Tuesday, February 4, 2025

HIPAA Security Section 308 Changes

As previously mentioned, sections 308 and 312 of the proposed changes to HIPAA Security in 45 CFR 164 require deeper analysis.  My first step in that analysis is a side-by-side comparison of the text of section 308. In the table, a green background marks new content, a gold background marks unchanged content, and a red background marks content that no longer exists in the new rule. My next post will summarize the changes below.  New rule text comes from the Federal Register notice "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information" and old rule text from the eCFR entry for 45 CFR 164.308, Administrative safeguards.


New Section #

New Text

Old Section #

Old Text

308

§ 164.308 Administrative safeguards.

308

§ 164.308 Administrative safeguards.

308 (a)

(a) A covered entity or business associate must, in accordance with § 164.306 and 164.316, implement all of the following administrative safeguards to protect the confidentiality, integrity, and availability of all electronic protected health information that it creates, receives, maintains, or transmits:

308 (a)

(a) A covered entity or business associate must, in accordance with § 164.306:

308 (a)(1)(i)

(1)(i) Standard: Security management process.

Implement policies and procedures to prevent, detect, contain, and correct security violations.

308 (a)(1)(ii)

(ii) Implementation specifications:

308 (a)(1)

(1) Standard: Technology asset inventory

—(i) General.

Conduct and maintain an accurate and thorough written inventory and a network map of the covered entity's or business associate's electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of electronic protected health information.

(ii) Implementation specifications

—(A) Inventory.

Develop a written inventory of the covered entity's or business associate's technology assets that contains the identification, version, person accountable, and location of each technology asset.

(B) Network map.

Develop a network map that illustrates the movement of electronic protected health information throughout the covered entity's or business associate's electronic information systems, including but not limited to how electronic protected health information enters and exits such information systems, and is accessed from outside of such information systems.

(C) Maintenance.

Review and update the written inventory of technology assets required by paragraph (a)(1)(ii)(A) of this section and the network map required by paragraph (a)(1)(ii)(B) of this section in the following circumstances:

(1) On an ongoing basis, but at least once every 12 months.

(2) When there is a change in the covered entity's or business associate's environment or operations that may affect electronic protected health information, including but not limited to the adoption of new technology assets; the upgrading, updating, or patching of technology assets; newly recognized threats to the confidentiality, integrity, or availability of electronic protected health information; a sale, transfer, merger, or consolidation of all or part of the covered entity or business associate with another person; a security incident that affects the confidentiality, integrity, and availability of electronic protected health information; and relevant changes in Federal, State, Tribal, or territorial law.

308 (a)(2)

(2) Standard: Risk analysis

308 (a)(1)(ii)(A)

(A) Risk analysis (Required).

—(i) General.

Conduct an accurate and comprehensive written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information created, received, maintained, or transmitted by the covered entity or business associate.

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(ii) Implementation specifications

—(A) Assessment.

The written assessment must include, at a minimum, all of the following:

(1) A review of the technology asset inventory required by paragraph (a)(1)(ii)(A) of this section and the network map required by paragraph (a)(1)(ii)(B) of this section to identify where electronic protected health information may be created, received, maintained, or transmitted within the covered entity's or business associate's electronic information systems.

(2) Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic protected health information that the covered entity or business associate creates, receives, maintains, or transmits.

(3) Identification of potential vulnerabilities and predisposing conditions to the covered entity's or business associate's relevant electronic information systems.

(4) An assessment and documentation of the security measures the covered entity or business associate uses to ensure the confidentiality, integrity, and availability of the electronic protected health information created, received, maintained, or transmitted by the covered entity or business associate.

(5) A reasonable determination of the likelihood that each threat identified in accordance with paragraph (a)(2)(ii)(A)(2) of this section will exploit the vulnerabilities identified in accordance with paragraph (a)(2)(ii)(A)(3) of this section.

(6) A reasonable determination of the potential impact of each threat identified in accordance with paragraph (a)(2)(ii)(A)(2) of this section successfully exploiting the vulnerabilities identified in accordance with paragraph (a)(2)(ii)(A)(3) of this section.

(7) An assessment of risk level for each threat identified in accordance with paragraph (a)(2)(ii)(A)(2) of this section and vulnerability identified in accordance with paragraph (a)(2)(ii)(A)(3) of this section, based on the determinations made in accordance with paragraphs (a)(2)(ii)(A)(5) and (6) of this section.

