HIPAA Security Checklist

HIPAA SECURITY RULE REFERENCE / SAFEGUARD
(R) = Required, (A) = Addressable

Administrative Safeguards


164.308(a)(1)(i) / Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.


164.308(a)(1)(ii)(A) / Has a risk analysis been completed in accordance with NIST guidelines (NIST SP 800-66 is the NIST guidance specific to the HIPAA Security Rule)? (R)


164.308(a)(1)(ii)(B) / Has the risk management process been completed in accordance with NIST guidelines, reducing identified risks to a reasonable and appropriate level? (R)


164.308(a)(1)(ii)(C) / Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)


164.308(a)(1)(ii)(D) / Have you implemented procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports? (R)


164.308(a)(2) / Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.


164.308(a)(3)(i) / Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI).


164.308(a)(3)(ii)(A) / Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)


164.308(a)(3)(ii)(B) / Have you implemented procedures to determine that an employee's access to EPHI is appropriate (workforce clearance)? (A)


164.308(a)(3)(ii)(C) / Have you implemented procedures for terminating access to EPHI when an employee leaves your organization, or when the clearance determination required by paragraph (a)(3)(ii)(B) of this section changes? (A)
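The two items above that have teeth in practice are the information system activity review (164.308(a)(1)(ii)(D)) and access termination (164.308(a)(3)(ii)(C)): a review procedure only works if it actually cross-checks who touched EPHI against who is still authorized. The following is an added example, not part of this checklist and not prescribed by the Security Rule, of what a periodic log review can look like in code. The log line format, the roster fields, the business-hours window and the "export" action are all assumptions made up for the example; the sample roster and log lines are constructed.

```python
"""Added example: periodic EPHI access-log review cross-checked against the
workforce roster. Assumed (not from the checklist): a whitespace-separated
audit log of "timestamp user record action", a roster mapping usernames to
role and termination date, and a clinic business-hours window."""
from datetime import datetime, date, time

# Constructed sample roster: username -> role and termination date (None if active).
ROSTER = {
    "jdoe":   {"role": "nurse",   "terminated": None},
    "asmith": {"role": "billing", "terminated": date(2024, 3, 15)},
    "rlee":   {"role": "nurse",   "terminated": None},
}

# Constructed sample audit log: ISO timestamp, user, patient record id, action.
SAMPLE_LOG = """\
2024-03-18T09:12:03 jdoe PT-1001 view
2024-03-18T09:14:40 jdoe PT-1002 view
2024-03-18T23:47:10 rlee PT-2210 view
2024-03-19T10:02:55 asmith PT-1001 view
2024-03-19T10:05:12 ghost PT-3000 view
2024-03-19T10:10:00 jdoe PT-1003 export
"""

# Assumed clinic hours; access outside this window is flagged for review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "record": record, "action": action})
    return events


def review_access_log(text, roster, business_hours=BUSINESS_HOURS):
    """Return (finding_kind, event) pairs for a reviewer to work.

    Findings:
      unknown_account    - user not on the roster at all
      terminated_account - access on or after the user's termination date
      after_hours        - access outside the business-hours window
      bulk_export        - export action, worth a second look regardless of user
    """
    findings = []
    start, end = business_hours
    for ev in parse_log(text):
        entry = roster.get(ev["user"])
        if entry is None:
            findings.append(("unknown_account", ev))
            continue
        if entry["terminated"] is not None and ev["ts"].date() >= entry["terminated"]:
            findings.append(("terminated_account", ev))
        if not (start <= ev["ts"].time() <= end):
            findings.append(("after_hours", ev))
        if ev["action"] == "export":
            findings.append(("bulk_export", ev))
    return findings


def summarize(findings):
    """Count findings by kind, for the review record."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, ev in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{kind:18s} {ev['ts'].isoformat()} {ev['user']} "
              f"{ev['record']} {ev['action']}")
```

Run against the constructed sample, the review flags the after-hours view by rlee, the access by asmith four days after her termination date, the account "ghost" that is on no roster, and jdoe's export. The last two categories illustrate why the termination procedure and the review procedure are audited together: a terminated account that can still read records is exactly what the log review exists to surface, and the output of each review is itself a record that should be retained.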


164.308(a)(4)(i) / Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.


164.308(a)(4)(ii)(A) / If you are a health care clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect the clearinghouse's EPHI from unauthorized access by the larger organization? (R)


164.308(a)(4)(ii)(B) / Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)


164.308(a)(4)(ii)(C) / Have you implemented policies and procedures that, based upon your access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)


164.308(a)(5)(i) / Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).
