45 CFR § 164.308 - Administrative safeguards.

(a) A covered entity or business associate must, in accordance with § 164.306:

(1)

(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

(3)

(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

(4)

(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

(ii) Implementation specifications:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

(5)

(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

(6)

(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

(7)

(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

(b)

(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]