0003986
45 CFR Part 164 - Security and Privacy, current as of Oct 2024
US Department of Health and Human Services
Regulations
Free
HIPAA Security and Privacy Rule
45 CFR Part 164 - Security and Privacy, current as of Oct 2024
Varies
The document as a whole was last reviewed and released on 2024-10-14T00:00:00-0700.
0003986
Free
US Department of Health and Human Services
Regulations
HIPAA Security and Privacy Rule
45 CFR Part 164 - Security and Privacy, current as of Oct 2024
Varies
The document as a whole was last reviewed and released on 2024-10-14T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within 45 CFR Part 164 - Security and Privacy, current as of Oct 2024 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for 45 CFR Part 164 - Security and Privacy, current as of Oct 2024 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 164.308(a)(1)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 | Business Processes | Preventive | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
| Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
| Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 | Establish/Maintain Documentation | Preventive | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
| Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Establish Roles | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
| Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
| Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
| Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
| Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
| Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
| Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
| Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
| Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
| Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
| Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
| Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
| Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
| Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
| Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
| Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
| Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and Risk Management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and Risk Management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. § 164.308(a)(1)(ii)(A)] | Testing | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Behavior | Preventive | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and Risk Management | Detective | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and Risk Management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Establish/Maintain Documentation | Preventive | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
| Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
| Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
| Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
| Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Establish/Maintain Documentation | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
| Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
| Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
Harmonization Methods and Manual of Style | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
| Structure the language of compliance documents. CC ID 06098 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain general sentence structure guidelines. CC ID 06131 | Establish/Maintain Documentation | Preventive | |
| Use brevity of language. CC ID 06137 [{written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1)] | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. § 164.530(a)(1)(i)] | Establish Roles | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [{be responsible}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for access by individuals. § 164.524(e)(2) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Human Resources Management | Preventive | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Establish Roles | Preventive | |
| Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources Management | Preventive | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
| Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
| Assign the role of data custodian to applicable controls. CC ID 04789 [{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals. § 164.528(d)(3)] | Establish Roles | Preventive | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources Management | Preventive | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. § 164.308(a)(3)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources Management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources Management | Preventive | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources Management | Preventive | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources Management | Preventive | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources Management | Preventive | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources Management | Preventive | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources Management | Preventive | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources Management | Preventive | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources Management | Preventive | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources Management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources Management | Preventive | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Establish/Maintain Documentation | Preventive | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Establish/Maintain Documentation | Preventive | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Establish/Maintain Documentation | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and § 164.530(b)(2)(i)(B)] | Behavior | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the personnel security policy. CC ID 14113 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the personnel security policy. CC ID 14111 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the personnel security policy. CC ID 14110 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Communicate | Preventive | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 [Implementation specification: Personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section. § 164.530(a)(2)] | Human Resources Management | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
| Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Technical Security | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. § 164.308(a)(3)(ii)(C)] | Technical Security | Corrective | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Data and Information Management | Corrective | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Behavior | Preventive | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Communicate | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources Management | Corrective | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Behavior | Preventive | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources Management | Preventive | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Establish/Maintain Documentation | Preventive | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
| Train all personnel and third parties, as necessary. CC ID 00785 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: § 164.530(b)(2)(i)] | Behavior | Preventive | |
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Business Processes | Preventive | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
| Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section. § 164.530(b)(2)(i)(C)] | Behavior | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Behavior | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
| Document all training in a training record. CC ID 01423 [A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. § 164.530(b)(2)(ii)] | Establish/Maintain Documentation | Detective | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