(8) An assessment of the risks to electronic protected health information posed by entering into or continuing a business associate contract or other written arrangement with any prospective or current business associate, respectively, based on the written verification obtained from the prospective or current business associate in accordance with paragraph (b)(1) of this section.

(B) Maintenance.

Review, verify, and update the written assessment on an ongoing basis, but at least once every 12 months and, in accordance with paragraph (a)(1)(ii)(C)(2) of this section, in response to a change in the covered entity's or business associate's environment or operations that may affect electronic protected health information.

308 (a)(3)

(3) Standard: Evaluation

—(i) General.

Perform a written technical and nontechnical evaluation to determine whether a change in the covered entity's or business associate's environment or operations may affect the confidentiality, integrity, or availability of electronic protected health information.

(ii) Implementation specifications

—(A) Performance.

Perform a written technical and nontechnical evaluation within a reasonable period of time before making a change in the covered entity's or business associate's environment or operations as described in paragraph (a)(1)(ii)(C)(2) of this section.

(B) Response.

Respond to the written technical and nontechnical evaluation in accordance with the covered entity's or business associate's risk management plan required by paragraph (a)(5)(ii)(A) of this section.

308 (a)(4)

(4) Standard: Patch management

—(i) General.

Implement written policies and procedures for applying patches and updating the configuration(s) of the covered entity's or business associate's relevant electronic information systems.

(ii) Implementation specifications

—(A) Policies and procedures.

Establish written policies and procedures for identifying, prioritizing, acquiring, installing, evaluating, and verifying the timely installation of patches, updates, and upgrades throughout the covered entity's or business associate's relevant electronic information systems.

(B) Maintenance.

Review and test written policies and procedures required by paragraph (a)(4)(ii)(A) of this section at least once every 12 months, and modify such policies and procedures as reasonable and appropriate.

(C) Application.

Patch, update, and upgrade the configurations of relevant electronic information systems in accordance with the written policies and procedures required by paragraph (a)(4)(ii)(A) of this section and based on the results of the covered entity's or business associate's risk analysis required by paragraph (a)(2) of this section, the vulnerability scans required by § 164.312(h)(2)(i), the monitoring of authoritative sources required by § 164.312(h)(2)(ii), and penetration tests required by § 164.312(h)(2)(iii), within a reasonable and appropriate period of time, as follows, except to the extent that an exception at paragraph (a)(4)(ii)(D) of this section applies:

(1) Within 15 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a critical risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 15 calendar days of a patch, update, or upgrade becoming available.

(2) Within 30 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a high risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 30 calendar days of a patch, update, or upgrade becoming available.

(3) As determined by and documented in the covered entity's or business associate's policies and procedures under paragraph (a)(4)(ii)(A) of this section for all other patches, updates, and upgrades to the configuration of a relevant electronic information system.

(D) Exceptions.

This paragraph (a)(4)(ii)(D) applies only to the extent that a covered entity or business associate documents that an exception in this paragraph (a)(4)(ii)(D) applies and that all other applicable conditions are met.

(1) A patch, update, or upgrade to the configuration of a relevant electronic information system is not available to address a risk identified in the risk analysis under paragraph (a)(2) of this section.

(2) The only available patch, update, or upgrade would adversely affect the confidentiality, integrity, or availability of electronic protected health information.

(E) Alternative measures.

Where an exception at paragraph (a)(4)(ii)(D) of this section applies, a covered entity or business associate must document in real-time the existence of an applicable exception and implement reasonable and appropriate compensating controls in accordance with paragraph (a)(4)(ii)(F) of this section.

(F) Compensating controls.

To the extent that a covered entity or business associate determines that an exception at paragraph (a)(4)(ii)(D) of this section applies, a covered entity or business associate must implement reasonable and appropriate security measures to address the identified risk in a timely manner as required by paragraph (a)(5)(ii)(D) of this section until a patch, update, or upgrade that does not adversely affect the confidentiality, integrity, or availability of electronic protected health information becomes available.

308 (a)(5)

(5) Standard: Risk management

308 (a)(1)(ii)(B)

(B) Risk management (Required).

—(i) General.

Implement security measures sufficient to reduce risks and vulnerabilities to all electronic protected health information to a reasonable and appropriate level.

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(ii) Implementation specifications

—(A) Planning.

Establish and implement a written risk management plan for reducing risks to all electronic protected health information, including but not limited to those risks identified by the risk analysis under paragraph (a)(2)(ii)(A) of this section, to a reasonable and appropriate level.

