
North America > US National Institute of Standards and Technology

NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule A Cybersecurity Resource Guide



AD ID

0003960

AD STATUS

NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule A Cybersecurity Resource Guide

ORIGINATOR

US National Institute of Standards and Technology

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

NIST SP 800-66r2

NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule A Cybersecurity Resource Guide

EFFECTIVE

2024-02-01

ADDED

The document as a whole was last reviewed and released on 2024-10-15T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, because those Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule A Cybersecurity Resource Guide, each tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule A Cybersecurity Resource Guide are based upon terms found within the Authority Document's defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
291 Mandated Controls - bold
44 Implied Controls - italic
2523 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
2858 Total
  • Acquisition or sale of facilities, technology, and services
    48
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Plan for acquiring facilities, technology, or services. CC ID 06892
    [{information technology systems} {information technology services} Acquire Information Technology (IT) Systems and Services § 5.1.1. Table 8. Row 4 Key Activities 4.]
    Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain acquisition notices. CC ID 16682 Acquisition/Sale of Assets or Services Preventive
    Include the geographic locations of the organization in the acquisition notice. CC ID 16723 Acquisition/Sale of Assets or Services Preventive
    Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 Acquisition/Sale of Assets or Services Preventive
    Include the capital ratios in the acquisition notice. CC ID 16712 Acquisition/Sale of Assets or Services Preventive
    Include the relevant authorities in the acquisition notice. CC ID 16711 Acquisition/Sale of Assets or Services Preventive
    Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 Acquisition/Sale of Assets or Services Preventive
    Include the subsidiary's contact information in the acquisition notice. CC ID 16704 Acquisition/Sale of Assets or Services Preventive
    Include in scope transactions in the acquisition notice. CC ID 16700 Acquisition/Sale of Assets or Services Preventive
    Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 Acquisition/Sale of Assets or Services Preventive
    Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 Communicate Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Establish/Maintain Documentation Preventive
    Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 Establish/Maintain Documentation Preventive
    Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 Communicate Preventive
    Document attempts to obtain system documentation. CC ID 14284 Process or Activity Corrective
    Obtain user documentation before acquiring products and services. CC ID 14283 Acquisition/Sale of Assets or Services Preventive
    Include instructions on how to use the security functions in the user documentation. CC ID 14314 Establish/Maintain Documentation Preventive
    Include security functions in the user documentation. CC ID 14313 Establish/Maintain Documentation Preventive
    Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 Establish/Maintain Documentation Preventive
    Include a description of user interactions in the user documentation. CC ID 14311 Establish/Maintain Documentation Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in system acquisition contracts. CC ID 14765 Establish/Maintain Documentation Preventive
    Include the acceptance criteria in system acquisition contracts. CC ID 14288 Acquisition/Sale of Assets or Services Preventive
    Include audit record generation capabilities in system acquisition contracts. CC ID 16427 Acquisition/Sale of Assets or Services Preventive
    Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 Acquisition/Sale of Assets or Services Preventive
    Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 Acquisition/Sale of Assets or Services Preventive
    Include environmental considerations in the acquisition feasibility study. CC ID 16224 Acquisition/Sale of Assets or Services Preventive
    Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 Technical Security Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Establish/Maintain Documentation Preventive
    Obtain authorization for marketing new products. CC ID 16805 Business Processes Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Establish/Maintain Documentation Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Establish/Maintain Documentation Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159 Establish/Maintain Documentation Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Communicate Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Communicate Preventive
    Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 Acquisition/Sale of Assets or Services Preventive
    Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Establish/Maintain Documentation Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Communicate Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition/Sale of Assets or Services Corrective
    Align the service management program with the Code of Conduct. CC ID 14211 Establish/Maintain Documentation Preventive
    Install software that originates from approved third parties. CC ID 12184 Technical Security Preventive
  • Audits and risk management
    366
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Decide whether the evaluation will be conducted with internal staff resources or external consultants. § 5.1.8. Table 15. Row 1 Description Bullet 1]
    Establish Roles Preventive
    Rotate auditors, as necessary. CC ID 15589 Audits and Risk Management Preventive
    Withdraw the approvals of auditors, as necessary. CC ID 17260 Business Processes Preventive
    Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 Communicate Preventive
    Define the qualification requirements for auditors. CC ID 17259 Human Resources Management Preventive
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Communicate Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681
    [Use internal resources to supplement an external source of help because these internal resources can provide the best institutional knowledge and history of internal policies and practices. § 5.1.8. Table 15. Row 1 Description Bullet 3]
    Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [{external experts} {internal auditors} Engage external expertise to assist the internal evaluation team where additional skills and expertise are determined to be reasonable and appropriate. § 5.1.8. Table 15. Row 1 Description Bullet 2]
    Audits and Risk Management Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [Develop and document organizational policies and procedures for conducting evaluation. § 5.1.8. Table 15. Row 2 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and Risk Management Preventive
    Mitigate the threats to an auditor's independence. CC ID 17282 Process or Activity Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and Risk Management Detective
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Establish/Maintain Documentation Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and Risk Management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of in scope controls. CC ID 06981
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    {align} {management controls} {operational controls} Determine whether these security features involve alignment with other existing management, operational, and technical controls, such as policy standards, personnel procedures, the maintenance and review of audit trails, the identification and authentication of users, and physical access controls. § 5.1.4. Table 11. Row 4 Description Bullet 2
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Testing Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and Risk Management Preventive
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and Risk Management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Communicate Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the purpose in the audit report. CC ID 17263 Establish/Maintain Documentation Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Include written agreements in the audit report. CC ID 17266 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197
    [Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and Risk Management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include the results of the business impact analysis in the audit report. CC ID 17208 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [Implement a Risk Management Program Implementation Specification (Required) § 5.1.1. Table 8. Row 3 Key Activities 3.
    {risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain a risk management policy. CC ID 17192
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 Audits and Risk Management Preventive
    Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 Establish/Maintain Documentation Preventive
    Include metrics in the fundamental rights impact assessment. CC ID 17249 Establish/Maintain Documentation Preventive
    Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 Establish/Maintain Documentation Preventive
    Include user safeguards in the fundamental rights impact assessment. CC ID 17255 Establish/Maintain Documentation Preventive
    Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 Establish/Maintain Documentation Preventive
    Include the purpose in the fundamental rights impact assessment. CC ID 17243 Establish/Maintain Documentation Preventive
    Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 Establish/Maintain Documentation Preventive
    Include risk management measures in the fundamental rights impact assessment. CC ID 17224 Establish/Maintain Documentation Preventive
    Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 Establish/Maintain Documentation Preventive
    Include risks in the fundamental rights impact assessment. CC ID 17222 Establish/Maintain Documentation Preventive
    Include affected parties in the fundamental rights impact assessment. CC ID 17221 Establish/Maintain Documentation Preventive
    Include the frequency in the fundamental rights impact assessment. CC ID 17220 Establish/Maintain Documentation Preventive
    Include the usage duration in the fundamental rights impact assessment. CC ID 17219 Establish/Maintain Documentation Preventive
    Include system use in the fundamental rights impact assessment. CC ID 17218 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{identify} {unauthorized sources} Conduct this activity as part of a risk analysis. § 5.3.3. Table 23. Row 2 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480
    [Remediation and corrective action plans that arise from incidents should serve as input to the risk assessment/management process. § 5.1.6. Table 13. Row 4 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept the Information and Modify It § 5.3.3. Table 23. Row 2 Key Activities 2.
    Identify scenarios that may result in modification to the ePHI by unauthorized sources (e.g., hackers, ransomware, insider threats, business competitors, user errors). § 5.3.3. Table 23. Row 2 Description Bullet 1
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept and/or Modify the Information § 5.3.5. Table 25. Row 1 Key Activities 1.
    Identify scenarios (e.g., telehealth, claims processing) that may result in access to or modification of the ePHI by unauthorized sources during transmission (e.g., hackers, disgruntled employees, business competitors). § 5.3.5. Table 25. Row 1 Description Bullet 2
    Identify scenarios and pathways that may put ePHI at a high level of risk. § 5.3.5. Table 25. Row 1 Description Bullet 3]
    Technical Security Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and Risk Management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    {include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075
    [Conduct an Analysis of Existing Physical Security Vulnerabilities § 5.2.1. Table 17. Row 1 Key Activities 1.
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Analyze the Risks Associated with Each Type of Access § 5.2.3. Table 19. Row 2 Key Activities 2.
    Determine which type of access identified in Key Activity 1 poses the greatest threat to the security of ePHI. § 5.2.3. Table 19. Row 2 Description Bullet 1]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Process or Activity Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Process or Activity Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Process or Activity Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Process or Activity Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Approve the risk acceptance level, as necessary. CC ID 17168 Process or Activity Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [{management control} {operational control} Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.1.1. Table 8. Row 5 Description Bullet 1
    Consider whether multiple access control methods are needed to protect ePHI according to the results of the risk assessment. § 5.1.4. Table 11. Row 2 Description Bullet 8]
    Audits and Risk Management Preventive
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Establish/Maintain Documentation Preventive
    Include time information in the risk treatment plan. CC ID 16993 Establish/Maintain Documentation Preventive
    Include allocation of resources in the risk treatment plan. CC ID 16989 Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    177
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [Identify the individual who has final responsibility for security. § 5.1.2. Table 9. Row 1 Description Bullet 1
    {security responsibility} Assign and Document the Individual's Responsibility § 5.1.2. Table 9. Row 2 Key Activities 2.]
    Establish Roles Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112
    [Select a Security Official to be Assigned Responsibility for HIPAA Security § 5.1.2. Table 9. Row 1 Key Activities 1.]
    Human Resources Management Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890
    [If available, consider engaging corporate, legal, or regulatory compliance staff when conducting the analysis. § 5.1.8. Table 15. Row 2 Description Bullet 6
    Determine in advance what departments and/or staff will participate in the evaluation. § 5.1.8. Table 15. Row 3 Description Bullet 1]
    Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define roles and responsibilities for all job functions. § 5.1.3. Table 10. Row 2 Description Bullet 1
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.]
    Human Resources Management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Document the use of external experts. CC ID 16263 Human Resources Management Preventive
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [Implement Policies and Procedures for Authorization and/or Supervision Implementation Specification (Addressable) § 5.1.3. Table 10. Row 1 Key Activities 1.
    Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. § 5.1.3. Table 10. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Categorize the gender of all employees. CC ID 15609 Human Resources Management Preventive
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources Management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources Management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources Management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources Management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources Management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources Management Preventive
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources Management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources Management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources Management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources Management Preventive
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Establish/Maintain Documentation Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources Management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Establish/Maintain Documentation Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Establish/Maintain Documentation Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Establish/Maintain Documentation Preventive
    Train all new hires, as necessary. CC ID 06673 Behavior Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Establish/Maintain Documentation Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111 Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Communicate Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Ensure that workforce members have the necessary knowledge, skills, and abilities to fulfill particular roles (e.g., positions involving access to and use of sensitive information). § 5.1.3. Table 10. Row 3 Description Bullet 1]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700
    [Implement appropriate screening of persons who will have access to ePHI. § 5.1.3. Table 10. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783
    [Implement a procedure for obtaining clearance from appropriate offices or individuals where access is provided or terminated. § 5.1.3. Table 10. Row 4 Description Bullet 3
    Establish a Workforce Clearance Procedure Implementation Specification (Addressable) § 5.1.3. Table 10. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Establish Termination Procedures Implementation Specification (Addressable) § 5.1.3. Table 10. Row 5 Key Activities 5.]
    Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [Implement procedures for terminating access to ePHI when the employment of or other arrangement with a workforce member ends or as required by determinations made as specified in §164.308(a)(3)(ii)(B). § 5.1.3. Table 10. Row 5 Description Bullet 1
    Terminate Access if it is No Longer Required § 5.3.1. Table 21. Row 9 Key Activities 9.
    Ensure that access to ePHI is terminated if the access is no longer authorized. § 5.3.1. Table 21. Row 9 Description Bullet 1]
    Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [{security role} Communicate this assigned role to the entire organization. § 5.1.2. Table 9. Row 2 Description Bullet 2
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Document the assignment to one individual's responsibilities in a job description. § 5.1.2. Table 9. Row 2 Description Bullet 1]
    Establish Roles Detective
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.
    {workforce security} Ensure that these requirements are included as part of the personnel hiring process. § 5.1.3. Table 10. Row 3 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Establish/Maintain Documentation Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Communicate Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Establish/Maintain Documentation Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Establish/Maintain Documentation Preventive
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources Management Preventive
    Establish, implement, and maintain job applications. CC ID 16180 Establish/Maintain Documentation Preventive
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources Management Preventive
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources Management Preventive
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources Management Preventive
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources Management Preventive
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources Management Preventive
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources Management Preventive
    Include a space for the start date on the job application. CC ID 16187 Human Resources Management Preventive
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources Management Preventive
    Approve the wording of job applications. CC ID 16182 Human Resources Management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources Management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources Management Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [Monitor the training program implementation to ensure that all workforce members participate. § 5.1.5. Table 12. Row 7 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Behavior Preventive
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Training Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{security awareness and training program} Consider using a variety of media and avenues according to what is appropriate for the organization based on workforce size, location, level of education, and other factors. § 5.1.5. Table 12. Row 4 Description Bullet 3]
    Business Processes Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{environmental changes} Training should be an ongoing, evolving process in response to environmental and operational changes that affect the security of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 4
    Conduct training whenever changes occur in the technology and practices, as appropriate. § 5.1.5. Table 12. Row 7 Description Bullet 3]
    Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [Conduct a Training Needs Assessment § 5.1.5. Table 12. Row 1 Key Activities 1.
    Determine the training needs of the organization. § 5.1.5. Table 12. Row 1 Description Bullet 1
    Interview and involve key personnel in assessing security training needs. § 5.1.5. Table 12. Row 1 Description Bullet 2
    Use feedback and analysis of past events to help determine training needs. § 5.1.5. Table 12. Row 1 Description Bullet 3
    Review organizational behavior issues, past incidents, and/or breaches to determine what training is missing or needs reinforcement, improvement, or periodic reminders. § 5.1.5. Table 12. Row 1 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.
    Monitor and Evaluate the Training Plan § 5.1.5. Table 12. Row 7 Key Activities 7.]
    Establish/Maintain Documentation Preventive
    Approve training plans, as necessary. CC ID 17193
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.]
    Training Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867
    [{security awareness and training program} Incorporate new information from email advisories, online IT security, daily news, websites, and periodicals, as reasonable and appropriate. § 5.1.5. Table 12. Row 4 Description Bullet 2]
    Training Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include insider threats in the security awareness program. CC ID 16963 Training Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management). § 5.1.5. ¶ 1
    Develop Appropriate Awareness and Training Content, Materials, and Methods § 5.1.5. Table 12. Row 4 Key Activities 4.
    {security awareness training} Implement the Training § 5.1.5. Table 12. Row 5 Key Activities 5.
    {security awareness training} Schedule and conduct the training outlined in the strategy and plan. § 5.1.5. Table 12. Row 5 Description Bullet 1
    {keep current} Keep the security awareness and training program current. § 5.1.5. Table 12. Row 7 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Training Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092
    [Address the specific HIPAA policies that require security awareness and training in the security awareness and training program. § 5.1.5. Table 12. Row 2 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146
    [Select topics to be included in the training materials, and consider current and relevant topics (e.g., phishing, email security) for the protection of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046
    [Set organizational expectations for protecting ePHI. § 5.1.5. Table 12. Row 2 Description Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Creating, changing, and safeguarding passwords. § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 3]
    Establish/Maintain Documentation Preventive
    Include identity and access management in the security awareness program. CC ID 17013 Training Preventive
    Include the encryption process in the security awareness program. CC ID 17014 Training Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include data management in the security awareness program. CC ID 17010 Training Preventive
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Training Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184
    [Implement Security Reminders Implementation Specification (Addressable) § 5.1.5. Table 12. Row 6 Key Activities 6.
    Implement periodic security updates. § 5.1.5. Table 12. Row 6 Description Bullet 1
    Provide periodic security updates to staff, business associates, and contractors. § 5.1.5. Table 12. Row 6 Description Bullet 2]
    Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183
    [As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include social networking in the security awareness program. CC ID 17011 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802
    [Incorporate information concerning workforce members' roles and responsibilities in implementing these implementation specifications into training and awareness efforts. § 5.1.5. Table 12. Row 3 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3
    Consider the benefits of ongoing communication with staff (e.g., emails, newsletters) on training topics to achieve HIPAA compliance and protect ePHI. § 5.1.5. Table 12. Row 6 Description Bullet 3
    Implement any reasonable technique to disseminate the security messages in an organization, including newsletters, screensavers, video recordings, email messages, teleconferencing sessions, staff meetings, and computer-based training. § 5.1.5. Table 12. Row 5 Description Bullet 2]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262
    [Solicit trainee feedback to determine whether the training and awareness are successfully reaching the intended audience. § 5.1.5. Table 12. Row 7 Description Bullet 2]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [Develop and Implement a Sanction Policy Implementation Specification (Required) § 5.1.1. Table 8. Row 6 Key Activities 6.
    Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 5.1.1. Table 8. Row 6 Description Bullet 1
    Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization's security policies. § 5.1.1. Table 8. Row 6 Description Bullet 2
    Implement sanction policy as cases arise. § 5.1.1. Table 8. Row 6 Description Bullet 3]
    Behavior Corrective
  • Leadership and high level objectives
    104
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Monitor and Evaluate Occurrences Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Business Processes Preventive
    Align assets with business functions and the business environment. CC ID 13681
    [Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Applicability of the IT solution to the intended environment; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 1
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The organization's security policies, procedures, and standards; and § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 3
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The sensitivity of the data; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 2
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Other requirements, such as resources available for operation, maintenance, and training. § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 4]
    Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5
    {monitoring processes} Review existing processes to determine whether objectives are being addressed. § 5.3.3. Table 23. Row 6 Description Bullet 1]
    Business Processes Preventive
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Process or Activity Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include the data source in the data governance and management practices. CC ID 17211 Data and Information Management Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Data and Information Management Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Include format requirements for data elements in the data dictionary. CC ID 17108 Data and Information Management Preventive
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Data and Information Management Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Data and Information Management Preventive
    Involve all stakeholders in the architecture review process. CC ID 16935 Process or Activity Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Monitor and Evaluate Occurrences Preventive
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include resource management in the quality management system. CC ID 15026 Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2]
    Establish/Maintain Documentation Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Identify All ePHI and Relevant Information Systems § 5.1.1. Table 8. Row 1 Key Activities 1.]
    Business Processes Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{organizational requirements} Create and Deploy Policies and Procedures § 5.5.1. Table 28. Row 1 Key Activities 1.
    Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 1
    Periodically evaluate written policies and procedures to verify that: Policies and procedures accurately reflect the actual activities and practices exhibited by the regulated entity, its staff, its systems, and its business associates. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 2
    Update the Documentation of the Policy and Procedures § 5.5.1. Table 28. Row 2 Key Activities 2.
    Periodically evaluate written policies and procedures to verify that: Policies and procedures are sufficient to address the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Establish/Maintain Documentation Preventive
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Business Processes Preventive
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [{organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1
    Draft, Maintain, and Update Required Documentation § 5.5.2. Table 29. Row 1 Key Activities 1.
    Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2
    Use feedback from risk assessments and contingency plan tests to help determine when to update documentation. § 5.5.2. Table 29. Row 1 Description Bullet 4
    Update Documentation as Required Implementation Specification (Required) § 5.5.2. Table 29. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436
    [{contingency plan} Identify Preventive Measures § 5.1.7. Table 14. Row 3 Key Activities 3.]
    Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Communicate Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282
    [{person responsible} Ensure That Documentation is Available to Those Responsible for Implementation Implementation Specification (Required) § 5.5.2. Table 29. Row 3 Key Activities 3.
    {make available} Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 5.5.2. Table 29. Row 3 Description Bullet 1]
    Behavior Preventive
    Establish, implement, and maintain a public oversight system. CC ID 17284 Business Processes Preventive
    Establish, implement, and maintain an oversight plan. CC ID 17302 Establish/Maintain Documentation Preventive
    Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 Communicate Preventive
    Establish, implement, and maintain an oversight team. CC ID 17303 Process or Activity Preventive
    Include roles and responsibilities in the public oversight system. CC ID 17285 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128
    [Select an individual who is able to assess effective security to serve as the point of contact for security policy, implementation, and monitoring. § 5.1.2. Table 9. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [{management controls} {operational controls} Document decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.5.2. Table 29. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [Define the organization's overall contingency objectives. § 5.1.7. Table 14. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    75
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506
    [Establish a Monitoring Process to Assess How the Implemented Process is Working § 5.3.3. Table 23. Row 6 Key Activities 6.]
    Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035
    [Develop and Deploy the Information System Activity Review/Audit Policy § 5.3.2. Table 22. Row 3 Key Activities 3.]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Communicate Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Communicate Preventive
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 5.3.2. ¶ 1
    Activate the necessary audit system. § 5.3.2. Table 22. Row 5 Description Bullet 1]
    Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Monitor and evaluate system telemetry data. CC ID 14929 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Establish/Maintain Documentation Preventive
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Acquisition/Sale of Assets or Services Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Determine the appropriate scope of audit controls that will be necessary in information systems that contain or use ePHI based on the regulated entity's risk assessment and other organizational factors. § 5.3.2. Table 22. Row 1 Description Bullet 1]
    Log Management Detective
    Establish, implement, and maintain an event logging policy. CC ID 15217 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain event logging procedures. CC ID 01335
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Log Management Detective
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Data and Information Management Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [Develop and Deploy the Information System Activity Review Process Implementation Specification (Required) § 5.1.1. Table 8. Row 7 Key Activities 7.
    Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain log analysis tools. CC ID 17056 Technical Security Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 5.1.1. Table 8. Row 7 Description Bullet 1
    Activate the necessary review process. § 5.1.1. Table 8. Row 9 Description Bullet 1
    Implement the Audit/System Activity Review Process § 5.3.2. Table 22. Row 5 Key Activities 5.
    Determine the frequency of audit log reviews based on the risk assessment and risk management processes. § 5.3.2. Table 22. Row 4 Description Bullet 2]
    Log Management Detective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Document the event information to be logged in the event information log specification. CC ID 00639
    [Determine the Activities That Will Be Tracked or Audited § 5.3.2. Table 22. Row 1 Key Activities 1.
    Determine what activities need to be captured using the results of the risk assessment and risk management processes. § 5.3.2. Table 22. Row 1 Description Bullet 2
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Configuration Preventive
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Configuration Preventive
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Implement file integrity monitoring. CC ID 01205
    [Consider how the organization will detect unauthorized modification to ePHI. § 5.3.3. Table 23. Row 2 Description Bullet 3]
    Monitor and Evaluate Occurrences Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659
    [Conduct Evaluation § 5.1.8. Table 15. Row 3 Key Activities 3.
    Determine when evaluations are conducted in response to an environmental or operational change that affects the security of ePHI (e.g., prior to the change, contemporaneous with the change, after the change). § 5.1.8. Table 15. Row 3 Description Bullet 3
    {regular basis} Repeat Evaluations Periodically § 5.1.8. Table 15. Row 5 Key Activities 5.
    In addition to periodic reevaluations, consider repeating evaluations when environmental and operational changes that affect the security of ePHI are made to the organization (e.g., if new technology is adopted or if there are newly recognized risks to the security of ePHI). § 5.1.8. Table 15. Row 5 Description Bullet 2
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    {if} {is appropriate} Determine Whether Internal or External Evaluation is Most Appropriate § 5.1.8. Table 15. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Implement automated audit tools. CC ID 04882
    [Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement tools that can provide reports on the level of compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 5
    Select the Tools That Will Be Deployed for Auditing and System Activity Reviews § 5.3.2. Table 22. Row 2 Key Activities 2.
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4]
    Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071
    [Secure management support for the evaluation process to ensure participation. § 5.1.8. Table 15. Row 3 Description Bullet 4]
    Human Resources Management Preventive
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Technical Security Detective
    Document improvement actions based on test results and exercises. CC ID 16840
    [Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    Utilize the results of evaluations to inform impactful security changes to protect ePHI. § 5.1.8. Table 15. Row 4 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Define the test requirements for each testing program. CC ID 13177
    [Decide how to segment the type of testing based on the assessment of business impact and the acceptability of a sustained loss of service. § 5.1.7. Table 14. Row 7 Description Bullet 6]
    Establish/Maintain Documentation Preventive
    Include test requirements for the use of production data in the testing program. CC ID 17201 Testing Preventive
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Testing Preventive
    Define the test frequency for each testing program. CC ID 13176
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Perform penetration tests, as necessary. CC ID 00655
    [Conduct penetration testing (where testers attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate. § 5.1.8. Table 15. Row 3 Description Bullet 6]
    Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Technical Security Preventive
    Document and maintain test results. CC ID 17028
    [{evaluation} Document Results § 5.1.8. Table 15. Row 4 Key Activities 4.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Testing Preventive
    Include the pass or fail test status in the test results. CC ID 17106 Establish/Maintain Documentation Preventive
    Include time information in the test results. CC ID 17105 Establish/Maintain Documentation Preventive
    Include a description of the system tested in the test results. CC ID 17104 Establish/Maintain Documentation Preventive
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103
    [Communicate evaluation results, metrics, and/or measurements to relevant organizational personnel. § 5.1.8. Table 15. Row 4 Description Bullet 5]
    Communicate Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [Consider determining any specific evaluation metrics and/or measurements to be captured during evaluation. Metrics and/or measurements can assist in tracking progress over time. § 5.1.8. Table 15. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Ensure that system activity can be traced to a specific user. § 5.3.1. Table 21. Row 3 Description Bullet 2]
    Log Management Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Implement corrective actions when problems arise. § 5.1.5. Table 12. Row 7 Description Bullet 5
    Identify Corrective Measures § 5.2.1. Table 17. Row 2 Key Activities 2.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include evidence of the closure of findings in the corrective action plan. CC ID 16978 Actionable Reports or Measurements Preventive
    Include roles and responsibilities in the corrective action plan. CC ID 16926
    [Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include actions taken to resolve issues in the corrective action plan. CC ID 16884 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 Communicate Preventive
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Document and communicate to the workforce the organization's decisions on audits and reviews. § 5.3.2. Table 22. Row 3 Description Bullet 1]
    Actionable Reports or Measurements Corrective
  • Operational and Systems Continuity
    162
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210
    [HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 5.1.7. ¶ 1]
    Establish/Maintain Documentation Preventive
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211 Testing Detective
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 Investigate Detective
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 Investigate Detective
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [Develop a Contingency Planning Policy § 5.1.7. Table 14. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Include escalation procedures in the business continuity policy. CC ID 17203 Systems Continuity Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Establish/Maintain Documentation Preventive
    Include management commitment in the business continuity policy. CC ID 14233 Establish/Maintain Documentation Preventive
    Include the scope in the business continuity policy. CC ID 14231 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Communicate Preventive
    Include the purpose in the business continuity policy. CC ID 14188 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235 Establish/Maintain Documentation Preventive
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 Establish/Maintain Documentation Preventive
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Establish/Maintain Documentation Preventive
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Establish/Maintain Documentation Preventive
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 Establish/Maintain Documentation Preventive
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239 Establish/Maintain Documentation Preventive
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 Establish/Maintain Documentation Preventive
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 Establish/Maintain Documentation Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Establish/Maintain Documentation Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262 Establish/Maintain Documentation Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Establish/Maintain Documentation Preventive
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Testing Detective
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Establish/Maintain Documentation Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Include network security in the scope of the continuity framework. CC ID 16327 Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Establish/Maintain Documentation Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Systems Continuity Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Establish/Maintain Documentation Preventive
    Designate safe rooms in the shelter in place plan. CC ID 16276 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Establish Roles Preventive
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Communicate Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop and Implement an Emergency Mode Operation Plan Implementation Specification (Required) § 5.1.7. Table 14. Row 6 Key Activities 6.]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include tolerance levels in the continuity plan. CC ID 17305 Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish Contingency Operations Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 5 Key Activities 5.
    Identify a method for supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems. § 5.3.1. Table 21. Row 7 Description Bullet 2]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [Establish (and implement as needed) procedures to restore any loss of data. § 5.1.7. Table 14. Row 5 Description Bullet 2
    Develop Recovery Strategy § 5.1.7. Table 14. Row 4 Key Activities 4.
    {be cost-effective} Establish cost-effective strategies for recovering these critical services or processes. § 5.1.7. Table 14. Row 2 Description Bullet 7]
    Establish/Maintain Documentation Preventive
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Establish/Maintain Documentation Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295
    [Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Disseminate and communicate business functions across multiple geographically separated facilities. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Communicate Preventive
    Identify and document critical facilities. CC ID 17304 Systems Continuity Preventive
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Systems Continuity Detective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{are feasible} Ensure that identified preventive measures are practical and feasible in terms of their applicability in a given environment. § 5.1.7. Table 14. Row 3 Description Bullet 2
    {contingency plan} Identify preventive measures for each defined scenario that could result in the loss of a critical service operation involving the use of ePHI. § 5.1.7. Table 14. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency mode operation} "Emergency mode" operation involves only those critical business processes that must occur to protect the security of ePHI during and immediately after a crisis situation. § 5.1.7. Table 14. Row 6 Description Bullet 2
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish (and implement as needed) procedures to enable the continuation of critical business processes to protect the security of ePHI while operating in emergency mode. § 5.1.7. Table 14. Row 6 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include load-shedding in the emergency operating procedures. CC ID 17133 Establish/Maintain Documentation Preventive
    Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 Establish/Maintain Documentation Preventive
    Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 Establish/Maintain Documentation Preventive
    Include outages in the emergency operating procedures. CC ID 17129 Establish/Maintain Documentation Preventive
    Include energy resource management in the emergency operating procedures. CC ID 17128 Establish/Maintain Documentation Preventive
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2
    {critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    {contingency plan} Conduct an Applications and Data Criticality Analysis Implementation Specification (Addressable) § 5.1.7. Table 14. Row 2 Key Activities 2.
    Assess the relative criticality of specific applications and data in support of other Contingency Plan components. § 5.1.7. Table 14. Row 2 Description Bullet 1]
    Establish/Maintain Documentation Detective
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Systems Continuity Preventive
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [Determine the amount of time that the organization can tolerate disruptions to these operations, materials, or services (e.g., due to power outages). § 5.1.7. Table 14. Row 2 Description Bullet 4
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Define and prioritize critical business records. CC ID 11687
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Identify all critical business records. CC ID 00737 Records Management Detective
    Include the protection of personnel in the continuity plan. CC ID 06378 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [Consider assigning secondary personnel to be part of the incident response team in the event that primary personnel are unavailable. § 5.1.6. Table 13. Row 2 Description Bullet 3]
    Human Resources Management Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6]
    Establish/Maintain Documentation Preventive
    Include the capacity of critical resources in the critical resource list. CC ID 17099 Establish/Maintain Documentation Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Establish/Maintain Documentation Preventive
    Include a backup rotation scheme in the backup policy. CC ID 16219 Establish/Maintain Documentation Preventive
    Include naming conventions in the backup policy. CC ID 16218 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish and implement procedures to create and maintain retrievable exact copies of ePHI. § 5.1.7. Table 14. Row 5 Description Bullet 1
    {contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Systems Continuity Preventive
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Communicate Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Data and Information Management Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Data and Information Management Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Data and Information Management Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Data and Information Management Preventive
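    The backup controls above (retrievable exact copies of ePHI, verified completion of the backup procedure, a naming convention and rotation scheme in the backup policy, and a Recovery Point Objective for in-scope systems) are usually satisfied by one routine rather than by separate documents. The following is an added example written for this page, not code from NIST SP 800-66r2 or from any backup vendor: it archives a directory under an assumed naming pattern (`ephi-<full|incr>-<UTC timestamp>.tar`), proves each copy is retrievable and exact by restoring it to scratch space and comparing SHA-256 hashes against the source, detects a corrupted copy, applies an assumed retention count per archive type, and checks the newest archive against an assumed RPO. The sample files are constructed and contain no real ePHI.

```python
"""Backup cycle with completion verification, naming convention, rotation and RPO check.

Added example for the backup controls on this page; not code from NIST SP 800-66r2 or
any vendor. The naming pattern, retention counts, RPO values and sample files are
assumptions made for the illustration.
"""
import hashlib
import re
import shutil
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed naming convention: ephi-<full|incr>-<UTC timestamp>.tar
NAME_RE = re.compile(r"^ephi-(full|incr)-(\d{8}T\d{6}Z)\.tar$")
STAMP_FMT = "%Y%m%dT%H%M%SZ"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path, kind: str, when: datetime) -> Path:
    """Archive src into dest_dir under the naming convention; return the archive path."""
    out = dest_dir / f"ephi-{kind}-{when.strftime(STAMP_FMT)}.tar"
    with tarfile.open(out, "w") as tf:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tf.add(p, arcname=str(p.relative_to(src)).replace("\\", "/"))
    return out


def verify_backup(archive: Path, expected: dict) -> bool:
    """Restore into scratch space and compare hashes against the source manifest.

    Passing means the copy is both retrievable and exact; a truncated or corrupted
    archive fails here instead of at the moment it is needed.
    """
    scratch = Path(tempfile.mkdtemp())
    try:
        with tarfile.open(archive) as tf:
            # The 'data' filter (Python 3.12+, backported to security releases) blocks
            # path traversal and device members when restoring from untrusted media.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(str(scratch), **kwargs)
        return manifest(scratch) == expected
    except (tarfile.TarError, OSError):
        return False
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def apply_rotation(dest_dir: Path, keep_full: int, keep_incr: int) -> list:
    """Delete archives beyond the retention counts (newest kept); return removed names."""
    removed = []
    for kind, keep in (("full", keep_full), ("incr", keep_incr)):
        files = sorted(p for p in dest_dir.iterdir()
                       if (m := NAME_RE.match(p.name)) and m.group(1) == kind)
        for p in (files[:-keep] if keep else files):
            p.unlink()
            removed.append(p.name)
    return removed


def meets_rpo(dest_dir: Path, now: datetime, rpo: timedelta) -> bool:
    """True when the newest archive is no older than the Recovery Point Objective."""
    stamps = [datetime.strptime(m.group(2), STAMP_FMT).replace(tzinfo=timezone.utc)
              for p in dest_dir.iterdir() if (m := NAME_RE.match(p.name))]
    return bool(stamps) and now - max(stamps) <= rpo


def run_demo() -> dict:
    """Constructed scenario: ten daily backups (full every 7th day), one corrupted copy."""
    base = Path(tempfile.mkdtemp())
    try:
        src, dest = base / "ephi", base / "backups"
        (src / "notes").mkdir(parents=True)
        dest.mkdir()
        (src / "record-001.json").write_text('{"id": "sample-001"}')  # constructed, not real ePHI
        (src / "notes" / "visit.txt").write_text("clinical-note-body")
        expected = manifest(src)
        t0 = datetime(2024, 2, 1, tzinfo=timezone.utc)
        archives = [create_backup(src, dest, "full" if d % 7 == 0 else "incr",
                                  t0 + timedelta(days=d)) for d in range(10)]
        all_ok = all(verify_backup(a, expected) for a in archives)
        # Simulate media corruption: alter bytes inside the archived file content.
        data = archives[3].read_bytes()
        archives[3].write_bytes(data.replace(b"clinical-note-body", b"clinical-note-BODY", 1))
        corrupt_detected = not verify_backup(archives[3], expected)
        removed = apply_rotation(dest, keep_full=2, keep_incr=3)
        now = t0 + timedelta(days=10)
        return {
            "all_verified": all_ok,
            "corrupt_detected": corrupt_detected,
            "removed": len(removed),
            "remaining": sum(1 for p in dest.iterdir() if NAME_RE.match(p.name)),
            "rpo_24h_met": meets_rpo(dest, now, timedelta(hours=24)),
            "rpo_12h_met": meets_rpo(dest, now, timedelta(hours=12)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

    The verification step restores rather than merely listing the archive, because a listing only proves the headers are intact; comparing hashes of the restored files against the source manifest is what demonstrates an exact, retrievable copy. The rotation keeps the newest archives of each type, so an RPO check that runs after rotation still sees the most recent copy.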
    Review the beneficiaries of the insurance policy. CC ID 16563 Business Processes Detective
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Establish/Maintain Documentation Preventive
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Establish/Maintain Documentation Detective
    Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 Communicate Preventive
    Train personnel on the continuity plan. CC ID 00759
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Train those with defined plan responsibilities in their roles. § 5.1.7. Table 14. Row 7 Description Bullet 3]
    Behavior Preventive
    Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 Training Preventive
    Include cross-team coordination in continuity plan training. CC ID 16235 Training Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Testing Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [Make key decisions regarding how the testing is to occur (e.g., tabletop exercise versus staging a real operational scenario, including actual loss of capability). § 5.1.7. Table 14. Row 7 Description Bullet 5
    Implement procedures for the periodic testing and revision of contingency plans. § 5.1.7. Table 14. Row 7 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Establish/Maintain Documentation Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Establish/Maintain Documentation Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Establish/Maintain Documentation Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Establish/Maintain Documentation Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Establish/Maintain Documentation Preventive
    Include contact information in the continuity test plan. CC ID 14399 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Establish/Maintain Documentation Preventive
    Include the risk assessment results in the continuity test plan. CC ID 17205 Establish/Maintain Documentation Preventive
    Include the business impact analysis test results in the continuity test plan. CC ID 17204 Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [Test the contingency plan on a predefined cycle (stated in the policy developed under Key Activity 1), if reasonable and appropriate. § 5.1.7. Table 14. Row 7 Description Bullet 2]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [If possible, involve external entities (e.g., vendors, alternative site or service providers) in testing exercises. § 5.1.7. Table 14. Row 7 Description Bullet 4]
    Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365 Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Actionable Reports or Measurements Preventive
    Address identified deficiencies in the continuity plan test results. CC ID 17209 Testing Preventive
    Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 Communicate Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Testing Detective
  • Operational management
    412
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Establish/Maintain Documentation Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system performance reviews. CC ID 11866
    [Identify the Expected Performance of Each Type of Workstation and Device § 5.2.2. Table 18. Row 2 Key Activities 2.]
    Testing Detective
    Document the organization's business processes. CC ID 13035
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Detective
    Correlate business processes and applications. CC ID 16300 Business Processes Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Establish/Maintain Documentation Preventive
    Conduct governance meetings, as necessary. CC ID 16946 Process or Activity Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Communicate Preventive
    Include governance threshold requirements in the governance policy. CC ID 16933 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414
    [Leverage any existing reports or documentation that may already be prepared by the organization addressing the compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 7]
    Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include cloud services in the internal control framework. CC ID 17262 Establish/Maintain Documentation Preventive
    Include cloud security controls in the internal control framework. CC ID 17264 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Communicate Preventive
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Process or Activity Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Establish/Maintain Documentation Preventive
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Establish/Maintain Documentation Preventive
    Include protection measures in the cybersecurity framework. CC ID 17278 Establish/Maintain Documentation Preventive
    Include the scope in the cybersecurity framework. CC ID 17277 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Communicate Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations. § 5.1.1. ¶ 1
    {security management} Create and Deploy Policies and Procedures § 5.1.1. Table 8. Row 5 Key Activities 5.
    {security management} Establish a frequency for reviewing policy and procedures. § 5.1.1. Table 8. Row 5 Description Bullet 4
    Consider the importance of documenting processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.1. Table 28. Row 1 Description Bullet 2
    Consider the importance of documenting the processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.2. Table 29. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386
    [Evaluate Existing Security Measures Related to Access Controls § 5.1.4. Table 11. Row 4 Key Activities 4.
    Evaluate the security features of access controls that are already in place or those of any planned for implementation, as appropriate. § 5.1.4. Table 11. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380
    [{security management} Include all hardware and software that are used to collect, store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Communicate Preventive
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Communicate Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.
    Once security controls have been implemented in response to the organization's risk assessment and management processes, periodically review these implemented security measures to ensure their continued effectiveness in protecting ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 2]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Establish/Maintain Documentation Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006
    [Create procedures to be followed to accomplish particular security-related tasks. § 5.1.1. Table 8. Row 5 Description Bullet 3
    {technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Business Processes Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2]
    Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2
    HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 5.1.2. ¶ 1]
    Human Resources Management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Communicate Preventive
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Communicate Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Establish/Maintain Documentation Preventive
    Define the situations that require time information in the operating instructions. CC ID 17111 Establish/Maintain Documentation Preventive
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Communicate Preventive
    Reissue operating instructions, as necessary. CC ID 17121 Communicate Preventive
    Include congestion management actions in the operational control procedures. CC ID 17135 Establish/Maintain Documentation Preventive
    Update the congestion management actions in a timely manner. CC ID 17145 Establish/Maintain Documentation Preventive
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Process or Activity Preventive
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Process or Activity Preventive
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Establish/Maintain Documentation Preventive
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Communicate Detective
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Communicate Preventive
    Include continuous monitoring in the operational control procedures. CC ID 17137 Establish/Maintain Documentation Preventive
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Communicate Preventive
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Establish/Maintain Documentation Preventive
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Business Processes Preventive
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Behavior Detective
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Process or Activity Preventive
    Coordinate outages with affected parties. CC ID 17160 Process or Activity Preventive
    Coordinate energy resource management with affected parties. CC ID 17150 Process or Activity Preventive
    Coordinate the control of voltage with affected parties. CC ID 17149 Process or Activity Preventive
    Coordinate energy shortages with affected parties. CC ID 17148 Process or Activity Preventive
    Include roles and responsibilities in the operational control procedures. CC ID 17159 Establish/Maintain Documentation Preventive
    Include alternative actions in the operational control procedures. CC ID 17096 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Approve or deny requests in a timely manner. CC ID 17095 Process or Activity Preventive
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Business Processes Preventive
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Communicate Preventive
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Communicate Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Develop Appropriate Standard Operating Procedures § 5.1.1. Table 8. Row 8 Key Activities 8.
    Develop Appropriate Standard Operating Procedures § 5.3.2. Table 22. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include system use information in the standard operating procedures manual. CC ID 17240 Establish/Maintain Documentation Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include resources in the standard operating procedures manual. CC ID 17212 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Establish/Maintain Documentation Preventive
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Establish/Maintain Documentation Preventive
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Establish/Maintain Documentation Preventive
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Establish/Maintain Documentation Preventive
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Communicate Preventive
    Validate recipients prior to sending electronic messages. CC ID 16981 Business Processes Preventive
    Establish, implement, and maintain a Global Address List. CC ID 16934 Data and Information Management Preventive
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Establish/Maintain Documentation Preventive
    Include content requirements in the e-mail policy. CC ID 17041 Establish/Maintain Documentation Preventive
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Establish/Maintain Documentation Preventive
    Include usage restrictions in the e-mail policy. CC ID 17039 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Include message format requirements in the e-mail policy. CC ID 17038 Establish/Maintain Documentation Preventive
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Establish/Maintain Documentation Preventive
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Communicate Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Develop and document policies and procedures related to the proper use and performance of devices that create, store, process, or transmit ePHI. § 5.2.2. Table 18. Row 2 Description Bullet 1
    Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Business Processes Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Business Processes Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Establish/Maintain Documentation Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Human Resources Management Preventive
    Define the requirements for where assets can be located. CC ID 17051 Business Processes Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Business Processes Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Establish/Maintain Documentation Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Include installation requirements in the asset management program. CC ID 17195 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Business Processes Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Communicate Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2
    Classify devices based on the capabilities, connections, and allowable activities for each device used. § 5.2.2. Table 18. Row 1 Description Bullet 3]
    Establish Roles Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Business Processes Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Establish Roles Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1
Inventory workstations and devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.2. Table 18. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Identify systems covered by the contract/agreement. § 5.1.9. Table 16. Row 1 Description Bullet 3]
    Data and Information Management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Data and Information Management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Data and Information Management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
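The inventory controls above list what an ePHI asset record should carry (unique name, host name, make and model, owner, business function, software and firmware versions, install and vendor support end dates, status and decommission date) and require that every change be recorded and that unsupported assets be tagged. The following is an added illustration of one way to structure such an inventory so those controls are checkable; it is not code from NIST SP 800-66r2 or from this crosswalk, and every field name, device, vendor, owner and date in it is constructed for the example.

```python
"""Minimal ePHI asset inventory with a change audit trail.

Added illustration only: not code from NIST SP 800-66r2 or from this
crosswalk. Every field name, record, host, vendor and date below is
constructed for the example.
"""
from dataclasses import dataclass, field, asdict
from datetime import date
from typing import Optional


def _as_date(value) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Asset:
    asset_id: str                      # unique name per asset (CC ID 16305)
    host_name: str                     # CC ID 13722
    make_model: str                    # make and model (CC ID 12465)
    business_function: str             # related business function (CC ID 06636)
    owner: str                         # responsible individual (CC ID 06640)
    software_version: str              # CC ID 12196
    firmware_version: str              # CC ID 12195
    install_date: date                 # CC ID 13720
    support_end_date: Optional[date]   # vendor support end date (CC ID 17194)
    status: str = "in-service"         # CC ID 16304
    decommission_date: Optional[date] = None   # CC ID 14920
    tags: set = field(default_factory=set)


class Inventory:
    """Assets keyed by id plus an append-only log of every change (CC ID 12190)."""

    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.audit_log: list[dict] = []

    def _log(self, actor, when, asset_id, change, before, after) -> None:
        self.audit_log.append({"when": _as_date(when), "actor": actor, "asset": asset_id,
                               "change": change, "before": before, "after": after})

    def add(self, asset: Asset, actor: str, when) -> None:
        if asset.asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        self.assets[asset.asset_id] = asset
        self._log(actor, when, asset.asset_id, "add", None, asdict(asset))

    def update(self, asset_id: str, actor: str, when, **changes) -> None:
        """Apply field changes and keep before/after snapshots in the log."""
        asset = self.assets[asset_id]
        before = asdict(asset)
        for name, value in changes.items():
            if name not in before:
                raise AttributeError(f"unknown inventory field {name!r}")
            setattr(asset, name, value)
        self._log(actor, when, asset_id, "update", before, asdict(asset))

    def decommission(self, asset_id: str, actor: str, when) -> None:
        when = _as_date(when)
        self.update(asset_id, actor, when, status="decommissioned", decommission_date=when)

    def tag_unsupported(self, as_of) -> list[str]:
        """Tag in-service assets whose vendor support has ended (CC ID 13723)."""
        as_of = _as_date(as_of)
        flagged = []
        for asset in self.assets.values():
            if asset.status != "in-service":
                continue
            if asset.support_end_date is not None and asset.support_end_date < as_of:
                asset.tags.add("unsupported")
                flagged.append(asset.asset_id)
        return sorted(flagged)

    def history(self, asset_id: str) -> list[dict]:
        return [entry for entry in self.audit_log if entry["asset"] == asset_id]


def build_sample_inventory() -> Inventory:
    """Constructed sample data: three devices that handle ePHI, one already patched once."""
    inv = Inventory()
    inv.add(Asset("ws-0001", "nurse-ws-01", "Vendor X Workstation 5", "nursing station charting",
                  "J. Doe (IT)", "1.2.3", "1.0", date(2021, 3, 1), date(2024, 6, 30)),
            actor="asset-admin", when="2021-03-01")
    inv.add(Asset("pump-0007", "infusion-07", "Vendor Y Infusion Pump", "inpatient infusion",
                  "Biomedical Engineering", "4.1", "2.2", date(2019, 8, 15), date(2026, 12, 31)),
            actor="asset-admin", when="2019-08-15")
    inv.add(Asset("tab-0012", "tablet-12", "Vendor Z Tablet 10", "mobile rounding",
                  "Clinical IT", "17.4", "n/a", date(2022, 1, 10), None),
            actor="asset-admin", when="2022-01-10")
    inv.update("ws-0001", actor="patch-bot", when="2024-02-01", software_version="1.2.4")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("unsupported as of 2024-10-15:", inv.tag_unsupported("2024-10-15"))
    for entry in inv.history("ws-0001"):
        print(entry["when"], entry["actor"], entry["change"])
```

The point of keeping before/after snapshots in the log, rather than only the new value, is that the record of changes can answer "what software version was this workstation running on a given date" during an incident review without reconstructing it from patch tickets; and keying the unsupported tag off the recorded support end date (with assets lacking a known end date left untagged rather than assumed supported) makes the end-of-life control something the inventory itself can report on.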
    Establish, implement, and maintain a software accountability policy. CC ID 00868
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Establish/Maintain Documentation Preventive
    Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 Configuration Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Establish/Maintain Documentation Preventive
    Obtain management approval prior to disposing of information technology assets. CC ID 17270 Business Processes Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Business Processes Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Business Processes Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3
    Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks). § 5.2.1. Table 17. Row 6 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 Maintenance Preventive
    Include a description of the maintenance performed in the maintenance report. CC ID 17087 Maintenance Preventive
    Include roles and responsibilities in the maintenance report. CC ID 17086 Maintenance Preventive
    Include the date and time of maintenance in the maintenance report. CC ID 17085 Maintenance Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Establish, implement, and maintain a technology refresh schedule. CC ID 16940 Establish/Maintain Documentation Preventive
    Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 Communicate Preventive
    Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 Process or Activity Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Maintenance Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202
    [Maintain Maintenance Records Implementation Specification (Addressable) § 5.2.1. Table 17. Row 6 Key Activities 6.]
    Establish/Maintain Documentation Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Establish/Maintain Documentation Preventive
    Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 Communicate Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [HIPAA Standard: Implement policies and procedures to address security incidents. § 5.1.6. ¶ 1]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Communicate Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [Gain an understanding as to what constitutes a true security incident. Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (45 CFR § 164.304). § 5.1.6. Table 13. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Establish/Maintain Documentation Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Process or Activity Detective
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Process or Activity Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Process or Activity Detective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Respond to and triage when an incident is detected. CC ID 06942
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Process or Activity Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Establish/Maintain Documentation Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Establish/Maintain Documentation Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Establish/Maintain Documentation Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Data and Information Management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Remediate security violations according to organizational standards. CC ID 12338
    [Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Business Processes Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties' rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Establish/Maintain Documentation Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233
    [Update the procedures as required based on changing organizational needs. § 5.1.6. Table 13. Row 3 Description Bullet 6
    Incorporate Post-Incident Analysis Into Updates and Revisions § 5.1.6. Table 13. Row 4 Key Activities 4.
    Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [Establish (and implement as needed) procedures that allow facility access in support of the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. § 5.2.1. Table 17. Row 5 Description Bullet 1
    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 5.3.1. Table 21. Row 7 Description Bullet 1
    Establish an Emergency Access Procedure Implementation Specification (Required) § 5.3.1. Table 21. Row 7 Key Activities 7.]
    Establish/Maintain Documentation Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Data and Information Management Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.
    Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4
    Establish a specific policy for security incident reporting. § 5.4.2. Table 27. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Ensure that the incident response program covers all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 1 Description Bullet 2
    Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.]
    Establish/Maintain Documentation Preventive
    Create an incident response report. CC ID 12700
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include entities notified of the incident in the incident response report. CC ID 17294 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in the incident response report. CC ID 17298 Establish/Maintain Documentation Preventive
    Include the incident reference code in the incident response report. CC ID 17297 Establish/Maintain Documentation Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987 Establish/Maintain Documentation Preventive
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Establish/Maintain Documentation Preventive
    Include disciplinary actions taken in the incident response report. CC ID 16810 Establish/Maintain Documentation Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Establish/Maintain Documentation Preventive
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Establish/Maintain Documentation Preventive
    Include recovery measures in the incident response report. CC ID 17299 Establish/Maintain Documentation Preventive
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296 Establish/Maintain Documentation Preventive
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Acquisition/Sale of Assets or Services Preventive
    Define target resolution times for incident response in the Incident Response program. CC ID 13072
    [Determine the Goals of an Incident Response § 5.1.6. Table 13. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Mitigate reported incidents. CC ID 12973
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Actionable Reports or Measurements Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Establish/Maintain Documentation Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Establish/Maintain Documentation Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Establish/Maintain Documentation Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Establish/Maintain Documentation Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Establish/Maintain Documentation Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Establish/Maintain Documentation Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Establish/Maintain Documentation Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Establish/Maintain Documentation Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Establish/Maintain Documentation Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Communicate Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237
    [Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate Response Mechanism § 5.1.6. Table 13. Row 2 Key Activities 2.
    Determine whether the size, scope, mission, and other aspects of the organization justify the reasonableness and appropriateness of maintaining a standing incident response team. § 5.1.6. Table 13. Row 2 Description Bullet 1
    Identify appropriate individuals to be part of a formal incident response team if the organization has determined that implementing an incident response team is reasonable and appropriate. § 5.1.6. Table 13. Row 2 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include identifying remediation actions in the incident response plan. CC ID 13354 Establish/Maintain Documentation Preventive
    Include log management procedures in the incident response program. CC ID 17081 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Ensure that an organizational incident response policy is in place that addresses all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 3 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the incident response policy. CC ID 14108 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the incident response policy. CC ID 14107
    [Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Include management commitment in the incident response policy. CC ID 14106 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the incident response policy. CC ID 14105 Establish/Maintain Documentation Preventive
    Include the scope in the incident response policy. CC ID 14104 Establish/Maintain Documentation Preventive
    Include the purpose in the incident response policy. CC ID 14101 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Communicate Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team. § 5.1.6. Table 13. Row 3 Description Bullet 3
    Determine how the organization will respond to a security incident. § 5.1.6. Table 13. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Detective
    Include time information in the chain of custody. CC ID 17068 Log Management Preventive
    Include actions performed on evidence in the chain of custody. CC ID 17067 Log Management Preventive
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Log Management Preventive
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Establish/Maintain Documentation Preventive
    Prepare digital forensic equipment. CC ID 08688 Investigate Detective
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Test the incident response procedures. CC ID 01216
    [Consider conducting tests of the incident response plan. § 5.1.6. Table 13. Row 3 Description Bullet 5]
    Testing Detective
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Determine what constitutes an environmental or operational change that affects the security of ePHI. § 5.1.8. Table 15. Row 3 Description Bullet 2
    Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a transition strategy. CC ID 17049 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the transition strategy. CC ID 17290 Establish/Maintain Documentation Preventive
    Include resources in the transition strategy. CC ID 17289 Establish/Maintain Documentation Preventive
    Include time requirements in the transition strategy. CC ID 17288 Establish/Maintain Documentation Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Establish, implement, and maintain traceability documentation. CC ID 16388 Systems Design, Build, and Implementation Preventive
    Update associated documentation after the system configuration has been changed. CC ID 00891
    [Review documentation periodically and update as needed in response to environmental or operational changes that affect the security of the ePHI. § 5.5.2. Table 29. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain a service catalog. CC ID 13634
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include a service description in the service catalog. CC ID 13917 Establish/Maintain Documentation Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Establish/Maintain Documentation Preventive
    Include service deliverables for each service description in the service catalog. CC ID 13918 Establish/Maintain Documentation Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 Establish/Maintain Documentation Preventive
    Categorize services in the service catalog. CC ID 14419 Establish/Maintain Documentation Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Establish/Maintain Documentation Preventive
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910 Communicate Preventive
  • Physical and environmental protection
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757
    [Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 5.2.1. Table 17. Row 3 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 5.2.1. ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical security plans. CC ID 13307 Establish/Maintain Documentation Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Establish/Maintain Documentation Preventive
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Establish/Maintain Documentation Preventive
    Conduct external audits of the physical security plan. CC ID 13314 Audits and Risk Management Detective
    Report damaged property to interested personnel and affected parties. CC ID 13702 Communicate Corrective
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Configuration Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Configuration Preventive
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Communicate Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Develop a Facility Security Plan Implementation Specification (Addressable) § 5.2.1. Table 17. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1
    {authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2
    Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629
    [Determine which types of facilities require access controls to safeguard ePHI, such as: § 5.2.1. Table 17. Row 1 Description Bullet 3
    Implement procedures to provide facility access to authorized personnel and visitors and exclude unauthorized persons. § 5.2.1. Table 17. Row 4 Description Bullet 2
    Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699
    [Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Log the individual's address in the facility access list. CC ID 16921 Log Management Preventive
    Log the contact information for the person authorizing access in the facility access list. CC ID 16920 Log Management Preventive
    Log the organization's name in the facility access list. CC ID 16919 Log Management Preventive
    Log the individual's name in the facility access list. CC ID 16918 Log Management Preventive
    Log the purpose in the facility access list. CC ID 16982 Log Management Preventive
    Log the level of access in the facility access list. CC ID 16975 Log Management Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462
    [Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 Business Processes Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Restrict physical access mechanisms to authorized parties. CC ID 16924 Process or Activity Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Record the purpose of the visit in the visitor log. CC ID 16917 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the date and time of departure in the visitor log. CC ID 16897 Log Management Preventive
    Record the type of identification used in the visitor log. CC ID 16916 Log Management Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Include the requestor's name in the physical access log. CC ID 16922 Log Management Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [HIPAA Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 5.2.3. ¶ 1
    Identify All Methods of Physical Access to Workstations and Devices § 5.2.3. Table 19. Row 1 Key Activities 1.
    Document the different ways that users access workstations and other devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.3. Table 19. Row 1 Description Bullet 1
    Identify and Implement Physical Safeguards for Workstations and Devices § 5.2.3. Table 19. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Physical and Environmental Protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Maintain Accountability for Hardware and Electronic Media Implementation Specification (Addressable) § 5.2.4. Table 20. Row 3 Key Activities 3.]
    Records Management Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Log Management Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Technical Security Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and Environmental Protection Preventive
    Restrict physical access to distributed assets. CC ID 11865
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Establish/Maintain Documentation Preventive
    Include compliance requirements in the media protection policy. CC ID 14185 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the media protection policy. CC ID 14184 Establish/Maintain Documentation Preventive
    Include management commitment in the media protection policy. CC ID 14182 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the media protection policy. CC ID 14180 Establish/Maintain Documentation Preventive
    Include the scope in the media protection policy. CC ID 14167 Establish/Maintain Documentation Preventive
    Include the purpose in the media protection policy. CC ID 14166 Establish/Maintain Documentation Preventive
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Communicate Preventive
    Establish, implement, and maintain media protection procedures. CC ID 14062 Establish/Maintain Documentation Preventive
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Communicate Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Identify removable media and their uses. § 5.2.4. Table 20. Row 2 Description Bullet 3]
    Data and Information Management Preventive
    Treat archive media as evidence. CC ID 00960 Records Management Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Establish/Maintain Documentation Preventive
    Obtain management approval prior to decommissioning assets. CC ID 17269 Business Processes Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and Environmental Protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and Environmental Protection Preventive
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Log Management Preventive
    Monitor the location of distributed assets. CC ID 11684
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1
    Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Monitor and Evaluate Occurrences Detective
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Technical Security Corrective
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Process or Activity Corrective
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1
    Determine the proper function and manner by which specific workstations or classes of workstations are permitted to access ePHI (e.g., applications permitting access to ePHI that are allowed on workstations used by a hospital's customer service call center or its radiology department). § 5.2.2. Table 18. Row 1 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Data and Information Management Preventive
    Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 Communicate Preventive
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 Communicate Preventive
    Establish, implement, and maintain mobile device activation procedures. CC ID 16999 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include a "Return to Sender" text file on mobile devices. CC ID 17075 Process or Activity Preventive
    Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 Establish/Maintain Documentation Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Business Processes Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and Environmental Protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Data and Information Management Preventive
    Remove dormant systems from the network, as necessary. CC ID 13727 Process or Activity Corrective
    Secure system components from unauthorized viewing. CC ID 01437
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Develop a standard set of procedures that should be followed to recover access control devices (e.g., identification badges, keys, access cards) when employment ends. § 5.1.3. Table 10. Row 5 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and Environmental Protection Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and Environmental Protection Preventive
    Establish, implement, and maintain returned card procedures. CC ID 13567 Establish/Maintain Documentation Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Business Processes Preventive
    Establish, implement, and maintain a mailing control log. CC ID 16136 Establish/Maintain Documentation Preventive
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Establish Roles Preventive
    Inventory payment cards, as necessary. CC ID 13547 Records Management Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Establish/Maintain Documentation Preventive
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and Environmental Protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and Environmental Protection Preventive
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and Environmental Protection Preventive
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and Environmental Protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and Environmental Protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710
    [{authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and Environmental Protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and Environmental Protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and Environmental Protection Preventive
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and Environmental Protection Preventive
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Technical Security Preventive
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613
    [Analyze Physical Surroundings for Physical Attributes § 5.2.2. Table 18. Row 3 Key Activities 3.
    HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Establish/Maintain Documentation Preventive
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [Determine whether a component of the regulated entity constitutes a healthcare clearinghouse under the HIPAA Security Rule. § 5.1.4. Table 11. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Establish/Maintain Documentation Preventive
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432 Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Establish/Maintain Documentation Preventive
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312 Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Communicate Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Establish/Maintain Documentation Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Communicate Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Data and Information Management Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Establish Roles Preventive
    Include the verification method in the registration notice. CC ID 16798 Establish/Maintain Documentation Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Behavior Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Behavior Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include the names of the individuals to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Data and Information Management Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Communicate Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Establish/Maintain Documentation Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Establish/Maintain Documentation Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Write privacy notices in the official languages required by law. CC ID 16529 Establish/Maintain Documentation Preventive
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Establish/Maintain Documentation Preventive
    Include management commitment in the privacy policy. CC ID 14668 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Establish/Maintain Documentation Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Establish/Maintain Documentation Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Establish/Maintain Documentation Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include opt-out instructions in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Establish/Maintain Documentation Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Establish/Maintain Documentation Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Communicate Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Communicate Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Process or Activity Preventive
    Approve the privacy plan. CC ID 14700 Business Processes Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Establish/Maintain Documentation Preventive
    Include the information types in the privacy plan. CC ID 14695 Establish/Maintain Documentation Preventive
    Include threats in the privacy plan. CC ID 14694 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Establish/Maintain Documentation Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Establish/Maintain Documentation Preventive
    Include security controls in the privacy plan. CC ID 14681 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Communicate Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Establish/Maintain Documentation Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Behavior Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Communicate Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Communicate Preventive
    Date the data subject's consent. CC ID 17233 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Human Resources Management Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt in to providing their personal data to the organization. CC ID 13781 Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Data and Information Management Preventive
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Technical Security Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Business Processes Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Process or Activity Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Allow consent requests to be provided in any official language. CC ID 16530 Business Processes Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Communicate Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless the applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870 Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed of, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Ensure that ePHI is properly destroyed and cannot be recreated. § 5.2.4. Table 20. Row 1 Description Bullet 3
    Implement Methods for the Final Disposal of ePHI Implementation Specification (Required) § 5.2.4. Table 20. Row 1 Key Activities 1.]
    Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414 Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Respond to data access requests in an official language. CC ID 17176 Communicate Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Data and Information Management Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Process or Activity Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Business Processes Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process restricted data lawfully and carefully. CC ID 00086 Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Business Processes Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Data and Information Management Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Data and Information Management Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Data and Information Management Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Data and Information Management Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Communicate Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Data and Information Management Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Data and Information Management Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Data and Information Management Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Data and Information Management Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507 Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Refrain from selling restricted data, as necessary. CC ID 17165 Data and Information Management Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Data and Information Management Preventive
    Document the exceptions for redisclosing restricted data. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Communicate Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Data and Information Management Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Communicate Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with a grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify the data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Data and Information Management Preventive
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Data and Information Management Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Data and Information Management Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect restricted data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Data and Information Management Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Data and Information Management Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Data and Information Management Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Data and Information Management Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Data and Information Management Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect restricted data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect restricted data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Validate the business need for maintaining collected restricted data. CC ID 17090 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606
    [Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 5.1.1. Table 8. Row 3 Description Bullet 1
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2
    Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor's Security of ePHI Implementation Specification (Required) § 5.4.2. Table 27. Row 1 Key Activities 1.
    HIPAA Standard: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 5.4.2. ¶ 1]
    Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355
    [Implement appropriate measures to provide physical security protection for ePHI in a regulated entity's possession. § 5.2.1. Table 17. Row 3 Description Bullet 2]
    Testing Preventive
    Limit data leakage. CC ID 00356
    [Ensure that ePHI is not inadvertently released or shared with any unauthorized party. § 5.2.4. Table 20. Row 3 Description Bullet 2]
    Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357
    [Conduct Risk Assessment Implementation Specification (Required) § 5.1.1. Table 8. Row 2 Key Activities 2.
    Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate. § 5.1.1. Table 8. Row 2 Description Bullet 1]
    Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
    Include text about data ownership in the data handling policy. CC ID 15720 Data and Information Management Preventive
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352 Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Establish/Maintain Documentation Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Communicate Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Records Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712
    [Consider the impact of a merger or acquisition on risks to ePHI. During a merger or acquisition, new data pathways may be introduced that lead to ePHI being stored, processed, or transmitted in previously unanticipated places. § 5.1.1. Table 8. Row 1 Description Bullet 5]
    Establish/Maintain Documentation Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Establish/Maintain Documentation Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Establish/Maintain Documentation Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Establish/Maintain Documentation Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Establish/Maintain Documentation Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Establish/Maintain Documentation Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Establish/Maintain Documentation Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Establish/Maintain Documentation Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Business Processes Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Communicate Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Behavior Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Establish/Maintain Documentation Preventive
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Establish/Maintain Documentation Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Establish/Maintain Documentation Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Business Processes Preventive
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457 Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Communicate Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which disputed changes were not made to personal data, and why. CC ID 00466 Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Business Processes Corrective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before an adverse decision against the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Establish/Maintain Documentation Detective
    Order the organization to make changes so that it complies with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501 Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504 Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Communicate Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
  • Records management
    63
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an information management program. CC ID 14315
    [Periodically evaluate written policies and procedures to verify that: § 5.5.1. Table 28. Row 1 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Ensure data sets have the appropriate characteristics. CC ID 15000 Data and Information Management Detective
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Data and Information Management Detective
    Retain records in accordance with applicable requirements. CC ID 00968
    [Retain Documentation for at Least Six Years Implementation Specification (Required) § 5.5.2. Table 29. Row 2 Key Activities 2.
    Retain documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 5.5.2. Table 29. Row 2 Description Bullet 1]
    Records Management Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. § 5.2.4. Table 20. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Perform destruction at authorized facilities. CC ID 17074 Business Processes Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Business Processes Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure that ePHI previously stored on any electronic media cannot be accessed and reused. § 5.2.4. Table 20. Row 2 Description Bullet 2]
    Data and Information Management Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643
    [Implement procedures for the removal of ePHI from electronic media before the media become available for reuse. § 5.2.4. Table 20. Row 2 Description Bullet 1
    Ensure that ePHI is removed from reusable media before they are used to record new information. § 5.2.4. Table 20. Row 2 Description Bullet 4]
    Data and Information Management Preventive
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Process or Activity Preventive
    Use approved media sanitization equipment for destruction. CC ID 16459 Business Processes Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Require that authorized individuals be present to witness records disposition. CC ID 12313 Data and Information Management Preventive
    Include the sanitization method in the disposal record. CC ID 17073 Log Management Preventive
    Include time information in the disposal record. CC ID 17072 Log Management Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Establish/Maintain Documentation Preventive
    Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 Communicate Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Collect and document all needed information. Collection methods may include the use of interviews, surveys, and the outputs of automated tools, such as access control auditing tools, system logs, and the results of penetration testing. § 5.1.8. Table 15. Row 3 Description Bullet 5
    HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1]
    Records Management Detective
    Establish, implement, and maintain authorization records. CC ID 14367 Establish/Maintain Documentation Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Establish/Maintain Documentation Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Establish/Maintain Documentation Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic health records. CC ID 14436 Data and Information Management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Data and Information Management Preventive
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records Management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Process or Activity Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Establish/Maintain Documentation Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Actionable Reports or Measurements Preventive
    Create export summaries, as necessary. CC ID 14446 Process or Activity Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Data and Information Management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Data and Information Management Preventive
    Identify patient-specific education resources. CC ID 14439 Process or Activity Detective
    Establish and maintain an implantable device list. CC ID 14444 Records Management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Data and Information Management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Business Processes Preventive
    Include attributes in the decision support intervention. CC ID 16766 Data and Information Management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records Management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records Management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records Management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records Management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Log Management Preventive
    Include record integrity techniques in the records management procedures. CC ID 06418
    [Identify and implement methods that will be used to protect ePHI from unauthorized modification. § 5.3.3. Table 23. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Implement a Mechanism to Authenticate ePHI Implementation Specification (Addressable) § 5.3.3. Table 23. Row 5 Key Activities 5.
    Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. § 5.3.3. Table 23. Row 5 Description Bullet 1
    Consider possible mechanisms for integrity verification, such as: § 5.3.3. Table 23. Row 5 Description Bullet 2
    Implement Integrity Controls Implementation Specification (Addressable) § 5.3.5. Table 25. Row 3 Key Activities 3.]
    Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Sanitize user input in accordance with organizational standards. CC ID 16856 Process or Activity Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Develop and Implement Procedures for the Reuse of Electronic Media Implementation Specification (Required) § 5.2.4. Table 20. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Establish/Maintain Documentation Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953
    [Create a retrievable exact copy of ePHI, when needed, before movement of equipment. § 5.2.4. Table 20. Row 4 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2]
    Records Management Preventive
    Establish, implement, and maintain a removable storage media log. CC ID 12317
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988
    [{transmitted} Identify where ePHI is generated within the organization, where it enters the organization, where it moves within the organization, where it is stored, and where it leaves the organization. § 5.1.1. Table 8. Row 1 Description Bullet 1]
    Business Processes Detective
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Process or Activity Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Process or Activity Detective
    Remove non-public information from publicly accessible systems. CC ID 14246 Data and Information Management Corrective
  • System hardening through configuration management
    29
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 1]
    Configuration Preventive
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 Technical Security Preventive
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 Configuration Preventive
    Invalidate unexpected session identifiers. CC ID 15307 Configuration Preventive
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 Configuration Preventive
    Reject session identifiers that are not valid. CC ID 15306 Configuration Preventive
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 Configuration Preventive
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 Configuration Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 Configuration Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332
    [Ensure that the necessary data is available in the system logs to support audit and other related business functions. § 5.3.1. Table 21. Row 3 Description Bullet 3]
    Configuration Preventive
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 Log Management Preventive
    Configure the log to capture startups and shutdowns. CC ID 16491 Log Management Preventive
    Configure the log to capture user queries and searches. CC ID 16479 Log Management Preventive
    Configure the log to capture Internet Protocol addresses. CC ID 16495 Log Management Preventive
    Configure the log to capture error messages. CC ID 16477 Log Management Preventive
    Configure the log to capture system failures. CC ID 16475 Log Management Preventive
    Configure the log to capture account lockouts. CC ID 16470 Configuration Preventive
    Configure the log to capture execution events. CC ID 16469 Configuration Preventive
    Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 Log Management Preventive
    Configure the log to capture AWS Organizations changes. CC ID 15445 Configuration Preventive
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 Configuration Preventive
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 Configuration Preventive
    Configure the log to capture route table changes. CC ID 15439 Configuration Preventive
    Configure the log to capture virtual private cloud changes. CC ID 15435 Configuration Preventive
    Configure the log to capture changes to encryption keys. CC ID 15432 Configuration Preventive
    Configure the log to capture unauthorized API calls. CC ID 15429 Configuration Preventive
    Configure the log to capture changes to network gateways. CC ID 15421 Configuration Preventive
    Configure the "logging level" to organizational standards. CC ID 14456 Configuration Detective
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 Log Management Preventive
  • Technical security
    199
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [HIPAA Standard: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 5.3.4. ¶ 1]
    Establish/Maintain Documentation Preventive
    Implement digital identification processes. CC ID 13731 Process or Activity Preventive
    Implement identity proofing processes. CC ID 13719 Process or Activity Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Process or Activity Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Process or Activity Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Process or Activity Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Process or Activity Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Establish/Maintain Documentation Preventive
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Configuration Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Process or Activity Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Process or Activity Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Process or Activity Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Process or Activity Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Process or Activity Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Process or Activity Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Process or Activity Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Process or Activity Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Process or Activity Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Process or Activity Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Configuration Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Configuration Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Configuration Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Process or Activity Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Process or Activity Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Process or Activity Detective
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Business Processes Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Process or Activity Detective
    Verify proof of identity records. CC ID 13761 Investigate Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Process or Activity Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Process or Activity Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Process or Activity Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Process or Activity Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Process or Activity Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Process or Activity Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Process or Activity Preventive
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Process or Activity Detective
    Establish, implement, and maintain an access control program. CC ID 11702
    [Implement policies and procedures for granting access to ePHI, such as through access to a workstation, transaction, program, process, or other mechanism. § 5.1.4. Table 11. Row 2 Description Bullet 1
    If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization. § 5.1.4. Table 11. Row 1 Description Bullet 1
    Implement Policies and Procedures for Access Establishment and Modification Implementation Specification (Addressable) § 5.1.4. Table 11. Row 3 Key Activities 3.
    Implement policies and procedures that, based on the covered entity's or business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 5.1.4. Table 11. Row 3 Description Bullet 1
    HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). § 5.3.1. ¶ 1
    {access control} Integrate these activities into the access granting and management process. § 5.3.1. Table 21. Row 1 Description Bullet 3
    Develop Access Control Policy and Procedures § 5.3.1. Table 21. Row 4 Key Activities 4.
    {access control} Implement the policy and procedures using existing or additional hardware or software solutions. § 5.3.1. Table 21. Row 5 Description Bullet 1
    {access control} Enforce the policy and procedures as a matter of ongoing operations. § 5.3.1. Table 21. Row 6 Description Bullet 1
    Identify Technical Access Control Capabilities § 5.3.1. Table 21. Row 2 Key Activities 2.
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1
    Implement Policies and Procedures for Authorizing Access Implementation Specification (Addressable) § 5.1.4. Table 11. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [Establish a formal policy for access control that will guide the development of procedures. § 5.3.1. Table 21. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the access control policy. CC ID 14006
    [{are feasible} {are cost-effective} Specify requirements for access control that are both feasible and cost-effective. § 5.3.1. Table 21. Row 4 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Establish/Maintain Documentation Preventive
    Include management commitment in the access control policy. CC ID 14004 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Establish/Maintain Documentation Preventive
    Include the scope in the access control policy. CC ID 14002 Establish/Maintain Documentation Preventive
    Include the purpose in the access control policy. CC ID 14001 Establish/Maintain Documentation Preventive
    Document the business need justification for user accounts. CC ID 15490 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 5.1.4. ¶ 1]
    Establish/Maintain Documentation Preventive
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical Security Preventive
    Inventory all user accounts. CC ID 13732 Establish/Maintain Documentation Preventive
    Identify information system users. CC ID 12081
    [Identify authorized users with access to ePHI, including data owners and data custodians. § 5.1.4. Table 11. Row 2 Description Bullet 7
    Identify All Users Who Have Been Authorized to Access ePHI § 5.3.3. Table 23. Row 1 Key Activities 1.
    Identify all approved users with the ability to alter or destroy ePHI, if reasonable and appropriate. § 5.3.3. Table 23. Row 1 Description Bullet 1
    {authorized user} Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2. § 5.3.3. Table 23. Row 1 Description Bullet 2]
    Technical Security Detective
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Data and Information Management Preventive
    Control access rights to organizational assets. CC ID 00004
    [Select the basis for restricting access to ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 3
    Decide and document how access to ePHI will be granted for privileged functions. § 5.1.4. Table 11. Row 2 Description Bullet 5
    Implement technical access controls to limit access to ePHI to only that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 2 Description Bullet 3]
    Technical Security Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Configuration Preventive
    Assign user permissions based on job responsibilities. CC ID 00538
    [Analyze Workloads and Operations to Identify the Access Needs of All Users § 5.3.1. Table 21. Row 1 Key Activities 1.]
    Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Isolate Healthcare Clearinghouse Functions Implementation Specification (Required) § 5.1.4. Table 11. Row 1 Key Activities 1.]
    Configuration Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 Communicate Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
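The three rows above describe behavior of the authentication path rather than policy statements, so their semantics are worth pinning down in code: the failure counter resets on a successful login (CC ID 13822), operators are told when the maximum is reached (CC ID 17164), and the user is told when an expired authenticator is presented (CC ID 13818). The following is an added example, not code from NIST SP 800-66r2 or this report; the five-attempt threshold, the in-memory Account record and the notify_user/notify_admins callbacks are assumptions made for illustration.

```python
"""Lockout counter and authenticator-expiry handling for the three rows above.

Added example; it is not code from NIST SP 800-66r2 or from this report. The
threshold of five attempts, the in-memory Account record and the two notify
callbacks are assumptions made for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED = 5  # assumed organizational lockout threshold


@dataclass
class Account:
    verifier: bytes    # salted PBKDF2 of the memorized secret
    salt: bytes
    expires_at: int    # Unix time after which the authenticator is expired
    failed: int = 0
    locked: bool = False


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_account(secret: str, salt: bytes, expires_at: int) -> Account:
    return Account(verifier=_derive(secret, salt), salt=salt, expires_at=expires_at)


def authenticate(acct: Account, secret: str, now: int, notify_user, notify_admins) -> str:
    """Return 'locked', 'expired', 'failed' or 'ok' and update the account state."""
    if acct.locked:
        return "locked"
    if now > acct.expires_at:
        # CC ID 13818: tell the user the authenticator has expired. The secret is
        # not checked at all in this branch (a design choice here), so the
        # response leaks nothing about whether the expired secret was right.
        notify_user("authenticator expired; a reset is required")
        return "expired"
    if not hmac.compare_digest(_derive(secret, acct.salt), acct.verifier):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked = True
            # CC ID 17164: the maximum was reached; raise it to the operators.
            notify_admins(f"account locked after {acct.failed} failed attempts")
        return "failed"
    # CC ID 13822: a successful login clears the counter, so failures spread
    # across earlier sessions cannot accumulate into a surprise lockout.
    acct.failed = 0
    return "ok"
```

The point of the reset is easy to get wrong: without it, one mistyped password per week eventually locks a legitimate user out, and the lockout notification then arrives for an account that was never under attack.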
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
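The four rows above are the Docker daemon's TLS settings (tlsverify, tlscacert, tlscert, tlskey), which only matter once the daemon listens on a TCP socket. The following added example, not from NIST SP 800-66r2 or this report, audits a daemon.json for them and shows the weak listener beside the corrected one; both configuration documents are constructed and the certificate paths are illustrative.

```python
"""Audit a Docker daemon.json for the four TLS settings above.

Added example; not from NIST SP 800-66r2 or this report. Both configuration
documents are constructed, and the certificate paths in the hardened one are
illustrative.
"""
import json


def audit_daemon_config(text: str) -> list:
    """Return findings for a daemon.json; an empty list means no TCP exposure without TLS."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket; the TLS flags do not apply
    # CC ID 14460: tlsverify makes the daemon demand a client certificate signed by tlscacert.
    if cfg.get("tlsverify") is not True:
        findings.append("tlsverify: TCP listener accepts clients without a certificate")
    # CC IDs 14521, 14520, 14519: the CA used to verify clients and the daemon's own identity.
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key}: not set")
    for h in tcp_hosts:
        if h.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            findings.append(f"hosts: {h} binds every interface")
    return findings


# Weak: the unauthenticated remote API on 2375, reachable from any interface.
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

# Hardened: mutual TLS on 2376, bound to a single management address.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_daemon_config(doc) or ["ok"])
```

An unauthenticated daemon socket is root on the host for anyone who can reach it, which is why the check treats a TCP listener without tlsverify as the primary finding and the missing certificate paths as its consequences.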
    Enable access control for objects and users on each system. CC ID 04553
    [Determine the access control capabilities of all systems with ePHI. § 5.3.1. Table 21. Row 2 Description Bullet 1
    Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Configuration Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850
    [Consider all applications and systems containing ePHI that should only be available to authorized users, processes, and services. § 5.3.1. Table 21. Row 1 Description Bullet 2]
    Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [Ensure that the modification of technical controls that affect a user's access to ePHI continue to limit access to ePHI to that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 6 Description Bullet 3
    {plan sponsor} Amend Plan Documents of the Group Health Plan to Address Adequate Separation Implementation Specification (Required) § 5.4.2. Table 27. Row 2 Key Activities 2.
    Amend the plan documents to incorporate provisions to require the plan sponsor to ensure that the adequate separation between the group health plan and plan sponsor required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. § 5.4.2. Table 27. Row 2 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1]
    Data and Information Management Preventive
    Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 Establish/Maintain Documentation Preventive
    Review all user privileges, as necessary. CC ID 06784
    [Regularly review personnel access to ePHI to ensure that access is still authorized and needed. § 5.1.4. Table 11. Row 3 Description Bullet 4
    Review and Update Access for Users and Processes § 5.3.1. Table 21. Row 6 Key Activities 6.
    Consider implementing a user recertification process to ensure that least privilege is enforced. § 5.3.1. Table 21. Row 9 Description Bullet 2]
    Technical Security Preventive
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Behavior Corrective
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [Determine whether direct access to ePHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own ePHI). § 5.1.4. Table 11. Row 2 Description Bullet 9
    Implement procedures to determine that the access of a workforce member to ePHI is appropriate. § 5.1.3. Table 10. Row 4 Description Bullet 1
    Establish standards for granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 2
    Modify personnel access to ePHI, as needed, based on review activities. § 5.1.4. Table 11. Row 3 Description Bullet 5
    Establish procedures for updating access when users require the following: Increased access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 2
    Establish procedures for updating access when users require the following: Initial access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 1
    Establish procedures for updating access when users require the following: Access to different systems or applications than those they currently have § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 3]
    Technical Security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782
    [Ensure that there is a list of personnel with authority to approve user requests to access ePHI and systems with ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 6]
    Establish/Maintain Documentation Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical Security Preventive
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Communicate Detective
    Establish, implement, and maintain a password policy. CC ID 16346 Establish/Maintain Documentation Preventive
    Enforce the password policy. CC ID 16347 Technical Security Preventive
    Maintain a log of the overrides of the biometric system. CC ID 17000 Log Management Preventive
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3
    Decide and document procedures for how access to ePHI will be granted to workforce members within the organization. § 5.1.4. Table 11. Row 2 Description Bullet 2
    Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access). § 5.1.4. Table 11. Row 2 Description Bullet 4
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1
    Identify an approach for access control. § 5.3.1. Table 21. Row 1 Description Bullet 1
    Implement Access Control Procedures Using Selected Hardware and Software § 5.3.1. Table 21. Row 5 Key Activities 5.
    Determine whether any changes are needed for access control mechanisms. § 5.3.1. Table 21. Row 6 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Grant access to authorized personnel or systems. CC ID 12186
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    Provide formal authorization from the appropriate authority before granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 3]
    Configuration Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Communicate Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171
    [Identify in writing who has the business need and who has been granted permission to view, alter, retrieve, and store ePHI and at what times, under what circumstances, and for what purposes. § 5.1.3. Table 10. Row 2 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Establish/Maintain Documentation Preventive
    Include the user's location in the system record. CC ID 16996 Log Management Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Data and Information Management Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Communicate Corrective
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Establish/Maintain Documentation Preventive
    Include the purpose in the identification and authentication policy. CC ID 14234 Establish/Maintain Documentation Preventive
    Include the scope in the identification and authentication policy. CC ID 14232 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the identification and authentication policy. CC ID 14230 Establish/Maintain Documentation Preventive
    Include management commitment in the identification and authentication policy. CC ID 14229 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the identification and authentication policy. CC ID 14227 Establish/Maintain Documentation Preventive
    Include compliance requirements in the identification and authentication policy. CC ID 14225 Establish/Maintain Documentation Preventive
    Establish the requirements for Authentication Assurance Levels. CC ID 16958 Establish/Maintain Documentation Preventive
    Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 Communicate Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [Identify the methods available for authentication. Under the HIPAA Security Rule, authentication is the corroboration that a person is the one claimed (45 CFR § 164.304). § 5.3.4. Table 24. Row 1 Description Bullet 1
    Evaluate Available Authentication Options § 5.3.4. Table 24. Row 2 Key Activities 2.
    Weigh the relative advantages and disadvantages of commonly used authentication approaches. § 5.3.4. Table 24. Row 2 Description Bullet 1
    Select and Implement Authentication Options § 5.3.4. Table 24. Row 3 Key Activities 3.
    {authentication methods} Implement the methods selected in organizational operations and activities. § 5.3.4. Table 24. Row 3 Description Bullet 2
    Consider the results of the analysis conducted under Key Activity 2 and select appropriate authentication methods based on the results of the risk assessment and risk management processes. § 5.3.4. Table 24. Row 3 Description Bullet 1
    Determine Authentication Applicability to Current Systems/Applications § 5.3.4. Table 24. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical Security Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Communicate Preventive
    Employ unique identifiers. CC ID 01273
    [Ensure That All System Users Have Been Assigned a Unique Identifier Implementation Specification (Required) § 5.3.1. Table 21. Row 3 Key Activities 3.
    Assign a unique name and/or number for identifying and tracking user identity. § 5.3.1. Table 21. Row 3 Description Bullet 1]
    Testing Detective
    Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 Communicate Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 Process or Activity Preventive
    Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 Technical Security Preventive
    Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 Technical Security Preventive
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Communicate Preventive
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034
    [{integrity requirements} Develop the Integrity Policy and Requirements § 5.3.3. Table 23. Row 3 Key Activities 3.]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the system and information integrity policy. CC ID 14151
    [{risk analysis} Establish a formal written set of integrity requirements based on the results of the analysis completed in Key Activities 1 and 2. § 5.3.3. Table 23. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system and information integrity policy. CC ID 14150 Establish/Maintain Documentation Preventive
    Include management commitment in the system and information integrity policy. CC ID 14149 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system and information integrity policy. CC ID 14148 Establish/Maintain Documentation Preventive
    Include the scope in the system and information integrity policy. CC ID 14147 Establish/Maintain Documentation Preventive
    Include the purpose in the system and information integrity policy. CC ID 14146 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 Communicate Preventive
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 5.3.3. ¶ 1
    {integrity requirements} Implement Procedures to Address These Requirements § 5.3.3. Table 23. Row 4 Key Activities 4.
    Identify and implement tools and techniques to be developed or procured that support the assurance of integrity. § 5.3.3. Table 23. Row 4 Description Bullet 2
    Continually reassess integrity processes as technology and operational environments change to determine whether they need to be revised. § 5.3.3. Table 23. Row 6 Description Bullet 2
    Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. § 5.3.5. Table 25. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Communicate Preventive
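The transmission-integrity bullet in the row above asks that improper modification of ePHI in transit be detectable. An added example, not from NIST SP 800-66r2 or this report, of the mechanism that provides that property: an HMAC-SHA256 tag over a canonical serialization of the record, checked with a constant-time comparison. The key and the record are constructed placeholders; in practice the key comes from a key-management service and the tag is usually supplied by TLS or a signed message format.

```python
"""Tamper detection for ePHI in transit with an HMAC-SHA256 tag.

Added example; not from NIST SP 800-66r2 or this report. The key and the
record are constructed. In practice the key comes from a key-management
service and the tag is usually supplied by TLS or a signed message format;
the mechanism shown is what those provide underneath.
"""
import hashlib
import hmac
import json


def protect(key: bytes, record: dict) -> bytes:
    """Serialize canonically and append the tag as '<json>.<hex tag>'."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify(key: bytes, wire: bytes):
    """Return the record if the tag matches, otherwise None."""
    body, sep, tag = wire.rpartition(b".")  # the hex tag never contains '.'
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):  # constant-time: no timing oracle on the tag
        return None
    return json.loads(body)


def tamper(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path change to the body; the tag is left as it was."""
    return wire.replace(old, new, 1)


KEY = bytes.fromhex("00" * 32)  # constructed; never hard-code a real key
RECORD = {"patient_id": "P-0001", "rx": "metformin 500mg", "qty": 30}

if __name__ == "__main__":
    wire = protect(KEY, RECORD)
    print("intact:", verify(KEY, wire))
    print("tampered:", verify(KEY, tamper(wire, b'"qty":30', b'"qty":90')))
```

Canonical serialization (sorted keys, no whitespace) matters because the receiver must reproduce the exact bytes the sender tagged; a checksum without a key would only catch accidental corruption, since an attacker who can change the body can recompute it.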
    Identify and control all network access controls. CC ID 00529
    [Determine whether network infrastructure can limit access to systems with ePHI (e.g., network segmentation). § 5.3.1. Table 21. Row 2 Description Bullet 2
    Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Technical Security Preventive
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Establish/Maintain Documentation Preventive
    Enforce the network segmentation requirements. CC ID 16381 Process or Activity Preventive
    Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 Technical Security Preventive
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical Security Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Establish/Maintain Documentation Preventive
    Include management commitment in the network security policy. CC ID 14203 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Establish/Maintain Documentation Preventive
    Include the scope in the network security policy. CC ID 14201 Establish/Maintain Documentation Preventive
    Include the purpose in the network security policy. CC ID 14200 Establish/Maintain Documentation Preventive
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Communicate Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Communicate Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Establish/Maintain Documentation Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Establish/Maintain Documentation Preventive
    Include virtual systems in the network diagram. CC ID 16324 Data and Information Management Preventive
    Include the organization's name in the network diagram. CC ID 14318 Establish/Maintain Documentation Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Process or Activity Detective
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Establish/Maintain Documentation Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Establish/Maintain Documentation Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Establish/Maintain Documentation Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Communicate Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059
    [Identify all pathways by which ePHI will be transmitted into, within, and outside of the organization. § 5.3.5. Table 25. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Process or Activity Detective
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Establish/Maintain Documentation Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Establish/Maintain Documentation Preventive
    Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Communicate Preventive
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical Security Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical Security Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical Security Preventive
    Implement gateways between security domains. CC ID 16493 Systems Design, Build, and Implementation Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical Security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical Security Preventive
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical Security Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical Security Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Establish/Maintain Documentation Preventive
    Configure network ports to organizational standards. CC ID 14007 Configuration Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Establish/Maintain Documentation Preventive
    Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 Communicate Preventive
    Protect data stored at external locations. CC ID 16333 Data and Information Management Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical Security Preventive
    Filter packets based on IPv6 header fields. CC ID 17048 Technical Security Preventive
    Filter traffic at firewalls based on application layer attributes. CC ID 17054 Technical Security Preventive
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429
    [Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Testing Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 5.3.5. ¶ 1
    Establish a formal written set of requirements for transmitting ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 1
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Establish/Maintain Documentation Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [Identify methods of transmission that will be used to safeguard ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 2
    Identify tools and techniques that will be used to support the transmission security policy. § 5.3.5. Table 25. Row 2 Description Bullet 3
    Implement procedures for transmitting ePHI using hardware and/or software, if needed. § 5.3.5. Table 25. Row 2 Description Bullet 4
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 Establish/Maintain Documentation Preventive
    Include connection termination procedures in the information exchange procedures. CC ID 17027 Establish/Maintain Documentation Preventive
    Include the data sensitivity levels in the information exchange procedures. CC ID 17024 Establish/Maintain Documentation Preventive
    Include communication requirements in the information exchange procedures. CC ID 17026 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information exchange procedures. CC ID 17023 Establish/Maintain Documentation Preventive
    Include contact information in the information exchange procedures. CC ID 17307 Establish/Maintain Documentation Preventive
    Include implementation procedures in the information exchange procedures. CC ID 17022 Establish/Maintain Documentation Preventive
    Include security controls in the information exchange procedures. CC ID 17021 Establish/Maintain Documentation Preventive
    Include testing procedures in the information exchange procedures. CC ID 17020 Establish/Maintain Documentation Preventive
    Include measurement criteria in the information exchange procedures. CC ID 17019 Establish/Maintain Documentation Preventive
    Include training requirements in the information exchange procedures. CC ID 17017 Establish/Maintain Documentation Preventive
    Test the information exchange procedures. CC ID 17115 Testing Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Data and Information Management Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Data and Information Management Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Data and Information Management Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Log Management Preventive
    Revoke membership in the allowlist, as necessary. CC ID 13827 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 Data and Information Management Preventive
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Establish/Maintain Documentation Preventive
    Implement multifactor authentication techniques. CC ID 00561
    [Consider implementing MFA solutions when the risk to ePHI is sufficiently high. § 5.3.4. Table 24. Row 2 Description Bullet 4]
    Configuration Preventive
    Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 Technical Security Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical Security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement a mechanism to encrypt and decrypt ePHI. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 2]
    Establish/Maintain Documentation Preventive
    Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 Establish/Maintain Documentation Preventive
    Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 Establish/Maintain Documentation Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824
    [Implement Encryption Implementation Specification (Addressable) § 5.3.5. Table 25. Row 4 Key Activities 4.
    Implement a mechanism to encrypt ePHI whenever appropriate. § 5.3.5. Table 25. Row 4 Description Bullet 1]
    Data and Information Management Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Data and Information Management Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Data and Information Management Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Communicate Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Data and Information Management Preventive
  • Third Party and supply chain oversight
    61
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [If part of the strategy depends on external organizations for support, ensure that formal agreements are in place with specific requirements stated. § 5.1.7. Table 14. Row 4 Description Bullet 2
    Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6
    Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2
    Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612
    [Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). Readers may find useful resources in Appendix F, including OCR BAA guidance and/or templates that include applicable language. § 5.1.9. Table 16. Row 3 Description Bullet 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Process or Activity Detective
    Write contractual agreements in clear and conspicuous language. CC ID 16923 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Include the purpose in the information flow agreement. CC ID 17016 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the costs in the information flow agreement. CC ID 17018 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{contract} Identify roles and responsibilities. § 5.1.9. Table 16. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Contract Must Provide That Business Associates Will Comply With the Applicable Requirements of the Security Rule Implementation Specification (Required) § 5.4.1. Table 26. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1
    Contract Must Provide That Business Associates Will Report Security Incidents Implementation Specification (Required) § 5.4.1. Table 26. Row 3 Key Activities 3.
    Amend plan documents to incorporate provisions to require the plan sponsor to report any security incident of which it becomes aware to the group health plan. § 5.4.2. Table 27. Row 4 Description Bullet 1
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3
    Amend Plan Documents of Group Health Plans to Address the Reporting of Security Incidents Implementation Specification (Required) § 5.4.2. Table 27. Row 4 Key Activities 4.]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532
    [Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI per the BAA or contract. § 5.1.9. Table 16. Row 2 Description Bullet 1
    Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract. § 5.4.1. Table 26. Row 3 Description Bullet 2
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355
    [Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements. § 5.1.9. Table 16. Row 1 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include on-site visits in third party contracts. CC ID 17306 Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367
    [Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 5]
    Acquisition/Sale of Assets or Services Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations. § 5.1.9. Table 16. Row 1 Description Bullet 4]
    Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
[HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 5.1.9. ¶ 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1
    In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section. § 5.4.1. Table 26. Row 2 Description Bullet 1
    Contract Must Provide That the Business Associates Enter Into Contracts With Subcontractors to Ensure the Protection of ePHI Implementation Specification (Required) § 5.4.1. Table 26. Row 2 Key Activities 2.]
    Establish/Maintain Documentation Preventive
    Include location requirements in third party contracts. CC ID 16915 Acquisition/Sale of Assets or Services Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach. § 5.4.1. Table 26. Row 3 Description Bullet 3]
    Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI. § 5.1.9. Table 16. Row 3 Description Bullet 4
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2
    Amend plan documents to incorporate provisions to require the plan sponsor to ensure that any agent to whom it provides ePHI agrees to implement reasonable and appropriate security measures to protect the ePHI. § 5.4.2. Table 27. Row 3 Description Bullet 1
    {administrative safeguards} {physical safeguards} Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. § 5.4.1. Table 26. Row 1 Description Bullet 1
    Amend Plan Documents of the Group Health Plan to Address the Security of ePHI Supplied to the Plan Sponsors' Agents and Subcontractors Implementation Specification (Required) § 5.4.2. Table 27. Row 3 Key Activities 3.]
    Testing Detective
    Establish the third party's service continuity. CC ID 00797
    [{geographic separation} Evaluate the current and available levels of redundancy and geographic distribution of any storage service providers to identify risks to service availability and determine restoration times. § 5.1.7. Table 14. Row 2 Description Bullet 5]
    Testing Detective
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Systems Continuity Preventive
    Review third party recovery plans. CC ID 17123 Systems Continuity Detective
    Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 Communicate Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{individual} {is current} Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current. § 5.1.9. Table 16. Row 1 Description Bullet 2]
    Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include the organization's name in the Third Party Service Provider list. CC ID 17287 Data and Information Management Preventive
    Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 Establish/Maintain Documentation Preventive
    Include storage locations in the Third Party Service Provider list. CC ID 17184 Establish/Maintain Documentation Preventive
    Include the processing location in the Third Party Service Provider list. CC ID 17183 Establish/Maintain Documentation Preventive
    Include the transferability of services in the Third Party Service Provider list. CC ID 17185 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Establish/Maintain Documentation Preventive
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [Identify Entities That Are Business Associates Under the HIPAA Security Rule § 5.1.9. Table 16. Row 1 Key Activities 1.]
    Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [Regulated entities should consider how cloud services and other third-party IT system and service offerings can both assist regulated entities in protecting ePHI while also potentially introducing new risks to ePHI. § 5.1.1. Table 8. Row 4 Description Bullet 1]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [Establish criteria for measuring contract performance. § 5.1.9. Table 16. Row 2 Description Bullet 2]
    Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
Common Controls and mandates by Type
291 Mandated Controls - bold    44 Implied Controls - italic     2523 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
2858 Total
  • Acquisition/Sale of Assets or Services
    28
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Preventive
    Implement automated audit tools. CC ID 04882
    [Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement tools that can provide reports on the level of compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 5
    Select the Tools That Will Be Deployed for Auditing and System Activity Reviews § 5.3.2. Table 22. Row 2 Key Activities 2.
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4]
    Monitoring and measurement Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Operational management Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892
    [{information technology systems} {information technology services} Acquire Information Technology (IT) Systems and Services § 5.1.1. Table 8. Row 4 Key Activities 4.]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain acquisition notices. CC ID 16682 Acquisition or sale of facilities, technology, and services Preventive
    Include the geographic locations of the organization in the acquisition notice. CC ID 16723 Acquisition or sale of facilities, technology, and services Preventive
    Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 Acquisition or sale of facilities, technology, and services Preventive
    Include the capital ratios in the acquisition notice. CC ID 16712 Acquisition or sale of facilities, technology, and services Preventive
    Include the relevant authorities in the acquisition notice. CC ID 16711 Acquisition or sale of facilities, technology, and services Preventive
    Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 Acquisition or sale of facilities, technology, and services Preventive
    Include the subsidiary's contact information in the acquisition notice. CC ID 16704 Acquisition or sale of facilities, technology, and services Preventive
    Include in scope transactions in the acquisition notice. CC ID 16700 Acquisition or sale of facilities, technology, and services Preventive
    Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 Acquisition or sale of facilities, technology, and services Preventive
    Obtain user documentation before acquiring products and services. CC ID 14283 Acquisition or sale of facilities, technology, and services Preventive
    Include the acceptance criteria in system acquisition contracts. CC ID 14288 Acquisition or sale of facilities, technology, and services Preventive
    Include audit record generation capabilities in system acquisition contracts. CC ID 16427 Acquisition or sale of facilities, technology, and services Preventive
    Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 Acquisition or sale of facilities, technology, and services Preventive
    Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 Acquisition or sale of facilities, technology, and services Preventive
    Include environmental considerations in the acquisition feasibility study. CC ID 16224 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 Acquisition or sale of facilities, technology, and services Preventive
    Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 Acquisition or sale of facilities, technology, and services Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition or sale of facilities, technology, and services Corrective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
    Write contractual agreements in clear and conspicuous language. CC ID 16923 Third Party and supply chain oversight Preventive
    Include training requirements in third party contracts. CC ID 16367
    [Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 5]
    Third Party and supply chain oversight Preventive
    Include location requirements in third party contracts. CC ID 16915 Third Party and supply chain oversight Preventive
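    Added example (not code from NIST SP 800-66r2 or from Network Frontiers): one way to act on the "consider ways to automate the review" citation under CC ID 04882 above. The script reviews a constructed ePHI audit log for three discrepancies a periodic system-activity review would report on: activity by accounts that should already have been deactivated (the § 5.1.3 termination activity cited elsewhere on this page), ePHI access outside an assumed business-hours window, and a burst of failed logins followed by a success (the § 5.1.5 "monitoring login attempts and reporting discrepancies" training item). The log format, the deactivated-account list, the hours window and the thresholds are all assumptions made for the example; the summary dictionary is the kind of figure a compliance report would carry.

```python
"""Automated review of ePHI system activity (added example, not from SP 800-66r2)."""
from __future__ import annotations
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample log. Assumed format per line:
# <ISO timestamp> <user> <source IP> <action> <object>
SAMPLE_LOG = """\
2024-03-04T08:02:11 jdoe 10.1.4.22 LOGIN_OK -
2024-03-04T08:05:40 jdoe 10.1.4.22 EPHI_READ patient/10442
2024-03-04T02:13:09 rlee 10.1.9.7 LOGIN_OK -
2024-03-04T02:14:01 rlee 10.1.9.7 EPHI_READ patient/20981
2024-03-04T02:14:33 rlee 10.1.9.7 EPHI_READ patient/20982
2024-03-04T09:00:00 msmith 10.1.4.30 LOGIN_OK -
2024-03-04T09:00:20 msmith 10.1.4.30 EPHI_READ patient/10442
2024-03-04T11:10:01 tnguyen 203.0.113.5 LOGIN_FAIL -
2024-03-04T11:10:05 tnguyen 203.0.113.5 LOGIN_FAIL -
2024-03-04T11:10:09 tnguyen 203.0.113.5 LOGIN_FAIL -
2024-03-04T11:10:14 tnguyen 203.0.113.5 LOGIN_FAIL -
2024-03-04T11:10:18 tnguyen 203.0.113.5 LOGIN_FAIL -
2024-03-04T11:10:40 tnguyen 203.0.113.5 LOGIN_OK -
"""

# Assumptions for the example: accounts HR reports as terminated, the policy
# window for routine ePHI access, and the failed-login burst threshold.
DEACTIVATED_ACCOUNTS = {"rlee"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAIL_THRESHOLD = 5
FAIL_WINDOW_SECONDS = 300


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    obj: str


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed whitespace-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a production reviewer would count and report these too
        ts, user, src, action, obj = parts
        events.append(Event(datetime.fromisoformat(ts), user, src, action, obj))
    return sorted(events, key=lambda e: e.ts)


def review(events: list[Event]) -> list[Finding]:
    """Apply the three review rules to time-ordered events and return findings."""
    findings: list[Finding] = []
    fails: dict[str, deque] = defaultdict(deque)   # per-user sliding window of failure times
    burst_end: dict[str, datetime] = {}             # last failure time of a detected burst
    window = timedelta(seconds=FAIL_WINDOW_SECONDS)
    start, end = BUSINESS_HOURS

    for e in events:
        # Rule 1: any success or ePHI access by an account that should be disabled.
        if e.user in DEACTIVATED_ACCOUNTS and e.action in ("LOGIN_OK", "EPHI_READ"):
            findings.append(Finding("deactivated_account_activity", e.user, e.ts,
                                    f"{e.action} on {e.obj} from {e.src}"))
        # Rule 2: ePHI access outside the assumed business-hours window.
        if e.action.startswith("EPHI_") and not (start <= e.ts.time() < end):
            findings.append(Finding("after_hours_ephi_access", e.user, e.ts,
                                    f"{e.action} on {e.obj}"))
        # Rule 3: FAIL_THRESHOLD failures within FAIL_WINDOW_SECONDS, then a success.
        if e.action == "LOGIN_FAIL":
            q = fails[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                findings.append(Finding("failed_login_burst", e.user, e.ts,
                                        f"{len(q)} failures within {FAIL_WINDOW_SECONDS}s from {e.src}"))
                burst_end[e.user] = e.ts
                q.clear()
        if e.action == "LOGIN_OK" and e.user in burst_end and e.ts - burst_end[e.user] <= window:
            gap = int((e.ts - burst_end[e.user]).total_seconds())
            findings.append(Finding("success_after_failed_burst", e.user, e.ts,
                                    f"successful login {gap}s after burst from {e.src}"))
            del burst_end[e.user]
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Finding counts per rule, the figure a periodic compliance report would carry."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f.ts.isoformat()} {f.rule:<28} {f.user:<8} {f.detail}")
    print(summarize(results))
```

The deactivated-account rule is the one that closes the loop with the termination procedures: if the HR feed says an account is gone and the audit log still shows it reading patient records, either deprovisioning failed or the log is lying, and both are findings. Run against the sample it reports three events for the deactivated account, two after-hours reads (the same events, flagged by a second rule), one failed-login burst and one success immediately after it.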
  • Actionable Reports or Measurements (9 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term; Mandated - bold; Implied - italic; Implementation - regular
    Columns: control statement, CC ID, [supporting citations], IMPACT ZONE, CLASS
    Monitor and evaluate system telemetry data. CC ID 14929 Monitoring and measurement Detective
    Include evidence of the closure of findings in the corrective action plan. CC ID 16978 Monitoring and measurement Preventive
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Document and communicate to the workforce the organization's decisions on audits and reviews. § 5.3.2. Table 22. Row 3 Description Bullet 1]
    Monitoring and measurement Corrective
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Operational and Systems Continuity Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Mitigate reported incidents. CC ID 12973
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Preventive
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Preventive
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Preventive
  • Audits and Risk Management (58 controls)
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [{external experts} {internal auditors} Engage external expertise to assist the internal evaluation team where additional skills and expertise are determined to be reasonable and appropriate. § 5.1.8. Table 15. Row 1 Description Bullet 2]
    Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Detective
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Preventive
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and risk management Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts. § 5.1.1. Table 8. Row 3 Description Bullet 2
    {include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Analyze the Risks Associated with Each Type of Access § 5.2.3. Table 19. Row 2 Key Activities 2.
    Determine which type of access identified in Key Activity 1 poses the greatest threat to the security of ePHI. § 5.2.3. Table 19. Row 2 Description Bullet 1]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Preventive
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts. § 5.1.1. Table 8. Row 3 Description Bullet 2
    Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [{management control} {operational control} Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.1.1. Table 8. Row 5 Description Bullet 1
    Consider whether multiple access control methods are needed to protect ePHI according to the results of the risk assessment. § 5.1.4. Table 11. Row 2 Description Bullet 8]
    Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
    Conduct external audits of the physical security plan. CC ID 13314 Physical and environmental protection Detective
  • Behavior (63 controls)
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282
    [{person responsible} Ensure That Documentation is Available to Those Responsible for Implementation Implementation Specification (Required) § 5.5.2. Table 29. Row 3 Key Activities 3.
    {make available} Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 5.5.2. Table 29. Row 3 Description Bullet 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Technical security Corrective
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Train personnel on the continuity plan. CC ID 00759
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Train those with defined plan responsibilities in their roles. § 5.1.7. Table 14. Row 7 Description Bullet 3]
    Operational and Systems Continuity Preventive
    Train all new hires, as necessary. CC ID 06673 Human Resources management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Preventive
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [Monitor the training program implementation to ensure that all workforce members participate. § 5.1.5. Table 12. Row 7 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{environmental changes} Training should be an ongoing, evolving process in response to environmental and operational changes that affect the security of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 4
    Conduct training whenever changes occur in the technology and practices, as appropriate. § 5.1.5. Table 12. Row 7 Description Bullet 3]
    Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3
    Consider the benefits of ongoing communication with staff (e.g., emails, newsletters) on training topics to achieve HIPAA compliance and protect ePHI. § 5.1.5. Table 12. Row 6 Description Bullet 3
    Implement any reasonable technique to disseminate the security messages in an organization, including newsletters, screensavers, video recordings, email messages, teleconferencing sessions, staff meetings, and computer-based training. § 5.1.5. Table 12. Row 5 Description Bullet 2]
    Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Human Resources management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [Develop and Implement a Sanction Policy Implementation Specification (Required) § 5.1.1. Table 8. Row 6 Key Activities 6.
    Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 5.1.1. Table 8. Row 6 Description Bullet 1
    Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization's security policies. § 5.1.1. Table 8. Row 6 Description Bullet 2
    Implement sanction policy as cases arise. § 5.1.1. Table 8. Row 6 Description Bullet 3]
    Human Resources management Corrective
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Operational management Detective
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Preventive
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Privacy protection for information and data Preventive
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Detective
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Privacy protection for information and data Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Preventive
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Corrective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Corrective
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Corrective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Preventive
  • Business Processes (111 controls)
    Analyze the business environment in which the organization operates. CC ID 12798
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681
    [Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Applicability of the IT solution to the intended environment; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 1
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The organization's security policies, procedures, and standards; and § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 3
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The sensitivity of the data; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 2
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Other requirements, such as resources available for operation, maintenance, and training. § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 4]
    Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5
    {monitoring processes} Review existing processes to determine whether objectives are being addressed. § 5.3.3. Table 23. Row 6 Description Bullet 1]
    Leadership and high level objectives Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Identify All ePHI and Relevant Information Systems § 5.1.1. Table 8. Row 1 Key Activities 1.]
    Leadership and high level objectives Preventive
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Preventive
    Establish, implement, and maintain a public oversight system. CC ID 17284 Leadership and high level objectives Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Withdraw the approvals of auditors, as necessary. CC ID 17260 Audits and risk management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2]
    Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Detective
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 Physical and environmental protection Preventive
    Obtain management approval prior to decommissioning assets. CC ID 17269 Physical and environmental protection Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Physical and environmental protection Preventive
    Review the beneficiaries of the insurance policy. CC ID 16563 Operational and Systems Continuity Detective
    Define and assign the assessment team's roles and responsibilities. CC ID 08890
    [If available, consider engaging corporate, legal, or regulatory compliance staff when conducting the analysis. § 5.1.8. Table 15. Row 2 Description Bullet 6
    Determine in advance what departments and/or staff will participate in the evaluation. § 5.1.8. Table 15. Row 3 Description Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{security awareness and training program} Consider using a variety of media and avenues according to what is appropriate for the organization based on workforce size, location, level of education, and other factors. § 5.1.5. Table 12. Row 4 Description Bullet 3]
    Human Resources management Preventive
    Correlate business processes and applications. CC ID 16300 Operational management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414
    [Leverage any existing reports or documentation that may already be prepared by the organization addressing the compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 7]
    Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006
    [Create procedures to be followed to accomplish particular security-related tasks. § 5.1.1. Table 8. Row 5 Description Bullet 3
    {technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Operational management Preventive
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Validate recipients prior to sending electronic messages. CC ID 16981 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Develop and document policies and procedures related to the proper use and performance of devices that create, store, process, or transmit ePHI. § 5.2.2. Table 18. Row 2 Description Bullet 1
    Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Operational management Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Preventive
    Define the requirements for where assets can be located. CC ID 17051 Operational management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Operational management Preventive
    Obtain management approval prior to disposing of information technology assets. CC ID 17270 Operational management Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [HIPAA Standard: Implement policies and procedures to address security incidents. § 5.1.6. ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Remediate security violations according to organizational standards. CC ID 12338
    [Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Implement changes according to the change control program. CC ID 11776
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Preventive
    Perform destruction at authorized facilities. CC ID 17074 Records management Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Preventive
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Preventive
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988
    [{transmitted} Identify where ePHI is generated within the organization, where it enters the organization, where it moves within the organization, where it is stored, and where it leaves the organization. § 5.1.1. Table 8. Row 1 Description Bullet 1]
    Records management Detective
    Obtain authorization for marketing new products. CC ID 16805 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
Include personal data that is publicly available information as an out-of-scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Preventive
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Corrective
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [Establish criteria for measuring contract performance. § 5.1.9. Table 16. Row 2 Description Bullet 2]
    Third Party and supply chain oversight Detective
  • Communicate
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Preventive
    Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 Leadership and high level objectives Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Monitoring and measurement Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Monitoring and measurement Preventive
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Detective
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103
    [Communicate evaluation results, metrics, and/or measurements to relevant organizational personnel. § 5.1.8. Table 15. Row 4 Description Bullet 5]
    Monitoring and measurement Preventive
    Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 Monitoring and measurement Preventive
    Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 Audits and risk management Preventive
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
    Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 Technical security Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Detective
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Corrective
    Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 Technical security Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Preventive
    Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 Technical security Preventive
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Preventive
    Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 Technical security Preventive
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Technical security Preventive
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Preventive
    Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 Technical security Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Preventive
    Report damaged property to interested personnel and affected parties. CC ID 13702 Physical and environmental protection Corrective
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Physical and environmental protection Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Physical and environmental protection Preventive
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Physical and environmental protection Preventive
    Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 Physical and environmental protection Preventive
    Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 Physical and environmental protection Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Operational and Systems Continuity Preventive
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Operational and Systems Continuity Preventive
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Operational and Systems Continuity Preventive
    Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 Operational and Systems Continuity Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Human Resources management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Human Resources management Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Preventive
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Operational management Preventive
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Operational management Preventive
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Operational management Preventive
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Operational management Preventive
    Reissue operating instructions, as necessary. CC ID 17121 Operational management Preventive
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Operational management Detective
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Operational management Preventive
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Operational management Preventive
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Operational management Preventive
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Operational management Preventive
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Operational management Preventive
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 Operational management Preventive
    Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 Operational management Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Operational management Preventive
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Operational management Preventive
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910 Operational management Preventive
    Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 Records management Preventive
    Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Preventive
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Preventive
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Corrective
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Corrective
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Preventive
    Capture personal data removal requests. CC ID 13507 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify the data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Preventive
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Corrective
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Preventive
    Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 Third Party and supply chain oversight Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
  • Configuration
    47
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Document the event information to be logged in the event information log specification. CC ID 00639
    [Determine the Activities That Will Be Tracked or Audited § 5.3.2. Table 22. Row 1 Key Activities 1.
    Determine what activities need to be captured using the results of the risk assessment and risk management processes. § 5.3.2. Table 22. Row 1 Description Bullet 2
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Monitoring and measurement Preventive
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Preventive
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Isolate Healthcare Clearinghouse Functions Implementation Specification (Required) § 5.1.4. Table 11. Row 1 Key Activities 1.]
    Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553
    [Determine the access control capabilities of all systems with ePHI. § 5.3.1. Table 21. Row 2 Description Bullet 1
    Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Technical security Preventive
    Grant access to authorized personnel or systems. CC ID 12186
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    Provide formal authorization from the appropriate authority before granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 3]
    Technical security Preventive
    Configure network ports to organizational standards. CC ID 14007 Technical security Preventive
    Implement multifactor authentication techniques. CC ID 00561
    [Consider implementing MFA solutions when the risk to ePHI is sufficiently high. § 5.3.4. Table 24. Row 2 Description Bullet 4]
    Technical security Preventive
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Physical and environmental protection Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Physical and environmental protection Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 Operational management Preventive
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 1]
    System hardening through configuration management Preventive
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 System hardening through configuration management Preventive
    Invalidate unexpected session identifiers. CC ID 15307 System hardening through configuration management Preventive
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 System hardening through configuration management Preventive
    Reject session identifiers that are not valid. CC ID 15306 System hardening through configuration management Preventive
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 System hardening through configuration management Preventive
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 System hardening through configuration management Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332
    [Ensure that the necessary data is available in the system logs to support audit and other related business functions. § 5.3.1. Table 21. Row 3 Description Bullet 3]
    System hardening through configuration management Preventive
    Configure the log to capture account lockouts. CC ID 16470 System hardening through configuration management Preventive
    Configure the log to capture execution events. CC ID 16469 System hardening through configuration management Preventive
    Configure the log to capture AWS Organizations changes. CC ID 15445 System hardening through configuration management Preventive
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 System hardening through configuration management Preventive
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 System hardening through configuration management Preventive
    Configure the log to capture route table changes. CC ID 15439 System hardening through configuration management Preventive
    Configure the log to capture virtual private cloud changes. CC ID 15435 System hardening through configuration management Preventive
    Configure the log to capture changes to encryption keys. CC ID 15432 System hardening through configuration management Preventive
    Configure the log to capture unauthorized API calls. CC ID 15429 System hardening through configuration management Preventive
    Configure the log to capture changes to network gateways. CC ID 15421 System hardening through configuration management Preventive
    Configure the "logging level" to organizational standards. CC ID 14456 System hardening through configuration management Detective
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Preventive
  • Data and Information Management
    507
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Include format requirements for data elements in the data dictionary. CC ID 17108 Leadership and high level objectives Preventive
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Leadership and high level objectives Preventive
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Leadership and high level objectives Preventive
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Preventive
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [Ensure that the modification of technical controls that affect a user's access to ePHI continue to limit access to ePHI to that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 6 Description Bullet 3
    {plan sponsor} Amend Plan Documents of the Group Health Plan to Address Adequate Separation Implementation Specification (Required) § 5.4.2. Table 27. Row 2 Key Activities 2.
    Amend the plan documents to incorporate provisions to require the plan sponsor to ensure that the adequate separation between the group health plan and plan sponsor required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. § 5.4.2. Table 27. Row 2 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1]
    Technical security Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Preventive
    Include virtual systems in the network diagram. CC ID 16324 Technical security Preventive
    Protect data stored at external locations. CC ID 16333 Technical security Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Preventive
    Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 Technical security Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824
    [Implement Encryption Implementation Specification (Addressable) § 5.3.5. Table 25. Row 4 Key Activities 4.
    Implement a mechanism to encrypt ePHI whenever appropriate. § 5.3.5. Table 25. Row 4 Description Bullet 1]
    Technical security Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Identify removable media and their uses. § 5.2.4. Table 20. Row 2 Description Bullet 3]
    Physical and environmental protection Preventive
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Operational and Systems Continuity Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Operational and Systems Continuity Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Operational and Systems Continuity Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Corrective
    Establish, implement, and maintain a Global Address List. CC ID 16934 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Identify systems covered by the contract/agreement. § 5.1.9. Table 16. Row 1 Description Bullet 3]
    Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Operational management Preventive
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Preventive
    Ensure data sets have the appropriate characteristics. CC ID 15000 Records management Detective
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Records management Detective
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure that ePHI previously stored on any electronic media cannot be accessed and reused. § 5.2.4. Table 20. Row 2 Description Bullet 2]
    Records management Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643
    [Implement procedures for the removal of ePHI from electronic media before the media become available for reuse. § 5.2.4. Table 20. Row 2 Description Bullet 1
    Ensure that ePHI is removed from reusable media before they are used to record new information. § 5.2.4. Table 20. Row 2 Description Bullet 4]
    Records management Preventive
    Require authorized individuals be present to witness records disposition. CC ID 12313 Records management Preventive
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Preventive
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Preventive
    Import data files into a patient's electronic health record. CC ID 14448 Records management Preventive
    Export requested sections of the electronic health record. CC ID 14447 Records management Preventive
    Display the implantable device list to authorized users. CC ID 14445 Records management Preventive
    Include attributes in the decision support intervention. CC ID 16766 Records management Preventive
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Corrective
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Preventive
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Preventive
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Preventive
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Preventive
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Privacy protection for information and data Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Ensure that ePHI is properly destroyed and cannot be recreated. § 5.2.4. Table 20. Row 1 Description Bullet 3
    Implement Methods for the Final Disposal of ePHI Implementation Specification (Required) § 5.2.4. Table 20. Row 1 Key Activities 1.]
    Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Preventive
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Detective
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill, or deceased. CC ID 13595 Privacy protection for information and data Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Preventive
    Refrain from selling restricted data, as necessary. CC ID 17165 Privacy protection for information and data Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of the House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breach an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt a criminal investigation, surveillance, or other legal process as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceedings or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if it is impracticable to respond to the access request within the original time limit. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Privacy protection for information and data Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
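The two controls above (account aliases for pseudonymity, and unlinkability for users and resources) name a technique without showing one. As an added example that is not part of the NIST guide or of this report, the Python below derives a separate MAC key per disclosure purpose and issues keyed aliases from it: records for one patient can still be joined inside a single purpose (say, one research extract), but the alias handed to a billing recipient cannot be matched against the alias handed to a research recipient, and only the controller holding the master key and its alias table can re-identify anyone. The purpose labels, field names and sample records are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed demo key. In production the master key lives in an HSM/KMS and
# is never stored beside the pseudonymized data it protects.
DEMO_MASTER_KEY = secrets.token_bytes(32)


def purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive one key per disclosure purpose (research, billing, ...).

    Aliases computed under different purpose keys cannot be joined with
    each other, which is what gives unlinkability across recipients.
    """
    return hmac.new(master_key, b"alias-key:" + purpose.encode("utf-8"),
                    hashlib.sha256).digest()


def alias_for(master_key: bytes, purpose: str, identifier: str) -> str:
    """Deterministic keyed alias for an identifier within one purpose.

    A keyed MAC is used instead of a bare hash: identifier spaces such as
    medical record numbers are small enough that an unkeyed SHA-256 could
    be reversed by enumerating every possible value.
    """
    key = purpose_key(master_key, purpose)
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class AliasRegistry:
    """Controller-side alias table, kept apart from any disclosed dataset."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._lookup = {}  # (purpose, alias) -> original identifier

    def pseudonymize(self, purpose: str, record: dict, id_field: str = "patient_id") -> dict:
        """Return a copy of record with id_field replaced by a purpose-bound alias."""
        identifier = record[id_field]
        alias = alias_for(self._master_key, purpose, identifier)
        self._lookup[(purpose, alias)] = identifier
        out = dict(record)
        del out[id_field]
        out["alias"] = alias
        return out

    def reidentify(self, purpose: str, alias: str):
        """Resolve an alias back to its identifier; only the controller can do this."""
        return self._lookup.get((purpose, alias))


def demo():
    """Pseudonymize the same constructed visits for two different recipients."""
    registry = AliasRegistry(DEMO_MASTER_KEY)
    # Constructed records; not real patient data.
    visits = [
        {"patient_id": "MRN-0099123", "visit": "2024-01-09", "dx": "E11"},
        {"patient_id": "MRN-0099123", "visit": "2024-02-20", "dx": "E11"},
        {"patient_id": "MRN-0042001", "visit": "2024-02-21", "dx": "I10"},
    ]
    research = [registry.pseudonymize("research", v) for v in visits]
    billing = [registry.pseudonymize("billing", v) for v in visits]
    return registry, research, billing


if __name__ == "__main__":
    reg, research_set, billing_set = demo()
    print("research aliases:", [r["alias"] for r in research_set])
    print("billing aliases: ", [b["alias"] for b in billing_set])
```

The alias table is the sensitive artifact here: it must be access-controlled and logged like the underlying identifiers, and rotating the master key invalidates every alias, so plan the rotation as a re-issue rather than an in-place change.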
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes when the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Preventive
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Validate the business need for maintaining collected restricted data. CC ID 17090 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356
    [Ensure that ePHI is not inadvertently released or shared with any unauthorized party. § 5.2.4. Table 20. Row 3 Description Bullet 2]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Preventive
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Privacy protection for information and data Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Notify individuals of their right to challenge personal data. CC ID 00457 Privacy protection for information and data Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Corrective
    Include the organization's name in the Third Party Service Provider list. CC ID 17287 Third Party and supply chain oversight Preventive
  • Establish Roles
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Decide whether the evaluation will be conducted with internal staff resources or external consultants. § 5.1.8. Table 15. Row 1 Description Bullet 1]
    Audits and risk management Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681
    [Use internal resources to supplement an external source of help because these internal resources can provide the best institutional knowledge and history of internal policies and practices. § 5.1.8. Table 15. Row 1 Description Bullet 3]
    Audits and risk management Preventive
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Physical and environmental protection Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Operational and Systems Continuity Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [Identify the individual who has final responsibility for security. § 5.1.2. Table 9. Row 1 Description Bullet 1
    {security responsibility} Assign and Document the Individual's Responsibility § 5.1.2. Table 9. Row 2 Key Activities 2.]
    Human Resources management Preventive
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [{security role} Communicate this assigned role to the entire organization. § 5.1.2. Table 9. Row 2 Description Bullet 2
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Document the assignment to one individual's responsibilities in a job description. § 5.1.2. Table 9. Row 2 Description Bullet 1]
    Human Resources management Detective
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2]
    Operational management Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2
    Classify devices based on the capabilities, connections, and allowable activities for each device used. § 5.2.2. Table 18. Row 1 Description Bullet 3]
    Operational management Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Operational management Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Implement a Mechanism to Authenticate ePHI Implementation Specification (Addressable) § 5.3.3. Table 23. Row 5 Key Activities 5.
    Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. § 5.3.3. Table 23. Row 5 Description Bullet 1
    Consider possible mechanisms for integrity verification, such as: § 5.3.3. Table 23. Row 5 Description Bullet 2
    Implement Integrity Controls Implementation Specification (Addressable) § 5.3.5. Table 25. Row 3 Key Activities 3.]
    Records management Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086 Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    1222
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{organizational requirements} Create and Deploy Policies and Procedures § 5.5.1. Table 28. Row 1 Key Activities 1.
    Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 1
    Periodically evaluate written policies and procedures to verify that: Policies and procedures accurately reflect the actual activities and practices exhibited by the regulated entity, its staff, its systems, and its business associates. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 2
    Update the Documentation of the Policy and Procedures § 5.5.1. Table 28. Row 2 Key Activities 2.
    Periodically evaluate written policies and procedures to verify that: Policies and procedures are sufficient to address the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Leadership and high level objectives Preventive
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167 Leadership and high level objectives Preventive
Include requirements in the organization's policies, standards, and procedures. CC ID 12956
    [Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2]
    Leadership and high level objectives Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [{organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1
    Draft, Maintain, and Update Required Documentation § 5.5.2. Table 29. Row 1 Key Activities 1.
    Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2
    Use feedback from risk assessments and contingency plan tests to help determine when to update documentation. § 5.5.2. Table 29. Row 1 Description Bullet 4
    Update Documentation as Required Implementation Specification (Required) § 5.5.2. Table 29. Row 4 Key Activities 4.]
    Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436
    [{contingency plan} Identify Preventive Measures § 5.1.7. Table 14. Row 3 Key Activities 3.]
    Leadership and high level objectives Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3]
    Leadership and high level objectives Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish, implement, and maintain an oversight plan. CC ID 17302 Leadership and high level objectives Preventive
    Include roles and responsibilities in the public oversight system. CC ID 17285 Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128
    [Select an individual who is able to assess effective security to serve as the point of contact for security policy, implementation, and monitoring. § 5.1.2. Table 9. Row 1 Description Bullet 2]
    Leadership and high level objectives Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [{management controls} {operational controls} Document decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.5.2. Table 29. Row 1 Description Bullet 1]
    Leadership and high level objectives Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [Define the organization's overall contingency objectives. § 5.1.7. Table 14. Row 1 Description Bullet 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506
    [Establish a Monitoring Process to Assess How the Implemented Process is Working § 5.3.3. Table 23. Row 6 Key Activities 6.]
    Monitoring and measurement Preventive
    Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035
    [Develop and Deploy the Information System Activity Review/Audit Policy § 5.3.2. Table 22. Row 3 Key Activities 3.]
    Monitoring and measurement Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Monitoring and measurement Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Monitoring and measurement Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Monitoring and measurement Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Monitoring and measurement Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Monitoring and measurement Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Monitoring and measurement Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Monitoring and measurement Preventive
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Monitoring and measurement Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Monitoring and measurement Preventive
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Preventive
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659
    [Conduct Evaluation § 5.1.8. Table 15. Row 3 Key Activities 3.
    Determine when evaluations are conducted in response to an environmental or operational change that affects the security of ePHI (e.g., prior to the change, contemporaneous with the change, after the change). § 5.1.8. Table 15. Row 3 Description Bullet 3
    {regular basis} Repeat Evaluations Periodically § 5.1.8. Table 15. Row 5 Key Activities 5.
    In addition to periodic reevaluations, consider repeating evaluations when environmental and operational changes that affect the security of ePHI are made to the organization (e.g., if new technology is adopted or if there are newly recognized risks to the security of ePHI). § 5.1.8. Table 15. Row 5 Description Bullet 2
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    {if} {is appropriate} Determine Whether Internal or External Evaluation is Most Appropriate § 5.1.8. Table 15. Row 1 Key Activities 1.]
    Monitoring and measurement Preventive
    Document improvement actions based on test results and exercises. CC ID 16840
    [Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    Utilize the results of evaluations to inform impactful security changes to protect ePHI. § 5.1.8. Table 15. Row 4 Description Bullet 4]
    Monitoring and measurement Preventive
    Define the test requirements for each testing program. CC ID 13177
    [Decide how to segment the type of testing based on the assessment of business impact and the acceptability of a sustained loss of service. § 5.1.7. Table 14. Row 7 Description Bullet 6]
    Monitoring and measurement Preventive
    Define the test frequency for each testing program. CC ID 13176
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Monitoring and measurement Preventive
    Include the pass or fail test status in the test results. CC ID 17106 Monitoring and measurement Preventive
    Include time information in the test results. CC ID 17105 Monitoring and measurement Preventive
    Include a description of the system tested in the test results. CC ID 17104 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [Consider determining any specific evaluation metrics and/or measurements to be captured during evaluation. Metrics and/or measurements can assist in tracking progress over time. § 5.1.8. Table 15. Row 2 Description Bullet 3]
    Monitoring and measurement Preventive
    Include roles and responsibilities in the corrective action plan. CC ID 16926
    [Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1]
    Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include actions taken to resolve issues in the corrective action plan. CC ID 16884 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [Develop and document organizational policies and procedures for conducting evaluation. § 5.1.8. Table 15. Row 2 Description Bullet 1]
    Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include the purpose in the audit report. CC ID 17263 Audits and risk management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Include written agreements in the audit report. CC ID 17266 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197
    [Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include the results of the business impact analysis in the audit report. CC ID 17208 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [Implement a Risk Management Program Implementation Specification (Required) § 5.1.1. Table 8. Row 3 Key Activities 3.
    {risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain a risk management policy. CC ID 17192
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 Audits and risk management Preventive
    Include metrics in the fundamental rights impact assessment. CC ID 17249 Audits and risk management Preventive
    Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 Audits and risk management Preventive
    Include user safeguards in the fundamental rights impact assessment. CC ID 17255 Audits and risk management Preventive
    Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 Audits and risk management Preventive
    Include the purpose in the fundamental rights impact assessment. CC ID 17243 Audits and risk management Preventive
    Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 Audits and risk management Preventive
    Include risk management measures in the fundamental rights impact assessment. CC ID 17224 Audits and risk management Preventive
    Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 Audits and risk management Preventive
    Include risks in the fundamental rights impact assessment. CC ID 17222 Audits and risk management Preventive
    Include affected parties in the fundamental rights impact assessment. CC ID 17221 Audits and risk management Preventive
    Include the frequency in the fundamental rights impact assessment. CC ID 17220 Audits and risk management Preventive
    Include the usage duration in the fundamental rights impact assessment. CC ID 17219 Audits and risk management Preventive
    Include system use in the fundamental rights impact assessment. CC ID 17218 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{identify} {unauthorized sources} Conduct this activity as part of a risk analysis. § 5.3.3. Table 23. Row 2 Description Bullet 2]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480
    [Remediation and corrective action plans that arise from incidents should serve as input to the risk assessment/management process. § 5.1.6. Table 13. Row 4 Description Bullet 3]
    Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075
    [Conduct an Analysis of Existing Physical Security Vulnerabilities § 5.2.1. Table 17. Row 1 Key Activities 1.
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1]
    Audits and risk management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Audits and risk management Preventive
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Audits and risk management Preventive
    Include time information in the risk treatment plan. CC ID 16993 Audits and risk management Preventive
    Include allocation of resources in the risk treatment plan. CC ID 16989 Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [HIPAA Standard: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 5.3.4. ¶ 1]
    Technical security Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702
    [Implement policies and procedures for granting access to ePHI, such as through access to a workstation, transaction, program, process, or other mechanism. § 5.1.4. Table 11. Row 2 Description Bullet 1
    If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization. § 5.1.4. Table 11. Row 1 Description Bullet 1
    Implement Policies and Procedures for Access Establishment and Modification Implementation Specification (Addressable) § 5.1.4. Table 11. Row 3 Key Activities 3.
    Implement policies and procedures that – based on the covered entity or business associate's access authorization policies – establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 5.1.4. Table 11. Row 3 Description Bullet 1
    HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). § 5.3.1. ¶ 1
    {access control} Integrate these activities into the access granting and management process. § 5.3.1. Table 21. Row 1 Description Bullet 3
    Develop Access Control Policy and Procedures § 5.3.1. Table 21. Row 4 Key Activities 4.
    {access control} Implement the policy and procedures using existing or additional hardware or software solutions. § 5.3.1. Table 21. Row 5 Description Bullet 1
    {access control} Enforce the policy and procedures as a matter of ongoing operations. § 5.3.1. Table 21. Row 6 Description Bullet 1
    Identify Technical Access Control Capabilities § 5.3.1. Table 21. Row 2 Key Activities 2.
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1
    Implement Policies and Procedures for Authorizing Access Implementation Specification (Addressable) § 5.1.4. Table 11. Row 2 Key Activities 2.]
    Technical security Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [Establish a formal policy for access control that will guide the development of procedures. § 5.3.1. Table 21. Row 4 Description Bullet 1]
    Technical security Preventive
    Include compliance requirements in the access control policy. CC ID 14006
    [{are feasible} {are cost-effective} Specify requirements for access control that are both feasible and cost-effective. § 5.3.1. Table 21. Row 4 Description Bullet 2]
    Technical security Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Preventive
    Include management commitment in the access control policy. CC ID 14004 Technical security Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Preventive
    Include the scope in the access control policy. CC ID 14002 Technical security Preventive
    Include the purpose in the access control policy. CC ID 14001 Technical security Preventive
    Document the business need justification for user accounts. CC ID 15490 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 5.1.4. ¶ 1]
    Technical security Preventive
    Inventory all user accounts. CC ID 13732 Technical security Preventive
    Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 Technical security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782
    [Ensure that there is a list of personnel with authority to approve user requests to access ePHI and systems with ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 6]
    Technical security Preventive
    Establish, implement, and maintain a password policy. CC ID 16346 Technical security Preventive
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Technical security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3
    Decide and document procedures for how access to ePHI will be granted to workforce members within the organization. § 5.1.4. Table 11. Row 2 Description Bullet 2
    Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access). § 5.1.4. Table 11. Row 2 Description Bullet 4
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1
    Identify an approach for access control. § 5.3.1. Table 21. Row 1 Description Bullet 1
    Implement Access Control Procedures Using Selected Hardware and Software § 5.3.1. Table 21. Row 5 Key Activities 5.
    Determine whether any changes are needed for access control mechanisms. § 5.3.1. Table 21. Row 6 Description Bullet 2]
    Technical security Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171
    [Identify in writing who has the business need and who has been granted permission to view, alter, retrieve, and store ePHI and at what times, under what circumstances, and for what purposes. § 5.1.3. Table 10. Row 2 Description Bullet 3]
    Technical security Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Preventive
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Preventive
    Include the purpose in the identification and authentication policy. CC ID 14234 Technical security Preventive
    Include the scope in the identification and authentication policy. CC ID 14232 Technical security Preventive
    Include roles and responsibilities in the identification and authentication policy. CC ID 14230 Technical security Preventive
    Include management commitment in the identification and authentication policy. CC ID 14229 Technical security Preventive
    Include coordination amongst entities in the identification and authentication policy. CC ID 14227 Technical security Preventive
    Include compliance requirements in the identification and authentication policy. CC ID 14225 Technical security Preventive
    Establish the requirements for Authentication Assurance Levels. CC ID 16958 Technical security Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [Identify the methods available for authentication. Under the HIPAA Security Rule, authentication is the corroboration that a person is the one claimed (45 CFR § 164.304). § 5.3.4. Table 24. Row 1 Description Bullet 1
    Evaluate Available Authentication Options § 5.3.4. Table 24. Row 2 Key Activities 2.
    Weigh the relative advantages and disadvantages of commonly used authentication approaches. § 5.3.4. Table 24. Row 2 Description Bullet 1
    Select and Implement Authentication Options § 5.3.4. Table 24. Row 3 Key Activities 3.
    {authentication methods} Implement the methods selected in organizational operations and activities. § 5.3.4. Table 24. Row 3 Description Bullet 2
    Consider the results of the analysis conducted under Key Activity 2 and select appropriate authentication methods based on the results of the risk assessment and risk management processes. § 5.3.4. Table 24. Row 3 Description Bullet 1
    Determine Authentication Applicability to Current Systems/Applications § 5.3.4. Table 24. Row 1 Key Activities 1.]
    Technical security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Preventive
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034
    [{integrity requirements} Develop the Integrity Policy and Requirements § 5.3.3. Table 23. Row 3 Key Activities 3.]
    Technical security Preventive
    Include compliance requirements in the system and information integrity policy. CC ID 14151
    [{risk analysis} Establish a formal written set of integrity requirements based on the results of the analysis completed in Key Activities 1 and 2. § 5.3.3. Table 23. Row 3 Description Bullet 1]
    Technical security Preventive
    Include coordination amongst entities in the system and information integrity policy. CC ID 14150 Technical security Preventive
    Include management commitment in the system and information integrity policy. CC ID 14149 Technical security Preventive
    Include roles and responsibilities in the system and information integrity policy. CC ID 14148 Technical security Preventive
    Include the scope in the system and information integrity policy. CC ID 14147 Technical security Preventive
    Include the purpose in the system and information integrity policy. CC ID 14146 Technical security Preventive
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 5.3.3. ¶ 1
    {integrity requirements} Implement Procedures to Address These Requirements § 5.3.3. Table 23. Row 4 Key Activities 4.
    Identify and implement tools and techniques to be developed or procured that support the assurance of integrity. § 5.3.3. Table 23. Row 4 Description Bullet 2
    Continually reassess integrity processes as technology and operational environments change to determine whether they need to be revised. § 5.3.3. Table 23. Row 6 Description Bullet 2
    Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. § 5.3.5. Table 25. Row 3 Description Bullet 1]
    Technical security Preventive
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Technical security Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Preventive
    Include management commitment in the network security policy. CC ID 14203 Technical security Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Preventive
    Include the scope in the network security policy. CC ID 14201 Technical security Preventive
    Include the purpose in the network security policy. CC ID 14200 Technical security Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Preventive
    Include the organization's name in the network diagram. CC ID 14318 Technical security Preventive
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059
    [Identify all pathways by which ePHI will be transmitted into, within, and outside of the organization. § 5.3.5. Table 25. Row 1 Description Bullet 1]
    Technical security Preventive
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Preventive
    Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 Technical security Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 5.3.5. ¶ 1
    Establish a formal written set of requirements for transmitting ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 1
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Technical security Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [Identify methods of transmission that will be used to safeguard ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 2
    Identify tools and techniques that will be used to support the transmission security policy. § 5.3.5. Table 25. Row 2 Description Bullet 3
    Implement procedures for transmitting ePHI using hardware and/or software, if needed. § 5.3.5. Table 25. Row 2 Description Bullet 4
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Technical security Preventive
    Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 Technical security Preventive
    Include connection termination procedures in the information exchange procedures. CC ID 17027 Technical security Preventive
    Include the data sensitivity levels in the information exchange procedures. CC ID 17024 Technical security Preventive
    Include communication requirements in the information exchange procedures. CC ID 17026 Technical security Preventive
    Include roles and responsibilities in the information exchange procedures. CC ID 17023 Technical security Preventive
    Include contact information in the information exchange procedures. CC ID 17307 Technical security Preventive
    Include implementation procedures in the information exchange procedures. CC ID 17022 Technical security Preventive
    Include security controls in the information exchange procedures. CC ID 17021 Technical security Preventive
    Include testing procedures in the information exchange procedures. CC ID 17020 Technical security Preventive
    Include measurement criteria in the information exchange procedures. CC ID 17019 Technical security Preventive
    Include training requirements in the information exchange procedures. CC ID 17017 Technical security Preventive
    Revoke membership in the allowlist, as necessary. CC ID 13827 Technical security Corrective
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Technical security Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement a mechanism to encrypt and decrypt ePHI. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 2]
    Technical security Preventive
    Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 Technical security Preventive
    Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757
    [Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 5.2.1. Table 17. Row 3 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 5.2.1. ¶ 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical security plans. CC ID 13307 Physical and environmental protection Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Physical and environmental protection Preventive
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Develop a Facility Security Plan Implementation Specification (Addressable) § 5.2.1. Table 17. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629
    [Determine which types of facilities require access controls to safeguard ePHI, such as: § 5.2.1. Table 17. Row 1 Description Bullet 3
    Implement procedures to provide facility access to authorized personnel and visitors and exclude unauthorized persons. § 5.2.1. Table 17. Row 4 Description Bullet 2
    Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699
    [Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462
    [Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.]
    Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Physical and environmental protection Preventive
    Include compliance requirements in the media protection policy. CC ID 14185 Physical and environmental protection Preventive
    Include coordination amongst entities in the media protection policy. CC ID 14184 Physical and environmental protection Preventive
    Include management commitment in the media protection policy. CC ID 14182 Physical and environmental protection Preventive
    Include roles and responsibilities in the media protection policy. CC ID 14180 Physical and environmental protection Preventive
    Include the scope in the media protection policy. CC ID 14167 Physical and environmental protection Preventive
    Include the purpose in the media protection policy. CC ID 14166 Physical and environmental protection Preventive
    Establish, implement, and maintain media protection procedures. CC ID 14062 Physical and environmental protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Physical and environmental protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1
    Determine the proper function and manner by which specific workstations or classes of workstations are permitted to access ePHI (e.g., applications permitting access to ePHI that are allowed on workstations used by a hospital's customer service call center or its radiology department). § 5.2.2. Table 18. Row 1 Description Bullet 4]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Physical and environmental protection Preventive
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device activation procedures. CC ID 16999 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Physical and environmental protection Preventive
    Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 Physical and environmental protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Develop a standard set of procedures that should be followed to recover access control devices (e.g., identification badges, keys, access cards) when employment ends. § 5.1.3. Table 10. Row 5 Description Bullet 2]
    Physical and environmental protection Preventive
    Establish, implement, and maintain returned card procedures. CC ID 13567 Physical and environmental protection Preventive
    Establish, implement, and maintain a mailing control log. CC ID 16136 Physical and environmental protection Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Physical and environmental protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710
    [{authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2]
    Physical and environmental protection Preventive
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Physical and environmental protection Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613
    [Analyze Physical Surroundings for Physical Attributes § 5.2.2. Table 18. Row 3 Key Activities 3.
    HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210
    [HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 5.1.7. ¶ 1]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [Develop a Contingency Planning Policy § 5.1.7. Table 14. Row 1 Key Activities 1.]
    Operational and Systems Continuity Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237 Operational and Systems Continuity Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Operational and Systems Continuity Preventive
    Include management commitment in the business continuity policy. CC ID 14233 Operational and Systems Continuity Preventive
    Include the scope in the business continuity policy. CC ID 14231 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Operational and Systems Continuity Preventive
    Include the purpose in the business continuity policy. CC ID 14188 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235 Operational and Systems Continuity Preventive
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 Operational and Systems Continuity Preventive
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Operational and Systems Continuity Preventive
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Operational and Systems Continuity Preventive
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 Operational and Systems Continuity Preventive
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239 Operational and Systems Continuity Preventive
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 Operational and Systems Continuity Preventive
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 Operational and Systems Continuity Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Operational and Systems Continuity Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262 Operational and Systems Continuity Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Operational and Systems Continuity Preventive
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Operational and Systems Continuity Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Operational and Systems Continuity Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Preventive
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Operational and Systems Continuity Preventive
    Designate safe rooms in the shelter in place plan. CC ID 16276 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop and Implement an Emergency Mode Operation Plan Implementation Specification (Required) § 5.1.7. Table 14. Row 6 Key Activities 6.]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish Contingency Operations Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 5 Key Activities 5.
    Identify a method for supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems. § 5.3.1. Table 21. Row 7 Description Bullet 2]
    Operational and Systems Continuity Corrective
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [Establish (and implement as needed) procedures to restore any loss of data. § 5.1.7. Table 14. Row 5 Description Bullet 2
    Develop Recovery Strategy § 5.1.7. Table 14. Row 4 Key Activities 4.
    {be cost-effective} Establish cost-effective strategies for recovering these critical services or processes. § 5.1.7. Table 14. Row 2 Description Bullet 7]
    Operational and Systems Continuity Preventive
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295
    [Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{are feasible} Ensure that identified preventive measures are practical and feasible in terms of their applicability in a given environment. § 5.1.7. Table 14. Row 3 Description Bullet 2
    {contingency plan} Identify preventive measures for each defined scenario that could result in the loss of a critical service operation involving the use of ePHI. § 5.1.7. Table 14. Row 3 Description Bullet 1]
    Operational and Systems Continuity Preventive
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency mode operation} "Emergency mode" operation involves only those critical business processes that must occur to protect the security of ePHI during and immediately after a crisis situation. § 5.1.7. Table 14. Row 6 Description Bullet 2
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish (and implement as needed) procedures to enable the continuation of critical business processes to protect the security of ePHI while operating in emergency mode. § 5.1.7. Table 14. Row 6 Description Bullet 1]
    Operational and Systems Continuity Preventive
    Include load-shedding in the emergency operating procedures. CC ID 17133 Operational and Systems Continuity Preventive
    Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 Operational and Systems Continuity Preventive
    Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 Operational and Systems Continuity Preventive
    Include outages in the emergency operating procedures. CC ID 17129 Operational and Systems Continuity Preventive
    Include energy resource management in the emergency operating procedures. CC ID 17128 Operational and Systems Continuity Preventive
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Operational and Systems Continuity Preventive
    Define and prioritize critical business functions. CC ID 00736
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2
    {critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    {contingency plan} Conduct an Applications and Data Criticality Analysis Implementation Specification (Addressable) § 5.1.7. Table 14. Row 2 Key Activities 2.
    Assess the relative criticality of specific applications and data in support of other Contingency Plan components. § 5.1.7. Table 14. Row 2 Description Bullet 1]
    Operational and Systems Continuity Detective
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [Determine the amount of time that the organization can tolerate disruptions to these operations, materials, or services (e.g., due to power outages). § 5.1.7. Table 14. Row 2 Description Bullet 4
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Operational and Systems Continuity Preventive
    Define and prioritize critical business records. CC ID 11687
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2]
    Operational and Systems Continuity Preventive
    Include the protection of personnel in the continuity plan. CC ID 06378 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Operational and Systems Continuity Detective
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6]
    Operational and Systems Continuity Preventive
    Include the capacity of critical resources in the critical resource list. CC ID 17099 Operational and Systems Continuity Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Operational and Systems Continuity Preventive
    Include a backup rotation scheme in the backup policy. CC ID 16219 Operational and Systems Continuity Preventive
    Include naming conventions in the backup policy. CC ID 16218 Operational and Systems Continuity Preventive
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Operational and Systems Continuity Detective
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Operational and Systems Continuity Preventive
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Operational and Systems Continuity Preventive
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Operational and Systems Continuity Detective
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [Make key decisions regarding how the testing is to occur (e.g., tabletop exercise versus staging a real operational scenario, including actual loss of capability). § 5.1.7. Table 14. Row 7 Description Bullet 5
    Implement procedures for the periodic testing and revision of contingency plans. § 5.1.7. Table 14. Row 7 Description Bullet 1]
    Operational and Systems Continuity Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Preventive
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Operational and Systems Continuity Preventive
    Include the risk assessment results in the continuity test plan. CC ID 17205 Operational and Systems Continuity Preventive
    Include the business impact analysis test results in the continuity test plan. CC ID 17204 Operational and Systems Continuity Preventive
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Human Resources management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [Implement Policies and Procedures for Authorization and/or Supervision Implementation Specification (Addressable) § 5.1.3. Table 10. Row 1 Key Activities 1.
    Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. § 5.1.3. Table 10. Row 1 Description Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Human Resources management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Human Resources management Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Human Resources management Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Human Resources management Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154 Human Resources management Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Human Resources management Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Human Resources management Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Human Resources management Preventive
    Include the scope in the personnel security policy. CC ID 14111 Human Resources management Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Human Resources management Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Human Resources management Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Human Resources management Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700
    [Implement appropriate screening of persons who will have access to ePHI. § 5.1.3. Table 10. Row 4 Description Bullet 2]
    Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783
    [Implement a procedure for obtaining clearance from appropriate offices or individuals where access is provided or terminated. § 5.1.3. Table 10. Row 4 Description Bullet 3
    Establish a Workforce Clearance Procedure Implementation Specification (Addressable) § 5.1.3. Table 10. Row 4 Key Activities 4.]
    Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Establish Termination Procedures Implementation Specification (Addressable) § 5.1.3. Table 10. Row 5 Key Activities 5.]
    Human Resources management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Preventive
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.
    {workforce security} Ensure that these requirements are included as part of the personnel hiring process. § 5.1.3. Table 10. Row 3 Description Bullet 2]
    Human Resources management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Human Resources management Preventive
    Establish, implement, and maintain job applications. CC ID 16180 Human Resources management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.
    Monitor and Evaluate the Training Plan § 5.1.5. Table 12. Row 7 Key Activities 7.]
    Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management). § 5.1.5. ¶ 1
    Develop Appropriate Awareness and Training Content, Materials, and Methods § 5.1.5. Table 12. Row 4 Key Activities 4.
    {security awareness training} Implement the Training § 5.1.5. Table 12. Row 5 Key Activities 5.
    {security awareness training} Schedule and conduct the training outlined in the strategy and plan. § 5.1.5. Table 12. Row 5 Description Bullet 1
    {keep current} Keep the security awareness and training program current. § 5.1.5. Table 12. Row 7 Description Bullet 1]
    Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092
    [Address the specific HIPAA policies that require security awareness and training in the security awareness and training program. § 5.1.5. Table 12. Row 2 Description Bullet 1]
    Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146
    [Select topics to be included in the training materials, and consider current and relevant topics (e.g., phishing, email security) for the protection of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 1]
    Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046
    [Set organizational expectations for protecting ePHI. § 5.1.5. Table 12. Row 2 Description Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Creating, changing, and safeguarding passwords. § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 3]
    Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802
    [Incorporate information concerning workforce members' roles and responsibilities in implementing these implementation specifications into training and awareness efforts. § 5.1.5. Table 12. Row 3 Description Bullet 2]
    Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Preventive
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Operational management Preventive
    Document the organization's business processes. CC ID 13035
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Operational management Detective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Preventive
    Include the scope in the compliance policy. CC ID 14812 Operational management Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Preventive
    Include management commitment in the compliance policy. CC ID 14808 Operational management Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Preventive
    Include governance threshold requirements in the governance policy. CC ID 16933 Operational management Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include cloud services in the internal control framework. CC ID 17262 Operational management Preventive
    Include cloud security controls in the internal control framework. CC ID 17264 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Operational management Preventive
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Operational management Preventive
    Include protection measures in the cybersecurity framework. CC ID 17278 Operational management Preventive
    Include the scope in the cybersecurity framework. CC ID 17277 Operational management Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations. § 5.1.1. ¶ 1
    {security management} Create and Deploy Policies and Procedures § 5.1.1. Table 8. Row 5 Key Activities 5.
    {security management} Establish a frequency for reviewing policy and procedures. § 5.1.1. Table 8. Row 5 Description Bullet 4
    Consider the importance of documenting processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.1. Table 28. Row 1 Description Bullet 2
    Consider the importance of documenting the processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.2. Table 29. Row 1 Description Bullet 3]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Preventive
    Include access control in the information security program. CC ID 12386
    [Evaluate Existing Security Measures Related to Access Controls § 5.1.4. Table 11. Row 4 Key Activities 4.
    Evaluate the security features of access controls that are already in place or those of any planned for implementation, as appropriate. § 5.1.4. Table 11. Row 4 Description Bullet 1]
    Operational management Preventive
    Include asset management in the information security program. CC ID 12380
    [{security management} Include all hardware and software that are used to collect, store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 3]
    Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2]
    Operational management Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Operational management Preventive
    Define the situations that require time information in the operating instructions. CC ID 17111 Operational management Preventive
    Include congestion management actions in the operational control procedures. CC ID 17135 Operational management Preventive
    Update the congestion management actions in a timely manner. CC ID 17145 Operational management Preventive
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Operational management Preventive
    Include continuous monitoring in the operational control procedures. CC ID 17137 Operational management Preventive
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Operational management Preventive
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Operational management Preventive
    Include roles and responsibilities in the operational control procedures. CC ID 17159 Operational management Preventive
    Include alternative actions in the operational control procedures. CC ID 17096 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Develop Appropriate Standard Operating Procedures § 5.1.1. Table 8. Row 8 Key Activities 8.
    Develop Appropriate Standard Operating Procedures § 5.3.2. Table 22. Row 4 Key Activities 4.]
    Operational management Preventive
    Include system use information in the standard operating procedures manual. CC ID 17240 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include resources in the standard operating procedures manual. CC ID 17212 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Operational management Preventive
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Operational management Preventive
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Operational management Preventive
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Operational management Preventive
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Operational management Preventive
    Include content requirements in the e-mail policy. CC ID 17041 Operational management Preventive
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Operational management Preventive
    Include usage restrictions in the e-mail policy. CC ID 17039 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Include message format requirements in the e-mail policy. CC ID 17038 Operational management Preventive
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Operational management Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5]
    Operational management Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Preventive
    Include program objectives in the asset management program. CC ID 14413 Operational management Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Preventive
    Include installation requirements in the asset management program. CC ID 17195 Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1
    Inventory workstations and devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.2. Table 18. Row 1 Description Bullet 1]
    Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make and model of device for applicable assets in the asset inventory. CC ID 12465
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Operational management Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3
    Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks). § 5.2.1. Table 17. Row 6 Description Bullet 1]
    Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Establish, implement, and maintain a technology refresh schedule. CC ID 16940 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202
    [Maintain Maintenance Records Implementation Specification (Addressable) § 5.2.1. Table 17. Row 6 Key Activities 6.]
    Operational management Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [Gain an understanding as to what constitutes a true security incident. Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (45 CFR § 164.304). § 5.1.6. Table 13. Row 1 Description Bullet 1]
    Operational management Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Detective
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233
    [Update the procedures as required based on changing organizational needs. § 5.1.6. Table 13. Row 3 Description Bullet 6
    Incorporate Post-Incident Analysis Into Updates and Revisions § 5.1.6. Table 13. Row 4 Key Activities 4.
    Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [Establish (and implement as needed) procedures that allow facility access in support of the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. § 5.2.1. Table 17. Row 5 Description Bullet 1
    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 5.3.1. Table 21. Row 7 Description Bullet 1
    Establish an Emergency Access Procedure Implementation Specification (Required) § 5.3.1. Table 21. Row 7 Key Activities 7.]
    Operational management Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.
    Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4
    Establish a specific policy for security incident reporting. § 5.4.2. Table 27. Row 4 Description Bullet 2]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Ensure that the incident response program covers all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 1 Description Bullet 2
    Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.]
    Operational management Preventive
    Create an incident response report. CC ID 12700
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Preventive
    Include entities notified of the incident in the incident response report. CC ID 17294 Operational management Preventive
    Include details of the companies and persons involved in the incident response report. CC ID 17298 Operational management Preventive
    Include the incident reference code in the incident response report. CC ID 17297 Operational management Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987 Operational management Preventive
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Operational management Preventive
    Include disciplinary actions taken in the incident response report. CC ID 16810 Operational management Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Operational management Preventive
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Operational management Preventive
    Include recovery measures in the incident response report. CC ID 17299 Operational management Preventive
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296 Operational management Preventive
    Define target resolution times for incident response in the Incident Response program. CC ID 13072
    [Determine the Goals of an Incident Response § 5.1.6. Table 13. Row 1 Key Activities 1.]
    Operational management Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Preventive
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237
    [Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate Response Mechanism § 5.1.6. Table 13. Row 2 Key Activities 2.
    Determine whether the size, scope, mission, and other aspects of the organization justify the reasonableness and appropriateness of maintaining a standing incident response team. § 5.1.6. Table 13. Row 2 Description Bullet 1
    Identify appropriate individuals to be part of a formal incident response team if the organization has determined that implementing an incident response team is reasonable and appropriate. § 5.1.6. Table 13. Row 2 Description Bullet 2]
    Operational management Preventive
    Include identifying remediation actions in the incident response plan. CC ID 13354 Operational management Preventive
    Include log management procedures in the incident response program. CC ID 17081 Operational management Preventive
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Ensure that an organizational incident response policy is in place that addresses all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 3 Description Bullet 2]
    Operational management Preventive
    Include compliance requirements in the incident response policy. CC ID 14108 Operational management Preventive
    Include coordination amongst entities in the incident response policy. CC ID 14107
    [Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4]
    Operational management Preventive
    Include management commitment in the incident response policy. CC ID 14106 Operational management Preventive
    Include roles and responsibilities in the incident response policy. CC ID 14105 Operational management Preventive
    Include the scope in the incident response policy. CC ID 14104 Operational management Preventive
    Include the purpose in the incident response policy. CC ID 14101 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team. § 5.1.6. Table 13. Row 3 Description Bullet 3
    Determine how the organization will respond to a security incident. § 5.1.6. Table 13. Row 1 Description Bullet 3]
    Operational management Detective
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Preventive
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Determine what constitutes an environmental or operational change that affects the security of ePHI. § 5.1.8. Table 15. Row 3 Description Bullet 2
    Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1]
    Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Preventive
    Establish, implement, and maintain a transition strategy. CC ID 17049 Operational management Preventive
    Include monitoring requirements in the transition strategy. CC ID 17290 Operational management Preventive
    Include resources in the transition strategy. CC ID 17289 Operational management Preventive
    Include time requirements in the transition strategy. CC ID 17288 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Update associated documentation after the system configuration has been changed. CC ID 00891
    [Review documentation periodically and update as needed in response to environmental or operational changes that affect the security of the ePHI. § 5.5.2. Table 29. Row 4 Description Bullet 1]
    Operational management Preventive
    Establish and maintain a service catalog. CC ID 13634
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Operational management Preventive
    Include a service description in the service catalog. CC ID 13917 Operational management Preventive
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Operational management Preventive
    Include service deliverables for each service description in the service catalog. CC ID 13918 Operational management Preventive
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 Operational management Preventive
    Categorize services in the service catalog. CC ID 14419 Operational management Preventive
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Operational management Preventive
    Establish, implement, and maintain an information management program. CC ID 14315
    [Periodically evaluate written policies and procedures to verify that: § 5.5.1. Table 28. Row 1 Description Bullet 3]
    Records management Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. § 5.2.4. Table 20. Row 1 Description Bullet 1]
    Records management Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Records management Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Preventive
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Preventive
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Preventive
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Preventive
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Preventive
    Include record integrity techniques in the records management procedures. CC ID 06418
    [Identify and implement methods that will be used to protect ePHI from unauthorized modification. § 5.3.3. Table 23. Row 4 Description Bullet 1]
    Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Develop and Implement Procedures for the Reuse of Electronic Media Implementation Specification (Required) § 5.2.4. Table 20. Row 2 Key Activities 2.]
    Records management Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Preventive
    Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 Acquisition or sale of facilities, technology, and services Preventive
    Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 Acquisition or sale of facilities, technology, and services Preventive
    Include instructions on how to use the security functions in the user documentation. CC ID 14314 Acquisition or sale of facilities, technology, and services Preventive
    Include security functions in the user documentation. CC ID 14313 Acquisition or sale of facilities, technology, and services Preventive
    Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 Acquisition or sale of facilities, technology, and services Preventive
    Include a description of user interactions in the user documentation. CC ID 14311 Acquisition or sale of facilities, technology, and services Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307 Acquisition or sale of facilities, technology, and services Preventive
    Include roles and responsibilities in system acquisition contracts. CC ID 14765 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Acquisition or sale of facilities, technology, and services Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Acquisition or sale of facilities, technology, and services Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Acquisition or sale of facilities, technology, and services Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161 Acquisition or sale of facilities, technology, and services Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Acquisition or sale of facilities, technology, and services Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159 Acquisition or sale of facilities, technology, and services Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Acquisition or sale of facilities, technology, and services Preventive
    Align the service management program with the Code of Conduct. CC ID 14211 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [Determine whether a component of the regulated entity constitutes a healthcare clearinghouse under the HIPAA Security Rule. § 5.1.4. Table 11. Row 1 Description Bullet 2]
    Privacy protection for information and data Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Preventive
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Privacy protection for information and data Preventive
    Include contact information in the privacy notice. CC ID 14432 Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Preventive
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Privacy protection for information and data Preventive
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312 Privacy protection for information and data Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Preventive
    Include how opt-out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Preventive
    Include the opt-out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Preventive
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Preventive
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Preventive
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Preventive
    Disseminate and communicate the notification of rights to students and their parents or legal representatives. CC ID 12996 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Privacy protection for information and data Preventive
    Include the names of individuals to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Preventive
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Detective
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Preventive
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Preventive
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Preventive
    Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Preventive
    Include opt-out instructions in the privacy policy. CC ID 00411 Privacy protection for information and data Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Preventive
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Preventive
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Preventive
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Preventive
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data choice and consent program. CC ID 12569 Privacy protection for information and data Preventive
    Date the data subject's consent. CC ID 17233 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Preventive
    Highlight the section regarding the data subject's consent so that it is distinguishable from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed of, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414 Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Preventive
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Detective
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Preventive
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712
    [Consider the impact of a merger or acquisition on risks to ePHI. During a merger or acquisition, new data pathways may be introduced that lead to ePHI being stored, processed, or transmitted in previously unanticipated places. § 5.1.1. Table 8. Row 1 Description Bullet 5]
    Privacy protection for information and data Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Preventive
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Corrective
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Privacy protection for information and data Preventive
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Preventive
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Preventive
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Preventive
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Detective
    Define the organization's liability based on the applicable law. CC ID 00504 Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Preventive
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [If part of the strategy depends on external organizations for support, ensure that formal agreements are in place with specific requirements stated. § 5.1.7. Table 14. Row 4 Description Bullet 2
    Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6
    Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2
    Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612
    [Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Include the purpose in the information flow agreement. CC ID 17016 Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the costs in the information flow agreement. CC ID 17018 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{contract} Identify roles and responsibilities. § 5.1.9. Table 16. Row 3 Description Bullet 3]
    Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Contract Must Provide That Business Associates Will Comply With the Applicable Requirements of the Security Rule Implementation Specification (Required) § 5.4.1. Table 26. Row 1 Key Activities 1.]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1
    Contract Must Provide That Business Associates Will Report Security Incidents Implementation Specification (Required) § 5.4.1. Table 26. Row 3 Key Activities 3.
    Amend plan documents to incorporate provisions to require the plan sponsor to report any security incident of which it becomes aware to the group health plan. § 5.4.2. Table 27. Row 4 Description Bullet 1
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3
    Amend Plan Documents of Group Health Plans to Address the Reporting of Security Incidents Implementation Specification (Required) § 5.4.2. Table 27. Row 4 Key Activities 4.]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532
    [Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI per the BAA or contract. § 5.1.9. Table 16. Row 2 Description Bullet 1
    Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract. § 5.4.1. Table 26. Row 3 Description Bullet 2
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3]
    Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355
    [Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements. § 5.1.9. Table 16. Row 1 Description Bullet 1]
    Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include on-site visits in third party contracts. CC ID 17306 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations. § 5.1.9. Table 16. Row 1 Description Bullet 4]
    Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
[HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 5.1.9. ¶ 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1
    In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section. § 5.4.1. Table 26. Row 2 Description Bullet 1
    Contract Must Provide That the Business Associates Enter Into Contracts With Subcontractors to Ensure the Protection of ePHI Implementation Specification (Required) § 5.4.1. Table 26. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach. § 5.4.1. Table 26. Row 3 Description Bullet 3]
    Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{individual} {is current} Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current. § 5.1.9. Table 16. Row 1 Description Bullet 2]
    Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Preventive
    Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 Third Party and supply chain oversight Preventive
    Include storage locations in the Third Party Service Provider list. CC ID 17184 Third Party and supply chain oversight Preventive
    Include the processing location in the Third Party Service Provider list. CC ID 17183 Third Party and supply chain oversight Preventive
    Include the transferability of services in the Third Party Service Provider list. CC ID 17185 Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Preventive
    Categorize all suppliers in the supply chain management program. CC ID 00792
    [Identify Entities That Are Business Associates Under the HIPAA Security Rule § 5.1.9. Table 16. Row 1 Key Activities 1.]
    Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [Regulated entities should consider how cloud services and other third-party IT system and service offerings can both assist regulated entities in protecting ePHI while also potentially introducing new risks to ePHI. § 5.1.1. Table 8. Row 4 Description Bullet 1]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    Assign senior management to approve test plans. CC ID 13071
    [Secure management support for the evaluation process to ensure participation. § 5.1.8. Table 15. Row 3 Description Bullet 4]
    Monitoring and measurement Preventive
    Define the qualification requirements for auditors. CC ID 17259 Audits and risk management Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [Consider assigning secondary personnel to be part of the incident response team in the event that primary personnel are unavailable. § 5.1.6. Table 13. Row 2 Description Bullet 3]
    Operational and Systems Continuity Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112
    [Select a Security Official to be Assigned Responsibility for HIPAA Security § 5.1.2. Table 9. Row 1 Key Activities 1.]
    Human Resources management Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Preventive
    Assign the Risk Assessment Manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define roles and responsibilities for all job functions. § 5.1.3. Table 10. Row 2 Description Bullet 1
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.]
    Human Resources management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Preventive
    Document the use of external experts. CC ID 16263 Human Resources management Preventive
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Human Resources management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Preventive
    Categorize the gender of all employees. CC ID 15609 Human Resources management Preventive
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources management Preventive
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources management Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources management Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Corrective
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Detective
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources management Preventive
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources management Preventive
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources management Preventive
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources management Preventive
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources management Preventive
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources management Preventive
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources management Preventive
    Include a space for the start date on the job application. CC ID 16187 Human Resources management Preventive
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources management Preventive
    Approve the wording of job applications. CC ID 16182 Human Resources management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources management Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2
    HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 5.1.2. ¶ 1]
    Operational management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Privacy protection for information and data Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Detective
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Preventive
  • IT Impact Zone (11 controls)
    KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular. Trailing columns on each row: Impact Zone, Class.
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate (30 controls)
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Monitoring and measurement Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Monitoring and measurement Detective
    Review retail payment service reports, as necessary. CC ID 13545 Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Verify proof of identity records. CC ID 13761 Technical security Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 Operational and Systems Continuity Detective
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 Operational and Systems Continuity Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Prepare digital forensic equipment. CC ID 08688 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management (47 controls)
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Monitoring and measurement Detective
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 5.3.2. ¶ 1
    Activate the necessary audit system. § 5.3.2. Table 22. Row 5 Description Bullet 1]
    Monitoring and measurement Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Determine the appropriate scope of audit controls that will be necessary in information systems that contain or use ePHI based on the regulated entity's risk assessment and other organizational factors. § 5.3.2. Table 22. Row 1 Description Bullet 1]
    Monitoring and measurement Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [Develop and Deploy the Information System Activity Review Process Implementation Specification (Required) § 5.1.1. Table 8. Row 7 Key Activities 7.
    Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Monitoring and measurement Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 5.1.1. Table 8. Row 7 Description Bullet 1
    Activate the necessary review process. § 5.1.1. Table 8. Row 9 Description Bullet 1
    Implement the Audit/System Activity Review Process § 5.3.2. Table 22. Row 5 Key Activities 5.
    Determine the frequency of audit log reviews based on the risk assessment and risk management processes. § 5.3.2. Table 22. Row 4 Description Bullet 2]
    Monitoring and measurement Detective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Log account usage times. CC ID 07099 Monitoring and measurement Detective
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Ensure that system activity can be traced to a specific user. § 5.3.1. Table 21. Row 3 Description Bullet 2]
    Monitoring and measurement Preventive
    Maintain a log of the overrides of the biometric system. CC ID 17000 Technical security Preventive
    Include the user's location in the system record. CC ID 16996 Technical security Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Preventive
    Log the individual's address in the facility access list. CC ID 16921 Physical and environmental protection Preventive
    Log the contact information for the person authorizing access in the facility access list. CC ID 16920 Physical and environmental protection Preventive
    Log the organization's name in the facility access list. CC ID 16919 Physical and environmental protection Preventive
    Log the individual's name in the facility access list. CC ID 16918 Physical and environmental protection Preventive
    Log the purpose in the facility access list. CC ID 16982 Physical and environmental protection Preventive
    Log the level of access in the facility access list. CC ID 16975 Physical and environmental protection Preventive
    Record the purpose of the visit in the visitor log. CC ID 16917 Physical and environmental protection Preventive
    Record the date and time of departure in the visitor log. CC ID 16897 Physical and environmental protection Preventive
    Record the type of identification used in the visitor log. CC ID 16916 Physical and environmental protection Preventive
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Include the requestor's name in the physical access log. CC ID 16922 Physical and environmental protection Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Physical and environmental protection Preventive
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Physical and environmental protection Preventive
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Preventive
    Include time information in the chain of custody. CC ID 17068 Operational management Preventive
    Include actions performed on evidence in the chain of custody. CC ID 17067 Operational management Preventive
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Operational management Preventive
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 System hardening through configuration management Preventive
    Configure the log to capture startups and shutdowns. CC ID 16491 System hardening through configuration management Preventive
    Configure the log to capture user queries and searches. CC ID 16479 System hardening through configuration management Preventive
    Configure the log to capture Internet Protocol addresses. CC ID 16495 System hardening through configuration management Preventive
    Configure the log to capture error messages. CC ID 16477 System hardening through configuration management Preventive
    Configure the log to capture system failures. CC ID 16475 System hardening through configuration management Preventive
    Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 System hardening through configuration management Preventive
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Preventive
    Include the sanitization method in the disposal record. CC ID 17073 Records management Preventive
    Include time information in the disposal record. CC ID 17072 Records management Preventive
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Preventive
    Establish, implement, and maintain a removable storage media log. CC ID 12317
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Records management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Maintenance (9 controls)
    Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 Operational management Preventive
    Include a description of the maintenance performed in the maintenance report. CC ID 17087 Operational management Preventive
    Include roles and responsibilities in the maintenance report. CC ID 17086 Operational management Preventive
    Include the date and time of maintenance in the maintenance report. CC ID 17085 Operational management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
  • Monitor and Evaluate Occurrences (29 controls)
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Leadership and high level objectives Preventive
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Preventive
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitoring and measurement Preventive
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitoring and measurement Detective
    Implement file integrity monitoring. CC ID 01205
    [Consider how the organization will detect unauthorized modification to ePHI. § 5.3.3. Table 23. Row 2 Description Bullet 3]
    Monitoring and measurement Detective
    Log account usage durations. CC ID 12117 Monitoring and measurement Detective
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Implement corrective actions when problems arise. § 5.1.5. Table 12. Row 7 Description Bullet 5
    Identify Corrective Measures § 5.2.1. Table 17. Row 2 Key Activities 2.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Monitoring and measurement Detective
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Monitor the location of distributed assets. CC ID 11684
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1
    Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Physical and environmental protection Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Human Resources management Detective
    Monitor and measure the effectiveness of security awareness. CC ID 06262
    [Solicit trainee feedback to determine whether the training and awareness are successfully reaching the intended audience. § 5.1.5. Table 12. Row 7 Description Bullet 2]
    Human Resources management Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.
    Once security controls have been implemented in response to the organization's risk assessment and management processes, periodically review these implemented security measures to ensure their continued effectiveness in protecting ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 2]
    Operational management Preventive
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Respond to and triage when an incident is detected. CC ID 06942
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
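    As an added illustration of the file integrity monitoring control in this group (detecting unauthorized modification to ePHI), the following Python example is not code from NIST SP 800-66r2 or from any FIM product. It hashes a baseline of the monitored files, signs that baseline with an HMAC so that tampering with the stored baseline is itself detectable, and reports modified, added and removed files. The directory layout, the sample records and MANIFEST_KEY are constructed assumptions; in practice the key and the signed baseline are kept off the monitored host.

```python
"""File integrity monitoring for a directory of ePHI files.

Added example, not code from NIST SP 800-66r2 or from any FIM product. The
directory layout, the sample records and MANIFEST_KEY are assumptions for
illustration; in practice the key and the signed baseline are stored off the
monitored host so that whoever can alter the files cannot also alter the
baseline they are checked against.
"""

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"assumed-key-stored-off-host"  # assumption: use a managed secret


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline: dict[str, str], key: bytes = MANIFEST_KEY) -> str:
    """HMAC over the canonical JSON form of the baseline."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict[str, str], tag: str, key: bytes = MANIFEST_KEY) -> bool:
    """Constant-time check that the stored baseline has not been altered."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose content changed, files that appeared and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Build a constructed ePHI tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "pt-1001.json").write_text('{"patient": "1001", "dx": "J45"}')
        (root / "records" / "pt-2002.json").write_text('{"patient": "2002", "dx": "E11"}')
        (root / "config.ini").write_text("audit=on\n")

        baseline = build_baseline(root)
        tag = sign_baseline(baseline)

        # Simulated unauthorized changes: edit a record, drop in a new one, remove a config file.
        (root / "records" / "pt-1001.json").write_text('{"patient": "1001", "dx": "Z00"}')
        (root / "records" / "pt-3003.json").write_text('{"patient": "3003", "dx": "I10"}')
        (root / "config.ini").unlink()
        current = build_baseline(root)

        # An attacker who rewrites the stored baseline to match the edited
        # record still cannot produce a valid HMAC without the key.
        forged = dict(baseline)
        forged["records/pt-1001.json"] = current["records/pt-1001.json"]

        return {
            "diff": compare(baseline, current),
            "baseline_ok": verify_baseline(baseline, tag),
            "forged_ok": verify_baseline(forged, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The baseline is only as trustworthy as its storage: refresh it through change management after authorized edits, keep the signing key and the signed copy where the monitored host cannot write, and run the comparison on the schedule the risk assessment sets.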
  • Physical and Environmental Protection (32 controls)
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1
    {authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2
    Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Physical and environmental protection Preventive
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [HIPAA Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 5.2.3. ¶ 1
    Identify All Methods of Physical Access to Workstations and Devices § 5.2.3. Table 19. Row 1 Key Activities 1.
    Document the different ways that users access workstations and other devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.3. Table 19. Row 1 Description Bullet 1
    Identify and Implement Physical Safeguards for Workstations and Devices § 5.2.3. Table 19. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Physical and environmental protection Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Preventive
    Restrict physical access to distributed assets. CC ID 11865
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1]
    Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and environmental protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and environmental protection Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Preventive
    Secure system components from unauthorized viewing. CC ID 01437
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2]
    Physical and environmental protection Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and environmental protection Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and environmental protection Preventive
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and environmental protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and environmental protection Preventive
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and environmental protection Preventive
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and environmental protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and environmental protection Preventive
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and environmental protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and environmental protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and environmental protection Preventive
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and environmental protection Preventive
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and environmental protection Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Corrective
  • Process or Activity
    151
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Preventive
    Involve all stakeholders in the architecture review process. CC ID 16935 Leadership and high level objectives Preventive
    Establish, implement, and maintain an oversight team. CC ID 17303 Leadership and high level objectives Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Monitoring and measurement Preventive
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Preventive
    Mitigate the threats to an auditor's independence. CC ID 17282 Audits and risk management Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Audits and risk management Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Audits and risk management Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Audits and risk management Detective
    Approve the risk acceptance level, as necessary. CC ID 17168 Audits and risk management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Implement digital identification processes. CC ID 13731 Technical security Preventive
    Implement identity proofing processes. CC ID 13719 Technical security Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Preventive
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Technical security Detective
    Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 Technical security Preventive
    Enforce the network segmentation requirements. CC ID 16381 Technical security Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Detective
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Detective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Restrict physical access mechanisms to authorized parties. CC ID 16924 Physical and environmental protection Preventive
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Corrective
    Include a "Return to Sender" text file on mobile devices. CC ID 17075 Physical and environmental protection Preventive
    Remove dormant systems from the network, as necessary. CC ID 13727 Physical and environmental protection Corrective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Conduct governance meetings, as necessary. CC ID 16946 Operational management Preventive
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Preventive
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Operational management Preventive
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Operational management Preventive
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Operational management Preventive
    Coordinate outages with affected parties. CC ID 17160 Operational management Preventive
    Coordinate energy resource management with affected parties. CC ID 17150 Operational management Preventive
    Coordinate the control of voltage with affected parties. CC ID 17149 Operational management Preventive
    Coordinate energy shortages with affected parties. CC ID 17148 Operational management Preventive
    Approve or deny requests in a timely manner. CC ID 17095 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Detective
    Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Operational management Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Preventive
    Display required information automatically in electronic health records. CC ID 14442 Records management Preventive
    Create export summaries, as necessary. CC ID 14446 Records management Preventive
    Identify patient-specific education resources. CC ID 14439 Records management Detective
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Preventive
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Detective
    Document attempts to obtain system documentation. CC ID 14284 Acquisition or sale of facilities, technology, and services Corrective
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Detective
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Preventive
    Approve the approval application unless the applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). Readers may find useful resources in Appendix F, including OCR BAA guidance and/or templates that include applicable language. § 5.1.9. Table 16. Row 3 Description Bullet 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Third Party and supply chain oversight Detective
  • Records Management
    48
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Maintain Accountability for Hardware and Electronic Media Implementation Specification (Addressable) § 5.2.4. Table 20. Row 3 Key Activities 3.]
    Physical and environmental protection Preventive
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Preventive
    Inventory payment cards, as necessary. CC ID 13547 Physical and environmental protection Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Preventive
    Identify all critical business records. CC ID 00737 Operational and Systems Continuity Detective
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [Retain Documentation for at Least Six Years Implementation Specification (Required) § 5.5.2. Table 29. Row 2 Key Activities 2.
    Retain documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 5.5.2. Table 29. Row 2 Description Bullet 1]
    Records management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Collect and document all needed information. Collection methods may include the use of interviews, surveys, and the outputs of automated tools, such as access control auditing tools, system logs, and the results of penetration testing. § 5.1.8. Table 15. Row 3 Description Bullet 5
    HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1]
    Records management Detective
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Preventive
    Establish and maintain an implantable device list. CC ID 14444 Records management Preventive
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Preventive
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Preventive
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Preventive
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953
    [Create a retrievable exact copy of ePHI, when needed, before movement of equipment. § 5.2.4. Table 20. Row 4 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2]
    Records management Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Corrective
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Privacy protection for information and data Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Preventive
  • Systems Continuity
    16
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include escalation procedures in the business continuity policy. CC ID 17203 Operational and Systems Continuity Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Detective
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Include tolerance levels in the continuity plan. CC ID 17305 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Identify and document critical facilities. CC ID 17304 Operational and Systems Continuity Preventive
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Operational and Systems Continuity Detective
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Operational and Systems Continuity Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish and implement procedures to create and maintain retrievable exact copies of ePHI. § 5.1.7. Table 14. Row 5 Description Bullet 1
    {contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Operational and Systems Continuity Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Preventive
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Preventive
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Third Party and supply chain oversight Preventive
    Review third party recovery plans. CC ID 17123 Third Party and supply chain oversight Detective
  • Systems Design, Build, and Implementation
    2
    Implement gateways between security domains. CC ID 16493 Technical security Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Preventive
  • Technical Security
    59
    Establish, implement, and maintain log analysis tools. CC ID 17056 Monitoring and measurement Preventive
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Monitoring and measurement Corrective
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Monitoring and measurement Detective
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Monitoring and measurement Preventive
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept the Information and Modify It § 5.3.3. Table 23. Row 2 Key Activities 2.
    Identify scenarios that may result in modification to the ePHI by unauthorized sources (e.g., hackers, ransomware, insider threats, business competitors, user errors). § 5.3.3. Table 23. Row 2 Description Bullet 1
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept and/or Modify the Information § 5.3.5. Table 25. Row 1 Key Activities 1.
    Identify scenarios (e.g., telehealth, claims processing) that may result in access to or modification of the ePHI by unauthorized sources during transmission (e.g., hackers, disgruntled employees, business competitors). § 5.3.5. Table 25. Row 1 Description Bullet 2
    Identify scenarios and pathways that may put ePHI at a high level of risk. § 5.3.5. Table 25. Row 1 Description Bullet 3]
    Audits and risk management Preventive
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical security Preventive
    Identify information system users. CC ID 12081
    [Identify authorized users with access to ePHI, including data owners and data custodians. § 5.1.4. Table 11. Row 2 Description Bullet 7
    Identify All Users Who Have Been Authorized to Access ePHI § 5.3.3. Table 23. Row 1 Key Activities 1.
    Identify all approved users with the ability to alter or destroy ePHI, if reasonable and appropriate. § 5.3.3. Table 23. Row 1 Description Bullet 1
    {authorized user} Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2. § 5.3.3. Table 23. Row 1 Description Bullet 2]
    Technical security Detective
    Control access rights to organizational assets. CC ID 00004
    [Select the basis for restricting access to ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 3
    Decide and document how access to ePHI will be granted for privileged functions § 5.1.4. Table 11. Row 2 Description Bullet 5
    Implement technical access controls to limit access to ePHI to only that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 2 Description Bullet 3]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538
    [Analyze Workloads and Operations to Identify the Access Needs of All Users § 5.3.1. Table 21. Row 1 Key Activities 1.]
    Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850
    [Consider all applications and systems containing ePHI that should only be available to authorized users, processes, and services. § 5.3.1. Table 21. Row 1 Description Bullet 2]
    Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Review all user privileges, as necessary. CC ID 06784
    [Regularly review personnel access to ePHI to ensure that access is still authorized and needed § 5.1.4. Table 11. Row 3 Description Bullet 4
    Review and Update Access for Users and Processes § 5.3.1. Table 21. Row 6 Key Activities 6.
    Consider implementing a user recertification process to ensure that least privilege is enforced. § 5.3.1. Table 21. Row 9 Description Bullet 2]
    Technical security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [Determine whether direct access to ePHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own ePHI). § 5.1.4. Table 11. Row 2 Description Bullet 9
    Implement procedures to determine that the access of a workforce member to ePHI is appropriate. § 5.1.3. Table 10. Row 4 Description Bullet 1
    Establish standards for granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 2
    Modify personnel access to ePHI, as needed, based on review activities. § 5.1.4. Table 11. Row 3 Description Bullet 5
    Establish procedures for updating access when users require the following: Increased access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 2
    Establish procedures for updating access when users require the following: Initial access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 1
    Establish procedures for updating access when users require the following: Access to different systems or applications than those they currently have § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 3]
    Technical security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Preventive
    Enforce the password policy. CC ID 16347 Technical security Preventive
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical security Preventive
    Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 Technical security Preventive
    Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 Technical security Preventive
    Identify and control all network access controls. CC ID 00529
    [Determine whether network infrastructure can limit access to systems with ePHI (e.g., network segmentation) § 5.3.1. Table 21. Row 2 Description Bullet 2
    Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Technical security Preventive
    Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 Technical security Preventive
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical security Preventive
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical security Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Preventive
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical security Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Preventive
    Filter packets based on IPv6 header fields. CC ID 17048 Technical security Preventive
    Filter traffic at firewalls based on application layer attributes. CC ID 17054 Technical security Preventive
    Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 Technical security Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Preventive
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Preventive
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Corrective
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Physical and environmental protection Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Human Resources management Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [Implement procedures for terminating access to ePHI when the employment of or other arrangement with a workforce member ends or as required by determinations made as specified in §164.308(a)(3)(ii)(B). § 5.1.3. Table 10. Row 5 Description Bullet 1
    Terminate Access if it is No Longer Required § 5.3.1. Table 21. Row 9 Key Activities 9.
    Ensure that access to ePHI is terminated if the access is no longer authorized. § 5.3.1. Table 21. Row 9 Description Bullet 1]
    Human Resources management Corrective
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Prevent users from disabling required software. CC ID 16417 Operational management Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 System hardening through configuration management Preventive
    Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 Acquisition or sale of facilities, technology, and services Preventive
    Install software that originates from approved third parties. CC ID 12184 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Preventive
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Preventive
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Preventive
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606
    [Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 5.1.1. Table 8. Row 3 Description Bullet 1
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2
    Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor's Security of ePHI Implementation Specification (Required) § 5.4.2. Table 27. Row 1 Key Activities 1.
    HIPAA Standard: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 5.4.2. ¶ 1]
    Privacy protection for information and data Preventive
  • Testing
    52
    Include test requirements for the use of production data in the testing program. CC ID 17201 Monitoring and measurement Preventive
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Monitoring and measurement Preventive
    Perform penetration tests, as necessary. CC ID 00655
    [Conduct penetration testing (where testers attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate. § 5.1.8. Table 15. Row 3 Description Bullet 6]
    Monitoring and measurement Detective
    Document and maintain test results. CC ID 17028
    [{evaluation} Document Results § 5.1.8. Table 15. Row 4 Key Activities 4.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Monitoring and measurement Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of in scope controls. CC ID 06981
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    {align} {management controls} {operational controls} Determine whether these security features involve alignment with other existing management, operational, and technical controls, such as policy standards, personnel procedures, the maintenance and review of audit trails, the identification and authentication of users, and physical access controls. § 5.1.4. Table 11. Row 4 Description Bullet 2
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Audits and risk management Detective
    Provide transactional walkthrough procedures for external auditors. CC ID 00672
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Audits and risk management Preventive
    Employ unique identifiers. CC ID 01273
    [Ensure That All System Users Have Been Assigned a Unique Identifier Implementation Specification (Required) § 5.3.1. Table 21. Row 3 Key Activities 3.
    Assign a unique name and/or number for identifying and tracking user identity. § 5.3.1. Table 21. Row 3 Description Bullet 1]
    Technical security Detective
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429
    [Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Technical security Preventive
    Test the information exchange procedures. CC ID 17115 Technical security Preventive
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211 Operational and Systems Continuity Detective
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [Test the contingency plan on a predefined cycle (stated in the policy developed under Key Activity 1), if reasonable and appropriate. § 5.1.7. Table 14. Row 7 Description Bullet 2]
    Operational and Systems Continuity Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [If possible, involve external entities (e.g., vendors, alternative site or service providers) in testing exercises. § 5.1.7. Table 14. Row 7 Description Bullet 4]
    Operational and Systems Continuity Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Detective
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Preventive
    Review all third party's continuity plan test results. CC ID 01365 Operational and Systems Continuity Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Detective
    Address identified deficiencies in the continuity plan test results. CC ID 17209 Operational and Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Detective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Ensure that workforce members have the necessary knowledge, skills, and abilities to fulfill particular roles (e.g., positions involving access to and use of sensitive information). § 5.1.3. Table 10. Row 3 Description Bullet 1]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672
    [Conduct a Training Needs Assessment § 5.1.5. Table 12. Row 1 Key Activities 1.
    Determine the training needs of the organization. § 5.1.5. Table 12. Row 1 Description Bullet 1
    Interview and involve key personnel in assessing security training needs. § 5.1.5. Table 12. Row 1 Description Bullet 2
    Use feedback and analysis of past events to help determine training needs. § 5.1.5. Table 12. Row 1 Description Bullet 3
    Review organizational behavior issues, past incidents, and/or breaches to determine what training is missing or needs reinforcement, improvement, or periodic reminders. § 5.1.5. Table 12. Row 1 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3]
    Human Resources management Detective
    Utilize resource capacity management controls. CC ID 00939 Operational management Detective
    Perform system performance reviews. CC ID 11866
    [Identify the Expected Performance of Each Type of Workstation and Device § 5.2.2. Table 18. Row 2 Key Activities 2.]
    Operational management Detective
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Test the incident response procedures. CC ID 01216
    [Consider conducting tests of the incident response plan. § 5.1.6. Table 13. Row 3 Description Bullet 5]
    Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355
    [Implement appropriate measures to provide physical security protection for ePHI in a regulated entity's possession. § 5.2.1. Table 17. Row 3 Description Bullet 2]
    Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357
    [Conduct Risk Assessment Implementation Specification (Required) § 5.1.1. Table 8. Row 2 Key Activities 2.
    Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate. § 5.1.1. Table 8. Row 2 Description Bullet 1]
    Privacy protection for information and data Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI. § 5.1.9. Table 16. Row 3 Description Bullet 4
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2
    Amend plan documents to incorporate provisions to require the plan sponsor to ensure that any agent to whom it provides ePHI agrees to implement reasonable and appropriate security measures to protect the ePHI. § 5.4.2. Table 27. Row 3 Description Bullet 1
    {administrative safeguards} {physical safeguards} Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. § 5.4.1. Table 26. Row 1 Description Bullet 1
    Amend Plan Documents of the Group Health Plan to Address the Security of ePHI Supplied to the Plan Sponsors' Agents and Subcontractors Implementation Specification (Required) § 5.4.2. Table 27. Row 3 Key Activities 3.]
    Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797
    [{geographic separation} Evaluate the current and available levels of redundancy and geographic distribution of any storage service providers to identify risks to service availability and determine restoration times. § 5.1.7. Table 14. Row 2 Description Bullet 5]
    Third Party and supply chain oversight Detective
  • Training
    31
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 Operational and Systems Continuity Preventive
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Preventive
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Preventive
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Human Resources management Preventive
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Approve training plans, as necessary. CC ID 17193
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.]
    Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867
    [{security awareness and training program} Incorporate new information from email advisories, online IT security, daily news, websites, and periodicals, as reasonable and appropriate. § 5.1.5. Table 12. Row 4 Description Bullet 2]
    Human Resources management Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include insider threats in the security awareness program. CC ID 16963 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include identity and access management in the security awareness program. CC ID 17013 Human Resources management Preventive
    Include the encryption process in the security awareness program. CC ID 17014 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include data management in the security awareness program. CC ID 17010 Human Resources management Preventive
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184
    [Implement Security Reminders Implementation Specification (Addressable) § 5.1.5. Table 12. Row 6 Key Activities 6.
    Implement periodic security updates. § 5.1.5. Table 12. Row 6 Description Bullet 1
    Provide periodic security updates to staff, business associates, and contractors. § 5.1.5. Table 12. Row 6 Description Bullet 2]
    Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183
    [As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include social networking in the security awareness program. CC ID 17011 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
Common Controls and mandates by Classification
291 Mandated Controls - bold    44 Implied Controls - italic    2523 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
2858 Total
  • Corrective
    78
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Monitoring and measurement Technical Security
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Document and communicate to the workforce the organization's decisions on audits and reviews. § 5.3.2. Table 22. Row 3 Description Bullet 1]
    Monitoring and measurement Actionable Reports or Measurements
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Technical security Behavior
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Communicate
    Revoke membership in the allowlist, as necessary. CC ID 13827 Technical security Establish/Maintain Documentation
    Report damaged property to interested personnel and affected parties. CC ID 13702 Physical and environmental protection Communicate
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Technical Security
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Process or Activity
    Remove dormant systems from the network, as necessary. CC ID 13727 Physical and environmental protection Process or Activity
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish Contingency Operations Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 5 Key Activities 5.
    Identify a method for supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems. § 5.3.1. Table 21. Row 7 Description Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Terminate user accounts when notified that an individual is terminated. CC ID 11614
    [{user account} Deactivate computer access accounts (e.g., disable user IDs and passwords) and facility access (e.g., change facility security codes/PINs). § 5.1.3. Table 10. Row 5 Description Bullet 3]
    Human Resources management Technical Security
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [Implement procedures for terminating access to ePHI when the employment of or other arrangement with a workforce member ends or as required by determinations made as specified in §164.308(a)(3)(ii)(B). § 5.1.3. Table 10. Row 5 Description Bullet 1
    Terminate Access if it is No Longer Required § 5.3.1. Table 21. Row 9 Key Activities 9.
    Ensure that access to ePHI is terminated if the access is no longer authorized. § 5.3.1. Table 21. Row 9 Description Bullet 1]
    Human Resources management Technical Security
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Data and Information Management
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Human Resources Management
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [Develop and Implement a Sanction Policy Implementation Specification (Required) § 5.1.1. Table 8. Row 6 Key Activities 6.
    Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 5.1.1. Table 8. Row 6 Description Bullet 1
    Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization's security policies. § 5.1.1. Table 8. Row 6 Description Bullet 2
    Implement sanction policy as cases arise. § 5.1.1. Table 8. Row 6 Description Bullet 3]
    Human Resources management Behavior
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Physical and Environmental Protection
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Process or Activity
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858
    [Establish (and implement as needed) procedures that allow facility access in support of the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. § 5.2.1. Table 17. Row 5 Description Bullet 1
    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 5.3.1. Table 21. Row 7 Description Bullet 1
    Establish an Emergency Access Procedure Implementation Specification (Required) § 5.3.1. Table 21. Row 7 Key Activities 7.]
    Operational management Establish/Maintain Documentation
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Remove non-public information from publicly accessible systems. CC ID 14246 Records management Data and Information Management
    Document attempts to obtain system documentation. CC ID 14284 Acquisition or sale of facilities, technology, and services Process or Activity
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Establish/Maintain Documentation
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Records Management
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Records Management
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Establish/Maintain Documentation
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Communicate
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Communicate
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Communicate
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Data and Information Management
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Establish/Maintain Documentation
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Establish/Maintain Documentation
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Behavior
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Behavior
    Change or destroy any personal data that is incorrect. CC ID 00462 Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Behavior
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Behavior
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Business Processes
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Communicate
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Establish/Maintain Documentation
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Behavior
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Behavior
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Behavior
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Behavior
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Data and Information Management
  • Detective
    223
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Establish/Maintain Documentation
    Include all compliance exceptions in the compliance exception standard. CC ID 01630
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain monitoring and logging operations. CC ID 00637
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Monitoring and measurement Log Management
    Monitor and evaluate system telemetry data. CC ID 14929 Monitoring and measurement Actionable Reports or Measurements
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Determine the appropriate scope of audit controls that will be necessary in information systems that contain or use ePHI based on the regulated entity's risk assessment and other organizational factors. § 5.3.2. Table 22. Row 1 Description Bullet 1]
    Monitoring and measurement Log Management
    Establish, implement, and maintain event logging procedures. CC ID 01335
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Monitoring and measurement Log Management
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 5.1.1. Table 8. Row 7 Description Bullet 1
    Activate the necessary review process. § 5.1.1. Table 8. Row 9 Description Bullet 1
    Implement the Audit/System Activity Review Process § 5.3.2. Table 22. Row 5 Key Activities 5.
    Determine the frequency of audit log reviews based on the risk assessment and risk management processes. § 5.3.2. Table 22. Row 4 Description Bullet 2]
    Monitoring and measurement Log Management
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Log Management
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Technical Security
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Monitoring and measurement Investigate
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitoring and measurement Monitor and Evaluate Occurrences
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Monitoring and measurement Investigate
    Review retail payment service reports, as necessary. CC ID 13545 Monitoring and measurement Investigate
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Process or Activity
    Implement file integrity monitoring. CC ID 01205
    [Consider how the organization will detect unauthorized modification to ePHI. § 5.3.3. Table 23. Row 2 Description Bullet 3]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Log account usage times. CC ID 07099 Monitoring and measurement Log Management
    Log account usage durations. CC ID 12117 Monitoring and measurement Monitor and Evaluate Occurrences
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Communicate
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [{technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Monitoring and measurement Technical Security
    Perform penetration tests, as necessary. CC ID 00655
    [Conduct penetration testing (where testers attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate. § 5.1.8. Table 15. Row 3 Description Bullet 6]
    Monitoring and measurement Testing
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Implement corrective actions when problems arise. § 5.1.5. Table 12. Row 7 Description Bullet 5
    Identify Corrective Measures § 5.2.1. Table 17. Row 2 Key Activities 2.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010
    [{security management} Begin auditing and logging activity. § 5.1.1. Table 8. Row 9 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of in scope controls. CC ID 06981
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    {align} {management controls} {operational controls} Determine whether these security features involve alignment with other existing management, operational, and technical controls, such as policy standards, personnel procedures, the maintenance and review of audit trails, the identification and authentication of users, and physical access controls. § 5.1.4. Table 11. Row 4 Description Bullet 2
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Audits and risk management Testing
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with individuals. CC ID 17170 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 Audits and risk management Process or Activity
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Process or Activity
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Process or Activity
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Process or Activity
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Process or Activity
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Process or Activity
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Process or Activity
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Process or Activity
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Process or Activity
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Business Processes
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Process or Activity
    Verify proof of identity records. CC ID 13761 Technical security Investigate
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Process or Activity
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Process or Activity
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Technical security Process or Activity
    Identify information system users. CC ID 12081
    [Identify authorized users with access to ePHI, including data owners and data custodians. § 5.1.4. Table 11. Row 2 Description Bullet 7
    Identify All Users Who Have Been Authorized to Access ePHI § 5.3.3. Table 23. Row 1 Key Activities 1.
    Identify all approved users with the ability to alter or destroy ePHI, if reasonable and appropriate. § 5.3.3. Table 23. Row 1 Description Bullet 1
    {authorized user} Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2. § 5.3.3. Table 23. Row 1 Description Bullet 2]
    Technical security Technical Security
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Communicate
    Employ unique identifiers. CC ID 01273
    [Ensure That All System Users Have Been Assigned a Unique Identifier Implementation Specification (Required) § 5.3.1. Table 21. Row 3 Key Activities 3.
    Assign a unique name and/or number for identifying and tracking user identity. § 5.3.1. Table 21. Row 3 Description Bullet 1]
    Technical security Testing
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Process or Activity
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Process or Activity
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Establish/Maintain Documentation
    Conduct external audits of the physical security plan. CC ID 13314 Physical and environmental protection Audits and Risk Management
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Physical and environmental protection Monitor and Evaluate Occurrences
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Monitor the location of distributed assets. CC ID 11684
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1
    Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Physical and environmental protection Monitor and Evaluate Occurrences
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211 Operational and Systems Continuity Testing
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 Operational and Systems Continuity Investigate
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 Operational and Systems Continuity Investigate
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Operational and Systems Continuity Testing
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Systems Continuity
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 Operational and Systems Continuity Systems Continuity
    Define and prioritize critical business functions. CC ID 00736
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2
    {critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    {contingency plan} Conduct an Applications and Data Criticality Analysis Implementation Specification (Addressable) § 5.1.7. Table 14. Row 2 Key Activities 2.
    Assess the relative criticality of specific applications and data in support of other Contingency Plan components. § 5.1.7. Table 14. Row 2 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all critical business records. CC ID 00737 Operational and Systems Continuity Records Management
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Operational and Systems Continuity Establish/Maintain Documentation
    Review the beneficiaries of the insurance policy. CC ID 16563 Operational and Systems Continuity Business Processes
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Operational and Systems Continuity Establish/Maintain Documentation
    Test the continuity plan, as necessary. CC ID 00755
    [Test the contingency plan on a predefined cycle (stated in the policy developed under Key Activity 1), if reasonable and appropriate. § 5.1.7. Table 14. Row 7 Description Bullet 2]
    Operational and Systems Continuity Testing
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Testing
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Testing
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Testing
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Testing
    Review all third party's continuity plan test results. CC ID 01365 Operational and Systems Continuity Testing
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Testing
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Testing
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Testing
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Operational and Systems Continuity Testing
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Ensure that workforce members have the necessary knowledge, skills, and abilities to fulfill particular roles (e.g., positions involving access to and use of sensitive information). § 5.1.3. Table 10. Row 3 Description Bullet 1]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Human Resources management Monitor and Evaluate Occurrences
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Human Resources Management
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [{security role} Communicate this assigned role to the entire organization. § 5.1.2. Table 9. Row 2 Description Bullet 2
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Document the assignment to one individual's responsibilities in a job description. § 5.1.2. Table 9. Row 2 Description Bullet 1]
    Human Resources management Establish Roles
    Conduct tests and evaluate training. CC ID 06672
    [Conduct a Training Needs Assessment § 5.1.5. Table 12. Row 1 Key Activities 1.
    Determine the training needs of the organization. § 5.1.5. Table 12. Row 1 Description Bullet 1
    Interview and involve key personnel in assessing security training needs. § 5.1.5. Table 12. Row 1 Description Bullet 2
    Use feedback and analysis of past events to help determine training needs. § 5.1.5. Table 12. Row 1 Description Bullet 3
    Review organizational behavior issues, past incidents, and/or breaches to determine what training is missing or needs reinforcement, improvement, or periodic reminders. § 5.1.5. Table 12. Row 1 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262
    [Solicit trainee feedback to determine whether the training and awareness are successfully reaching the intended audience. § 5.1.5. Table 12. Row 7 Description Bullet 2]
    Human Resources management Monitor and Evaluate Occurrences
    Utilize resource capacity management controls. CC ID 00939 Operational management Testing
    Perform system performance reviews. CC ID 11866
    [Identify the Expected Performance of Each Type of Workstation and Device § 5.2.2. Table 18. Row 2 Key Activities 2.]
    Operational management Testing
    Document the organization's business processes. CC ID 13035
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Operational management Communicate
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Operational management Behavior
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Process or Activity
    Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 Operational management Process or Activity
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Process or Activity
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Respond to and triage when an incident is detected. CC ID 06942
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team. § 5.1.6. Table 13. Row 3 Description Bullet 3
    Determine how the organization will respond to a security incident. § 5.1.6. Table 13. Row 1 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Prepare digital forensic equipment. CC ID 08688 Operational management Investigate
    Test the incident response procedures. CC ID 01216
    [Consider conducting tests of the incident response plan. § 5.1.6. Table 13. Row 3 Description Bullet 5]
    Operational management Testing
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Configure the "logging level" to organizational standards. CC ID 14456 System hardening through configuration management Configuration
    Ensure data sets have the appropriate characteristics. CC ID 15000 Records management Data and Information Management
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Records management Data and Information Management
    Capture the records required by organizational compliance requirements. CC ID 00912
    [Collect and document all needed information. Collection methods may include the use of interviews, surveys, and the outputs of automated tools, such as access control auditing tools, system logs, and the results of penetration testing. § 5.1.8. Table 15. Row 3 Description Bullet 5
    HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1]
    Records management Records Management
    Identify patient-specific education resources. CC ID 14439 Records management Process or Activity
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988
    [{transmitted} Identify where ePHI is generated within the organization, where it enters the organization, where it moves within the organization, where it is stored, and where it leaves the organization. § 5.1.1. Table 8. Row 1 Description Bullet 1]
    Records management Business Processes
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Process or Activity
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Process or Activity
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Process or Activity
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Establish/Maintain Documentation
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Process or Activity
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Investigate
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Data and Information Management
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Business Processes
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Investigate
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357
    [Conduct Risk Assessment Implementation Specification (Required) § 5.1.1. Table 8. Row 2 Key Activities 2.
    Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate. § 5.1.1. Table 8. Row 2 Description Bullet 1]
    Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Human Resources Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Behavior
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Behavior
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Behavior
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before a decision adverse to the complainant is reached. CC ID 00494 Privacy protection for information and data Behavior
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). Readers may find useful resources in Appendix F, including OCR BAA guidance and/or templates that include applicable language. § 5.1.9. Table 16. Row 3 Description Bullet 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Third Party and supply chain oversight Process or Activity
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI. § 5.1.9. Table 16. Row 3 Description Bullet 4
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2
    Amend plan documents to incorporate provisions to require the plan sponsor to ensure that any agent to whom it provides ePHI agrees to implement reasonable and appropriate security measures to protect the ePHI. § 5.4.2. Table 27. Row 3 Description Bullet 1
    {administrative safeguards} {physical safeguards} Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. § 5.4.1. Table 26. Row 1 Description Bullet 1
    Amend Plan Documents of the Group Health Plan to Address the Security of ePHI Supplied to the Plan Sponsors' Agents and Subcontractors Implementation Specification (Required) § 5.4.2. Table 27. Row 3 Key Activities 3.]
    Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797
    [{geographic separation} Evaluate the current and available levels of redundancy and geographic distribution of any storage service providers to identify risks to service availability and determine restoration times. § 5.1.7. Table 14. Row 2 Description Bullet 5]
    Third Party and supply chain oversight Testing
    Review third party recovery plans. CC ID 17123 Third Party and supply chain oversight Systems Continuity
    Assess the effectiveness of third party services provided to the organization. CC ID 13142
    [Establish criteria for measuring contract performance. § 5.1.9. Table 16. Row 2 Description Bullet 2]
    Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    2546
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the business environment in which the organization operates. CC ID 12798
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Leadership and high level objectives Business Processes
    Align assets with business functions and the business environment. CC ID 13681
    [Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Applicability of the IT solution to the intended environment; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 1
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The organization's security policies, procedures, and standards; and § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 3
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: The sensitivity of the data; § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 2
    Although the HIPAA Security Rule does not require purchasing any particular technology, adequately protecting information may require additional hardware, software, or services. Considerations for their selection should include the following: Other requirements, such as resources available for operation, maintenance, and training. § 5.1.1. Table 8. Row 4 Description Bullet 2 Sub-Bullet 4]
    Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5
    {monitoring processes} Review existing processes to determine whether objectives are being addressed. § 5.3.3. Table 23. Row 6 Description Bullet 1]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain data governance and management practices. CC ID 14998 Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Data and Information Management
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Leadership and high level objectives Data and Information Management
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include format requirements for data elements in the data dictionary. CC ID 17108 Leadership and high level objectives Data and Information Management
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Leadership and high level objectives Data and Information Management
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Leadership and high level objectives Data and Information Management
    Involve all stakeholders in the architecture review process. CC ID 16935 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. However, to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.1.9. ¶ 2
    Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate. § 5.4.1. ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Identify All ePHI and Relevant Information Systems § 5.1.1. Table 8. Row 1 Key Activities 1.]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{organizational requirements} Create and Deploy Policies and Procedures § 5.5.1. Table 28. Row 1 Key Activities 1.
    Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 1
    Periodically evaluate written policies and procedures to verify that: Policies and procedures accurately reflect the actual activities and practices exhibited by the regulated entity, its staff, its systems, and its business associates. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 2
    Update the Documentation of the Policy and Procedures § 5.5.1. Table 28. Row 2 Key Activities 2.
    Periodically evaluate written policies and procedures to verify that: Policies and procedures are sufficient to address the standards, implementation specifications, and other requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 1 Description Bullet 3 Sub-Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Include contact information in the organization's policies, standards, and procedures. CC ID 17167 Leadership and high level objectives Establish/Maintain Documentation
    Include requirements in the organization's policies, standards, and procedures. CC ID 12956
    [Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Leadership and high level objectives Business Processes
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [{organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 5.5.2. ¶ 1
    Draft, Maintain, and Update Required Documentation § 5.5.2. Table 29. Row 1 Key Activities 1.
    Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule. § 5.5.2. Table 29. Row 1 Description Bullet 2
    Use feedback from risk assessments and contingency plan tests to help determine when to update documentation. § 5.5.2. Table 29. Row 1 Description Bullet 4
    Update Documentation as Required Implementation Specification (Required) § 5.5.2. Table 29. Row 4 Key Activities 4.]
    Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436
    [{contingency plan} Identify Preventive Measures § 5.1.7. Table 14. Row 3 Key Activities 3.]
    Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of C-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Communicate
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282
    [{person responsible} Ensure That Documentation is Available to Those Responsible for Implementation Implementation Specification (Required) § 5.5.2. Table 29. Row 3 Key Activities 3.
    {make available} Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 5.5.2. Table 29. Row 3 Description Bullet 1]
    Leadership and high level objectives Behavior
    Establish, implement, and maintain a public oversight system. CC ID 17284 Leadership and high level objectives Business Processes
    Establish, implement, and maintain an oversight plan. CC ID 17302 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 Leadership and high level objectives Communicate
    Establish, implement, and maintain an oversight team. CC ID 17303 Leadership and high level objectives Process or Activity
    Include roles and responsibilities in the public oversight system. CC ID 17285 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the security planning policy. CC ID 14128
    [Select an individual who is able to assess effective security to serve as the point of contact for security policy, implementation, and monitoring. § 5.1.2. Table 9. Row 1 Description Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [{management controls} {operational controls} Document decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.5.2. Table 29. Row 1 Description Bullet 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Align business continuity objectives with the business continuity policy. CC ID 12408
    [Define the organization's overall contingency objectives. § 5.1.7. Table 14. Row 1 Description Bullet 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506
    [Establish a Monitoring Process to Assess How the Implemented Process is Working § 5.3.3. Table 23. Row 6 Key Activities 6.]
    Monitoring and measurement Establish/Maintain Documentation
    Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035
    [Develop and Deploy the Information System Activity Review/Audit Policy § 5.3.2. Table 22. Row 3 Key Activities 3.]
    Monitoring and measurement Establish/Maintain Documentation
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Monitoring and measurement Establish/Maintain Documentation
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Monitoring and measurement Establish/Maintain Documentation
    Include the purpose in the audit and accountability policy. CC ID 14100 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Monitoring and measurement Establish/Maintain Documentation
    Include management commitment in the audit and accountability policy. CC ID 14097 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the audit and accountability policy. CC ID 14096 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Monitoring and measurement Communicate
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057
    [{logging procedures} Begin logging and auditing procedures. § 5.3.2. Table 22. Row 5 Description Bullet 2]
    Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Monitoring and measurement Communicate
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 5.3.2. ¶ 1
    Activate the necessary audit system. § 5.3.2. Table 22. Row 5 Description Bullet 1]
    Monitoring and measurement Log Management
    Review and approve the use of continuous security management systems. CC ID 13181 Monitoring and measurement Process or Activity
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Monitoring and measurement Establish/Maintain Documentation
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Acquisition/Sale of Assets or Services
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Establish/Maintain Documentation
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Data and Information Management
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [Develop and Deploy the Information System Activity Review Process Implementation Specification (Required) § 5.1.1. Table 8. Row 7 Key Activities 7.
    Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement the Information System Activity Review and Audit Process § 5.1.1. Table 8. Row 9 Key Activities 9.]
    Monitoring and measurement Log Management
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Data and Information Management
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain log analysis tools. CC ID 17056 Monitoring and measurement Technical Security
    Document the event information to be logged in the event information log specification. CC ID 00639
    [Determine the Activities That Will Be Tracked or Audited § 5.3.2. Table 22. Row 1 Key Activities 1.
    Determine what activities need to be captured using the results of the risk assessment and risk management processes. § 5.3.2. Table 22. Row 1 Description Bullet 2
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.3.2. Table 22. Row 4 Description Bullet 1
    Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. § 5.1.1. Table 8. Row 8 Description Bullet 1]
    Monitoring and measurement Configuration
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Configuration
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659
    [Conduct Evaluation § 5.1.8. Table 15. Row 3 Key Activities 3.
    Determine when evaluations are conducted in response to an environmental or operational change that affects the security of ePHI (e.g., prior to the change, contemporaneous with the change, after the change). § 5.1.8. Table 15. Row 3 Description Bullet 3
    {regular basis} Repeat Evaluations Periodically § 5.1.8. Table 15. Row 5 Key Activities 5.
    In addition to periodic reevaluations, consider repeating evaluations when environmental and operational changes that affect the security of ePHI are made to the organization (e.g., if new technology is adopted or if there are newly recognized risks to the security of ePHI). § 5.1.8. Table 15. Row 5 Description Bullet 2
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4
    {if} {is appropriate} Determine Whether Internal or External Evaluation is Most Appropriate § 5.1.8. Table 15. Row 1 Key Activities 1.]
    Monitoring and measurement Establish/Maintain Documentation
    Implement automated audit tools. CC ID 04882
    [Implement regular reviews of information system activity and consider ways to automate the review for the protection of ePHI. § 5.1.1. Table 8. Row 7 Description Bullet 2
    Implement tools that can provide reports on the level of compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 5
    Select the Tools That Will Be Deployed for Auditing and System Activity Reviews § 5.3.2. Table 22. Row 2 Key Activities 2.
    {evaluation tool} Use an evaluation strategy and tool that considers all elements of the HIPAA Security Rule and can be tracked, such as a questionnaire or checklist. § 5.1.8. Table 15. Row 2 Description Bullet 4]
    Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071
    [Secure management support for the evaluation process to ensure participation. § 5.1.8. Table 15. Row 3 Description Bullet 4]
    Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Document improvement actions based on test results and exercises. CC ID 16840
    [Develop security program priorities and establish targets for continuous improvement. § 5.1.8. Table 15. Row 4 Description Bullet 3
    Utilize the results of evaluations to inform impactful security changes to protect ePHI. § 5.1.8. Table 15. Row 4 Description Bullet 4]
    Monitoring and measurement Establish/Maintain Documentation
    Define the test requirements for each testing program. CC ID 13177
    [Decide how to segment the type of testing based on the assessment of business impact and the acceptability of a sustained loss of service. § 5.1.7. Table 14. Row 7 Description Bullet 6]
    Monitoring and measurement Establish/Maintain Documentation
    Include test requirements for the use of production data in the testing program. CC ID 17201 Monitoring and measurement Testing
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Monitoring and measurement Testing
    Define the test frequency for each testing program. CC ID 13176
    [Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Ensure protocols are free from injection flaws. CC ID 16401 Monitoring and measurement Process or Activity
    Prevent adversaries from disabling or compromising security controls. CC ID 17057 Monitoring and measurement Technical Security
    Document and maintain test results. CC ID 17028
    [{evaluation} Document Results § 5.1.8. Table 15. Row 4 Key Activities 4.
    Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Monitoring and measurement Testing
    Include the pass or fail test status in the test results. CC ID 17106 Monitoring and measurement Establish/Maintain Documentation
    Include time information in the test results. CC ID 17105 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the system tested in the test results. CC ID 17104 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103
    [Communicate evaluation results, metrics, and/or measurements to relevant organizational personnel. § 5.1.8. Table 15. Row 4 Description Bullet 5]
    Monitoring and measurement Communicate
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [Consider determining any specific evaluation metrics and/or measurements to be captured during evaluation. Metrics and/or measurements can assist in tracking progress over time. § 5.1.8. Table 15. Row 2 Description Bullet 3]
    Monitoring and measurement Establish/Maintain Documentation
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Ensure that system activity can be traced to a specific user. § 5.3.1. Table 21. Row 3 Description Bullet 2]
    Monitoring and measurement Log Management
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include evidence of the closure of findings in the corrective action plan. CC ID 16978 Monitoring and measurement Actionable Reports or Measurements
    Include roles and responsibilities in the corrective action plan. CC ID 16926
    [Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1]
    Monitoring and measurement Establish/Maintain Documentation
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include actions taken to resolve issues in the corrective action plan. CC ID 16884 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the corrective action plan to interested personnel and affected parties. CC ID 16883 Monitoring and measurement Communicate
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Decide whether the evaluation will be conducted with internal staff resources or external consultants. § 5.1.8. Table 15. Row 1 Description Bullet 1]
    Audits and risk management Establish Roles
    Rotate auditors, as necessary. CC ID 15589 Audits and risk management Audits and Risk Management
    Withdraw the approvals of auditors, as necessary. CC ID 17260 Audits and risk management Business Processes
    Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 Audits and risk management Communicate
    Define the qualification requirements for auditors. CC ID 17259 Audits and risk management Human Resources Management
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Audits and risk management Communicate
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681
    [Use internal resources to supplement an external source of help because these internal resources can provide the best institutional knowledge and history of internal policies and practices. § 5.1.8. Table 15. Row 1 Description Bullet 3]
    Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [{external experts} {internal auditors} Engage external expertise to assist the internal evaluation team where additional skills and expertise are determined to be reasonable and appropriate. § 5.1.8. Table 15. Row 1 Description Bullet 2]
    Audits and risk management Audits and Risk Management
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [Develop and document organizational policies and procedures for conducting evaluation. § 5.1.8. Table 15. Row 2 Description Bullet 1]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Audits and Risk Management
    Mitigate the threats to an auditor's independence. CC ID 17282 Audits and risk management Process or Activity
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Establish/Maintain Documentation
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Audits and risk management Establish/Maintain Documentation
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and risk management Audits and Risk Management
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Audits and Risk Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Implement procedures that collect sufficient audit evidence. CC ID 07153
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Audits and Risk Management
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and risk management Audits and Risk Management
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Communicate
    Provide transactional walkthrough procedures for external auditors. CC ID 00672
    [Evaluation may include reviewing organizational policies and procedures, assessing the implementation of security controls, collecting evidence of security control implementation, and performing physical walk-throughs. § 5.1.8. Table 15. Row 3 Description Bullet 7]
    Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Audits and Risk Management
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the audit report. CC ID 17263 Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Include written agreements in the audit report. CC ID 17266 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197
    [Document each evaluation finding as well as remediation options, recommendations, and decisions. § 5.1.8. Table 15. Row 4 Description Bullet 1]
    Audits and risk management Establish/Maintain Documentation
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and risk management Audits and Risk Management
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include the results of the business impact analysis in the audit report. CC ID 17208 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain a risk management program. CC ID 12051
    [Implement a Risk Management Program Implementation Specification (Required) § 5.1.1. Table 8. Row 3 Key Activities 3.
    {risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Establish/Maintain Documentation
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Establish/Maintain Documentation
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Business Processes
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2]
    Audits and risk management Business Processes
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Establish/Maintain Documentation
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Audits and Risk Management
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Business Processes
    Establish, implement, and maintain a risk management policy. CC ID 17192
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Establish/Maintain Documentation
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Communicate
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Communicate
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 Audits and risk management Audits and Risk Management
    Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 Audits and risk management Establish/Maintain Documentation
    Include metrics in the fundamental rights impact assessment. CC ID 17249 Audits and risk management Establish/Maintain Documentation
    Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 Audits and risk management Establish/Maintain Documentation
    Include user safeguards in the fundamental rights impact assessment. CC ID 17255 Audits and risk management Establish/Maintain Documentation
    Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the fundamental rights impact assessment. CC ID 17243 Audits and risk management Establish/Maintain Documentation
    Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 Audits and risk management Establish/Maintain Documentation
    Include risk management measures in the fundamental rights impact assessment. CC ID 17224 Audits and risk management Establish/Maintain Documentation
    Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 Audits and risk management Establish/Maintain Documentation
    Include risks in the fundamental rights impact assessment. CC ID 17222 Audits and risk management Establish/Maintain Documentation
    Include affected parties in the fundamental rights impact assessment. CC ID 17221 Audits and risk management Establish/Maintain Documentation
    Include the frequency in the fundamental rights impact assessment. CC ID 17220 Audits and risk management Establish/Maintain Documentation
    Include the usage duration in the fundamental rights impact assessment. CC ID 17219 Audits and risk management Establish/Maintain Documentation
    Include system use in the fundamental rights impact assessment. CC ID 17218 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Process or Activity
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Establish/Maintain Documentation
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Communicate
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Technical Security
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Human Resources Management
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{identify} {unauthorized sources} Conduct this activity as part of a risk analysis. § 5.3.3. Table 23. Row 2 Description Bullet 2]
    Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480
    [Remediation and corrective action plans that arise from incidents should serve as input to the risk assessment/management process. § 5.1.6. Table 13. Row 4 Description Bullet 3]
    Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Audits and Risk Management
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept the Information and Modify It § 5.3.3. Table 23. Row 2 Key Activities 2.
    Identify scenarios that may result in modification to the ePHI by unauthorized sources (e.g., hackers, ransomware, insider threats, business competitors, user errors). § 5.3.3. Table 23. Row 2 Description Bullet 1
    Identify Any Possible Unauthorized Sources That May Be Able to Intercept and/or Modify the Information § 5.3.5. Table 25. Row 1 Key Activities 1.
    Identify scenarios (e.g., telehealth, claims processing) that may result in access to or modification of the ePHI by unauthorized sources during transmission (e.g., hackers, disgruntled employees, business competitors). § 5.3.5. Table 25. Row 1 Description Bullet 2
    Identify scenarios and pathways that may put ePHI at a high level of risk. § 5.3.5. Table 25. Row 1 Description Bullet 3]
    Audits and risk management Technical Security
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Ensure that any risks associated with a device's surroundings are known and analyzed for possible negative impacts. § 5.2.2. Table 18. Row 3 Description Bullet 1]
    Audits and risk management Audits and Risk Management
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [Risk management should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts § 5.1.1. Table 8. Row 3 Description Bullet 2
    {include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Communicate
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075
    [Conduct an Analysis of Existing Physical Security Vulnerabilities § 5.2.1. Table 17. Row 1 Key Activities 1.
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1]
    Audits and risk management Establish/Maintain Documentation
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Establish/Maintain Documentation
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Establish/Maintain Documentation
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Establish/Maintain Documentation
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Establish/Maintain Documentation
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Communicate
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Establish/Maintain Documentation
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Analyze the Risks Associated with Each Type of Access § 5.2.3. Table 19. Row 2 Key Activities 2.
    Determine which type of access identified in Key Activity 1 poses the greatest threat to the security of ePHI. § 5.2.3. Table 19. Row 2 Description Bullet 1]
    Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [{include} Incidents caused by or influenced by known risks should feed back into the risk assessment process for a reevaluation of impact and/or likelihood. § 5.1.6. Table 13. Row 4 Description Bullet 2]
    Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Audits and risk management Establish/Maintain Documentation
    Approve the risk acceptance level, as necessary. CC ID 17168 Audits and risk management Process or Activity
    Document the results of the gap analysis. CC ID 16271
    [Document known gaps between identified risks, mitigating security controls, and any acceptance of risk, including justification. § 5.1.8. Table 15. Row 4 Description Bullet 2]
    Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [{management control} {operational control} Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks. § 5.1.1. Table 8. Row 5 Description Bullet 1
    Consider whether multiple access control methods are needed to protect ePHI according to the results of the risk assessment. § 5.1.4. Table 11. Row 2 Description Bullet 8]
    Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Audits and risk management Establish/Maintain Documentation
    Include time information in the risk treatment plan. CC ID 16993 Audits and risk management Establish/Maintain Documentation
    Include allocation of resources in the risk treatment plan. CC ID 16989 Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Communicate
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [HIPAA Standard: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 5.3.4. ¶ 1]
    Technical security Establish/Maintain Documentation
    Implement digital identification processes. CC ID 13731 Technical security Process or Activity
    Implement identity proofing processes. CC ID 13719 Technical security Process or Activity
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Process or Activity
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Process or Activity
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Process or Activity
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Establish/Maintain Documentation
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Configuration
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Process or Activity
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Process or Activity
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Process or Activity
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Process or Activity
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Process or Activity
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Configuration
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Configuration
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Configuration
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Process or Activity
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Process or Activity
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Process or Activity
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Process or Activity
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Process or Activity
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Process or Activity
    Establish, implement, and maintain an access control program. CC ID 11702
    [Implement policies and procedures for granting access to ePHI, such as through access to a workstation, transaction, program, process, or other mechanism. § 5.1.4. Table 11. Row 2 Description Bullet 1
    If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization. § 5.1.4. Table 11. Row 1 Description Bullet 1
    Implement Policies and Procedures for Access Establishment and Modification Implementation Specification (Addressable) § 5.1.4. Table 11. Row 3 Key Activities 3.
Implement policies and procedures that – based on the covered entity or business associate's access authorization policies – establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 5.1.4. Table 11. Row 3 Description Bullet 1
    HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). § 5.3.1. ¶ 1
    {access control} Integrate these activities into the access granting and management process. § 5.3.1. Table 21. Row 1 Description Bullet 3
    Develop Access Control Policy and Procedures § 5.3.1. Table 21. Row 4 Key Activities 4.
    {access control} Implement the policy and procedures using existing or additional hardware or software solutions. § 5.3.1. Table 21. Row 5 Description Bullet 1
    {access control} Enforce the policy and procedures as a matter of ongoing operations. § 5.3.1. Table 21. Row 6 Description Bullet 1
    Identify Technical Access Control Capabilities § 5.3.1. Table 21. Row 2 Key Activities 2.
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1
Implement Policies and Procedures for Authorizing Access Implementation Specification (Addressable) § 5.1.4. Table 11. Row 2 Key Activities 2.]
    Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control policies. CC ID 00512
    [Establish a formal policy for access control that will guide the development of procedures. § 5.3.1. Table 21. Row 4 Description Bullet 1]
    Technical security Establish/Maintain Documentation
    Include compliance requirements in the access control policy. CC ID 14006
    [{are feasible} {are cost-effective} Specify requirements for access control that are both feasible and cost-effective. § 5.3.1. Table 21. Row 4 Description Bullet 2]
    Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Establish/Maintain Documentation
    Include management commitment in the access control policy. CC ID 14004 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Establish/Maintain Documentation
    Include the scope in the access control policy. CC ID 14002 Technical security Establish/Maintain Documentation
    Include the purpose in the access control policy. CC ID 14001 Technical security Establish/Maintain Documentation
    Document the business need justification for user accounts. CC ID 15490 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 5.1.4. ¶ 1]
    Technical security Establish/Maintain Documentation
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical security Technical Security
    Inventory all user accounts. CC ID 13732 Technical security Establish/Maintain Documentation
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Data and Information Management
    Control access rights to organizational assets. CC ID 00004
    [Select the basis for restricting access to ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 3
    Decide and document how access to ePHI will be granted for privileged functions § 5.1.4. Table 11. Row 2 Description Bullet 5
    Implement technical access controls to limit access to ePHI to only that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 2 Description Bullet 3]
    Technical security Technical Security
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Configuration
    Assign user permissions based on job responsibilities. CC ID 00538
    [Analyze Workloads and Operations to Identify the Access Needs of All Users § 5.3.1. Table 21. Row 1 Key Activities 1.]
    Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Isolate Healthcare Clearinghouse Functions Implementation Specification (Required) § 5.1.4. Table 11. Row 1 Key Activities 1.]
    Technical security Configuration
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 Technical security Communicate
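The two controls above (CC ID 13822 and CC ID 17164) describe a lockout counter with two properties that are easy to get wrong: failures before a successful authentication must stop counting, and exceeding the threshold must raise a notification. The following is an added example written for this report, not code from NIST SP 800-66r2 or from the UCF; the threshold of 5 attempts, the 15-minute lockout, the user names and the event stream are all constructed assumptions.

```python
# Added example (not from NIST SP 800-66r2 or this report): a failed-logon
# counter that locks an account after too many consecutive failures, notifies
# on lockout, and disregards earlier failures once the user authenticates.
# The thresholds, user names and event stream below are constructed for the
# example; real deployments take them from the organization's standard.
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5          # assumed organizational standard
LOCKOUT_SECONDS = 15 * 60        # assumed organizational standard


@dataclass
class AccountState:
    failed: int = 0              # consecutive failures since the last success
    locked_until: float = 0.0    # epoch seconds; 0.0 means not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = MAX_FAILED_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    accounts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # stand-in for SIEM/alerting

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Return "ok", "fail" or "locked" for one logon attempt at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until:
            if now < st.locked_until:
                return "locked"                       # reject even a correct credential
            st.failed, st.locked_until = 0, 0.0       # lockout has expired
        if credential_ok:
            st.failed = 0                             # failures before a success no longer count
            return "ok"
        st.failed += 1
        if st.failed >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            self.notifications.append({"user": user, "at": now, "failed": st.failed})
            return "locked"
        return "fail"


def replay(events, policy=None):
    """Feed (time, user, credential_ok) events through the policy; return (policy, outcomes)."""
    policy = policy or LockoutPolicy()
    return policy, [policy.attempt(user, ok, t) for t, user, ok in events]


# Constructed sample stream: alice fails six times in total but authenticates
# in between, so she is never locked; bob fails five times in a row and is.
SAMPLE_EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", True),
    (30, "alice", False), (40, "alice", False), (50, "alice", False),
    (60, "alice", False), (70, "alice", True),
    (100, "bob", False), (110, "bob", False), (120, "bob", False),
    (130, "bob", False), (140, "bob", False),
    (150, "bob", True),          # correct password, still locked
    (1050, "bob", True),         # lockout expired (140 + 900 = 1040)
]

if __name__ == "__main__":
    policy, outcomes = replay(SAMPLE_EVENTS)
    for (t, user, _), outcome in zip(SAMPLE_EVENTS, outcomes):
        print(f"t={t:5} {user:6} {outcome}")
    print("lockout notifications:", policy.notifications)
```

Without the reset on success, alice would be locked at t=50 (her fifth lifetime failure) even though she authenticated at t=20; with it, only bob's unbroken run of five failures trips the lockout and produces the single notification. Note that a locked account is rejected even when the credential is correct, which is what keeps the lockout from leaking whether a guessed password was right.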
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
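The four "tls*" arguments above are the Docker daemon's TLS options, and the usual misconfiguration is to set "tls" (encrypt the channel) without "tlsverify" (require a client certificate signed by "tlscacert"), which leaves a network-reachable root-equivalent API open to any client. The following is an added example written for this report, not code from NIST SP 800-66r2, Docker or the UCF; both daemon.json fragments are constructed, and the certificate paths are assumptions.

```python
# Added example (not from NIST SP 800-66r2 or this report): a check that a
# Docker daemon.json exposing a TCP listener uses mutual TLS. The two config
# fragments are constructed for this example; the key names (hosts, tls,
# tlsverify, tlscacert, tlscert, tlskey) are the daemon's own option names.
import json

# Weak: TLS is on, so the channel is encrypted, but without tlsverify the daemon
# accepts any client that connects; anyone who can reach port 2376 controls the host.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Hardened: tlsverify requires clients to present a certificate signed by tlscacert.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def check_daemon_config(text: str) -> list:
    """Return a list of findings; an empty list means every TCP listener is mutually authenticated."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return []    # only the local unix socket: the TLS options do not apply
    findings = []
    if not cfg.get("tls") and not cfg.get("tlsverify"):
        findings.append(f"plaintext API on {', '.join(tcp_hosts)}: neither tls nor tlsverify is set")
    if not cfg.get("tlsverify"):
        findings.append("tlsverify not set: clients are not required to present a CA-signed certificate")
    elif not cfg.get("tlscacert"):
        findings.append("tlsverify set without tlscacert: the client CA is not pinned in the config")
    for key in ("tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key} not set: the daemon has no server certificate to present")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_daemon_config(cfg) or ["ok"])
```

The check is deliberately silent when only the unix socket is configured, because the TLS options protect the TCP listener and nothing else; the access control for the socket is the file permission on it. Pair this with the corresponding client-side settings (the same four options on the client, or DOCKER_TLS_VERIFY and DOCKER_CERT_PATH) so that clients also refuse a daemon whose server certificate does not chain to the CA.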
    Enable access control for objects and users on each system. CC ID 04553
    [Determine the access control capabilities of all systems with ePHI. § 5.3.1. Table 21. Row 2 Description Bullet 1
    Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Technical security Configuration
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850
    [Consider all applications and systems containing ePHI that should only be available to authorized users, processes, and services. § 5.3.1. Table 21. Row 1 Description Bullet 2]
    Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921
    [Ensure that the modification of technical controls that affect a user's access to ePHI continue to limit access to ePHI to that which has been granted in accordance with the regulated entity's information access management policies and procedures (see 45 CFR 164.308(a)(4)). § 5.3.1. Table 21. Row 6 Description Bullet 3
    {plan sponsor} Amend Plan Documents of the Group Health Plan to Address Adequate Separation Implementation Specification (Required) § 5.4.2. Table 27. Row 2 Key Activities 2.
    Amend the plan documents to incorporate provisions to require the plan sponsor to ensure that the adequate separation between the group health plan and plan sponsor required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. § 5.4.2. Table 27. Row 2 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 5.1.3. ¶ 1]
    Technical security Data and Information Management
    Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 Technical security Establish/Maintain Documentation
    Review all user privileges, as necessary. CC ID 06784
    [Regularly review personnel access to ePHI to ensure that access is still authorized and needed § 5.1.4. Table 11. Row 3 Description Bullet 4
    Review and Update Access for Users and Processes § 5.3.1. Table 21. Row 6 Key Activities 6.
    Consider implementing a user recertification process to ensure that least privilege is enforced. § 5.3.1. Table 21. Row 9 Description Bullet 2]
    Technical security Technical Security
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [Determine whether direct access to ePHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own ePHI). § 5.1.4. Table 11. Row 2 Description Bullet 9
    Implement procedures to determine that the access of a workforce member to ePHI is appropriate. § 5.1.3. Table 10. Row 4 Description Bullet 1
    Establish standards for granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 2
    Modify personnel access to ePHI, as needed, based on review activities. § 5.1.4. Table 11. Row 3 Description Bullet 5
    Establish procedures for updating access when users require the following: Increased access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 2
    Establish procedures for updating access when users require the following: Initial access § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 1
    Establish procedures for updating access when users require the following: Access to different systems or applications than those they currently have § 5.3.1. Table 21. Row 6 Description Bullet 4 Sub-Bullet 3]
    Technical security Technical Security
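The review and recertification activities cited above (§ 5.1.4 Table 11 Row 3, § 5.3.1 Table 21 Rows 6 and 9) reduce, in practice, to a periodic comparison of what the EHR's access control list actually grants against what the HR system of record and the role model say each person should have. The following is an added example written for this report, not code from NIST SP 800-66r2 or the UCF; the roles, entitlement names, HR roster, approval list and current grants are all constructed.

```python
# Added example (not from NIST SP 800-66r2 or this report): a user access
# recertification pass that compares current ePHI entitlements against the HR
# roster and the role-to-entitlement matrix, and flags privileged functions
# that lack a named approval. Every data structure below is constructed.

ROLE_ENTITLEMENTS = {
    "nurse":   {"ehr:read", "ehr:write-notes"},
    "billing": {"ehr:read", "claims:submit"},
    "dba":     {"ehr:read", "ehr:admin"},
}
PRIVILEGED = {"ehr:admin"}      # functions whose holders must be individually approved

ROSTER = {   # HR system of record (constructed)
    "alice": {"role": "nurse",   "active": True},
    "bob":   {"role": "billing", "active": True},
    "carol": {"role": "nurse",   "active": False},   # has left the organization
    "dave":  {"role": "dba",     "active": True},
}
PRIVILEGED_APPROVALS = {("dave", "ehr:admin")}   # the list of individuals authorized for privileged functions

GRANTS = [   # current entitlements pulled from the EHR's access control list (constructed)
    ("alice", "ehr:read"), ("alice", "ehr:write-notes"),
    ("bob", "ehr:read"), ("bob", "claims:submit"),
    ("bob", "ehr:admin"),          # exceeds the billing role
    ("carol", "ehr:read"),         # inactive user still provisioned
    ("dave", "ehr:read"), ("dave", "ehr:admin"),
    ("erin", "ehr:read"),          # account with no HR record
]


def review_access(grants, roster, role_entitlements,
                  privileged=PRIVILEGED, approvals=PRIVILEGED_APPROVALS):
    """Return (user, entitlement, reason) for every grant to revoke or re-approve."""
    findings = []
    for user, ent in grants:
        person = roster.get(user)
        if person is None:
            findings.append((user, ent, "no HR record: orphaned account"))
            continue
        if not person["active"]:
            findings.append((user, ent, "user inactive: revoke"))
            continue
        allowed = role_entitlements.get(person["role"], set())
        if ent not in allowed:
            findings.append((user, ent, f"exceeds role {person['role']}"))
            continue
        if ent in privileged and (user, ent) not in approvals:
            findings.append((user, ent, "privileged function without named approval"))
    return findings


if __name__ == "__main__":
    for user, ent, reason in review_access(GRANTS, ROSTER, ROLE_ENTITLEMENTS):
        print(f"{user:6} {ent:16} {reason}")
```

The ordering of the checks matters: an orphaned or inactive account is a finding regardless of what it holds, so those are decided first and the role comparison is only reached for active people with an HR record. The output is the recertification list that the approvers named in the access authorization list sign off on, and each line maps to one of the update procedures above (revoke, reduce to role, or re-approve the privileged function).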
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782
    [Ensure that there is a list of personnel with authority to approve user requests to access ePHI and systems with ePHI. § 5.1.4. Table 11. Row 2 Description Bullet 6]
    Technical security Establish/Maintain Documentation
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Technical Security
    Establish, implement, and maintain a password policy. CC ID 16346 Technical security Establish/Maintain Documentation
    Enforce the password policy. CC ID 16347 Technical security Technical Security
    Maintain a log of the overrides of the biometric system. CC ID 17000 Technical security Log Management
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control procedures. CC ID 11663
    [{do not exist} If no clearinghouse functions exist, document this finding. If a clearinghouse exists within the organization, implement procedures for access that are consistent with the HIPAA Privacy Rule. § 5.1.4. Table 11. Row 1 Description Bullet 3
    Decide and document procedures for how access to ePHI will be granted to workforce members within the organization. § 5.1.4. Table 11. Row 2 Description Bullet 2
Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access.) § 5.1.4. Table 11. Row 2 Description Bullet 4
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1
    Identify an approach for access control. § 5.3.1. Table 21. Row 1 Description Bullet 1
    Implement Access Control Procedures Using Selected Hardware and Software § 5.3.1. Table 21. Row 5 Key Activities 5.
    Determine whether any changes are needed for access control mechanisms. § 5.3.1. Table 21. Row 6 Description Bullet 2]
    Technical security Establish/Maintain Documentation
    Grant access to authorized personnel or systems. CC ID 12186
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    Provide formal authorization from the appropriate authority before granting access to ePHI. § 5.1.4. Table 11. Row 3 Description Bullet 3]
    Technical security Configuration
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Communicate
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171
    [Identify in writing who has the business need and who has been granted permission to view, alter, retrieve, and store ePHI and at what times, under what circumstances, and for what purposes. § 5.1.3. Table 10. Row 2 Description Bullet 3]
    Technical security Establish/Maintain Documentation
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Establish/Maintain Documentation
    Include the user's location in the system record. CC ID 16996 Technical security Log Management
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Data and Information Management
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Establish/Maintain Documentation
    Include the purpose in the identification and authentication policy. CC ID 14234 Technical security Establish/Maintain Documentation
    Include the scope in the identification and authentication policy. CC ID 14232 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the identification and authentication policy. CC ID 14230 Technical security Establish/Maintain Documentation
    Include management commitment in the identification and authentication policy. CC ID 14229 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the identification and authentication policy. CC ID 14227 Technical security Establish/Maintain Documentation
    Include compliance requirements in the identification and authentication policy. CC ID 14225 Technical security Establish/Maintain Documentation
    Establish the requirements for Authentication Assurance Levels. CC ID 16958 Technical security Establish/Maintain Documentation
    Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 Technical security Communicate
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [Identify the methods available for authentication. Under the HIPAA Security Rule, authentication is the corroboration that a person is the one claimed (45 CFR § 164.304). § 5.3.4. Table 24. Row 1 Description Bullet 1
    Evaluate Available Authentication Options § 5.3.4. Table 24. Row 2 Key Activities 2.
    Weigh the relative advantages and disadvantages of commonly used authentication approaches. § 5.3.4. Table 24. Row 2 Description Bullet 1
    Select and Implement Authentication Options § 5.3.4. Table 24. Row 3 Key Activities 3.
    {authentication methods} Implement the methods selected in organizational operations and activities. § 5.3.4. Table 24. Row 3 Description Bullet 2
    Consider the results of the analysis conducted under Key Activity 2 and select appropriate authentication methods based on the results of the risk assessment and risk management processes. § 5.3.4. Table 24. Row 3 Description Bullet 1
    Determine Authentication Applicability to Current Systems/Applications § 5.3.4. Table 24. Row 1 Key Activities 1.]
    Technical security Establish/Maintain Documentation
    Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 Technical security Technical Security
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Communicate
    Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 Technical security Communicate
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 Technical security Process or Activity
    Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 Technical security Technical Security
    Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 Technical security Technical Security
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Communicate
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034
    [{integrity requirements} Develop the Integrity Policy and Requirements § 5.3.3. Table 23. Row 3 Key Activities 3.]
    Technical security Establish/Maintain Documentation
    Include compliance requirements in the system and information integrity policy. CC ID 14151
    [{risk analysis} Establish a formal written set of integrity requirements based on the results of the analysis completed in Key Activities 1 and 2. § 5.3.3. Table 23. Row 3 Description Bullet 1]
    Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the system and information integrity policy. CC ID 14150 Technical security Establish/Maintain Documentation
    Include management commitment in the system and information integrity policy. CC ID 14149 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the system and information integrity policy. CC ID 14148 Technical security Establish/Maintain Documentation
    Include the scope in the system and information integrity policy. CC ID 14147 Technical security Establish/Maintain Documentation
    Include the purpose in the system and information integrity policy. CC ID 14146 Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and information integrity policy to interested personnel and affected parties. CC ID 14145 Technical security Communicate
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 5.3.3. ¶ 1
    {integrity requirements} Implement Procedures to Address These Requirements § 5.3.3. Table 23. Row 4 Key Activities 4.
    Identify and implement tools and techniques to be developed or procured that support the assurance of integrity. § 5.3.3. Table 23. Row 4 Description Bullet 2
    Continually reassess integrity processes as technology and operational environments change to determine whether they need to be revised. § 5.3.3. Table 23. Row 6 Description Bullet 2
    Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. § 5.3.5. Table 25. Row 3 Description Bullet 1]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Technical security Communicate
    Identify and control all network access controls. CC ID 00529
    [Determine whether network infrastructure can limit access to systems with ePHI (e.g., network segmentation) § 5.3.1. Table 21. Row 2 Description Bullet 2
    Identify points of electronic access that require or should require authentication. Ensure that the regulated entity's risk analysis properly assesses risks for such access points (e.g., risks of unauthorized access from within the enterprise could be different than those of remote unauthorized access). § 5.3.4. Table 24. Row 1 Description Bullet 2]
    Technical security Technical Security
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Technical security Establish/Maintain Documentation
    Enforce the network segmentation requirements. CC ID 16381 Technical security Process or Activity
    Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 Technical security Technical Security
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical security Technical Security
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Establish/Maintain Documentation
    Include management commitment in the network security policy. CC ID 14203 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Establish/Maintain Documentation
    Include the scope in the network security policy. CC ID 14201 Technical security Establish/Maintain Documentation
    Include the purpose in the network security policy. CC ID 14200 Technical security Establish/Maintain Documentation
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Communicate
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Communicate
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Establish/Maintain Documentation
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Establish/Maintain Documentation
    Include virtual systems in the network diagram. CC ID 16324 Technical security Data and Information Management
    Include the organization's name in the network diagram. CC ID 14318 Technical security Establish/Maintain Documentation
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Establish/Maintain Documentation
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Establish/Maintain Documentation
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Establish/Maintain Documentation
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Communicate
    Maintain up-to-date data flow diagrams. CC ID 10059
    [Identify all pathways by which ePHI will be transmitted into, within, and outside of the organization. § 5.3.5. Table 25. Row 1 Description Bullet 1]
    Technical security Establish/Maintain Documentation
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Establish/Maintain Documentation
    Document where data-at-rest and data-in-transit are encrypted on the data flow diagram. CC ID 16412 Technical security Establish/Maintain Documentation
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Communicate
    Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 Technical security Technical Security
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Technical Security
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Technical Security
    Implement gateways between security domains. CC ID 16493 Technical security Systems Design, Build, and Implementation
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Technical Security
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Technical Security
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical security Technical Security
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Technical Security
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Establish/Maintain Documentation
    Configure network ports to organizational standards. CC ID 14007 Technical security Configuration
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Establish/Maintain Documentation
    Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 Technical security Communicate
    Protect data stored at external locations. CC ID 16333 Technical security Data and Information Management
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Technical Security
    Filter packets based on IPv6 header fields. CC ID 17048 Technical security Technical Security
    Filter traffic at firewalls based on application layer attributes. CC ID 17054 Technical security Technical Security
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429
    [Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that they have been authorized for specific access privileges to information and information systems. § 5.3.4. Table 24. Row 1 Description Bullet 3]
    Technical security Testing
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 5.3.5. ¶ 1
    Establish a formal written set of requirements for transmitting ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 1
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Establish/Maintain Documentation
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [Identify methods of transmission that will be used to safeguard ePHI. § 5.3.5. Table 25. Row 2 Description Bullet 2
    Identify tools and techniques that will be used to support the transmission security policy. § 5.3.5. Table 25. Row 2 Description Bullet 3
    Implement procedures for transmitting ePHI using hardware and/or software, if needed. § 5.3.5. Table 25. Row 2 Description Bullet 4
    Develop and Implement Transmission Security Policy and Procedures § 5.3.5. Table 25. Row 2 Key Activities 2.]
    Technical security Establish/Maintain Documentation
    Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 Technical security Establish/Maintain Documentation
    Include connection termination procedures in the information exchange procedures. CC ID 17027 Technical security Establish/Maintain Documentation
    Include the data sensitivity levels in the information exchange procedures. CC ID 17024 Technical security Establish/Maintain Documentation
    Include communication requirements in the information exchange procedures. CC ID 17026 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the information exchange procedures. CC ID 17023 Technical security Establish/Maintain Documentation
    Include contact information in the information exchange procedures. CC ID 17307 Technical security Establish/Maintain Documentation
    Include implementation procedures in the information exchange procedures. CC ID 17022 Technical security Establish/Maintain Documentation
    Include security controls in the information exchange procedures. CC ID 17021 Technical security Establish/Maintain Documentation
    Include testing procedures in the information exchange procedures. CC ID 17020 Technical security Establish/Maintain Documentation
    Include measurement criteria in the information exchange procedures. CC ID 17019 Technical security Establish/Maintain Documentation
    Include training requirements in the information exchange procedures. CC ID 17017 Technical security Establish/Maintain Documentation
    Test the information exchange procedures. CC ID 17115 Technical security Testing
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Data and Information Management
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Data and Information Management
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Data and Information Management
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Log Management
    Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 Technical security Data and Information Management
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Technical security Establish/Maintain Documentation
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Establish/Maintain Documentation
    Implement multifactor authentication techniques. CC ID 00561
    [Consider implementing MFA solutions when the risk to ePHI is sufficiently high. § 5.3.4. Table 24. Row 2 Description Bullet 4]
    Technical security Configuration
    Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 Technical security Technical Security
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Technical Security
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement a mechanism to encrypt and decrypt ePHI. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 2]
    Technical security Establish/Maintain Documentation
    Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 Technical security Establish/Maintain Documentation
    Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 Technical security Establish/Maintain Documentation
    Encrypt in scope data or in scope information, as necessary. CC ID 04824
    [Implement Encryption Implementation Specification (Addressable) § 5.3.5. Table 25. Row 4 Key Activities 4.
    Implement a mechanism to encrypt ePHI whenever appropriate. § 5.3.5. Table 25. Row 4 Description Bullet 1]
    Technical security Data and Information Management
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Data and Information Management
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Data and Information Management
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Communicate
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Data and Information Management
    Establish, implement, and maintain a physical security program. CC ID 11757
    [Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 5.2.1. Table 17. Row 3 Description Bullet 1
    HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 5.2.1. ¶ 1]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain physical security plans. CC ID 13307 Physical and environmental protection Establish/Maintain Documentation
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Physical and environmental protection Establish/Maintain Documentation
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Physical and environmental protection Establish/Maintain Documentation
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Physical and environmental protection Configuration
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Physical and environmental protection Configuration
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Physical and environmental protection Communicate
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Develop a Facility Security Plan Implementation Specification (Addressable) § 5.2.1. Table 17. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329
    [{authorized access} Assign degrees of significance to each vulnerability identified and ensure that proper access is allowed. § 5.2.1. Table 17. Row 1 Description Bullet 2
    Identify and assign responsibility for the measures and activities necessary to correct deficiencies and ensure that proper physical access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 1
    {authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2
    Identify points of access to the facility and existing security controls. § 5.2.1. Table 17. Row 3 Description Bullet 4]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629
    [Determine which types of facilities require access controls to safeguard ePHI, such as: § 5.2.1. Table 17. Row 1 Description Bullet 3
    Implement procedures to provide facility access to authorized personnel and visitors and exclude unauthorized persons. § 5.2.1. Table 17. Row 4 Description Bullet 2
    Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.
    Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Physical and environmental protection Establish/Maintain Documentation
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699
    [Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. § 5.2.1. Table 17. Row 4 Description Bullet 1]
    Physical and environmental protection Establish/Maintain Documentation
    Log the individual's address in the facility access list. CC ID 16921 Physical and environmental protection Log Management
    Log the contact information for the person authorizing access in the facility access list. CC ID 16920 Physical and environmental protection Log Management
    Log the organization's name in the facility access list. CC ID 16919 Physical and environmental protection Log Management
    Log the individual's name in the facility access list. CC ID 16918 Physical and environmental protection Log Management
    Log the purpose in the facility access list. CC ID 16982 Physical and environmental protection Log Management
    Log the level of access in the facility access list. CC ID 16975 Physical and environmental protection Log Management
    Authorize physical access to sensitive areas based on job functions. CC ID 12462
    [Develop Access Control and Validation Procedures Implementation Specification (Addressable) § 5.2.1. Table 17. Row 4 Key Activities 4.]
    Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 Physical and environmental protection Business Processes
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Restrict physical access mechanisms to authorized parties. CC ID 16924 Physical and environmental protection Process or Activity
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Record the purpose of the visit in the visitor log. CC ID 16917 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the date and time of departure in the visitor log. CC ID 16897 Physical and environmental protection Log Management
    Record the type of identification used in the visitor log. CC ID 16916 Physical and environmental protection Log Management
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Include the requestor's name in the physical access log. CC ID 16922 Physical and environmental protection Log Management
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [HIPAA Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 5.2.3. ¶ 1
    Identify All Methods of Physical Access to Workstations and Devices § 5.2.3. Table 19. Row 1 Key Activities 1.
    Document the different ways that users access workstations and other devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.3. Table 19. Row 1 Description Bullet 1
    Identify and Implement Physical Safeguards for Workstations and Devices § 5.2.3. Table 19. Row 3 Key Activities 3.
    If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as: § 5.2.3. Table 19. Row 3 Description Bullet 2]
    Physical and environmental protection Physical and Environmental Protection
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Maintain Accountability for Hardware and Electronic Media Implementation Specification (Addressable) § 5.2.4. Table 20. Row 3 Key Activities 3.]
    Physical and environmental protection Records Management
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Physical and environmental protection Log Management
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Technical Security
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Physical and Environmental Protection
    Restrict physical access to distributed assets. CC ID 11865
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a media protection policy. CC ID 14029 Physical and environmental protection Establish/Maintain Documentation
    Include compliance requirements in the media protection policy. CC ID 14185 Physical and environmental protection Establish/Maintain Documentation
    Include coordination amongst entities in the media protection policy. CC ID 14184 Physical and environmental protection Establish/Maintain Documentation
    Include management commitment in the media protection policy. CC ID 14182 Physical and environmental protection Establish/Maintain Documentation
    Include roles and responsibilities in the media protection policy. CC ID 14180 Physical and environmental protection Establish/Maintain Documentation
    Include the scope in the media protection policy. CC ID 14167 Physical and environmental protection Establish/Maintain Documentation
    Include the purpose in the media protection policy. CC ID 14166 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Physical and environmental protection Communicate
    Establish, implement, and maintain media protection procedures. CC ID 14062 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Physical and environmental protection Communicate
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Identify removable media and their uses. § 5.2.4. Table 20. Row 2 Description Bullet 3]
    Physical and environmental protection Data and Information Management
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Records Management
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Include Information Technology assets in the asset removal policy. CC ID 13162 Physical and environmental protection Establish/Maintain Documentation
    Obtain management approval prior to decommissioning assets. CC ID 17269 Physical and environmental protection Business Processes
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and environmental protection Physical and Environmental Protection
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681
    [HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 5.2.4. ¶ 1]
    Physical and environmental protection Physical and Environmental Protection
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Physical and environmental protection Log Management
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1
    Determine the proper function and manner by which specific workstations or classes of workstations are permitted to access ePHI (e.g., applications permitting access to ePHI that are allowed on workstations used by a hospital's customer service call center or its radiology department). § 5.2.2. Table 18. Row 1 Description Bullet 4]
    Physical and environmental protection Establish/Maintain Documentation
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Data and Information Management
    Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 Physical and environmental protection Communicate
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 Physical and environmental protection Communicate
    Establish, implement, and maintain mobile device activation procedures. CC ID 16999 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI. § 5.2.3. Table 19. Row 1 Description Bullet 2]
    Physical and environmental protection Establish/Maintain Documentation
    Include a "Return to Sender" text file on mobile devices. CC ID 17075 Physical and environmental protection Process or Activity
    Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 Physical and environmental protection Establish/Maintain Documentation
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Business Processes
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Physical and Environmental Protection
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Data and Information Management
    Secure system components from unauthorized viewing. CC ID 01437
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Develop a standard set of procedures that should be followed to recover access control devices (e.g., identification badges, keys, access cards) when employment ends. § 5.1.3. Table 10. Row 5 Description Bullet 2]
    Physical and environmental protection Establish/Maintain Documentation
    Protect customer property under the care of the organization. CC ID 11685 Physical and environmental protection Physical and Environmental Protection
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain returned card procedures. CC ID 13567 Physical and environmental protection Establish/Maintain Documentation
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Physical and environmental protection Business Processes
    Establish, implement, and maintain a mailing control log. CC ID 16136 Physical and environmental protection Establish/Maintain Documentation
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Physical and environmental protection Establish Roles
    Inventory payment cards, as necessary. CC ID 13547 Physical and environmental protection Records Management
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Physical and environmental protection Establish/Maintain Documentation
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and environmental protection Physical and Environmental Protection
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and environmental protection Physical and Environmental Protection
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and environmental protection Physical and Environmental Protection
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and environmental protection Physical and Environmental Protection
    Install and maintain network patch panels. CC ID 08636 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710
    [{authorized access} Develop and deploy policies and procedures to ensure that repairs, upgrades, and/or modifications are made to the appropriate physical areas of the facility while ensuring that proper access is allowed. § 5.2.1. Table 17. Row 2 Description Bullet 2]
    Physical and environmental protection Establish/Maintain Documentation
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and environmental protection Physical and Environmental Protection
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and environmental protection Physical and Environmental Protection
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Physical and environmental protection Technical Security
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain work environment requirements. CC ID 06613
    [Analyze Physical Surroundings for Physical Attributes § 5.2.2. Table 18. Row 3 Key Activities 3.
    HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Physical and environmental protection Establish/Maintain Documentation
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a business continuity program. CC ID 13210
    [HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 5.1.7. ¶ 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [Develop a Contingency Planning Policy § 5.1.7. Table 14. Row 1 Key Activities 1.]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the business continuity policy. CC ID 17203 Operational and Systems Continuity Systems Continuity
    Include compliance requirements in the business continuity policy. CC ID 14237 Operational and Systems Continuity Establish/Maintain Documentation
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Operational and Systems Continuity Establish/Maintain Documentation
    Include management commitment in the business continuity policy. CC ID 14233 Operational and Systems Continuity Establish/Maintain Documentation
    Include the scope in the business continuity policy. CC ID 14231 Operational and Systems Continuity Establish/Maintain Documentation
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Operational and Systems Continuity Communicate
    Include the purpose in the business continuity policy. CC ID 14188 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235 Operational and Systems Continuity Establish/Maintain Documentation
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 Operational and Systems Continuity Establish/Maintain Documentation
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Operational and Systems Continuity Establish/Maintain Documentation
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239 Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 Operational and Systems Continuity Establish/Maintain Documentation
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 Operational and Systems Continuity Establish/Maintain Documentation
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Operational and Systems Continuity Establish/Maintain Documentation
    Include data recovery in the business continuity testing strategy. CC ID 13262 Operational and Systems Continuity Establish/Maintain Documentation
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Operational and Systems Continuity Establish/Maintain Documentation
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Records Management
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Establish/Maintain Documentation
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Operational and Systems Continuity Systems Continuity
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907
    [{contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Operational and Systems Continuity Establish/Maintain Documentation
    Designate safe rooms in the shelter in place plan. CC ID 16276 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733
    [{contingency plan} Establish the organizational framework, roles, and responsibilities for this area. § 5.1.7. Table 14. Row 1 Description Bullet 2]
    Operational and Systems Continuity Establish Roles
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Operational and Systems Continuity Communicate
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop and Implement an Emergency Mode Operation Plan Implementation Specification (Required) § 5.1.7. Table 14. Row 6 Key Activities 6.]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Include tolerance levels in the continuity plan. CC ID 17305 Operational and Systems Continuity Systems Continuity
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [Establish (and implement as needed) procedures to restore any loss of data. § 5.1.7. Table 14. Row 5 Description Bullet 2
    Develop Recovery Strategy § 5.1.7. Table 14. Row 4 Key Activities 4.
    {be cost-effective} Establish cost-effective strategies for recovering these critical services or processes. § 5.1.7. Table 14. Row 2 Description Bullet 7]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to restore system interconnections in the recovery plan. CC ID 17100 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include voltage and frequency requirements in the recovery plan. CC ID 17098 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295
    [Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 Operational and Systems Continuity Communicate
    Identify and document critical facilities. CC ID 17304 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [{are feasible} Ensure that identified preventive measures are practical and feasible in terms of their applicability in a given environment. § 5.1.7. Table 14. Row 3 Description Bullet 2
    {contingency plan} Identify preventive measures for each defined scenario that could result in the loss of a critical service operation involving the use of ePHI. § 5.1.7. Table 14. Row 3 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include emergency operating procedures in the continuity plan. CC ID 11694
    [{emergency mode operation} "Emergency mode" operation involves only those critical business processes that must occur to protect the security of ePHI during and immediately after a crisis situation. § 5.1.7. Table 14. Row 6 Description Bullet 2
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1
    Establish (and implement as needed) procedures to enable the continuation of critical business processes to protect the security of ePHI while operating in emergency mode. § 5.1.7. Table 14. Row 6 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include load-shedding in the emergency operating procedures. CC ID 17133 Operational and Systems Continuity Establish/Maintain Documentation
    Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 Operational and Systems Continuity Establish/Maintain Documentation
    Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 Operational and Systems Continuity Establish/Maintain Documentation
    Include outages in the emergency operating procedures. CC ID 17129 Operational and Systems Continuity Establish/Maintain Documentation
    Include energy resource management in the emergency operating procedures. CC ID 17128 Operational and Systems Continuity Establish/Maintain Documentation
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688
    [Determine the amount of time that the organization can tolerate disruptions to these operations, materials, or services (e.g., due to power outages). § 5.1.7. Table 14. Row 2 Description Bullet 4
    {contingency strategy} {criticality analysis} Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and the associated priorities identified in Key Activity 2. § 5.1.7. Table 14. Row 4 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Define and prioritize critical business records. CC ID 11687
    [Identify the activities and material involving ePHI that are critical to business operations. § 5.1.7. Table 14. Row 2 Description Bullet 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the protection of personnel in the continuity plan. CC ID 06378 Operational and Systems Continuity Establish/Maintain Documentation
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771
    [Consider assigning secondary personnel to be part of the incident response team in the event that primary personnel are unavailable. § 5.1.6. Table 13. Row 2 Description Bullet 3]
    Operational and Systems Continuity Human Resources Management
    Establish, implement, and maintain a critical third party list. CC ID 06815
    [Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include the capacity of critical resources in the critical resource list. CC ID 17099 Operational and Systems Continuity Establish/Maintain Documentation
    Include website continuity procedures in the continuity plan. CC ID 01380 Operational and Systems Continuity Establish/Maintain Documentation
    Include a backup rotation scheme in the backup policy. CC ID 16219 Operational and Systems Continuity Establish/Maintain Documentation
    Include naming conventions in the backup policy. CC ID 16218 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Establish and implement procedures to create and maintain retrievable exact copies of ePHI. § 5.1.7. Table 14. Row 5 Description Bullet 1
    {contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Develop Data Backup and Storage Procedures Implementation Specification (Addressable) § 5.2.4. Table 20. Row 4 Key Activities 4.]
    Operational and Systems Continuity Systems Continuity
    Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 Operational and Systems Continuity Communicate
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Data and Information Management
    Perform full backups in accordance with organizational standards. CC ID 16376 Operational and Systems Continuity Data and Information Management
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Operational and Systems Continuity Data and Information Management
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Operational and Systems Continuity Data and Information Management
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Operational and Systems Continuity Establish/Maintain Documentation
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 Operational and Systems Continuity Communicate
    Train personnel on the continuity plan. CC ID 00759
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3
    Train those with defined plan responsibilities in their roles. § 5.1.7. Table 14. Row 7 Description Bullet 3]
    Operational and Systems Continuity Behavior
    Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 Operational and Systems Continuity Training
    Include cross-team coordination in continuity plan training. CC ID 16235 Operational and Systems Continuity Training
    Include stay at home order training in the continuity plan training. CC ID 14382 Operational and Systems Continuity Training
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Operational and Systems Continuity Training
    Include personal protection in continuity plan training. CC ID 14394 Operational and Systems Continuity Training
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [{contingency plan} Address scope, resource requirements, training, testing, plan maintenance, and backup requirements. § 5.1.7. Table 14. Row 1 Description Bullet 3]
    Operational and Systems Continuity Testing
    Establish, implement, and maintain a continuity test plan. CC ID 04896
    [Make key decisions regarding how the testing is to occur (e.g., tabletop exercise versus staging a real operational scenario, including actual loss of capability). § 5.1.7. Table 14. Row 7 Description Bullet 5
    Implement procedures for the periodic testing and revision of contingency plans. § 5.1.7. Table 14. Row 7 Description Bullet 1]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Operational and Systems Continuity Establish/Maintain Documentation
    Include recovery procedures in the continuity test plan. CC ID 14876 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scripts in the continuity test plan. CC ID 14875 Operational and Systems Continuity Establish/Maintain Documentation
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Operational and Systems Continuity Establish/Maintain Documentation
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Operational and Systems Continuity Establish/Maintain Documentation
    Include contact information in the continuity test plan. CC ID 14399 Operational and Systems Continuity Establish/Maintain Documentation
    Include testing all system components in the continuity test plan. CC ID 13508 Operational and Systems Continuity Establish/Maintain Documentation
    Include test scenarios in the continuity test plan. CC ID 13506 Operational and Systems Continuity Establish/Maintain Documentation
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Operational and Systems Continuity Establish/Maintain Documentation
    Include the risk assessment results in the continuity test plan. CC ID 17205 Operational and Systems Continuity Establish/Maintain Documentation
    Include the business impact analysis test results in the continuity test plan. CC ID 17204 Operational and Systems Continuity Establish/Maintain Documentation
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Testing
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Testing
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Testing
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769
    [If possible, involve external entities (e.g., vendors, alternative site or service providers) in testing exercises. § 5.1.7. Table 14. Row 7 Description Bullet 4]
    Operational and Systems Continuity Testing
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Testing
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Testing
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Operational and Systems Continuity Actionable Reports or Measurements
    Address identified deficiencies in the continuity plan test results. CC ID 17209 Operational and Systems Continuity Testing
    Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 Operational and Systems Continuity Communicate
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [Identify the individual who has final responsibility for security. § 5.1.2. Table 9. Row 1 Description Bullet 1
    {security responsibility} Assign and Document the Individual's Responsibility § 5.1.2. Table 9. Row 2 Key Activities 2.]
    Human Resources management Establish Roles
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112
    [Select a Security Official to be Assigned Responsibility for HIPAA Security § 5.1.2. Table 9. Row 1 Key Activities 1.]
    Human Resources management Human Resources Management
    Define and assign the assessment team's roles and responsibilities. CC ID 08890
    [If available, consider engaging corporate, legal, or regulatory compliance staff when conducting the analysis. § 5.1.8. Table 15. Row 2 Description Bullet 6
    Determine in advance what departments and/or staff will participate in the evaluation. § 5.1.8. Table 15. Row 3 Description Bullet 1]
    Human Resources management Business Processes
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Human Resources Management
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define roles and responsibilities for all job functions. § 5.1.3. Table 10. Row 2 Description Bullet 1
    Establish Clear Job Descriptions and Responsibilities § 5.1.3. Table 10. Row 2 Key Activities 2.
    Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.]
    Human Resources management Human Resources Management
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Human Resources Management
    Document the use of external experts. CC ID 16263 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for the biometric system. CC ID 17004 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [{risk management program} Create a Risk Management policy and program that outlines organizational risk appetite and risk tolerance, personnel duties, responsible parties, the frequency of risk management, and required documentation. § 5.1.1. Table 8. Row 3 Description Bullet 3]
    Human Resources management Human Resources Management
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Establish Roles
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Human Resources Management
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the asset management system. CC ID 14368
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Human Resources management Establish/Maintain Documentation
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Human Resources Management
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [Implement Policies and Procedures for Authorization and/or Supervision Implementation Specification (Addressable) § 5.1.3. Table 10. Row 1 Key Activities 1.
    Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. § 5.1.3. Table 10. Row 1 Description Bullet 1]
    Human Resources management Establish/Maintain Documentation
    Categorize the gender of all employees. CC ID 15609 Human Resources management Human Resources Management
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources management Human Resources Management
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources management Human Resources Management
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources management Human Resources Management
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources management Human Resources Management
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources management Human Resources Management
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources management Human Resources Management
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources management Human Resources Management
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources management Human Resources Management
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources management Human Resources Management
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources management Human Resources Management
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Human Resources management Establish/Maintain Documentation
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources management Human Resources Management
    Require all new hires to sign the Code of Conduct. CC ID 06665 Human Resources management Establish/Maintain Documentation
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Human Resources management Establish/Maintain Documentation
    Require new hires to sign nondisclosure agreements. CC ID 06668 Human Resources management Establish/Maintain Documentation
    Train all new hires, as necessary. CC ID 06673 Human Resources management Behavior
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the personnel security policy. CC ID 14154 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Human Resources management Establish/Maintain Documentation
    Include management commitment in the personnel security policy. CC ID 14113 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Human Resources management Establish/Maintain Documentation
    Include the scope in the personnel security policy. CC ID 14111 Human Resources management Establish/Maintain Documentation
    Include the purpose in the personnel security policy. CC ID 14110 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Human Resources management Communicate
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources management Human Resources Management
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700
    [Implement appropriate screening of persons who will have access to ePHI. § 5.1.3. Table 10. Row 4 Description Bullet 2]
    Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783
    [Implement a procedure for obtaining clearance from appropriate offices or individuals where access is provided or terminated. § 5.1.3. Table 10. Row 4 Description Bullet 3
    Establish a Workforce Clearance Procedure Implementation Specification (Addressable) § 5.1.3. Table 10. Row 4 Key Activities 4.]
    Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Establish Termination Procedures Implementation Specification (Addressable) § 5.1.3. Table 10. Row 5 Key Activities 5.]
    Human Resources management Establish/Maintain Documentation
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Human Resources Management
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Human Resources Management
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Behavior
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Communicate
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Human Resources Management
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Behavior
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Human Resources Management
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Establish/Maintain Documentation
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [Establish Criteria and Procedures for Hiring and Assigning Tasks § 5.1.3. Table 10. Row 3 Key Activities 3.
    {workforce security} Ensure that these requirements are included as part of the personnel hiring process. § 5.1.3. Table 10. Row 3 Description Bullet 2]
    Human Resources management Establish/Maintain Documentation
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Establish/Maintain Documentation
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Communicate
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Establish/Maintain Documentation
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Human Resources management Establish/Maintain Documentation
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources management Human Resources Management
    Establish, implement, and maintain job applications. CC ID 16180 Human Resources management Establish/Maintain Documentation
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources management Human Resources Management
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources management Human Resources Management
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources management Human Resources Management
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources management Human Resources Management
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources management Human Resources Management
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources management Human Resources Management
    Include a space for the start date on the job application. CC ID 16187 Human Resources management Human Resources Management
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources management Human Resources Management
    Approve the wording of job applications. CC ID 16182 Human Resources management Human Resources Management
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources management Human Resources Management
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources management Human Resources Management
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785
    [Monitor the training program implementation to ensure that all workforce members participate. § 5.1.5. Table 12. Row 7 Description Bullet 4
    In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5. Table 12. Row 2 Description Bullet 3]
    Human Resources management Behavior
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Human Resources management Training
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{security awareness and training program} Consider using a variety of media and avenues according to what is appropriate for the organization based on workforce size, location, level of education, and other factors. § 5.1.5. Table 12. Row 4 Description Bullet 3]
    Human Resources management Business Processes
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362
    [{environmental changes} Training should be an ongoing, evolving process in response to environmental and operational changes that affect the security of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 4
    Conduct training whenever changes occur in the technology and practices, as appropriate. § 5.1.5. Table 12. Row 7 Description Bullet 3]
    Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Establish, implement, and maintain training plans. CC ID 00828
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.
    Monitor and Evaluate the Training Plan § 5.1.5. Table 12. Row 7 Key Activities 7.]
    Human Resources management Establish/Maintain Documentation
    Approve training plans, as necessary. CC ID 17193
    [{training plan} Develop and Approve a Training Strategy and a Plan § 5.1.5. Table 12. Row 2 Key Activities 2.]
    Human Resources management Training
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867
    [{security awareness and training program} Incorporate new information from email advisories, online IT security, daily news, websites, and periodicals, as reasonable and appropriate. § 5.1.5. Table 12. Row 4 Description Bullet 2]
    Human Resources management Training
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include insider threats in the security awareness program. CC ID 16963 Human Resources management Training
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2
    HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management). § 5.1.5. ¶ 1
    Develop Appropriate Awareness and Training Content, Materials, and Methods § 5.1.5. Table 12. Row 4 Key Activities 4.
    {security awareness training} Implement the Training § 5.1.5. Table 12. Row 5 Key Activities 5.
    {security awareness training} Schedule and conduct the training outlined in the strategy and plan. § 5.1.5. Table 12. Row 5 Description Bullet 1
    {keep current} Keep the security awareness and training program current. § 5.1.5. Table 12. Row 7 Description Bullet 1]
    Human Resources management Establish/Maintain Documentation
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Human Resources management Training
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092
    [Address the specific HIPAA policies that require security awareness and training in the security awareness and training program. § 5.1.5. Table 12. Row 2 Description Bullet 1]
    Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146
    [Select topics to be included in the training materials, and consider current and relevant topics (e.g., phishing, email security) for the protection of ePHI. § 5.1.5. Table 12. Row 4 Description Bullet 1]
    Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046
    [Set organizational expectations for protecting ePHI. § 5.1.5. Table 12. Row 2 Description Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Creating, changing, and safeguarding passwords. § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 3]
    Human Resources management Establish/Maintain Documentation
    Include identity and access management in the security awareness program. CC ID 17013 Human Resources management Training
    Include the encryption process in the security awareness program. CC ID 17014 Human Resources management Training
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include data management in the security awareness program. CC ID 17010 Human Resources management Training
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Human Resources management Training
    Include updates on emerging issues in the security awareness program. CC ID 13184
    [Implement Security Reminders Implementation Specification (Addressable) § 5.1.5. Table 12. Row 6 Key Activities 6.
    Implement periodic security updates. § 5.1.5. Table 12. Row 6 Description Bullet 1
    Provide periodic security updates to staff, business associates, and contractors. § 5.1.5. Table 12. Row 6 Description Bullet 2]
    Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183
    [As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include social networking in the security awareness program. CC ID 17011 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802
    [Incorporate information concerning workforce members' roles and responsibilities in implementing these implementation specifications into training and awareness efforts. § 5.1.5. Table 12. Row 3 Description Bullet 2]
    Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3]
    Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [In the security awareness and training program, outline the program's scope, goals, target audiences, learning objectives, deployment methods, and evaluation and measurement techniques, as well as the frequency of training. § 5.1.5 Table 12. Row 2 Description Bullet 3
    Consider the benefits of ongoing communication with staff (e.g., emails, newsletters) on training topics to achieve HIPAA compliance and protect ePHI. § 5.1.5. Table 12. Row 6 Description Bullet 3
    Implement any reasonable technique to disseminate the security messages in an organization, including newsletters, screensavers, video recordings, email messages, teleconferencing sessions, staff meetings, and computer-based training. § 5.1.5. Table 12. Row 5 Description Bullet 2]
    Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [As reasonable and appropriate, train workforce members regarding procedures for: Monitoring login attempts and reporting discrepancies; and § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 2
    As reasonable and appropriate, train workforce members regarding procedures for: Guarding against, detecting, and reporting malicious software; § 5.1.5. Table 12. Row 3 Description Bullet 1 Sub-Bullet 1]
    Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Operational management Establish/Maintain Documentation
    Correlate business processes and applications. CC ID 16300 Operational management Business Processes
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Establish/Maintain Documentation
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Establish/Maintain Documentation
    Include the scope in the compliance policy. CC ID 14812 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Establish/Maintain Documentation
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Communicate
    Include management commitment in the compliance policy. CC ID 14808 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Establish/Maintain Documentation
    Conduct governance meetings, as necessary. CC ID 16946 Operational management Process or Activity
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Communicate
    Include governance threshold requirements in the governance policy. CC ID 16933 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414
    [Leverage any existing reports or documentation that may already be prepared by the organization addressing the compliance, integration, or maturity of a particular security safeguard deployed to protect ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 7]
    Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include cloud services in the internal control framework. CC ID 17262 Operational management Establish/Maintain Documentation
    Include cloud security controls in the internal control framework. CC ID 17264 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732
    [Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups, as needed. § 5.1.6. Table 13. Row 1 Description Bullet 5]
    Operational management Communicate
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Operational management Process or Activity
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Operational management Establish/Maintain Documentation
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Operational management Establish/Maintain Documentation
    Include protection measures in the cybersecurity framework. CC ID 17278 Operational management Establish/Maintain Documentation
    Include the scope in the cybersecurity framework. CC ID 17277 Operational management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Communicate
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812
    [HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations. § 5.1.1. ¶ 1
    {security management} Create and Deploy Policies and Procedures § 5.1.1. Table 8. Row 5 Key Activities 5.
    {security management} Establish a frequency for reviewing policy and procedures. § 5.1.1. Table 8. Row 5 Description Bullet 4
    Consider the importance of documenting processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.1. Table 28. Row 1 Description Bullet 2
    Consider the importance of documenting the processes and procedures for demonstrating the adequate implementation of recognized security practices. § 5.5.2. Table 29. Row 1 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative safeguards} {technical safeguards} Amend the plan documents to incorporate provisions to require the plan sponsor to implement administrative, technical, and physical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. § 5.4.2. Table 27. Row 1 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386
    [Evaluate Existing Security Measures Related to Access Controls § 5.1.4. Table 11. Row 4 Key Activities 4.
    Evaluate the security features of access controls that are already in place or those of any planned for implementation, as appropriate. § 5.1.4. Table 11. Row 4 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380
    [{security management} Include all hardware and software that are used to collect, store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Operational management Communicate
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Operational management Communicate
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule § 5.1.8. Table 15. Row 2 Key Activities 2.
    Once security controls have been implemented in response to the organization's risk assessment and management processes, periodically review these implemented security measures to ensure their continued effectiveness in protecting ePHI. § 5.1.8. Table 15. Row 2 Description Bullet 2]
    Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2]
    Operational management Establish/Maintain Documentation
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Establish/Maintain Documentation
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain information security procedures. CC ID 12006
    [Create procedures to be followed to accomplish particular security-related tasks. § 5.1.1. Table 8. Row 5 Description Bullet 3
    {technical evaluation} HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 5.1.8. ¶ 1]
    Operational management Business Processes
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [{security training} {security access} Assign appropriate levels of security oversight, training, and access. § 5.1.3. Table 10. Row 2 Description Bullet 2]
    Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884
    [{security management} Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. § 5.1.1. Table 8. Row 5 Description Bullet 2
    HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 5.1.2. ¶ 1]
    Operational management Human Resources Management
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Operational management Communicate
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Operational management Communicate
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Operational management Establish/Maintain Documentation
    Define the situations that require time information in the operating instructions. CC ID 17111 Operational management Establish/Maintain Documentation
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Operational management Communicate
    Reissue operating instructions, as necessary. CC ID 17121 Operational management Communicate
    Include congestion management actions in the operational control procedures. CC ID 17135 Operational management Establish/Maintain Documentation
    Update the congestion management actions in a timely manner. CC ID 17145 Operational management Establish/Maintain Documentation
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Operational management Process or Activity
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Operational management Process or Activity
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Operational management Establish/Maintain Documentation
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Operational management Communicate
    Include continuous monitoring in the operational control procedures. CC ID 17137 Operational management Establish/Maintain Documentation
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Operational management Communicate
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Operational management Establish/Maintain Documentation
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Operational management Business Processes
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Operational management Process or Activity
    Coordinate outages with affected parties. CC ID 17160 Operational management Process or Activity
    Coordinate energy resource management with affected parties. CC ID 17150 Operational management Process or Activity
    Coordinate the control of voltage with affected parties. CC ID 17149 Operational management Process or Activity
    Coordinate energy shortages with affected parties. CC ID 17148 Operational management Process or Activity
    Include roles and responsibilities in the operational control procedures. CC ID 17159 Operational management Establish/Maintain Documentation
    Include alternative actions in the operational control procedures. CC ID 17096 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Approve or deny requests in a timely manner. CC ID 17095 Operational management Process or Activity
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Operational management Business Processes
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Operational management Communicate
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Operational management Communicate
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Develop Appropriate Standard Operating Procedures § 5.1.1. Table 8. Row 8 Key Activities 8.
    Develop Appropriate Standard Operating Procedures § 5.3.2. Table 22. Row 4 Key Activities 4.]
    Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include system use information in the standard operating procedures manual. CC ID 17240 Operational management Establish/Maintain Documentation
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include resources in the standard operating procedures manual. CC ID 17212 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 5.2.2. ¶ 1]
    Operational management Establish/Maintain Documentation
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Operational management Establish/Maintain Documentation
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Operational management Establish/Maintain Documentation
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Operational management Establish/Maintain Documentation
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Operational management Communicate
    Validate recipients prior to sending electronic messages. CC ID 16981 Operational management Business Processes
    Establish, implement, and maintain a Global Address List. CC ID 16934 Operational management Data and Information Management
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Operational management Establish/Maintain Documentation
    Include content requirements in the e-mail policy. CC ID 17041 Operational management Establish/Maintain Documentation
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Operational management Establish/Maintain Documentation
    Include usage restrictions in the e-mail policy. CC ID 17039 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Include message format requirements in the e-mail policy. CC ID 17038 Operational management Establish/Maintain Documentation
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Operational management Establish/Maintain Documentation
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Operational management Communicate
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Establish/Maintain Documentation
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Each regulated entity (i.e., covered entity or business associate) is responsible for its own Security Rule compliance and violations and should review the following key activities, descriptions, and sample questions through the lens of its own organization. § 5. ¶ 5]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Develop and document policies and procedures related to the proper use and performance of devices that create, store, process, or transmit ePHI. § 5.2.2. Table 18. Row 2 Description Bullet 1
    Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Operational management Business Processes
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Business Processes
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Establish/Maintain Documentation
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [Analyze business functions and verify the ownership and control of information system elements as necessary. § 5.1.1. Table 8. Row 1 Description Bullet 4]
    Operational management Human Resources Management
    Define the requirements for where assets can be located. CC ID 17051 Operational management Business Processes
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Business Processes
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Establish/Maintain Documentation
    Include program objectives in the asset management program. CC ID 14413 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Establish/Maintain Documentation
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Establish/Maintain Documentation
    Include installation requirements in the asset management program. CC ID 17195 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Business Processes
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Communicate
    Classify assets according to the Asset Classification Policy. CC ID 07186
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2
    Classify devices based on the capabilities, connections, and allowable activities for each device used. § 5.2.2. Table 18. Row 1 Description Bullet 3]
    Operational management Establish Roles
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Business Processes
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184
    [Develop policies and procedures for each type of device and identify and accommodate their unique issues. § 5.2.2. Table 18. Row 1 Description Bullet 2]
    Operational management Establish Roles
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Inventory facilities and identify shortfalls and/or vulnerabilities in current physical security capabilities. § 5.2.1. Table 17. Row 1 Description Bullet 1
    Inventory workstations and devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices (e.g., medical equipment, IoT devices, tablets, smart phones). § 5.2.2. Table 18. Row 1 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289
    [Identify all systems that house ePHI. Be sure to identify mobile devices, medical equipment, and IoT devices that store, process, or transmit ePHI. § 5.1.1. Table 8. Row 1 Description Bullet 2
    Identify systems covered by the contract/agreement. § 5.1.9. Table 16. Row 1 Description Bullet 3]
    Operational management Data and Information Management
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 Operational management Data and Information Management
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 Operational management Data and Information Management
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make and model of device for applicable assets in the asset inventory. CC ID 12465
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636
    [Identify Workstation and Device Types and Functions or Uses § 5.2.2. Table 18. Row 1 Key Activities 1.]
    Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868
    [Ensure that an individual is responsible for and records the receipt and removal of hardware and software with ePHI. § 5.2.4. Table 20. Row 3 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Prevent users from disabling required software. CC ID 16417 Operational management Technical Security
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Establish/Maintain Documentation
    Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 Operational management Configuration
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Establish/Maintain Documentation
    Obtain management approval prior to disposing of information technology assets. CC ID 17270 Operational management Business Processes
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Business Processes
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Business Processes
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Establish/Maintain Documentation
    Establish and maintain maintenance reports. CC ID 11749
    [Include documentation of the facility inventory, physical maintenance records, and a history of changes, upgrades, and other modifications. § 5.2.1. Table 17. Row 3 Description Bullet 3
    Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks). § 5.2.1. Table 17. Row 6 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 Operational management Maintenance
    Include a description of the maintenance performed in the maintenance report. CC ID 17087 Operational management Maintenance
    Include roles and responsibilities in the maintenance report. CC ID 17086 Operational management Maintenance
    Include the date and time of maintenance in the maintenance report. CC ID 17085 Operational management Maintenance
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Establish/Maintain Documentation
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Establish/Maintain Documentation
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Establish/Maintain Documentation
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Communicate
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Communicate
    Establish, implement, and maintain a technology refresh schedule. CC ID 16940 Operational management Establish/Maintain Documentation
    Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 Operational management Communicate
    Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 Operational management Process or Activity
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Log the performance of all remote maintenance. CC ID 13202 Operational management Log Management
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Maintenance
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202
    [Maintain Maintenance Records Implementation Specification (Addressable) § 5.2.1. Table 17. Row 6 Key Activities 6.]
    Operational management Establish/Maintain Documentation
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Process or Activity
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Establish/Maintain Documentation
    Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 Operational management Communicate
    Dispose of hardware and software at their life cycle end. CC ID 06278
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Operational management Business Processes
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Business Processes
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Establish/Maintain Documentation
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Establish/Maintain Documentation
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Business Processes
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [HIPAA Standard: Implement policies and procedures to address security incidents. § 5.1.6. ¶ 1]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Communicate
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Establish/Maintain Documentation
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include the criteria for an incident in the Incident Management program. CC ID 12173
    [Gain an understanding as to what constitutes a true security incident. Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (45 CFR § 164.304). § 5.1.6. Table 13. Row 1 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Establish/Maintain Documentation
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Establish/Maintain Documentation
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Establish/Maintain Documentation
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Establish/Maintain Documentation
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Remediate security violations according to organizational standards. CC ID 12338
    [Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Operational management Business Processes
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include the incident classification criteria in incident response notifications. CC ID 17293 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include the incident reference code in incident response notifications. CC ID 17292 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include activations of the business continuity plan in incident response notifications. CC ID 17295 Operational management Establish/Maintain Documentation
    Include costs associated with the incident in incident response notifications. CC ID 17300 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Update the incident response procedures using the lessons learned. CC ID 01233
    [Update the procedures as required based on changing organizational needs. § 5.1.6. Table 13. Row 3 Description Bullet 6
    Incorporate Post-Incident Analysis Into Updates and Revisions § 5.1.6. Table 13. Row 4 Key Activities 4.
    Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4
    Measure effectiveness and update security incident response procedures to reflect lessons learned and identify actions to take that will improve security controls after a security incident. § 5.1.6. Table 13. Row 4 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Data and Information Management
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.
    Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4
    Establish a specific policy for security incident reporting. § 5.4.2. Table 27. Row 4 Description Bullet 2]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579
    [Ensure that the incident response program covers all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 1 Description Bullet 2
    Develop and Implement Policy and Procedures to Respond to and Report Security Incidents Implementation Specification (Required) § 5.1.6. Table 13. Row 3 Key Activities 3.]
    Operational management Establish/Maintain Documentation
    Create an incident response report. CC ID 12700
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include entities notified of the incident in the incident response report. CC ID 17294 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in the incident response report. CC ID 17298 Operational management Establish/Maintain Documentation
    Include the incident reference code in the incident response report. CC ID 17297 Operational management Establish/Maintain Documentation
    Include how the incident was discovered in the incident response report. CC ID 16987 Operational management Establish/Maintain Documentation
    Include the categories of data that were compromised in the incident response report. CC ID 16985 Operational management Establish/Maintain Documentation
    Include disciplinary actions taken in the incident response report. CC ID 16810 Operational management Establish/Maintain Documentation
    Include the persons responsible for the incident in the incident response report. CC ID 16808 Operational management Establish/Maintain Documentation
    Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 Operational management Establish/Maintain Documentation
    Include recovery measures in the incident response report. CC ID 17299 Operational management Establish/Maintain Documentation
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296 Operational management Establish/Maintain Documentation
    Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 Operational management Acquisition/Sale of Assets or Services
    Define target resolution times for incident response in the Incident Response program. CC ID 13072
    [Determine the Goals of an Incident Response § 5.1.6. Table 13. Row 1 Key Activities 1.]
    Operational management Establish/Maintain Documentation
    Mitigate reported incidents. CC ID 12973
    [Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 5.1.6. Table 13. Row 3 Description Bullet 1]
    Operational management Actionable Reports or Measurements
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Establish/Maintain Documentation
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Establish/Maintain Documentation
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Establish/Maintain Documentation
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Establish/Maintain Documentation
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Establish/Maintain Documentation
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Establish/Maintain Documentation
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Establish/Maintain Documentation
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Establish/Maintain Documentation
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Establish/Maintain Documentation
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a cyber incident response plan. CC ID 13286 Operational management Establish/Maintain Documentation
    Disseminate and communicate the cyber incident response plan to interested personnel and affected parties. CC ID 16838 Operational management Communicate
    Include incident response team structures in the Incident Response program. CC ID 01237
    [Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate Response Mechanism § 5.1.6. Table 13. Row 2 Key Activities 2.
    Determine whether the size, scope, mission, and other aspects of the organization justify the reasonableness and appropriateness of maintaining a standing incident response team. § 5.1.6. Table 13. Row 2 Description Bullet 1
    Identify appropriate individuals to be part of a formal incident response team if the organization has determined that implementing an incident response team is reasonable and appropriate. § 5.1.6. Table 13. Row 2 Description Bullet 2]
    Operational management Establish/Maintain Documentation
    Include identifying remediation actions in the incident response plan. CC ID 13354 Operational management Establish/Maintain Documentation
    Include log management procedures in the incident response program. CC ID 17081 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an incident response policy. CC ID 14024
    [Ensure that an organizational incident response policy is in place that addresses all parts of the organization in which ePHI is created, stored, processed, or transmitted. § 5.1.6. Table 13. Row 3 Description Bullet 2]
    Operational management Establish/Maintain Documentation
    Include compliance requirements in the incident response policy. CC ID 14108 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the incident response policy. CC ID 14107
    [Establish a reporting mechanism and a process to coordinate responses to the security incident. § 5.1.6. Table 13. Row 1 Description Bullet 4]
    Operational management Establish/Maintain Documentation
    Include management commitment in the incident response policy. CC ID 14106 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the incident response policy. CC ID 14105 Operational management Establish/Maintain Documentation
    Include the scope in the incident response policy. CC ID 14104 Operational management Establish/Maintain Documentation
    Include the purpose in the incident response policy. CC ID 14101 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 Operational management Communicate
    Include time information in the chain of custody. CC ID 17068 Operational management Log Management
    Include actions performed on evidence in the chain of custody. CC ID 17067 Operational management Log Management
    Include individuals who had custody of evidence in the chain of custody. CC ID 17066 Operational management Log Management
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215
    [Review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input, if reasonable and appropriate. § 5.1.6. Table 13. Row 3 Description Bullet 4]
    Operational management Establish/Maintain Documentation
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain a change control program. CC ID 00886
    [Determine what constitutes an environmental or operational change that affects the security of ePHI. § 5.1.8. Table 15. Row 3 Description Bullet 2
    Establish the frequency of evaluations. Consider the sensitivity of the ePHI controlled by the organization as well as the organization's size, complexity, and environmental and/or operational changes (e.g., other relevant laws or accreditation requirements). § 5.1.8. Table 15. Row 5 Description Bullet 1
    Evaluate existing system capabilities and determine whether any changes or upgrades are necessary. § 5.3.2. Table 22. Row 2 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119 Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Implement changes according to the change control program. CC ID 11776
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120
    [Change policies and procedures as is reasonable and appropriate at any time, provided that the changes are documented and implemented in accordance with the requirements of the HIPAA Security Rule. § 5.5.1. Table 28. Row 2 Description Bullet 1
    HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 5.5.1. ¶ 1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a transition strategy. CC ID 17049 Operational management Establish/Maintain Documentation
    Include monitoring requirements in the transition strategy. CC ID 17290 Operational management Establish/Maintain Documentation
    Include resources in the transition strategy. CC ID 17289 Operational management Establish/Maintain Documentation
    Include time requirements in the transition strategy. CC ID 17288 Operational management Establish/Maintain Documentation
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Systems Design, Build, and Implementation
    Update associated documentation after the system configuration has been changed. CC ID 00891
    [Review documentation periodically and update as needed in response to environmental or operational changes that affect the security of the ePHI. § 5.5.2. Table 29. Row 4 Description Bullet 1]
    Operational management Establish/Maintain Documentation
    Establish and maintain a service catalog. CC ID 13634
    [{critical operations} {manual processes} Identify the critical services or operations and the manual and automated processes that support them involving ePHI. § 5.1.7. Table 14. Row 2 Description Bullet 3]
    Operational management Establish/Maintain Documentation
    Include a service description in the service catalog. CC ID 13917 Operational management Establish/Maintain Documentation
    Assign unique reference numbers to all services in the service catalog. CC ID 14424 Operational management Establish/Maintain Documentation
    Include service deliverables for each service description in the service catalog. CC ID 13918 Operational management Establish/Maintain Documentation
    Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 Operational management Establish/Maintain Documentation
    Categorize services in the service catalog. CC ID 14419 Operational management Establish/Maintain Documentation
    Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 Operational management Establish/Maintain Documentation
    Communicate the service catalog to interested personnel and affected parties. CC ID 13910 Operational management Communicate
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Consider whether the addressable implementation specifications of this standard are reasonable and appropriate: Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity. § 5.3.1. Table 21. Row 8 Description Bullet 1 Sub-Bullet 1]
    System hardening through configuration management Configuration
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 System hardening through configuration management Technical Security
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 System hardening through configuration management Configuration
    Invalidate unexpected session identifiers. CC ID 15307 System hardening through configuration management Configuration
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 System hardening through configuration management Configuration
    Reject session identifiers that are not valid. CC ID 15306 System hardening through configuration management Configuration
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 System hardening through configuration management Configuration
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 System hardening through configuration management Configuration
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Configuration
    Configure all logs to capture auditable events or actionable events. CC ID 06332
    [Ensure that the necessary data is available in the system logs to support audit and other related business functions. § 5.3.1. Table 21. Row 3 Description Bullet 3]
    System hardening through configuration management Configuration
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 System hardening through configuration management Log Management
    Configure the log to capture startups and shutdowns. CC ID 16491 System hardening through configuration management Log Management
    Configure the log to capture user queries and searches. CC ID 16479 System hardening through configuration management Log Management
    Configure the log to capture Internet Protocol addresses. CC ID 16495 System hardening through configuration management Log Management
    Configure the log to capture error messages. CC ID 16477 System hardening through configuration management Log Management
    Configure the log to capture system failures. CC ID 16475 System hardening through configuration management Log Management
    Configure the log to capture account lockouts. CC ID 16470 System hardening through configuration management Configuration
    Configure the log to capture execution events. CC ID 16469 System hardening through configuration management Configuration
    Configure the log to capture attempts to bypass or circumvent security controls. CC ID 17078 System hardening through configuration management Log Management
    Configure the log to capture AWS Organizations changes. CC ID 15445 System hardening through configuration management Configuration
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 System hardening through configuration management Configuration
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 System hardening through configuration management Configuration
    Configure the log to capture route table changes. CC ID 15439 System hardening through configuration management Configuration
    Configure the log to capture virtual private cloud changes. CC ID 15435 System hardening through configuration management Configuration
    Configure the log to capture changes to encryption keys. CC ID 15432 System hardening through configuration management Configuration
    Configure the log to capture unauthorized API calls. CC ID 15429 System hardening through configuration management Configuration
    Configure the log to capture changes to network gateways. CC ID 15421 System hardening through configuration management Configuration
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Log Management
    Establish, implement, and maintain an information management program. CC ID 14315
    [Periodically evaluate written policies and procedures to verify that: § 5.5.1. Table 28. Row 1 Description Bullet 3]
    Records management Establish/Maintain Documentation
    Retain records in accordance with applicable requirements. CC ID 00968
    [Retain Documentation for at Least Six Years Implementation Specification (Required) § 5.5.2. Table 29. Row 2 Key Activities 2.
    Retain documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 5.5.2. Table 29. Row 2 Description Bullet 1]
    Records management Records Management
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. § 5.2.4. Table 20. Row 1 Description Bullet 1]
    Records management Establish/Maintain Documentation
    Perform destruction at authorized facilities. CC ID 17074 Records management Business Processes
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Business Processes
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure that ePHI previously stored on any electronic media cannot be accessed and reused. § 5.2.4. Table 20. Row 2 Description Bullet 2]
    Records management Data and Information Management
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [Implement procedures for the removal of ePHI from electronic media before the media become available for reuse. § 5.2.4. Table 20. Row 2 Description Bullet 1
    Ensure that ePHI is removed from reusable media before they are used to record new information. § 5.2.4. Table 20. Row 2 Description Bullet 4]
    Records management Data and Information Management
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Process or Activity
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Business Processes
    Establish, implement, and maintain records disposition procedures. CC ID 00971
    [Determine and document the appropriate methods to dispose of hardware, software, and the data. § 5.2.4. Table 20. Row 1 Description Bullet 2]
    Records management Establish/Maintain Documentation
    Require authorized individuals be present to witness records disposition. CC ID 12313 Records management Data and Information Management
    Include the sanitization method in the disposal record. CC ID 17073 Records management Log Management
    Include time information in the disposal record. CC ID 17072 Records management Log Management
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Establish/Maintain Documentation
    Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 Records management Communicate
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain authorization records. CC ID 14367 Records management Establish/Maintain Documentation
    Include the reasons for granting the authorization in the authorization records. CC ID 14371 Records management Establish/Maintain Documentation
    Include the date and time the authorization was granted in the authorization records. CC ID 14370 Records management Establish/Maintain Documentation
    Include the person's name who approved the authorization in the authorization records. CC ID 14369 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic health records. CC ID 14436 Records management Data and Information Management
    Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 Records management Data and Information Management
    Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 Records management Records Management
    Display required information automatically in electronic health records. CC ID 14442 Records management Process or Activity
    Create summary of care records in accordance with applicable standards. CC ID 14440 Records management Establish/Maintain Documentation
    Provide the patient with a summary of care record, as necessary. CC ID 14441 Records management Actionable Reports or Measurements
    Create export summaries, as necessary. CC ID 14446 Records management Process or Activity
    Import data files into a patient's electronic health record. CC ID 14448 Records management Data and Information Management
    Export requested sections of the electronic health record. CC ID 14447 Records management Data and Information Management
    Establish and maintain an implantable device list. CC ID 14444 Records management Records Management
    Display the implantable device list to authorized users. CC ID 14445 Records management Data and Information Management
    Establish, implement, and maintain decision support interventions. CC ID 14443 Records management Business Processes
    Include attributes in the decision support intervention. CC ID 16766 Records management Data and Information Management
    Establish, implement, and maintain a recordkeeping system. CC ID 15709 Records management Records Management
    Log the termination date in the recordkeeping system. CC ID 16181 Records management Records Management
    Log the name of the requestor in the recordkeeping system. CC ID 15712 Records management Records Management
    Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 Records management Records Management
    Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 Records management Log Management
    Include record integrity techniques in the records management procedures. CC ID 06418
    [Identify and implement methods that will be used to protect ePHI from unauthorized modification. § 5.3.3. Table 23. Row 4 Description Bullet 1]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Implement a Mechanism to Authenticate ePHI Implementation Specification (Addressable) § 5.3.3. Table 23. Row 5 Key Activities 5.
    Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. § 5.3.3. Table 23. Row 5 Description Bullet 1
    Consider possible mechanisms for integrity verification, such as: § 5.3.3. Table 23. Row 5 Description Bullet 2
    Implement Integrity Controls Implementation Specification (Addressable) § 5.3.5. Table 25. Row 3 Key Activities 3.]
    Records management Establish Roles
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Process or Activity
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Develop and Implement Procedures for the Reuse of Electronic Media Implementation Specification (Required) § 5.2.4. Table 20. Row 2 Key Activities 2.]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Establish/Maintain Documentation
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953
    [Create a retrievable exact copy of ePHI, when needed, before movement of equipment. § 5.2.4. Table 20. Row 4 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2]
    Records management Records Management
    Establish, implement, and maintain a removable storage media log. CC ID 12317
    [Maintain a record of the movements of hardware and electronic media and any person responsible for them. § 5.2.4. Table 20. Row 3 Description Bullet 1]
    Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Establish/Maintain Documentation
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Establish/Maintain Documentation
    Plan for acquiring facilities, technology, or services. CC ID 06892
    [{information technology systems} {information technology services} Acquire Information Technology (IT) Systems and Services § 5.1.1. Table 8. Row 4 Key Activities 4.]
    Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain acquisition notices. CC ID 16682 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include the geographic locations of the organization in the acquisition notice. CC ID 16723 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include certification that the organizations meet applicable requirements in the acquisition notice. CC ID 16714 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include the capital ratios in the acquisition notice. CC ID 16712 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include the relevant authorities in the acquisition notice. CC ID 16711 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include a description of the subsidiary's activities in the acquisition notice. CC ID 16707 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include the subsidiary's contact information in the acquisition notice. CC ID 16704 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include in scope transactions in the acquisition notice. CC ID 16700 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 Acquisition or sale of facilities, technology, and services Communicate
    Obtain user documentation before acquiring products and services. CC ID 14283 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include instructions on how to use the security functions in the user documentation. CC ID 14314 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include security functions in the user documentation. CC ID 14313 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include a description of user interactions in the user documentation. CC ID 14311 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Require the information system developer to create a continuous monitoring plan. CC ID 14307 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include roles and responsibilities in system acquisition contracts. CC ID 14765 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the acceptance criteria in system acquisition contracts. CC ID 14288 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include audit record generation capabilities in system acquisition contracts. CC ID 16427 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Include environmental considerations in the acquisition feasibility study. CC ID 16224 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 Acquisition or sale of facilities, technology, and services Technical Security
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Obtain authorization for marketing new products. CC ID 16805 Acquisition or sale of facilities, technology, and services Business Processes
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include management commitment in the product and services acquisition policy. CC ID 14161 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the scope in the product and services acquisition policy. CC ID 14159 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include the purpose in the product and services acquisition policy. CC ID 14158 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain the requirements for competitive bid documents. CC ID 16936 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain the requirements for off-contract purchases. CC ID 16929 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Require prior approval from the appropriate authority for any off-contract purchases. CC ID 16928 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Acquisition or sale of facilities, technology, and services Communicate
    Align the service management program with the Code of Conduct. CC ID 14211 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Install software that originates from approved third parties. CC ID 12184 Acquisition or sale of facilities, technology, and services Technical Security
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Determine whether a component of the regulated entity constitutes a healthcare clearinghouse under the HIPAA Security Rule. § 5.1.4. Table 11. Row 1 Description Bullet 2] Privacy protection for information and data Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Establish/Maintain Documentation
    Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 Privacy protection for information and data Establish/Maintain Documentation
    Include contact information in the privacy notice. CC ID 14432 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Establish/Maintain Documentation
    Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 Privacy protection for information and data Establish/Maintain Documentation
    Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Establish/Maintain Documentation
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Establish/Maintain Documentation
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Establish/Maintain Documentation
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Establish/Maintain Documentation
    Include the information about the appeal process in the privacy notice. CC ID 15312 Privacy protection for information and data Establish/Maintain Documentation
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Communicate
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Communicate
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Establish/Maintain Documentation
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Communicate
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Communicate
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Communicate
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Communicate
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Establish/Maintain Documentation
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Establish/Maintain Documentation
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Establish/Maintain Documentation
    Include how opt-out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Establish/Maintain Documentation
    Include the opt-out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Establish/Maintain Documentation
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Establish/Maintain Documentation
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Communicate
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Communicate
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Communicate
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Communicate
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Communicate
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Data and Information Management
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Communicate
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Communicate
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Establish/Maintain Documentation
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Data and Information Management
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Communicate
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Communicate
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Data and Information Management
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Communicate
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Establish/Maintain Documentation
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Behavior
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Establish Roles
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Establish/Maintain Documentation
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Establish/Maintain Documentation
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Establish/Maintain Documentation
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Establish/Maintain Documentation
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Process or Activity
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Process or Activity
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Data and Information Management
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Data and Information Management
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Technical Security
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Records Management
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Records Management
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Behavior
    Revoke waivers of data subjects' rights, as necessary. CC ID 16859 Privacy protection for information and data Behavior
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Data and Information Management
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Records Management
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Records Management
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Communicate
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Data and Information Management
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Data and Information Management
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Establish/Maintain Documentation
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Establish/Maintain Documentation
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Communicate
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Communicate
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Communicate
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Communicate
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Data and Information Management
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Communicate
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Process or Activity
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Process or Activity
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Process or Activity
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Process or Activity
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Process or Activity
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Data and Information Management
    Include the names of individuals to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Establish/Maintain Documentation
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Establish/Maintain Documentation
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Establish/Maintain Documentation
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Establish/Maintain Documentation
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Establish/Maintain Documentation
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Establish/Maintain Documentation
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Establish/Maintain Documentation
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Establish/Maintain Documentation
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Establish/Maintain Documentation
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Communicate
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Establish/Maintain Documentation
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Process or Activity
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Establish/Maintain Documentation
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Technical Security
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Establish/Maintain Documentation
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Establish/Maintain Documentation
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Establish/Maintain Documentation
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Establish/Maintain Documentation
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Establish/Maintain Documentation
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Establish/Maintain Documentation
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Establish/Maintain Documentation
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Establish/Maintain Documentation
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Establish/Maintain Documentation
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Establish/Maintain Documentation
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Establish/Maintain Documentation
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Establish/Maintain Documentation
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Establish/Maintain Documentation
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Establish/Maintain Documentation
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Establish/Maintain Documentation
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Establish/Maintain Documentation
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Establish/Maintain Documentation
    Include opt-out instructions in the privacy policy. CC ID 00411 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Establish/Maintain Documentation
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Establish/Maintain Documentation
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Establish/Maintain Documentation
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Communicate
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Communicate
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Establish/Maintain Documentation
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Process or Activity
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Business Processes
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Establish/Maintain Documentation
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Establish/Maintain Documentation
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Establish/Maintain Documentation
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Establish/Maintain Documentation
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Establish/Maintain Documentation
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Communicate
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Establish/Maintain Documentation
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Establish/Maintain Documentation
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Privacy protection for information and data Behavior
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Communicate
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Business Processes
    Establish, implement, and maintain a personal data choice and consent program. CC ID 12569 Privacy protection for information and data Establish/Maintain Documentation
    Provide a copy of the data subject's consent to the data subject. CC ID 17234 Privacy protection for information and data Communicate
    Date the data subject's consent. CC ID 17233 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Privacy protection for information and data Human Resources Management
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Business Processes
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Establish/Maintain Documentation
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Establish/Maintain Documentation
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Establish/Maintain Documentation
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Establish/Maintain Documentation
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Data and Information Management
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Business Processes
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Business Processes
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 Privacy protection for information and data Technical Security
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Business Processes
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Process or Activity
    Highlight the section regarding the data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Establish/Maintain Documentation
    Allow consent requests to be provided in any official language. CC ID 16530 Privacy protection for information and data Business Processes
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Communicate
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Records Management
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Data and Information Management
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Data and Information Management
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Privacy protection for information and data Data and Information Management
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Human Resources Management
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Human Resources Management
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless the applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Communicate
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Data and Information Management
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Human Resources Management
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Establish/Maintain Documentation
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Establish/Maintain Documentation
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Establish/Maintain Documentation
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Establish/Maintain Documentation
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Establish/Maintain Documentation
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Establish/Maintain Documentation
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Establish/Maintain Documentation
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Establish/Maintain Documentation
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Establish/Maintain Documentation
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Establish/Maintain Documentation
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Establish/Maintain Documentation
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Establish/Maintain Documentation
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Establish/Maintain Documentation
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Establish/Maintain Documentation
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Communicate
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed of, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document personal data use as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [Develop policies and procedures that will prevent or preclude the unauthorized access of unattended devices, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed. § 5.2.2. Table 18. Row 3 Description Bullet 2
    Ensure that ePHI is properly destroyed and cannot be recreated. § 5.2.4. Table 20. Row 1 Description Bullet 3
    Implement Methods for the Final Disposal of ePHI Implementation Specification (Required) § 5.2.4. Table 20. Row 1 Key Activities 1.]
    Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed of, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414 Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Behavior
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Communicate
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Data and Information Management
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Communicate
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Records Management
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Process or Activity
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Business Processes
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Establish/Maintain Documentation
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Records Management
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Records Management
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Records Management
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Records Management
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Records Management
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Records Management
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Records Management
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Records Management
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Records Management
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Records Management
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Records Management
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Records Management
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Records Management
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Records Management
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Records Management
    Process restricted data lawfully and carefully. CC ID 00086 Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Business Processes
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Process or Activity
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Data and Information Management
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Data and Information Management
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Behavior
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Privacy protection for information and data Records Management
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Data and Information Management
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Establish/Maintain Documentation
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Establish/Maintain Documentation
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Establish/Maintain Documentation
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Communicate
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Data and Information Management
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Data and Information Management
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when doing so prevents a life-threatening emergency to third parties. CC ID 00142 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when doing so preserves human life at sea. CC ID 00143 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Data and Information Management
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Data and Information Management
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Communicate
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507 Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Business Processes
    Refrain from selling restricted data, as necessary. CC ID 17165 Privacy protection for information and data Data and Information Management
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Data and Information Management
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Data and Information Management
    Document the exceptions under which restricted data may be redisclosed. CC ID 00170 Privacy protection for information and data Establish/Maintain Documentation
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Data and Information Management
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Communicate
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Data and Information Management
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Data and Information Management
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Communicate
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breach an express promise of privacy or an implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is used for protecting civil rights or the freedoms of others as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceedings or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include cases where the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify the data subject of any exclusions from the requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 Privacy protection for information and data Data and Information Management
    Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Data and Information Management
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Data and Information Management
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Data and Information Management
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Establish/Maintain Documentation
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Data and Information Management
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Data and Information Management
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Data and Information Management
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Behavior
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Data and Information Management
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Data and Information Management
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Data and Information Management
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Data and Information Management
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Data and Information Management
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Data and Information Management
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Data and Information Management
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Data and Information Management
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Data and Information Management
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Data and Information Management
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Data and Information Management
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Data and Information Management
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Data and Information Management
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Data and Information Management
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Data and Information Management
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Establish/Maintain Documentation
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Data and Information Management
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Data and Information Management
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Data and Information Management
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Data and Information Management
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Data and Information Management
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Data and Information Management
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Data and Information Management
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Data and Information Management
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Data and Information Management
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Data and Information Management
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Data and Information Management
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Data and Information Management
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Data and Information Management
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Data and Information Management
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Data and Information Management
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Data and Information Management
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Data and Information Management
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Data and Information Management
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Data and Information Management
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Data and Information Management
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Data and Information Management
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Data and Information Management
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Data and Information Management
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Data and Information Management
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Data and Information Management
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Data and Information Management
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Data and Information Management
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Data and Information Management
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Data and Information Management
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Data and Information Management
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Data and Information Management
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Data and Information Management
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Data and Information Management
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Data and Information Management
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Data and Information Management
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Establish/Maintain Documentation
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Data and Information Management
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Data and Information Management
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Data and Information Management
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Data and Information Management
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Data and Information Management
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Data and Information Management
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Data and Information Management
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Data and Information Management
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Technical Security
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Data and Information Management
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Behavior
    Manage health data collection. CC ID 00050 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Data and Information Management
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Data and Information Management
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Data and Information Management
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Behavior
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Data and Information Management
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Data and Information Management
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Data and Information Management
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Technical Security
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Data and Information Management
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Data and Information Management
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Data and Information Management
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Data and Information Management
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Data and Information Management
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Data and Information Management
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Data and Information Management
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Data and Information Management
    Validate the business need for maintaining collected restricted data. CC ID 17090 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Communicate
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606
    [Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 5.1.1. Table 8. Row 3 Description Bullet 1
    Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices. § 5.2.3. Table 19. Row 3 Description Bullet 1
    Ensure that an exact retrievable copy of the data is retained and protected to maintain the integrity of ePHI during equipment relocation. § 5.2.4. Table 20. Row 4 Description Bullet 2
    Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor's Security of ePHI Implementation Specification (Required) § 5.4.2. Table 27. Row 1 Key Activities 1.
    HIPAA Standard: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 5.4.2. ¶ 1]
    Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355
    [Implement appropriate measures to provide physical security protection for ePHI in a regulated entity's possession. § 5.2.1. Table 17. Row 3 Description Bullet 2]
    Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356
    [Ensure that ePHI is not inadvertently released or shared with any unauthorized party. § 5.2.4. Table 20. Row 3 Description Bullet 2]
    Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Data and Information Management
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Business Processes
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Behavior
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Establish/Maintain Documentation
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Communicate
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Data and Information Management
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Data and Information Management
    Prohibit personal data transfers when security is inadequate. CC ID 00345 Privacy protection for information and data Data and Information Management
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Data and Information Management
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Data and Information Management
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Establish/Maintain Documentation
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Data and Information Management
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Records Management
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Behavior
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Establish/Maintain Documentation
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Data and Information Management
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Data and Information Management
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Data and Information Management
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Data and Information Management
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Data and Information Management
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Data and Information Management
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Data and Information Management
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Data and Information Management
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Data and Information Management
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Data and Information Management
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Business Processes
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Data and Information Management
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Data and Information Management
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Data and Information Management
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Data and Information Management
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Communicate
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Behavior
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Data and Information Management
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Data and Information Management
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Process or Activity
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712
    [Consider the impact of a merger or acquisition on risks to ePHI. During a merger or acquisition, new data pathways may be introduced that lead to ePHI being stored, processed, or transmitted in previously unanticipated places. § 5.1.1. Table 8. Row 1 Description Bullet 5]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Establish/Maintain Documentation
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Establish/Maintain Documentation
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Establish/Maintain Documentation
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Establish/Maintain Documentation
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Business Processes
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Communicate
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Behavior
    Include supporting documentation in the privacy rights violation complaint. CC ID 16997 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Business Processes
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Establish/Maintain Documentation
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Establish/Maintain Documentation
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Establish/Maintain Documentation
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Establish/Maintain Documentation
    Notify individuals of their right to challenge personal data. CC ID 00457 Privacy protection for information and data Data and Information Management
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Data and Information Management
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Configuration
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Human Resources Management
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Data and Information Management
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Communicate
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Data and Information Management
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Communicate
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Establish/Maintain Documentation
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Establish/Maintain Documentation
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Establish/Maintain Documentation
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Privacy protection for information and data Behavior
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504 Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Communicate
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Establish/Maintain Documentation
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Behavior
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [If part of the strategy depends on external organizations for support, ensure that formal agreements are in place with specific requirements stated. § 5.1.7. Table 14. Row 4 Description Bullet 2
    Consider whether any vendor/service provider arrangements are critical to operations and address them as appropriate to ensure availability and reliability. § 5.1.7. Table 14. Row 2 Description Bullet 6
    Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2
    Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met § 5.1.9. Table 16. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612
    [Execute new or update existing agreements or arrangements, as appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Write contractual agreements in clear and conspicuous language. CC ID 16923 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the purpose in the information flow agreement. CC ID 17016 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the costs in the information flow agreement. CC ID 17018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{contract} Identify roles and responsibilities. § 5.1.9. Table 16. Row 3 Description Bullet 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Contract Must Provide That Business Associates Will Comply With the Applicable Requirements of the Security Rule Implementation Specification (Required) § 5.4.1. Table 26. Row 1 Key Activities 1.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515
    [Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. § 5.4.1. Table 26. Row 3 Description Bullet 1
    Contract Must Provide That Business Associates Will Report Security Incidents Implementation Specification (Required) § 5.4.1. Table 26. Row 3 Key Activities 3.
    Amend plan documents to incorporate provisions to require the plan sponsor to report any security incident of which it becomes aware to the group health plan. § 5.4.2. Table 27. Row 4 Description Bullet 1
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3
    Amend Plan Documents of Group Health Plans to Address the Reporting of Security Incidents Implementation Specification (Required) § 5.4.2. Table 27. Row 4 Key Activities 4.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532
    [Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI per the BAA or contract. § 5.1.9. Table 16. Row 2 Description Bullet 1
    Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract. § 5.4.1. Table 26. Row 3 Description Bullet 2
    Establish a reporting mechanism and a process for the plan sponsor to use in the event of a security incident. § 5.4.2. Table 27. Row 4 Description Bullet 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355
    [Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements. § 5.1.9. Table 16. Row 1 Description Bullet 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include on-site visits in third party contracts. CC ID 17306 Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367
    [Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate. § 5.1.9. Table 16. Row 3 Description Bullet 5]
    Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521
    [Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations. § 5.1.9. Table 16. Row 1 Description Bullet 4]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522
    [HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 5.1.9. ¶ 1
    {organizational requirements} HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 5.4.1. ¶ 1
    In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section. § 5.4.1. Table 26. Row 2 Description Bullet 1
    Contract Must Provide That the Business Associates Enter Into Contracts With Subcontractors to Ensure the Protection of ePHI Implementation Specification (Required) § 5.4.1. Table 26. Row 2 Key Activities 2.]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include location requirements in third party contracts. CC ID 16915 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach. § 5.4.1. Table 26. Row 3 Description Bullet 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Approve or deny third party recovery plans, as necessary. CC ID 17124 Third Party and supply chain oversight Systems Continuity
    Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 Third Party and supply chain oversight Communicate
    Establish and maintain a Third Party Service Provider list. CC ID 12480
    [{individual} {is current} Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current. § 5.1.9. Table 16. Row 1 Description Bullet 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the organization's name in the Third Party Service Provider list. CC ID 17287 Third Party and supply chain oversight Data and Information Management
    Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 Third Party and supply chain oversight Establish/Maintain Documentation
    Include storage locations in the Third Party Service Provider list. CC ID 17184 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the processing location in the Third Party Service Provider list. CC ID 17183 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the transferability of services in the Third Party Service Provider list. CC ID 17185 Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Establish/Maintain Documentation
Categorize all suppliers in the supply chain management program. CC ID 00792 [Identify Entities That Are Business Associates Under the HIPAA Security Rule § 5.1.9. Table 16. Row 1 Key Activities 1.] Third Party and supply chain oversight Establish/Maintain Documentation
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [Regulated entities should consider how cloud services and other third-party IT system and service offerings can both assist regulated entities in protecting ePHI while also potentially introducing new risks to ePHI. § 5.1.1. Table 8. Row 4 Description Bullet 1] Third Party and supply chain oversight Establish/Maintain Documentation