. A CE must implement P&Ps that limit physical access to electronic information systems and their locations to authorized individuals only.
2 Workstation use. A CE must implement P&Ps that describe what tasks can be performed at a particular workstation, how those tasks are to be performed, and the physical surroundings of workstations that can access EPHI.
3 Workstation security. A CE must implement physical safeguards for workstations that can access EPHI to protect them from unauthorized users.
4 Device & media controls. A CE must implement P&Ps governing the transport (receipt & removal) of hardware and electronic media that contain EPHI into, out of, and within the organization.
TECHNICAL SAFEGUARDS
1 Access control. A CE must implement P&Ps to limit access to electronic information systems that contain EPHI only to persons or software programs with access rights.
2 Audit controls. A CE must install hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.
3 Integrity. A CE must implement P&Ps to protect EPHI from being improperly changed or destroyed.
a. Given my technical capabilities, my technical infrastructure, my financial resources, and my desire to reduce to an acceptable level the risk of unauthorized uses or disclosures of EPHI, what can I do to ensure that EPHI is not altered without my knowledge or approval? Keep in mind, however, that if the CE is not connected to the Internet and has adequate access controls, then data authentication may not be necessary.
4 Person or entity authentication. A CE must implement P&Ps to ensure that persons or organizations seeking access to EPHI are who they claim to be.
5 Transmission security. A CE must implement security measures to prevent unauthorized access to EPHI that is being transmitted over an electronic communications network.
ORGANIZATIONAL & DOCUMENTATION REQUIREMENTS
1 Business associate contracts. A CE must ensure that its contracts or other arrangements (i.e., memorandum of understanding or agreement) with the CE’s business associates are amended to address the security regulations.
2 Policies and procedures. A CE must adopt P&Ps as reasonable and appropriate for the entity to meet the standards, implementation specifications, and other requirements of the security regulations.
3 Documentation. A CE must maintain in written or electronic form the P&Ps that it has implemented to comply with the security standards. It must also document in written or electronic form any action, activity, or assessment that is required by the security regulations.