(B) Maintenance.

Review the written risk management plan required by paragraph (a)(5)(ii)(A) of this section at least once every 12 months and as reasonable and appropriate in response to changes in the risk analysis made in accordance with paragraph (a)(2)(ii)(B) of this section, and modify as reasonable and appropriate.

(C) Priorities.

The written risk management plan must prioritize the risks identified in the risk analysis required by paragraph (a)(2)(ii)(A) of this section, based on the risk levels determined by such risk analysis.

(D) Implementation.

Implement security measures in a timely manner to address the risks identified in the covered entity's or business associate's risk analysis in accordance with the priorities established under paragraph (a)(5)(ii)(C) of this section.

308 (a)(6)

(6) Standard: Sanction policy

308 (a)(1)(ii)(C)

(C) Sanction policy (Required).

—(i) General.

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(ii) Implementation specifications

—(A) Policies and procedures.

Establish written policies and procedures for sanctioning workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(B) Modifications.

Review written sanctions policies and procedures at least once every 12 months, and modify as reasonable and appropriate.

(C) Application.

Apply and document appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate in accordance with the written policies and procedures for sanctioning workforce members required by paragraph (a)(6)(ii)(A) of this section.

308 (a)(7)

(7) Standard: Information system activity review

308 (a)(1)(ii)(D)

(D) Information system activity review (Required). 

—(i) General.

Implement written policies and procedures for regularly reviewing records of activity in the covered entity's or business associate's relevant electronic information systems.

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(ii) Implementation specifications

—(A) Policies and procedures.

Establish written policies and procedures for retaining and reviewing records of activity in the covered entity's or business associate's relevant electronic information systems by persons and technology assets, including the frequency for reviewing such records.

(B) Scope.

Records of activity in the covered entity's or business associate's relevant electronic information systems by persons and/or technology assets include but are not limited to audit trails, event logs, firewall logs, system logs, data backup logs, access reports, anti-malware logs, and security incident tracking reports.

(C) Record review.

Review records of activity in a covered entity's or business associate's relevant electronic information systems by persons and technology assets as often as reasonable and appropriate for the type of report or log and document such review.

(D) Record retention.

Retain records of activity in the covered entity's or business associate's relevant electronic information systems by persons and technology assets for a period of time that is reasonable and appropriate for the type of report or log.

(E) Response.

Where a suspected or known security incident is identified during the review required by paragraph (a)(7)(ii)(C) of this section, respond in accordance with the covered entity's or business associate's security incident response plan required by paragraph (a)(12)(ii)(A)(1) of this section.

(F) Maintenance.

Review and test the written policies and procedures required by paragraph (a)(7)(ii)(A) of this section at least once every 12 months and modify as reasonable and appropriate.

308 (a)(8)

(8) Standard: Assigned security responsibility.

308 (a)(2)

(2) Standard: Assigned security responsibility. 

In writing, identify the security official who is responsible for the development and implementation of the policies and procedures, written or otherwise, and deployment of technical controls required by this subpart for the covered entity or business associate.

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

308 (a)(9)

(9) Standard: Workforce security

308 (a)(3)(i)

(3)(i) Standard: Workforce security.

308 (a)(9)(i)

—(i) General.

Implement written policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and relevant electronic information systems, and to prevent those workforce members who are not authorized to have access from obtaining access to electronic protected health information and relevant electronic information systems.

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

308 (a)(9)(ii)

(ii) Implementation specifications

308 (a)(3)(ii)

(ii) Implementation specifications:

308 (a)(9)(ii)(A)

—(A) Authorization and/or supervision.

308 (a)(3)(ii)(A)

(A) Authorization and/or supervision (Addressable).

Establish and implement written procedures for the authorization and/or supervision of workforce members who access electronic protected health information or relevant electronic information systems, or who work in facilities where electronic protected health information or relevant electronic information systems might be accessed.

Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

308 (a)(9)(ii)(B)

(B) Workforce clearance procedure.

308 (a)(3)(ii)(B)

(B) Workforce clearance procedure (Addressable). 

Establish and implement written procedures to determine that the access of a workforce member to electronic protected health information or relevant electronic information systems is appropriate in accordance with paragraph (a)(10)(ii)(B) of this section.

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

308 (a)(9)(ii)(C)

(C) Modification and termination procedures.

308 (a)(3)(ii)(C)

(C) Termination procedures (Addressable).

