HIPAA Checklist
Use this checklist to assess your HIPAA audit readiness and implementation status.
1 cyberarrow.io
documentation of such security measures in accordance with § 164.316(b)(2)(iii).

164.308(a)(1)(i) Security Management Process
Requirement: Implement policies and procedures to prevent, detect, contain and correct security violations.
Status: Not Implemented

164.308(a)(3)(ii)(C) Termination Procedures
Requirement: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determination made as specified in paragraph (a)(3)(ii)(B) of this section.
Status: Not Implemented

164.308(a)(4)(i) Information Access Management
Requirement: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Status: Not Implemented

164.308(a)(4)(ii)(A) Isolation Health Clearinghouse Functions
Requirement: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Status: Not Implemented

164.308(a)(4)(ii)(B) Access Authorization
Requirement: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process or other mechanism.
Status: Not Implemented

164.308(a)(4)(ii)(C) Access Establishment and Modification
Requirement: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Status: Not Implemented

164.308(a)(5)(i) Security Awareness Training
Requirement: Implement a security awareness and training program for all members of its workforce (including management).
Status: Not Implemented

164.308(a)(5)(ii)(A) Security Reminders
Requirement: Conduct periodic security updates.
Status: Not Implemented

164.308(a)(6)(i) Security Incident Procedures
Requirement: Implement policies and procedures to address security incidents.
Status: Not Implemented

security policies and procedures meet the requirements of this subpart.

164.308(b)(1) Business Associate Contracts and Other Arrangements
Requirement: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
Status: Not Implemented

164.308(b)(2) Subcontractors
Requirement: A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
Status: Not Implemented

164.308(b)(3) Written Contract or Other Arrangement
Requirement: Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
Status: Not Implemented

164.310(a)(1) Facility Access Controls
Requirement: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Status: Not Implemented

164.310(a)(2)(i) Contingency Operations
Requirement: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Status: Not Implemented

164.310(a)(2)(ii) Facility Security Plan
Requirement: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Status: Not Implemented

164.310(a)(2)(iii) Access Control and Validation Procedures
Requirement: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Status: Not Implemented

164.310(a)(2)(iv) Maintenance Records
Requirement: Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).
Status: Not Implemented

164.310(b)(1) Workstation Use
Requirement: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Status: Not Implemented

164.310(c)(1) Workstation Security
Requirement: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Status: Not Implemented

164.310(d)(1) Device and Media Controls
Requirement: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Status: Not Implemented

164.310(d)(2)(i) Disposal
Requirement: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Status: Not Implemented

164.310(d)(2)(ii) Media Re-use
Requirement: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Status: Not Implemented

164.310(d)(2)(iii) Accountability
Requirement: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Status: Not Implemented

164.310(d)(2)(iv) Data Backup and Storage
Requirement: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Status: Not Implemented

information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

164.312(a)(2)(i) Unique User Identification
Requirement: Assign a unique name and/or number for identifying and tracking user identity.
Status: Not Implemented

164.312(e)(2)(i) Integrity Controls
Requirement: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Status: Not Implemented

164.312(e)(2)(ii) Encryption
Requirement: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Status: Not Implemented

164.314(a)(1) Business Associate Contracts
Requirement: The contract or other arrangement (Business Associate Contracts or Other Arrangements) required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
Status: Not Implemented

164.314(a)(2)(i)(A) Business Associate Contracts Safeguards (R) - Comply
Requirement: The contract between a covered entity and a business associate must provide that the business associate will comply with the applicable requirements of this subpart.
Status: Not Implemented

covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section
Status: Not Implemented

164.314(b)(2)(iii) Group Health Plans – Associates Safeguards
Requirement: The Group Health Plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iii) Ensure that any agent, including a subcontractor, to whom it provides this information, agrees to implement reasonable and appropriate security measures to protect the information.
Status: Not Implemented

164.314(b)(2)(iv) Group Health Plans – Incident Reporting
Requirement: The Group Health Plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iv) Report to the group health plan any security incident of which it becomes aware.
Status: Not Implemented

164.316(a)(1) Policies and Procedures – Reasonable and Appropriate
Requirement: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Status: Not Implemented

164.316(b)(1) Documentation of Procedures and Actions
Requirement: Ensure that the below documentation is maintained: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Status: Not Implemented

164.316(b)(2)(i) Documentation – Time Limit
Requirement: Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.
Status: Not Implemented

164.316(b)(2)(ii) Documentation – Availability
Requirement: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
Status: Not Implemented

164.316(b)(2)(iii) Documentation – Updates
Requirement: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
Status: Not Implemented