
HIPAA checklist

Use this checklist to assess your HIPAA audit readiness and implementation status.

Want to improve your score and compliance? Let CyberArrow do it for you. Schedule a live demo

Each entry below lists the control ID, control name, and implementation status on one line, separated by "|", followed by the control description.

Control ID | Control Name | Implementation Status


164.306(a)(1) | General Requirements - CIA | Not Implemented
Covered entities and business associates must do the following: Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

164.306(a)(2) | General Requirements - Protect Against Threats or Hazards | Not Implemented
Covered entities and business associates must do the following: Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

164.306(a)(3) | General Requirements - Protect Against Unauthorized Uses or Disclosures | Not Implemented
Covered entities and business associates must do the following: Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

164.306(a)(4) | General Requirements - Compliance with this Subpart | Not Implemented
Covered entities and business associates must do the following: Ensure compliance with this subpart by its workforce.

164.306(e) | Maintenance | Not Implemented
A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

1 cyberarrow.io

164.308(a)(1)(i) | Security Management Process | Not Implemented
Implement policies and procedures to prevent, detect, contain and correct security violations.

164.308(a)(1)(ii)(A) | Risk Analysis | Not Implemented
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

164.308(a)(1)(ii)(B) | Risk Management | Not Implemented
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

164.308(a)(1)(ii)(C) | Sanction Policy | Not Implemented
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

164.308(a)(1)(ii)(D) | Information System Activity Review | Not Implemented
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

164.308(a)(2) | Assigned Security Responsibility | Not Implemented
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

164.308(a)(3)(i) | Workforce Security | Not Implemented
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Not Implemented
Implement procedures for authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Not Implemented
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

164.308(a)(3)(ii)(C) | Termination Procedures | Not Implemented
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determination made as specified in paragraph (a)(3)(ii)(B) of this section.

164.308(a)(4)(i) | Information Access Management | Not Implemented
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) | Isolation of Health Care Clearinghouse Functions | Not Implemented
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

164.308(a)(4)(ii)(B) | Access Authorization | Not Implemented
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

164.308(a)(4)(ii)(C) | Access Establishment and Modification | Not Implemented
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

164.308(a)(5)(i) | Security Awareness Training | Not Implemented
Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) | Security Reminders | Not Implemented
Conduct periodic security updates.

164.308(a)(5)(ii)(B) | Protection from Malicious Software | Not Implemented
Ensure documentation and implementation of procedures for guarding against, detecting, and reporting malicious software.

164.308(a)(5)(ii)(C) | Log-in Monitoring | Not Implemented
Ensure documentation and implementation of procedures for monitoring log-in attempts and reporting discrepancies.
164.308(a)(5)(ii)(D) | Password Management | Not Implemented
Ensure documentation and implementation of procedures for creating, changing, and safeguarding passwords.
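
The log-in monitoring entry above, like the information system activity review entry under 164.308(a)(1)(ii)(D), asks for a procedure that examines log-in records and reports discrepancies without saying what such a procedure looks like. The Python script below is an added illustration and is not part of the CyberArrow checklist or of any CyberArrow product. It parses a constructed, hypothetical authentication log (the "timestamp result user source" line format, the user names and addresses, the five-failures-in-ten-minutes threshold and the 22:00 to 06:00 off-hours window are all assumptions chosen for the example) and reports three kinds of discrepancy: a burst of failed attempts against one account, a success that immediately follows such a burst, and a successful log-in outside working hours.

```python
"""Log-in monitoring over a constructed authentication log.

Added example for the HIPAA checklist; not CyberArrow code. The log format,
user names, addresses and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format: "<ISO timestamp> <OK|FAIL> <user> <source IP>".
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL jsmith 10.0.0.12
2024-03-01T08:00:04 FAIL jsmith 10.0.0.12
2024-03-01T08:00:07 FAIL jsmith 10.0.0.12
2024-03-01T08:00:09 FAIL jsmith 10.0.0.12
2024-03-01T08:00:12 FAIL jsmith 10.0.0.12
2024-03-01T08:00:15 OK jsmith 10.0.0.12
2024-03-01T08:05:00 OK nurse1 10.0.0.40
2024-03-01T09:10:00 FAIL nurse1 10.0.0.40
2024-03-01T09:30:00 OK nurse1 10.0.0.40
2024-03-01T23:45:00 OK drlee 203.0.113.7
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse(log_text):
    """Return (timestamp, result, user, source) tuples; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # a real procedure would count these: gaps in logs are a finding too
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_discrepancies(events, threshold=5, window=timedelta(minutes=10), off_hours=(22, 6)):
    """Flag three kinds of discrepancy, returned as (user, kind, detail) tuples.

    'burst'               : at least `threshold` failures within `window` for one user
    'success_after_burst' : the next successful log-in for that user after a burst
    'off_hours'           : a successful log-in at or after off_hours[0] or before off_hours[1]
    """
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events):          # chronological order, grouped per user
        by_user[ev[2]].append(ev)

    night_start, night_end = off_hours
    for user, evs in by_user.items():
        recent_failures = []           # failure timestamps still inside the sliding window
        burst_open = False
        for ts, result, _, src in evs:
            if result == "FAIL":
                recent_failures = [t for t in recent_failures if ts - t <= window] + [ts]
                if len(recent_failures) >= threshold and not burst_open:
                    burst_open = True
                    findings.append((user, "burst",
                                     f"{len(recent_failures)} failures within {window} from {src}"))
                continue
            # Successful log-in: report it if it closes a burst or lands in off hours.
            if burst_open:
                findings.append((user, "success_after_burst",
                                 f"success from {src} at {ts.isoformat()}"))
            if ts.hour >= night_start or ts.hour < night_end:
                findings.append((user, "off_hours",
                                 f"success at {ts.isoformat()} from {src}"))
            burst_open = False
            recent_failures = []
    return findings


def review(log_text=SAMPLE_LOG):
    """Run the procedure end to end and return the findings for reporting."""
    return find_discrepancies(parse(log_text))


if __name__ == "__main__":
    for user, kind, detail in review():
        print(f"{kind:20} {user:10} {detail}")
```

Findings are returned as tuples rather than only printed so the reporting step can be wired into a ticketing or SIEM workflow; the thresholds belong in the written procedure the control requires, and the reviewer's disposition of each finding is itself a record to retain under 164.316(b).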

164.308(a)(6)(i) | Security Incident Procedures | Not Implemented
Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) | Response and Reporting | Not Implemented
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity; and document security incidents and their outcomes.

164.308(a)(7)(i) | Contingency Plan | Not Implemented
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

164.308(a)(7)(ii)(A) | Data Backup Plan | Not Implemented
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Not Implemented
Establish (and implement as needed) procedures to restore any loss of data.

164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Not Implemented
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Not Implemented
Implement procedures for periodic testing and revision of contingency plans.

164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Not Implemented
Assess the relative criticality of specific applications and data in support of other contingency plan components.

164.308(a)(8) | Evaluation | Not Implemented
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
164.308(b)(1) | Business Associate Contracts and Other Arrangements | Not Implemented
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

164.308(b)(2) | Subcontractors | Not Implemented
A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

164.308(b)(3) | Written Contract or Other Arrangement | Not Implemented
Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

164.310(a)(1) | Facility Access Controls | Not Implemented
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i) | Contingency Operations | Not Implemented
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

164.310(a)(2)(ii) | Facility Security Plan | Not Implemented
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

164.310(a)(2)(iii) | Access Control and Validation Procedures | Not Implemented
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

164.310(a)(2)(iv) | Maintenance Records | Not Implemented
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).

164.310(b) | Workstation Use | Not Implemented
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

164.310(c) | Workstation Security | Not Implemented
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

164.310(d)(1) | Device and Media Controls | Not Implemented
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) | Disposal | Not Implemented
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

164.310(d)(2)(ii) | Media Re-use | Not Implemented
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

164.310(d)(2)(iii) | Accountability | Not Implemented
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

164.310(d)(2)(iv) | Data Backup and Storage | Not Implemented
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

164.312(a)(1) | Access Control | Not Implemented
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

164.312(a)(2)(i) | Unique User Identification | Not Implemented
Assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(ii) | Emergency Access Procedure | Not Implemented
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

164.312(a)(2)(iii) | Automatic Logoff | Not Implemented
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

164.312(a)(2)(iv) | Encryption and Decryption | Not Implemented
Implement a mechanism to encrypt and decrypt electronic protected health information.

164.312(b) | Audit Controls | Not Implemented
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

164.312(c)(1) | Integrity | Not Implemented
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Not Implemented
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

164.312(d) | Person or Entity Authentication | Not Implemented
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

164.312(e)(1) | Transmission Security | Not Implemented
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

164.312(e)(2)(i) | Integrity Controls | Not Implemented
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
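
The integrity controls entry above and the 164.312(c)(2) entry (mechanism to authenticate electronic protected health information) both ask for a mechanism that detects unauthorized alteration or destruction of ePHI, in transit and at rest, but name no technique. TLS protects data on the wire; the Python block below is an added illustration (not CyberArrow code) of an application-level check that also covers the record once it has left the channel or sits in storage: each record is sealed with an HMAC-SHA256 tag over a canonical JSON encoding of its fields, and a reader recomputes and compares the tag in constant time before trusting the record. The record fields, the in-source demo key and the JSON storage format are assumptions made for the example.

```python
"""Integrity tag for stored or transmitted ePHI records.

Added example for the HIPAA checklist; not CyberArrow code. The record fields,
the in-source demo key and the JSON encoding are assumptions made for illustration.
"""
import hashlib
import hmac
import json

# Assumption for the demo only: a real deployment fetches the key from a KMS or HSM
# and never keeps it next to the data it protects.
DEMO_KEY = b"constructed-demo-key-replace-with-kms-managed-secret"
TAG_FIELD = "integrity_tag"


def canonical(fields):
    """Deterministic byte encoding: sorted keys, no optional whitespace, UTF-8."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def seal(record, key=DEMO_KEY):
    """Return a copy of `record` carrying an HMAC-SHA256 tag over all other fields."""
    body = {k: v for k, v in record.items() if k != TAG_FIELD}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, TAG_FIELD: tag}


def verify(sealed, key=DEMO_KEY):
    """True only if the stored tag matches the current field values.

    hmac.compare_digest is used so a forged tag cannot be refined byte by byte
    from timing differences in the comparison.
    """
    tag = sealed.get(TAG_FIELD)
    if not isinstance(tag, str):
        return False                    # missing or malformed tag: treat as altered
    body = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed, fictional record used by the demo.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "dob": "1980-01-01",
    "allergies": ["penicillin"],
    "plan": "metformin 500 mg",
}


def demo():
    """Seal a record, then check it intact, with a value altered, and with a field destroyed."""
    sealed = seal(SAMPLE_RECORD)
    intact = verify(sealed)
    altered = verify(dict(sealed, plan="metformin 5000 mg"))                      # unauthorized change
    destroyed = verify({k: v for k, v in sealed.items() if k != "allergies"})    # field removed
    return intact, altered, destroyed


if __name__ == "__main__":
    print("intact=%s altered=%s destroyed=%s" % demo())   # expect True False False
```

An HMAC proves integrity only against parties who do not hold the key, so the key has to stay out of the database and out of the application's ordinary write path; where the threat includes an insider who holds the key, or where non-repudiation matters, a digital signature or an append-only, externally anchored log is the stronger mechanism. The tag also does not hide the data, so it complements rather than replaces the encryption called for in 164.312(a)(2)(iv) and 164.312(e)(2)(ii).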

164.312(e)(2)(ii) | Encryption | Not Implemented
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

164.314(a)(1) | Business Associate Contracts or Other Arrangements | Not Implemented
The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.

164.314(a)(2)(i)(A) | Business Associate Contracts Safeguards (R) - Comply | Not Implemented
The contract between a covered entity and a business associate must provide that the business associate will comply with the applicable requirements of this subpart.

164.314(a)(2)(i)(B) | Business Associate Contracts Safeguards (R) - Subcontractors | Not Implemented
The contract between a covered entity and a business associate must provide that the business associate will, in accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section.

164.314(a)(2)(i)(C) | Business Associate Contracts Safeguards (R) - Report Security Incidents | Not Implemented
The contract between a covered entity and a business associate must provide that the business associate will report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410. [See Managed Template: HIPAA Privacy and Breach 1.0v2]

164.314(a)(2)(ii) | Business Associate Contracts - Other Arrangements | Not Implemented
When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section if: (1) it enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or (2) other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.

164.314(a)(2)(iii) | Business Associate Contracts with Subcontractors | Not Implemented
The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

164.314(b)(1) | Requirements for Group Health Plans | Not Implemented
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

164.314(b)(2)(i) | Group Health Plans - Safeguards | Not Implemented
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan.

164.314(b)(2)(ii) | Group Health Plans - Separation | Not Implemented
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures.

164.314(b)(2)(iii) | Group Health Plans - Agent and Subcontractor Safeguards | Not Implemented
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information.

164.314(b)(2)(iv) | Group Health Plans - Incident Reporting | Not Implemented
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to: (iv) Report to the group health plan any security incident of which it becomes aware.

164.316(a) | Policies and Procedures - Reasonable and Appropriate | Not Implemented
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

164.316(b)(1) | Documentation of Procedures and Actions | Not Implemented
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

164.316(b)(2)(i) | Documentation - Time Limit | Not Implemented
Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

164.316(b)(2)(ii) | Documentation - Availability | Not Implemented
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

164.316(b)(2)(iii) | Documentation - Updates | Not Implemented
Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