308 (a)(9)(ii)(C)(1)

(1) Establish and implement written procedures, in accordance with paragraph (a)(9)(ii)(C)(2) of this section, to terminate a workforce member's access to electronic protected health information and relevant electronic information systems, and to facilities where electronic protected health information or relevant electronic information systems might be accessed.

Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

(2) A workforce member's access must be terminated as soon as possible but no later than one hour after the employment of, or other arrangement with, a workforce member ends.

308 (a)(9)(ii)(D)

(D) Notification.

(1) Establish and implement written procedures, in accordance with paragraph (a)(9)(ii)(D)(2) of this section, to notify another covered entity or business associate of a change in or termination of access where the workforce member is or was authorized to access such electronic protected health information or relevant electronic information systems by the covered entity or business associate making the notification.

(2) Notification must occur as soon as possible but no later than 24 hours after a change in or termination of a workforce member's authorization to access electronic protected health information or relevant electronic information systems maintained by such other covered entity or business associate.

308 (a)(9)(ii)(E)

(E) Maintenance.

Review and test written policies and procedures required under paragraph (a)(9)(ii)(A) through (D) of this section at least once every 12 months, and modify as reasonable and appropriate.

308 (a)(10)

(10) Standard: Information access management

308 (a)(4)(i)

(4)(i) Standard: Information access management.

—(i) General.

Establish and implement written policies and procedures for authorizing access to electronic protected health information and relevant electronic information systems that are consistent with the applicable requirements of subpart E of this part.

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

(ii) Implementation specifications

308 (a)(4)(ii)

(ii) Implementation specifications:

308 (a)(10)(A)

—(A) Isolating health care clearinghouse functions.

308 (a)(4)(ii)(A)

(A) Isolating health care clearinghouse functions (Required). 

If a health care clearinghouse is part of a larger organization, the clearinghouse must establish and implement written policies and procedures that protect the electronic protected health information and relevant electronic information systems of the clearinghouse from unauthorized access by the larger organization.

If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

308 (a)(10)(B)

(B) Access authorization.

308 (a)(4)(ii)(B)

(B) Access authorization (Addressable). 

Establish and implement written policies and procedures for granting and revising access to electronic protected health information and relevant electronic information systems as necessary and appropriate for each prospective user and technology asset to carry out their assigned function(s).

Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

308 (a)(10)(C)

(C) Authentication management.

Establish and implement written policies and procedures for verifying the identities of users and technology assets prior to accessing the covered entity's or business associate's relevant electronic information systems, including written policies and procedures for implementing multi-factor authentication technical controls required by § 164.312(f)(2)(ii) through (v).

308 (a)(10)(D)

(D) Access determination and modification.

308 (a)(4)(ii)(C)

(C) Access establishment and modification (Addressable). 

Establish and implement written policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, determine, document, review, and modify the access of each user and technology asset to specific components of the covered entity's or business associate's relevant electronic information systems.

Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

308 (a)(10)(E)

(E) Network segmentation.

Establish and implement written policies and procedures that ensure that a covered entity's or business associate's relevant electronic information systems are segmented to limit access to electronic protected health information to authorized workstations.

308 (a)(10)(F)

(F) Maintenance.

Review and test the written policies and procedures required by this paragraph (a)(10)(ii) at least once every 12 months, and modify as reasonable and appropriate.

308 (a)(11)

(11) Standard: Security awareness training

308 (a)(5)(i)

(5)(i) Standard: Security awareness and training. 

—(i) General.

Implement security awareness training for all workforce members on protection of electronic protected health information and information systems as necessary and appropriate for the members of the workforce to carry out their assigned function(s).

Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications

(ii) Implementation specifications.  Implement:

308 (a)(5)(ii)(A)

(A) Security reminders (Addressable).  Periodic security updates.

308 (a)(5)(ii)(C)

(C) Log-in monitoring (Addressable).  Procedures for monitoring log-in attempts and reporting discrepancies.

308 (a)(11)(ii)(A)

—(A) Training.

A covered entity or business associate must develop and implement security awareness training for all workforce members that addresses all of the following:

308 (a)(11)(ii)(A)(1)

(1) The written policies and procedures with respect to electronic protected health information required by this subpart as necessary and appropriate for the workforce members to carry out their assigned functions.

308 (a)(11)(ii)(A)(2)

(2) Guarding against, detecting, and reporting suspected or known security incidents, including but not limited to, malicious software and social engineering.

