HIPAA – 45 CFR Parts 160 Subpart A+C and 164 Subpart A+C

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

§ 160.310 Responsibilities of covered entities and business associates.

(a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.

(b) Cooperate with complaint investigations and compliance reviews. A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.

Implementation specification: Retention period. A covered entity must retain the documentation as required by paragraph (c)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

(A) Risk analysis (Required).
(B) Risk management (Required).
(C) Sanction policy (Required).
(D) Information system activity review (Required).

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

(ii) Implementation specifications:
(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

(ii) Implementation specifications:
(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right

Appendix A to Subpart C of Part 164—Security Standards: Matrix
(HIPAA Administrative Simplification Regulation Text, March 2013)

Columns: Standard, Section, Implementation Specifications. (R) = Required, (A) = Addressable.

Administrative Safeguards
  Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
  Assigned Security Responsibility, 164.308(a)(2): (R)
  Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
  Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
  Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
  Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)
  Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
  Evaluation, 164.308(a)(8): (R)
  Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards
  Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
  Workstation Use, 164.310(b): (R)
  Workstation Security, 164.310(c): (R)
  Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § 164.312)
  Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
  Audit Controls, 164.312(b): (R)
  Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
  Person or Entity Authentication, 164.312(d): (R)
  Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)
