| HIPAA Standards | HIPAA Implementation Specifications | ISO 27002 Security Clauses & Categories | Controls | REMARKS/IMPLEMENTATION |
|---|---|---|---|---|
| Security Management Process | 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) | 5.1 INFORMATION SECURITY POLICY | | |
| Assigned Security Responsibility | 164.308(a)(2) | 6.1.3 Allocation of information security responsibilities | | |
| Workforce Security | 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A) | 8 HUMAN RESOURCES SECURITY | | |
| Information Access Management | 164.308(a)(4): Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) | 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL; 11.2 USER ACCESS MANAGEMENT | | |
| Security Awareness and Training | 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) | 8.2.2 Information security awareness, education, and training; 11.3.1 Password use | | |
| Security Incident Procedures | 164.308(a)(6): Response and Reporting (R) | 13 INFORMATION SECURITY INCIDENT MANAGEMENT | | |
| Contingency Plan | 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) | 14 BUSINESS CONTINUITY MANAGEMENT | | |
| Evaluation | 164.308(a)(8) | 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE | | |
| Business Associate Contracts and Other Arrangement | 164.308(b)(1): Written Contract or Other Arrangement (R) | N/A | | |
| Facility Access Controls | 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) | 9.1 SECURE AREAS | | |
| Workstation Use | 164.310(b) | 7.1.3 Acceptable use of assets | | |
| Workstation Security | 164.310(c) | 9.2 EQUIPMENT SECURITY | | |
| Device and Media Controls | 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) | 7.1 RESPONSIBILITY FOR ASSETS; 9.2.6 Secure disposal or re-use of equipment; 9.2.7 Removal of property; 10.5 BACK-UP; 10.7 MEDIA HANDLING | | |
| Access Control | 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) | 11.5 OPERATING SYSTEM ACCESS CONTROL | | |
| Audit Controls | 164.312(b) | 15.3.1 Information systems audit controls | | |
| Integrity | 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A) | 12.2 CORRECT PROCESSING IN APPLICATIONS | | |
| Person or Entity Authentication | 164.312(d) | 11.4.2 User authentication for external connections; 11.5.2 User identification and authentication | | |
| Transmission Security | 164.312(e)(1): Integrity Controls (A); Encryption (A) | 12.3 CRYPTOGRAPHIC CONTROLS | | |
| Privacy Rule obligations for business associates | Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA; limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; providing an accounting of disclosures; providing access to PHI kept in a designated record set for covered entities or individuals; providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations; entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates | 15.1.4 Data protection and privacy of personal information; 13.2.3 Collection of evidence; 6.2.3 Addressing security in third party agreements | | |
| Enforcement Rule obligations for business associates | Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA | 15.1.1 Identification of applicable legislation | | |
| Breach Notification Rule obligations for business associates | Providing a breach notification to its covered entity upon discovering a privacy or security breach, as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred | 13.1.1 Reporting information security events | | |
| TOTAL | | | 70 | 361.35 |

(R) marks a required implementation specification and (A) an addressable one, as in the HIPAA Security Rule.