308 (a)(5)(ii)(B)

(B) Protection from malicious software (Addressable).  Procedures for guarding against, detecting, and reporting malicious software.

308 (a)(11)(ii)(A)(3)

(3) The written policies and procedures for accessing the covered entity's or business associate's relevant electronic information systems, including but not limited to: safeguarding passwords; setting unique passwords of sufficient strength to ensure the confidentiality, integrity, and availability of electronic protected health information; and limitations on sharing passwords.

308 (a)(5)(ii)(D)

(D) Password management (Addressable).  Procedures for creating, changing, and safeguarding passwords.

(B) Timing.

A covered entity or business associate must provide security awareness training as follows:

(1) As required by paragraph (a)(11)(ii)(A) of this section, to each member of its workforce by no later than the compliance date, and at least once every 12 months thereafter.

(2) As required by paragraph (a)(11)(ii)(A) of this section, to each new member of its workforce within a reasonable period of time but no later than 30 days after the person first has access to the covered entity's or business associate's relevant electronic information systems.

(3) On a material change to the policies or procedures required by this subpart, to each member of its workforce whose functions are affected by such change, within a reasonable period of time but no later than 30 days after the material change occurs.

(C) Ongoing education.

A covered entity or business associate must provide its workforce members ongoing reminders of their security responsibilities and notifications of relevant threats, including but not limited to new and emerging malicious software and social engineering.

(D) Documentation.

A covered entity or business associate must document that the training required by paragraph (a)(11)(ii)(A) of this section and ongoing reminders required by paragraph (a)(11)(ii)(C) of this section have been provided.

308 (a)(12)

(12) Standard: Security incident procedures

308 (a)(6)(i)

(6)(i) Standard: Security incident procedures. 

308 (a)(12)(i)

—(i) General.

Implement written policies and procedures to respond to security incidents.

Implement policies and procedures to address security incidents.

308 (a)(12)(ii)

(ii) Implementation specifications

308 (a)(6)(ii)

(ii) Implementation specification:

—(A) Planning and testing.

308 (a)(12)(ii)(A)(1)

(1) Establish written security incident response plan(s) and procedures documenting how workforce members are to report suspected or known security incidents and how the covered entity or business associate will respond to suspected or known security incidents in accordance with paragraph (a)(12)(ii)(B) of this section.

308 (a)(12)(ii)(A)(2)

(2) Implement written procedures for testing and revising security incident response plan(s) required by paragraph (a)(12)(ii)(A)(1) of this section.

308 (a)(12)(ii)(A)(3)

(3) Review and test security incident response plan(s) and procedures required by paragraph (a)(12)(ii)(A)(1) of this section at least once every 12 months, document the results of such tests, and modify security incident response plan(s) and procedures as reasonable and appropriate.

308 (a)(12)(ii)(B)

(B) Response.

308 (a)(6)(ii)(B)

Response and reporting (Required). 

308 (a)(12)(ii)(B)(1)

(1) Identify and respond to suspected or known security incidents.

308 (a)(6)(ii)(B)(1)

Identify and respond to suspected or known security incidents;

308 (a)(12)(ii)(B)(2)

(2) Mitigate, to the extent practicable, harmful effects of security incidents that are suspected or known to the covered entity or business associate.

308 (a)(6)(ii)(B)(2)

mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate;

308 (a)(12)(ii)(B)(3)

(3) Identify and remediate, to the extent practicable, the root cause(s) of security incidents that are suspected or known to the covered entity or business associate.

308 (a)(12)(ii)(B)(4)

(4) Eradicate the security incidents that are suspected or known to the covered entity or business associate.

308 (a)(12)(ii)(B)(5)

(5) For suspected and known security incidents, develop and maintain documentation of investigations, analyses, mitigation, and remediation.

and document security incidents and their outcomes.

308 (a)(13)

(13) Standard: Contingency plan

308 (a)(7)(i)

(7)(i) Standard: Contingency plan. 

308 (a)(13)(i)

—(i) General.

Establish and implement as needed a written contingency plan, consisting of written policies and procedures for responding to an emergency or other occurrence—including but not limited to fire, vandalism, system failure, natural disaster, or security incident—that adversely affects relevant electronic information systems.

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

308 (a)(13)(ii)

(ii) Implementation specifications

308 (a)(7)(ii)

(ii) Implementation specifications:

308 (a)(13)(ii)(A)

—(A) Criticality analysis.

