CHPC Study Group

  • 1.  This Week's List

    Posted 03-10-2023 10:31 AM

    Almost forgot this week...

    Keeping the Security Rule "Top of Mind" for 2023!  

    Standards                                            Sections       Implementation Specifications (R = Required, A = Addressable)

    Administrative Safeguards
    Security management process                          164.308(a)(1)  Risk Analysis (R)
                                                                        Risk Management (R)
                                                                        Sanction Policy (R)
                                                                        Information System Activity Review (R)
    Assigned Security Responsibility                     164.308(a)(2)  (R)
    Workforce Security                                   164.308(a)(3)  Authorization and/or Supervision (A)
                                                                        Workforce Clearance Procedure (A)
                                                                        Termination Procedures (A)
    Information Access Management                        164.308(a)(4)  Isolating Healthcare Clearing House Function (R)
                                                                        Access Authorization (A)
                                                                        Access Establishment and Modification (A)
    Security Awareness and Training                      164.308(a)(5)  Security Reminders (A)
                                                                        Protection from Malicious Software (A)
                                                                        Log-In Monitoring (A)
                                                                        Password Management (A)
    Security Incident Procedures                         164.308(a)(6)  Response and Reporting (R)
    Contingency Plan                                     164.308(a)(7)  Data Backup Plan (R)
                                                                        Disaster Recovery Plan (R)
                                                                        Emergency Mode Operation Plan (R)
                                                                        Testing and Revision Procedure (A)
                                                                        Application and Data Criticality Analysis (A)
    Evaluation                                           164.308(a)(8)  (R)
    Business Associate Contracts and Other Arrangements  164.308(b)(1)  Written Contract or Other Arrangement (R)

    Physical Safeguards
    Facility Access Controls                             164.310(a)(1)  Contingency Operations (A)
                                                                        Facility Security Plan (A)
                                                                        Access Control and Validation Procedures (A)
                                                                        Maintenance Records (A)
    Workstation Use                                      164.310(b)     (R)
    Workstation Security                                 164.310(c)     (R)
    Device and Media Controls                            164.310(d)(1)  Disposal (R)
                                                                        Media Re-Use (R)
                                                                        Accountability (A)
                                                                        Data Backup and Storage (A)

    Technical Safeguards
    Access Control                                       164.312(a)(1)  Unique User Identification (R)
                                                                        Emergency Access Procedure (R)
                                                                        Automatic Logoff (A)
                                                                        Encryption and Decryption (A)
    Audit Controls                                       164.312(b)     (R)
    Integrity                                            164.312(c)(1)  Mechanism to Authenticate Electronic Protected Health Information (A)
    Person or Entity Authentication                      164.312(d)     (R)
    Transmission Security                                164.312(e)(1)  Integrity Controls (A)
                                                                        Encryption (A)



    ------------------------------
    Scot "(Riptide)" Lovejoy
    Chief Pharmacy / Compliance Officer
    Agadia Systems, Inc.
    Parsippany, NJ
    ------------------------------