Sample Security Policies

Comprehensive policy covering most requirements for large health systems

Policies Covering Specific Sections:

Legend: (R) = Required, (A) = Addressable

Each table below lists the HIPAA Security Rule section, the standard or implementation specification, whether it is required (R) or addressable (A), and the sample policies and sources that cover it (blank where no sample policy is listed).
Security Standards: General Rules

| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.306(a) | General Requirements | R | |
| 164.306(a)(1) | Ensure confidentiality, integrity and availability of ePHI created, received, maintained or transmitted | R | |
| 164.306(a)(2) | Protect against any reasonably anticipated threats or hazards to the security or integrity of such information | R | |
| 164.306(a)(3) | Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required | R | |
| 164.306(a)(4) | Ensure compliance by workforce | R | |
| 164.306(b) | Flexibility of Approach | R | |
| 164.306(c)(1) | Standards | R | |
| 164.306(d) | Implementation Specifications | R | |
| 164.306(d)(1) | Required or Addressable | R | |
| 164.306(d)(2)(i) | Assess Applicability for Addressable | R | |
| 164.306(d)(2)(ii)(A) | Implement if reasonable and appropriate | R | |
| 164.306(d)(2)(ii)(B) | If not reasonable and appropriate: | R | |
| 164.306(d)(2)(ii)(B)(1) | Document why not and rationale | R | |
| 164.306(d)(2)(ii)(B)(2) | Implement an equivalent alternative | R | |
| 164.306(e) | Maintenance: continuous review and modification | R | |
Administrative Safeguards

| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | | University of Alabama |
| 164.308(a)(1)(ii)(A) | Risk Analysis | R | University of Alabama |
| 164.308(a)(1)(ii)(B) | Risk Management | R | University of Alabama |
| 164.308(a)(1)(ii)(C) | Sanction Policy | R | University of Alabama |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | R | Baystate Health System |
| 164.308(a)(2) | Assigned Security Responsibility | R | Baystate Health System; University of Alabama |
| 164.308(a)(3)(i) | Workforce Security | R | University of Alabama |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | A | University of Alabama |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | A | University of Alabama |
| 164.308(a)(3)(ii)(C) | Termination Procedures | A | University of Alabama |
| 164.308(a)(4)(i) | Information Access Management | R | University of Alabama |
| 164.308(a)(4)(ii)(A) | Isolating Health Care Clearinghouse Function | R | |
| 164.308(a)(4)(ii)(B) | Access Authorization | A | University of Alabama |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | A | University of Alabama |
| 164.308(a)(5)(i) | Security Awareness and Training | R | University of Alabama; University of Alabama |
| 164.308(a)(5)(ii)(A) | Security Reminders | A | University of Alabama |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software | A | University of Alabama |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring | A | University of Alabama |
| 164.308(a)(5)(ii)(D) | Password Management | A | Baystate Health System; University of Alabama |
| 164.308(a)(6)(i) | Security Incident Procedures | R | University of Alabama |
| 164.308(a)(6)(ii) | Response and Reporting | R | University of Alabama |
| 164.308(a)(7)(i) | Contingency Plan | R | University of Alabama |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | R | University of Alabama |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan | R | University of Alabama |
| 164.308(a)(5)(ii)(C) | Emergency Mode Operation Plan | R | University of Alabama |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedure | A | University of Alabama |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | A | University of Alabama |
| 164.308(a)(8) | Evaluation | R | University of Alabama (technical review only) |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | R | NCHICA; University of Alabama |
| 164.308(b)(4) | Written Contract or Other Arrangement | R | |
Physical Safeguards

| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.310(a)(1) | Facility Access Controls | R | University of Alabama |
| 164.310(a)(2)(i) | Contingency Operations | A | University of Alabama |
| 164.310(a)(2)(ii) | Facility Security Plan | A | University of Alabama |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures | A | University of Alabama |
| 164.310(a)(2)(iv) | Maintenance Records | A | University of Alabama |
| 164.310(b) | Workstation Use | R | University of Alabama |
| 164.310(c) | Workstation Security | R | Baystate Health System; University of Alabama |
| 164.310(d)(1) | Device and Media Controls | R | University of Alabama |
| 164.310(d)(2)(i) | Disposal | R | University of Alabama |
| 164.310(d)(2)(ii) | Media Re-Use | R | University of Alabama |
| 164.310(d)(2)(iii) | Accountability | A | University of Alabama |
| 164.310(d)(2)(iv) | Data Backup and Storage | A | University of Alabama |
Technical Safeguards

| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.312(a)(1) | Access Control | R | University of Alabama |
| 164.312(a)(2)(i) | Unique User Identification | R | Baystate Health System; University of Alabama |
| 164.312(a)(2)(ii) | Emergency Access Procedure | R | University of Alabama |
| 164.312(a)(2)(iii) | Automatic Logoff | A | University of Alabama |
| 164.312(a)(2)(iv) | Encryption and Decryption | A | University of Alabama |
| 164.312(b) | Audit Controls | R | University of Alabama |
| 164.312(c)(1) | Integrity | R | University of Alabama |
| 164.312(c)(2) | Mechanism to Authenticate Electronic PHI | A | |
| 164.312(d) | Person or Entity Authentication | R | University of Alabama |
| 164.312(e)(1) | Transmission Security | R | University of Alabama |
| 164.312(e)(2)(i) | Integrity Controls | A | University of Alabama |
| 164.312(e)(2)(ii) | Encryption | A | University of Alabama |
Organizational Requirements

| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.314(a)(1) | Business Associate Contracts or Other Arrangements | R | |
| 164.314(a)(2)(i) | Business Associate Contracts | R | |
| 164.314(a)(2)(ii) | Other Arrangements | R | |
| 164.314(b)(1) | Requirements for Group Health Plans | R | |
| 164.314(b)(2) | Amend Group Health Plan Documents | R | |
| 164.314(b)(2)(i) | Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan | R | |
| 164.314(b)(2)(ii) | Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures | R | |
| 164.314(b)(2)(iii) | Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information | R | |
| 164.314(b)(2)(iv) | Report to the group health plan any security incident of which it becomes aware | R | |
Policies & Procedures and Documentation Requirements
| Section | Standard / Implementation Specification | R/A | Sample Policies and Sources |
|---|---|---|---|
| 164.316(a) | Policies and Procedures | R | |
| 164.316(b)(1) | Documentation | | |
| 164.316(b)(1)(i) | Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form | R | |
| 164.316(b)(1)(ii) | If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment | R | |
| 164.316(b)(2)(i) | Time Limit | R | |
| 164.316(b)(2)(ii) | Availability | R | |
| 164.316(b)(2)(iii) | Updates | R | |