308 (a)(7)(ii)(E)

(E) Applications and data criticality analysis (Addressable). 

Perform and document an assessment of the relative criticality of the covered entity's or business associate's relevant electronic information systems and technology assets in its relevant electronic information systems.

Assess the relative criticality of specific applications and data in support of other contingency plan components.

308 (a)(13)(ii)(B)

(B) Data backups.

308 (a)(7)(ii)(A)

(A) Data backup plan (Required). 

Establish and implement written procedures to create and maintain exact retrievable copies of electronic protected health information, including verification that the electronic protected health information has been copied accurately.

Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

308 (a)(13)(ii)(C)

(C) Information systems backups.

 

 

 

Establish and implement written procedures to create and maintain backups of the covered entity's or business associate's relevant electronic information systems, including verification of success of backups.

 

 

308 (a)(13)(ii)(D)

(D) Disaster recovery plan.

308 (a)(7)(ii)(B)

(B) Disaster recovery plan (Required). 

308 (a)(13)(ii)(D)(1)

(1) Establish (and implement as needed) written procedures to restore loss of the covered entity's or business associate's critical relevant electronic information systems and data within 72 hours of the loss.

Establish (and implement as needed) procedures to restore any loss of data.

308 (a)(13)(ii)(D)(2)

(2) Establish (and implement as needed) written procedures to restore loss of the covered entity's or business associate's other relevant electronic information systems and data in accordance with the criticality analysis required by paragraph (a)(13)(ii)(A) of this section.

 

 

308 (a)(13)(ii)(E)

(E) Emergency mode operation plan.

308 (a)(7)(ii)(C)

(C) Emergency mode operation plan (Required). 

Establish (and implement as needed) written procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

308 (a)(13)(ii)(F)

(F) Testing and revision procedures.

308 (a)(7)(ii)(D)

(D) Testing and revision procedures (Addressable). 

308 (a)(13)(ii)(F)(1)

(1) Establish written procedures for testing and revising contingency plans as required by this paragraph (a)(13) in accordance with paragraph (a)(13)(ii)(F)(2) of this section.

Implement procedures for periodic testing and revision of contingency plans.

308 (a)(13)(ii)(F)(2)

(2) Review and test contingency plans required by this paragraph (a)(13) at least once every 12 months, document the results of such tests, and modify such contingency plans as reasonable and appropriate in accordance with the results of those tests.

 

 

308 (a)(14)

(14) Standard: Compliance audit.

308 (a)(8)

(8) Standard: Evaluation. 

Perform and document an audit at least once every 12 months of the covered entity's or business associate's compliance with each standard and implementation specification in this subpart.

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

308 (b)(1)(i)

(b)(1) Standard: Business associate contracts and other arrangements.

308 (b)(1)

(b)(1) Business associate contracts and other arrangements. 

(i)(A) A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will comply with this subpart and verifies that the business associate has deployed technical safeguards in accordance with the requirements of § 164.312.

A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information.

(B) A covered entity is not required to obtain such satisfactory assurances or verification from a business associate that is a subcontractor.

A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

308 (b)(1)(ii)

(ii) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will comply with the requirements of this subpart and verifies that the business associate that is a subcontractor has deployed technical safeguards in accordance with the requirements of § 164.312.

308 (b)(2)

(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

308 (b)(2)

(2) Implementation specifications

308 (b)(3)

(3) Implementation specifications:

—(i) Written contract or other arrangement.

Written contract or other arrangement (Required).

Document the satisfactory assurances required by paragraph (b)(1)(i) or (ii) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

 Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

 

(ii) Written verification.

 

 

 

Obtain written verification from the business associate at least once every 12 months that the business associate has deployed the technical safeguards as required by § 164.312 through both of the following:

 

 

 

(A) A written analysis of the business associate's relevant electronic information systems by a person with appropriate knowledge of and experience with generally accepted cybersecurity principles and methods for ensuring the confidentiality, integrity, and availability of electronic protected health information to verify compliance with each standard and implementation specification in § 164.312.

 

 

 

(B) A written certification that the analysis has been performed and is accurate by a person who has the authority to act on behalf of the business associate.

 

 

 

(3) Standard: Delegation to business associate.

 

 

 

(i) A covered entity or business associate may permit a business associate to serve as their designated security official.

 

 

 

(ii) A covered entity or business associate that delegates actions, activities, or assessments required by this subpart to a business associate remains liable for compliance with all applicable provisions of this subpart.