HIPAA Rules

The following rules can be used to create HIPAA Policies & Procedures for your organization.

https://www.law.cornell.edu/cfr/text/45/part-164


  1. HIPAA 164.308(a)(4)(i) Administrative Safeguards - Information Access Management

    Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

  2. HIPAA 164.308(a)(5)(ii)(D) Administrative Safeguards - Password Management

    Procedures for creating, changing, and safeguarding passwords.

  3. HIPAA 164.310(a)(1) Physical Safeguards - Facility Access Controls

    Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

  4. HIPAA 164.310(b) Physical Safeguards - Workstation Use

    Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

  5. HIPAA 164.310(d)(1) Physical Safeguards - Device and Media Controls

    Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

  6. HIPAA 164.308(a)(3)(ii)(A) Administrative Safeguards - Authorization and/or Supervision

    Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

  7. HIPAA 164.310(c) Physical Safeguards - Workstation Security

    Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

  8. HIPAA 164.312(c)(1) Technical Safeguards - Integrity

    Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

  9. HIPAA 164.308(a)(2) Administrative Safeguards - Assigned Security Responsibility

    Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

  10. HIPAA 164.312(a)(2)(iii) Technical Safeguards - Automatic Logoff

    Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

  11. HIPAA 164.308(a)(1)(ii)(C) Administrative Safeguards - Sanction Policy

    Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

  12. HIPAA 164.308(a)(1)(i) Administrative Safeguards - Security Management Process

    Implement policies and procedures to prevent, detect, contain, and correct security violations.

  13. HIPAA 164.316(b)(2)(iii) Policies and Procedures and Documentation Requirements - Updates

    Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

  14. HIPAA 164.316(b)(2)(ii) Policies and Procedures and Documentation Requirements - Availability

    Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

  15. HIPAA 164.308(a)(3)(i) Administrative Safeguards - Workforce Security

    Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

  16. HIPAA 164.310(a)(2)(iii) Physical Safeguards - Access Control and Validation Procedures

    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

  17. HIPAA 164.308(a)(4)(ii)(C) Administrative Safeguards - Access Establishment and Modification

    Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

  18. HIPAA 164.308(a)(3)(ii)(B) Administrative Safeguards - Workforce Clearance Procedure

    Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

  19. HIPAA 164.312(a)(1) Technical Safeguards - Access Control

    Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

  20. HIPAA 164.312(b) Technical Safeguards - Audit Controls

    Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  21. HIPAA 164.312(e)(2)(i) Technical Safeguards - Integrity Controls

    Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

  22. HIPAA 164.308(a)(5)(ii)(C) Administrative Safeguards - Log-in Monitoring

    Procedures for monitoring log-in attempts and reporting discrepancies.

  23. HIPAA 164.308(a)(3)(ii)(A) Administrative Safeguards - Authorization and/or Supervision

    Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

  24. HIPAA 164.308(a)(4)(ii)(B) Administrative Safeguards - Access Authorization

    Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

  25. HIPAA 164.312(a)(2)(ii) Technical Safeguards - Emergency Access Procedure

    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

  26. HIPAA 164.312(a)(2)(i) Technical Safeguards - Unique User Identification

    Assign a unique name and/or number for identifying and tracking user identity.

  27. HIPAA 164.312(d) Technical Safeguards - Person or Entity Authentication

    Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  28. HIPAA 164.308(a)(7)(ii)(A) Administrative Safeguards - Data Backup Plan

    Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

  29. HIPAA 164.310(d)(2)(iv) Physical Safeguards - Data Backup and Storage

    Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

  30. HIPAA 164.308(a)(7)(ii)(E) Administrative Safeguards - Applications and Data Criticality Analysis

    Assess the relative criticality of specific applications and data in support of other contingency plan components.

  31. HIPAA 164.312(a)(2)(iv) Technical Safeguards - Encryption and Decryption

    Implement a mechanism to encrypt and decrypt electronic protected health information.

  32. HIPAA 164.312(e)(2)(ii) Technical Safeguards - Encryption

    Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

  33. HIPAA 164.310(d)(2)(i) Physical Safeguards - Disposal

    Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

  34. HIPAA 164.308(a)(5)(ii)(B) Administrative Safeguards - Protection from Malicious Software

    Procedures for guarding against, detecting, and reporting malicious software.

  35. HIPAA 164.308(a)(1)(ii)(B) Administrative Safeguards - Risk Management

    Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

  36. HIPAA 164.310(d)(2)(ii) Media Protection - Media Re-use

    Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

  37. HIPAA 164.310(d)(2)(iii) Media Protection - Accountability

    Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

  38. HIPAA 164.308(a)(6)(i) Administrative Safeguards - Security Incident Procedures

    Implement policies and procedures to address security incidents.

  39. HIPAA 164.308(a)(1)(ii)(D) Administrative Safeguards - Information System Activity Review

    Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

  40. HIPAA 164.308(a)(6)(ii) Administrative Safeguards - Response and Reporting

    Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

  41. HIPAA 164.308(a)(5)(ii)(A) Administrative Safeguards - Security Reminders

    Periodic security updates.

  42. HIPAA 164.314(a)(2)(i) Organizational Requirements - Business Associate Contracts

    The contract must provide that the business associate will:

      • Comply with the applicable requirements of this subpart;
      • In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
      • Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410.

  43. HIPAA 164.308(a)(8) Administrative Safeguards - Evaluation

    Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

  44. HIPAA 164.316(b)(2)(i) Policies and Procedures and Documentation Requirements - Time Limit

    Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

  45. HIPAA 164.308(a)(5)(i) Administrative Safeguards - Security Awareness and Training

    Implement a security awareness and training program for all members of its workforce (including management).

  46. HIPAA 164.308(a)(7)(ii)(D) Administrative Safeguards - Testing and Revision Procedures

    Implement procedures for periodic testing and revision of contingency plans.

  47. HIPAA 164.308(a)(1)(ii)(A) Administrative Safeguards - Risk Analysis

    Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

  48. HIPAA 164.308(b)(1) Administrative Safeguards - Business Associate Contracts and Other Arrangements

    A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

  49. HIPAA 164.308(b)(3) Administrative Safeguards - Written Contract or Other Arrangement

    Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).

  50. HIPAA 164.308(b)(2) Administrative Safeguards

    A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.

  51. HIPAA 164.314(a)(2)(i)(B) Organizational Requirements

    In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section.

  52. HIPAA 164.314(a)(2)(i)(C) Organizational Requirements

    Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410.

  53. HIPAA 164.314(a)(2)(iii) Organizational Requirements - Business Associate Contracts with Subcontractors

    The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by §164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

  54. HIPAA 164.314(a)(1) Organizational Requirements - Business Associate Contracts or Other Arrangements

    The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.