HIPAA Security Resources
- Security Policies and Procedures Memo (January 24, 2005)
- Definitions & Acronyms
- Recommended Security Practices
SECURITY POLICY TEMPLATES
Administrative Standards
- Risk Analysis (R) & Risk Management (R)
- Sanctions (R)
- Information System Activity Review (R)
- Workforce Authorization & Supervision and Clearance Procedures (A)
- Workforce Termination Procedures (A)
- Isolating Health Care Clearinghouse Function (R)
- Access Authorization, Establishment & Modification (A)
- Security Reminders (A)
- Guarding Against, Detecting, and Reporting Malicious Software (A)
- Log-In Monitoring (A)
- Password Management (A)
- Security Incident Response & Reporting (R)
- Data Backup Plan (R)
- Disaster Recovery Plan & Emergency Mode Operation Plan (R)
- Testing and Revision (A)
- Applications & Data Criticality Analysis (A)
- Evaluation of Policies & Procedures (R)
- Written Contracts & Other Agreements (R)
Additional Sample Policies Not Required by the Security Rule
Physical Standards
- Facility Access Controls:
  - Facility Security Plan (A)
  - Access Control/Validation Procedures (A)
  - Maintenance Records (A)
  - Contingency Operations (A)
- Workstation Use & Workstation Security (R)
- Device & Media Controls:
  - Disposal (R)
  - Media Re-Use (R)
  - Accountability (A)
  - Data Back-Up & Storage (A)
Technical Safeguards
- Access Control:
  - Unique User Identification (R)
  - Emergency Access Procedures (R)
  - Automatic Logoff (A)
  - Encryption & Decryption (A)
- Audit Control (R)
- Integrity:
  - Mechanism to Authenticate EPHI (A)
- Person or Entity Authentication (R)
- Transmission Security:
  - Integrity Controls (A)
  - Encryption (A)
(R) = Required Policy
(A) = Addressable Policy
- Security Memo to Boards (April 30, 2004)
- HIPAA Security Requirements: Security Matrix
Attachment A - Risk Management Guide for IT Systems
Attachment B - CMS Information Security Risk Assessment (RA) Methodology
Attachment C - Security Self-Evaluation Checklist
Attachment D - Server Table
Attachment E - Hardware Environment
Attachment F - Applications Developed/Maintained on the Entity’s Systems
Attachment G - 900-Information Technology (IT) – Division of Information Systems
Attachment H - Users/Groups Table
Attachment I - Links to Free Security Software
Attachment J
