T1 – §164.312(a)(1) Standard Does your practice have policies and procedures requiring safeguards to limit access to ePHI to those persons and software programs appropriate for their role?

T2 – §164.312(a)(1) Standard Does your practice have policies and procedures to grant access to ePHI based on the person or software programs appropriate for their role?

T3 – §164.312(a)(1) Standard Does your practice analyze the activities performed by all of its workforce and service providers to identify the extent to which each needs access to ePHI?

T4 – §164.312(a)(1) Standard Does your practice identify the security settings for each of its information systems and electronic devices that control access?

T5 – §164.312(a)(2)(i) Required Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user?

T6 – §164.312(a)(2)(i) Required Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?

T7 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures to enable access to ePHI in the event of an emergency?

T8 – §164.312(a)(2)(ii) Required Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?

T9 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?

T10 – §164.312(a)(2)(ii) Required Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage, such as a cloud environment?

T11 – §164.312(a)(2)(ii) Required Does your practice have backup information systems so that it can access ePHI in the event of an emergency or when your practice’s primary systems become unavailable?

T12 – §164.312(a)(2)(ii) Required Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?

T13 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures to identify the role of the individual accountable for activating emergency access settings when necessary?

T14 – §164.312(a)(2)(ii) Required Does your practice designate a workforce member who can activate the emergency access settings for your information systems?

T15 – §164.312(a)(2)(ii) Required Does your practice test access when evaluating its ability to continue accessing ePHI and other health records during an emergency?

T16 – §164.312(a)(2)(ii) Required Does your practice effectively recover from an emergency and resume normal operations and access to ePHI?

T17 – §164.312(a)(2)(ii) Addressable Does your practice have policies and procedures that require an authorized user’s session to be automatically logged off after a predetermined period of inactivity?

T18 – §164.312(a)(2)(ii) Addressable Does a responsible person in your practice know the automatic logoff settings for its information systems and electronic devices?

T19 – §164.312(a)(2)(ii) Addressable Does your practice activate an automatic logoff that terminates an electronic session after a predetermined period of user inactivity?

T20 – §164.312(a)(2)(iv) Addressable Does your practice have policies and procedures for implementing mechanisms that can encrypt and decrypt ePHI?

T21 – §164.312(a)(2)(iv) Addressable Does your practice know the encryption capabilities of its information systems and electronic devices?

T22 – §164.312(a)(2)(iv) Addressable Does your practice control access to ePHI and other health information by using encryption/decryption methods to deny access to unauthorized users?

T23 – §164.312(b) Standard Does your practice have policies and procedures identifying hardware, software, or procedural mechanisms that record or examine information systems activities?

T24 – §164.312(b) Standard Does your practice identify its activities that create, store, and transmit ePHI and the information systems that support these business processes?

T25 – §164.312(b) Standard Does your practice categorize its activities and information systems that create, transmit or store ePHI as high, moderate or low risk based on its risk analyses?

T26 – §164.312(b) Standard Does your practice use the evaluation from its risk analysis to help determine the frequency and scope of its audits, when identifying the activities that will be tracked?

T27 – §164.312(b) Standard Does your practice have audit control mechanisms that can monitor, record and/or examine information system activity?

T28 – §164.312(b) Standard Does your practice have policies and procedures for creating, retaining, and distributing audit reports to appropriate workforce members for review?

T29 – §164.312(b) Standard Does your practice generate the audit reports and distribute them to the appropriate people for review?

T30 – §164.312(b) Standard Does your practice have policies and procedures establishing retention requirements for audit purposes?

T31 – §164.312(b) Standard Does your practice retain copies of its audit/access records?

T32 – §164.312(c)(1) Standard Does your practice have policies and procedures for protecting ePHI from unauthorized modification or destruction?

T33 – §164.312(c)(2) Addressable Does your practice have mechanisms to corroborate that ePHI has not been altered, modified or destroyed in an unauthorized manner?

T34 – §164.312(d) Required Does your practice have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed?

T35 – §164.312(d) Required Does your practice know the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed?

T36 – §164.312(d) Required Does your practice use the evaluation from its risk analysis to select the appropriate authentication mechanism?

T37 – §164.312(d) Required Does your practice protect the confidentiality of the documentation containing access control records (list of authorized users and passwords)?

T38 – §164.312(e)(1) Standard Does your practice have policies and procedures for guarding against unauthorized access of ePHI when it is transmitted on an electronic network?

T39 – §164.312(e)(1) Standard Does your practice implement safeguards to assure that ePHI is not accessed while en route to its intended recipient?

T40 – §164.312(e)(2)(i) Addressable Does your practice know what encryption capabilities are available to it for encrypting ePHI being transmitted from one point to another?

T41 – §164.312(e)(2)(i) Addressable Does your practice take steps to reduce the risk that ePHI can be intercepted or modified when it is being sent electronically?

T42 – §164.312(e)(2)(i) Addressable Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted from one point to another?

T44 – §164.312(e)(2)(ii) Addressable Does your practice have policies and procedures for encrypting ePHI when deemed reasonable and appropriate?

T45 – §164.312(e)(2)(ii) Addressable When analyzing risk, does your practice consider the value of encryption for assuring the integrity of ePHI is not accessed or modified when it is stored or transmitted?

The HIPAA Security Rule 164.308(a)(7)(i)

We can help! TechWorks Inc meets or beats the serious requirements under HIPAA Security Rule 164.308(a)(7)(i) as it relates to data backup and disaster recovery. This rule identifies Contingency Plan as a standard under Administrative Safeguards. Whether you are a medical group practice, clinic, outpatient facility or a long-term care facility, TechWorks Inc will help you stay compliant!

Data Backup Plan 164.308(a)(7)(ii)(A): “The objective of the data backup plan is to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information”.

– TechWorks Inc can provide you daily offsite backup.

Disaster Recovery Plan 164.308(a)(7)(ii)(B): “The objective of a disaster recovery plan is to establish (and implement as needed) procedures to restore any loss of data. A disaster recovery plan is the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.”

– A healthy service provides two recovery options: 1) Onsite directly from the server and 2) Recovery from the TechWorks Inc Datacenter.

Testing & Revision Procedures 164.308(a)(7)(ii)(D): “The objective of testing and revision procedures is to implement procedures for periodic testing and revision of contingency plans.”

– With TechWorks Inc, customers can choose to perform test restores as frequently as their procedures require.

Data Backup and Storage 164.310(d)(2)(iv): “The covered entity must create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Continual and consistent backup of data is required…”

– TechWorks Inc will provide AUTOMATED continual daily backups to help you cover this section.

Application & Data Criticality Analysis 164.308(a)(7)(ii)(E): “The objective of applications and data criticality analysis is to assess the relative criticality of specific applications and data in support of other contingency plan components… This procedure begins with an application and data inventory.”

– TechWorks Inc will provide daily backup status reports, and backup job detail reports. For more information on Health Information Privacy, please visit the U.S. Department of Health and Human Services.