| Conduct tests and evaluate training. CC ID 06672 | Testing | Detective | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 [{stipulated time frame}A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce by no later than the compliance date for the covered entity; § 164.530(b)(2)(i)(A)] | Establish/Maintain Documentation | Preventive | |
| Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources Management | Preventive | |
| Include insider threats in the security awareness program. CC ID 16963 | Training | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
| Include risk management in the security awareness program. CC ID 13040 | Training | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
| Conduct personal data processing training. CC ID 13757 [Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. § 164.530(b)(1)] | Training | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
| Include cloud security in the security awareness program. CC ID 13039 | Training | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). § 164.308(a)(5)(i)] | Establish/Maintain Documentation | Preventive | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Implement: Security reminders (Addressable). Periodic security updates. § 164.308(a)(5)(ii)(A)] | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
| Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
| Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 164.308(a)(1)(ii)(C) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of §164.502(j) or paragraph (g)(2) of this section. § 164.530(e)(1)] | Behavior | Corrective | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Communicate | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the business environment in which the organization operates. CC ID 12798 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The size, complexity, and capabilities of the covered entity or business associate. § 164.306(b)(2)(i) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Business Processes | Preventive | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Process or Activity | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Implement the implementation specification if reasonable and appropriate; or § 164.306(d)(3)(ii)(A) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications. § 164.306(d)(2) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Establish/Maintain Documentation | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 [{Notice of Privacy Practices} Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published. § 164.520(b)(1)(viii) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change is effective only with respect to protected health information created or received after the effective date of the notice. § 164.530(i)(4)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Establish/Maintain Documentation | Preventive | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
| Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{put in place} Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). § 164.314(a)(2)(ii) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110); § 164.512(i)(2)(iv)(A)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and § 164.316(b)(1)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii) A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section. § 164.530(i)(5)(ii) {written form}A covered entity must: Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form; § 164.530(j)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; § 164.530(i)(4)(i)(A) {Notice of Privacy Practices}A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and § 164.530(i)(5)(i)] | Establish/Maintain Documentation | Preventive | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{not be suitable}{reason}If implementing the implementation specification is not reasonable and appropriate— Document why it would not be reasonable and appropriate to implement the implementation specification; and § 164.306(d)(3)(ii)(B)$(1) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Establish/Maintain Documentation | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{not be suitable}If implementing the implementation specification is not reasonable and appropriate— Implement an equivalent alternative measure if reasonable and appropriate. § 164.306(d)(3)(ii)(B)$(2)] | Establish/Maintain Documentation | Preventive | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 [{make available}A covered entity or business associate must, in accordance with §164.306: Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 164.316(b)(2)(ii)] | Behavior | Preventive | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Behavior | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(b)] | Log Management | Preventive | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Configuration | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Implement: Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)] | Log Management | Detective | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Log Management | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Technical Security | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)] | Log Management | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Technical Security | Detective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any. § 164.530(e)(2)] | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Correct compliance violations. CC ID 13515 [{employee}The plan documents must: Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph. § 164.504(f)(2)(iii)(C) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Process or Activity | Corrective | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 [Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 164.308(a)(7)(i)] | Establish/Maintain Documentation | Preventive | |
| Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Testing | Detective | |
| Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Investigate | Detective | |
| Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Investigate | Detective | |
| Establish, implement, and maintain a business continuity policy. CC ID 12405 | Establish/Maintain Documentation | Preventive | |
| Include escalation procedures in the business continuity policy. CC ID 17203 | Systems Continuity | Preventive | |
| Include compliance requirements in the business continuity policy. CC ID 14237 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the business continuity policy. CC ID 14235 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the business continuity policy. CC ID 14233 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the business continuity policy. CC ID 14231 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the business continuity policy. CC ID 14190 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Communicate | Preventive | |
| Include the purpose in the business continuity policy. CC ID 14188 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Establish/Maintain Documentation | Preventive | |
| Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Establish/Maintain Documentation | Preventive | |
| Include documentation requirements in the business continuity testing policy. CC ID 14377 | Establish/Maintain Documentation | Preventive | |
| Include reporting requirements in the business continuity testing policy. CC ID 14397 | Establish/Maintain Documentation | Preventive | |
| Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Establish/Maintain Documentation | Preventive | |
| Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Establish/Maintain Documentation | Preventive | |
| Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Establish/Maintain Documentation | Preventive | |
| Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Establish/Maintain Documentation | Preventive | |
| Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Establish/Maintain Documentation | Preventive | |
| Include data recovery in the business continuity testing strategy. CC ID 13262 | Establish/Maintain Documentation | Preventive | |
| Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Establish/Maintain Documentation | Preventive | |
| Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Testing | Detective | |
| Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Establish/Maintain Documentation | Preventive | |
| Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the scope of the continuity framework. CC ID 11908 | Establish/Maintain Documentation | Preventive | |
| Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
| Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
| Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Establish/Maintain Documentation | Preventive | |
| Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
| Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Establish/Maintain Documentation | Preventive | |
| Include business units in the scope of the continuity framework. CC ID 11898 | Establish/Maintain Documentation | Preventive | |
| Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
| Include information security continuity in the scope of the continuity framework. CC ID 12009 | Systems Continuity | Preventive | |
| Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
| Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Establish/Maintain Documentation | Preventive | |
| Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
| Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
| Include Quality Management in the continuity framework. CC ID 12239 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a system continuity plan philosophy. CC ID 00734 | Establish/Maintain Documentation | Preventive | |
| Define the executive vision of the continuity planning process. CC ID 01243 | Establish/Maintain Documentation | Preventive | |
| Include a pandemic plan in the continuity plan. CC ID 06800 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Establish Roles | Preventive | |
| Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Systems Continuity | Preventive | |
| Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Establish/Maintain Documentation | Preventive | |
| Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Systems Continuity | Corrective | |
| Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Monitor and Evaluate Occurrences | Detective | |
| Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
| Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Systems Continuity | Detective | |
| Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. § 164.308(a)(7)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
| Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
| Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Establish/Maintain Documentation | Preventive | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
| Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
| Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. § 164.308(a)(7)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Establish Roles | Preventive | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
| Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Establish/Maintain Documentation | Preventive | |
| Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Systems Continuity | Detective | |
| Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Configuration | Preventive | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Configuration | Preventive | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Physical and Environmental Protection | Preventive | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Physical and Environmental Protection | Preventive | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Configuration | Preventive | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Physical and Environmental Protection | Preventive | |
| Install electrical grounding equipment. CC ID 06359 | Physical and Environmental Protection | Preventive | |
| Implement redundancy in life-safety systems. CC ID 02228 | Physical and Environmental Protection | Preventive | |
| Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Establish/Maintain Documentation | Preventive | |
| Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
| Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
| Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
| Include outages in the emergency operating procedures. CC ID 17129 | Establish/Maintain Documentation | Preventive | |
| Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Establish/Maintain Documentation | Preventive | |
| Define and prioritize critical business functions. CC ID 00736 [Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. § 164.308(a)(7)(ii)(E)] | Establish/Maintain Documentation | Detective | |
| Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
| Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
| Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Systems Continuity | Preventive | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Establish/Maintain Documentation | Preventive | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Process or Activity | Corrective | |
| Define and prioritize critical business records. CC ID 11687 | Establish/Maintain Documentation | Preventive | |
| Identify all critical business records. CC ID 00737 | Records Management | Detective | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Establish/Maintain Documentation | Detective | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Establish/Maintain Documentation | Detective | |
| Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Establish/Maintain Documentation | Preventive | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Establish/Maintain Documentation | Preventive | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Establish/Maintain Documentation | Preventive | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Data and Information Management | Preventive | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Establish/Maintain Documentation | Preventive | |
| Include online capabilities in the continuity plan. CC ID 11690 | Establish/Maintain Documentation | Preventive | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Establish/Maintain Documentation | Preventive | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Establish/Maintain Documentation | Preventive | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Establish/Maintain Documentation | Preventive | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Establish/Maintain Documentation | Detective | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Establish/Maintain Documentation | Preventive | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Establish/Maintain Documentation | Preventive | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Establish/Maintain Documentation | Preventive | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Testing | Detective | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Testing | Detective | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Testing | Detective | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Establish/Maintain Documentation | Preventive | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Systems Continuity | Preventive | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Establish/Maintain Documentation | Detective | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Physical and Environmental Protection | Preventive | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Establish/Maintain Documentation | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
| Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. § 164.308(a)(7)(ii)(A)] | Systems Continuity | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Data and Information Management | Detective | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Testing | Detective | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Configuration | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Establish/Maintain Documentation | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Data and Information Management | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
| Perform backup procedures for in scope systems. CC ID 11692 | Process or Activity | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
| Back up all records. CC ID 11974 | Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Establish/Maintain Documentation | Preventive | |
| Encrypt backup data. CC ID 00958 | Configuration | Preventive | |
| Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Testing | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
| Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Establish/Maintain Documentation | Preventive | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Establish/Maintain Documentation | Preventive | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Testing | Detective | |
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Acquisition/Sale of Assets or Services | Preventive | |
| Minimize system continuity requirements. CC ID 00753 | Establish/Maintain Documentation | Preventive | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Establish/Maintain Documentation | Preventive | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Acquisition/Sale of Assets or Services | Preventive | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Acquisition/Sale of Assets or Services | Preventive | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Business Processes | Detective | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
| Validate information security continuity controls regularly. CC ID 12008 | Systems Continuity | Preventive | |
| Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Communicate | Preventive | |
| Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Establish/Maintain Documentation | Preventive | |
| Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
| Establish, implement, and maintain a continuity test plan. CC ID 04896 [Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. § 164.308(a)(7)(ii)(D)] | Establish/Maintain Documentation | Preventive | |
| Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Establish/Maintain Documentation | Preventive | |
| Include recovery procedures in the continuity test plan. CC ID 14876 | Establish/Maintain Documentation | Preventive | |
| Include test scripts in the continuity test plan. CC ID 14875 | Establish/Maintain Documentation | Preventive | |
| Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Establish/Maintain Documentation | Preventive | |
| Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Establish/Maintain Documentation | Preventive | |
| Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the continuity test plan. CC ID 14399 | Establish/Maintain Documentation | Preventive | |
| Include testing all system components in the continuity test plan. CC ID 13508 | Establish/Maintain Documentation | Preventive | |
| Include test scenarios in the continuity test plan. CC ID 13506 | Establish/Maintain Documentation | Preventive | |
| Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Establish/Maintain Documentation | Preventive | |
| Include the risk assessment results in the continuity test plan. CC ID 17205 | Establish/Maintain Documentation | Preventive | |
| Include the business impact analysis test results in the continuity test plan CC ID 17204 | Establish/Maintain Documentation | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. § 164.530(i)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. § 164.306(b)(2)(ii)] | Process or Activity | Preventive | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
| Conduct governance meetings, as necessary. CC ID 16946 | Process or Activity | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
| Include governance threshold requirements in the governance policy. CC ID 16933 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
| Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
| Review the relevance of information supporting internal controls. CC ID 12420 [{be reasonable}{be appropriate} Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and § 164.306(d)(3)(i)] | Business Processes | Detective | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 [Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. § 164.308(a)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Establish/Maintain Documentation | Preventive | |
| Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
| Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
| Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
| Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
| Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Establish/Maintain Documentation | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
| Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Business Processes | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 164.308(a)(2)] | Human Resources Management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
| Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
| Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
| Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
| Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
| Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
| Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
| Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
| Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
| Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
| Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
| Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
| Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
| Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
| Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
| Include continuous monitoring in the operational control procedures. CC ID 17137 | Establish/Maintain Documentation | Preventive | |
| Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
| Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
| Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
| Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
| Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
| Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
| Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
| Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
| Include roles and responsibilities in the operational control procedures. CC ID 17159 | Establish/Maintain Documentation | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
| Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
| Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
| Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
| Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Communicate | Preventive | |
| Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
| Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
| Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
| Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
| Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
| Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
| Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
| Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
| Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
| Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
| Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
| Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
| Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
| Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
| Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
| Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [{requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Establish/Maintain Documentation | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 [{person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; § 164.514(e)(4)(ii)(C)(3)] | Establish/Maintain Documentation | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; § 164.514(e)(4)(ii)(C)(2)] | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 [{refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Establish/Maintain Documentation | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and § 164.514(e)(4)(ii)(C)(4)] | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Covered entities and business associates must do the following: Ensure compliance with this subpart by its workforce. § 164.306(a)(4) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed. § 164.504(g)(1) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law. § 164.512(a)(2) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. § 164.414(a) Standard: minimum necessary requirements. In order to comply with §164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information. § 164.514(d)(1) {refrain from disclosing}{refrain from using} Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. § 164.502(f) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §§164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information. § 164.306(c) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement; § 164.520(d)(1) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: § 164.530(i)(4)(ii) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with §164.504(f). § 164.530(k)(2)] | Establish/Maintain Documentation | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 | Business Processes | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 [Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). § 164.310(a)(2)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [Standard: Security incident procedures. Implement policies and procedures to address security incidents. § 164.308(a)(6)(i)] | Business Processes | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Human Resources Management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Process or Activity | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Monitor and Evaluate Occurrences | Detective | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Establish/Maintain Documentation | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
| Share data loss event information with interconnected system owners. CC ID 01209 [{breach notification} A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under §164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. § 164.410(c)(2)] | Establish/Maintain Documentation | Corrective | |
| Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority} Standard. A covered entity shall, following the discovery of a breach of unsecured protected health informationpan> as provided in §164.404(a)(2), notify the Secretary. § 164.408(a)] | Data and Information Management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
| Remediate security violations according to organizational standards. CC ID 12338 [Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate. § 164.530(f)] | Business Processes | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. § 164.404(a)(1) {breach notification}{Secretary}{individual}{at the same time} Implementation specifications: Breaches involving 500 or more individuals. For breaches of erb">;" class="term_primary-noun">unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by §164.404(a) and in the manner specified on the HHS Web site. § 164.408(b) {stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b) {breach notification}If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or § 164.412(a)] | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, :#CBD0E5;" class="term_secondary-verb">including the identity of the official making the statement, and color:#CBD0E5;" class="term_secondary-verb">delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b)] | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 [{breach notification}{media} Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of §164.404(c). § 164.406(c)] | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 [{breach notification} Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language. § 164.404(c)(2)] | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); § 164.404(c)(1)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 [{covered entity}{breach notification} The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, style="background-color:#CBD0E5;" class="term_secondary-verb">accessed, acquired, ckground-color:#CBD0E5;" class="term_secondary-verb">used, or disclosed during the breach. § 164.410(c)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Any steps individuals should take to protect themselves from potential harm resulting from the breach; § 164.404(c)(1)(C)] | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. § 164.404(c)(1)(E)] | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(ii) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 [{be out-of-date}{breach notification} In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. § 164.404(d)(2)(i) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii). § 164.404(d)(2)] | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section. § 164.404(d)(3)] | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 [{breach notification}{stipulated time frame}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: y-verb">Include> a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. § 164.404(d)(2)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 [{breach notification} Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in §164.404(a)(2), notifyn> style="background-color:#F0BBBC;" class="term_primary-noun">prominent media outlets serving the State or jurisdiction. § 164.406(a)] | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
| Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 [Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. § 164.310(a)(2)(i) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 164.312(a)(2)(ii)] | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 [{stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall rb">maintainn> a log> or other background-color:#F0BBBC;" class="term_primary-noun">documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Records Management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{breach notification}{stipulated time frame} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.406(b) {breach notification} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.404(b) {breach notification}{covered entity}{stipulated time frame} Implementation specifications: Timeliness of notification. Except as provided in §164.412, a business associate shall erm_primary-verb">provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.410(b)] | Communicate | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Create an incident response report. CC ID 12700 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Establish/Maintain Documentation | Preventive | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Establish/Maintain Documentation | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Establish/Maintain Documentation | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Establish/Maintain Documentation | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Establish/Maintain Documentation | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Establish/Maintain Documentation | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Establish/Maintain Documentation | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Establish/Maintain Documentation | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Establish/Maintain Documentation | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Establish/Maintain Documentation | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Establish/Maintain Documentation | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Establish/Maintain Documentation | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Establish/Maintain Documentation | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Establish/Maintain Documentation | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Establish/Maintain Documentation | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Establish/Maintain Documentation | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Establish/Maintain Documentation | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Establish/Maintain Documentation | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Establish/Maintain Documentation | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Establish/Maintain Documentation | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Establish/Maintain Documentation | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Establish/Maintain Documentation | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Establish/Maintain Documentation | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Establish/Maintain Documentation | Preventive | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Communicate | Preventive | |
