A1 – §164.308(a)(1)(i) Standard Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?

A2 – §164.308(a)(1)(i) Standard Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?

A3 – §164.308(a)(1)(ii)(A) Required Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?

A4 – §164.308(a)(1)(ii)(A) Required Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?

A5 – §164.308(a)(1)(ii)(B) Required Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?

A6 – §164.308(a)(1)(ii)(B) Required Does your practice assure that its risk management program protects against the impermissible use and disclosure of ePHI?

A7 – §164.308(a)(1)(ii)(B) Required Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?

A8 – §164.308(a)(1)(ii)(B) Required Does your practice formally document a security plan?

A9 – §164.308(a)(1)(ii)(C) Required Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization’s ePHI if they are found to have violated the office’s policies to prevent system misuse, abuse, and any harmful activities that involve your practice’s ePHI?

A10 – §164.308(a)(1)(ii)(C) Required Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?

A11 – §164.308(a)(1)(ii)(D) Required Does your practice have policies and procedures for the review of information system activity?

A12 – §164.308(a)(1)(ii)(D) Required Does your practice regularly review information system activity?

A13 – §164.308(a)(2) Required Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?

A14 – §164.308(a)(2) Required Is your practice’s security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?

A15 – §164.308(a)(2) Required Does your practice have a job description for its security point of contact that includes that person’s duties, authority, and accountability?

A16 – §164.308(a)(2) Required Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?

A17 – §164.308(a)(3)(i) Required Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice’s facilities, information systems, electronic devices, and ePHI?

A18 – §164.308(a)(3)(i) Required Does your practice know all business associates and the access that each requires for your practice’s facilities, information systems, electronic devices, and ePHI?

A19 – §164.308(a)(3)(i) Required Does your practice clearly define roles and responsibilities along logical lines and assure that no one person has too much authority for determining who can access your practice’s facilities, information systems, and ePHI?

A20 – §164.308(a)(3)(i) Required Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?

A21 – §164.308(a)(3)(i) Required Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?

A22 – §164.308(a)(3)(ii)(A) Addressable Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?

A23 – §164.308(a)(3)(ii)(A) Addressable Does your practice have policies and procedures for access authorization that support segregation of duties?

A24 – §164.308(a)(3)(ii)(A) Addressable Does your practice implement procedures for authorizing users and changing authorization permissions?

A25 – §164.308(a)(3)(ii)(A) Addressable Do your practice’s policies and procedures for access authorization address the needs of those who are not members of its workforce?

A26 – §164.308(a)(3)(ii)(B) Addressable Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?

A27 – §164.308(a)(3)(ii)(B) Addressable Do your practice’s policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?

A28 – §164.308(a)(3)(ii)(C) Addressable Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?

A29 – §164.308(a)(3)(ii)(C) Addressable Does your practice have formal policies and procedures to support when a workforce member’s employment is terminated and/or a relationship with a business associate is terminated?

A30 – §164.308(a)(4)(i) Standard Do your practice’s policies and procedures describe the methods it uses to limit access to its ePHI?

A31 – §164.308(a)(4)(ii)(B) Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)?

A32 – §164.308(a)(4)(ii)(C) Addressable Do the roles and responsibilities assigned to your practice’s workforce members support and enforce segregation of duties?

A33 – §164.308(a)(4)(ii)(C) Addressable Do your practice’s policies and procedures explain how your practice assigns user authorizations (privileges), including the types of access that are permitted?

A34 – §164.308(a)(5)(i) Standard Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?

A35 – §164.308(a)(5)(i) Standard Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?

A36 – §164.308(a)(5)(i) Standard Does your practice provide ongoing basic security awareness to all workforce members, including physicians?

A37 – §164.308(a)(5)(i) Standard Does your practice provide role-based training to all new workforce members?

A38 – §164.308(a)(5)(i) Standard Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?

A39 – §164.308(a)(5)(ii)(A) Addressable As part of your practice’s ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues?

A40 – §164.308(a)(5)(ii)(B) Addressable Does your practice’s awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?

A41 – §164.308(a)(5)(ii)(B) Addressable Does your practice’s awareness and training content include information about how malware can get into your systems?

A42 – §164.308(a)(5)(ii)(C) Addressable Does your practice include log-in monitoring as part of its awareness and training programs?

A43 – §164.308(a)(5)(ii)(D) Addressable Does your practice include password management as part of its awareness and training programs?

A44 – §164.308(a)(6)(i) Standard Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents?

A45 – §164.308(a)(6)(ii) Required Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?

A46 – §164.308(a)(6)(ii) Required Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?

A47 – §164.308(a)(6)(ii) Required Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?

A48 – §164.308(a)(6)(ii) Required Does your practice implement the information system’s security protection tools to protect against malware?

A49 – §164.308(a)(7)(i) Standard Does your practice know what critical services and ePHI it must have available to support decision making about a patient’s treatment during an emergency?

A50 – §164.308(a)(7)(i) Standard Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?

A51 – §164.308(a)(7)(i) Standard Does your practice regularly review/update its contingency plan as appropriate?

A52 – §164.308(a)(7)(ii)(A) Required Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?

A53 – §164.308(a)(7)(ii)(B) Required Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?

A54 – §164.308(a)(7)(ii)(C) Required Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation?

A55 – §164.308(a)(7)(ii)(D) Addressable Does your practice have policies and procedures for testing its contingency plans on a periodic basis?

A56 – §164.308(a)(7)(ii)(E) Addressable Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans?

A57 – §164.308(a)(8) Standard Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice’s ePHI?

A58 – §164.308(a)(8) Standard Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?

A59 – §164.308(a)(8) Standard Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?

A60 – §164.308(b)(1) Standard Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?

A61 – §164.308(b)(1) Standard Does your practice maintain a list of all of its service providers, indicating which have access to your practice’s facilities, information systems and ePHI?

A62 – §164.308(b)(1) Standard Does your practice have policies and implement procedures to assure it obtains business associate agreements?

A63 – §164.308(b)(2) Required If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?

A64 – §164.308(b)(3) Required Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?

O1 – §164.314(a)(1)(i) Standard Does your practice assure that its business associate agreements include satisfactory assurances for safeguarding ePHI?

O2 – §164.314(a)(2)(i) Required Do the terms and conditions of your practice’s business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice?

O3 – §164.314(a)(2)(iii) Required If your practice is the business associate of a covered entity do the terms and conditions of your practice’s business associate agreements state that your subcontractor (business associate) will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the covered entity?

PO1 – §164.316(a) Standard Do your practice’s processes enable the development and maintenance of policies and procedures that implement risk analysis, informed risk-based decision making for security risk mitigation, and effective mitigation and monitoring that protects the privacy, confidentiality, integrity, and availability of ePHI?

PO2 – §164.316(b)(1)(i) Standard Does your practice assure that its policies and procedures are maintained in a manner consistent with other business records?

PO3 – §164.316(b)(1)(ii) Standard Does your practice assure that its other security program documentation is maintained in written manuals or in electronic form?

PO4 – §164.316(b)(2)(i) Required Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?

PO5 – §164.316(b)(2)(ii) Required Does your practice assure that its policies, procedures and other security program documentation are available to those who need it to perform the responsibilities associated with their role?

PO6 – §164.316(b)(2)(iii) Required Does your practice assure that it periodically reviews and updates (when needed) its policies, procedures, and other security program documentation?