| Mitigate reported incidents. CC ID 12973 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cost management procedures. CC ID 00873 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The costs of security measures. § 164.306(b)(2)(iii)] | Business Processes | Detective | |
| Update the business cases for cost management procedures, as necessary. CC ID 13642 | Business Processes | Preventive | |
| Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Investigate | Detective | |
| Identify deviations in cost management procedures. CC ID 13640 | Investigate | Detective | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and § 164.530(i)(4)(ii)(A) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Business Processes | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a)] | Establish/Maintain Documentation | Preventive | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 [A covered entity or business associate must, in accordance with §164.306: Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. § 164.316(b)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
| Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
| Conduct official proceedings, as necessary. CC ID 13836 | Human Resources Management | Preventive | |
| Conduct hearings, as necessary. CC ID 13016 | Process or Activity | Detective | |
| Notify interested personnel and affected parties of the date, time, and place of the hearing. CC ID 13017 | Communicate | Preventive | |
| Issue subpoenas, as necessary. CC ID 14350 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Communicate | Corrective | |
| Include a description of the documents to be produced for the hearing on the subpoena. CC ID 14358 | Communicate | Detective | |
| Include the subject matter for the testimony on the subpoena. CC ID 14356 | Communicate | Detective | |
| Include the date, time, and place of the hearing on the subpoena. CC ID 14354 | Communicate | Detective | |
| Include the statutory authority on the subpoena. CC ID 14353 | Communicate | Preventive | |
| Deliver the subpoena to interested personnel and affected parties. CC ID 14357 | Communicate | Detective | |
| Include the addressee on the subpoena. CC ID 14351 | Communicate | Detective | |
| Identify alleged violations of law, regulations, or policy/guidance on the subpoena, as necessary. CC ID 14856 | Establish/Maintain Documentation | Detective | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 164.310(a)(1)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Establish/Maintain Documentation | Preventive | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Establish/Maintain Documentation | Preventive | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Establish/Maintain Documentation | Preventive | |
| Conduct external audits of the physical security plan. CC ID 13314 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Establish/Maintain Documentation | Preventive | |
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and Environmental Protection | Preventive | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and Environmental Protection | Preventive | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and Environmental Protection | Preventive | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Configuration | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Configuration | Preventive | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
| Inspect device surfaces to detect tampering. CC ID 11868 | Investigate | Detective | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Investigate | Detective | |
| Inspect for tampering, as necessary. CC ID 10640 | Monitor and Evaluate Occurrences | Detective | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Communicate | Preventive | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 164.310(a)(2)(ii)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
| Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
| Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
| Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 [Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. § 164.310(a)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
| Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
| Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
| Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
| Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
| Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
| Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
| Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
| Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
| Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
| Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Monitor and Evaluate Occurrences | Detective | |
| Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
| Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
| Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
| Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
| Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
| Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 164.310(c)] | Physical and Environmental Protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Records Management | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Records Management | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Business Processes | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Data and Information Management | Detective | |
| Restrict physical access to distributed assets. CC ID 11865 | Physical and Environmental Protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and Environmental Protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 | Physical and Environmental Protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
| Control access to restricted storage media. CC ID 04889 | Data and Information Management | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and Environmental Protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Records Management | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Log Management | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 | Records Management | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and Environmental Protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and Environmental Protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Configuration | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and Environmental Protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and Environmental Protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
| Monitor the location of distributed assets. CC ID 11684 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Monitor and Evaluate Occurrences | Detective | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Establish/Maintain Documentation | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and Environmental Protection | Preventive | |
| Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Communicate | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Communicate | Preventive | |
| Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and Environmental Protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Establish/Maintain Documentation | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Behavior | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Behavior | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Behavior | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Behavior | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Behavior | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Configuration | Preventive | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Investigate | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Monitor and Evaluate Occurrences | Corrective | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Technical Security | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Establish/Maintain Documentation | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and Environmental Protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Technical Security | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Configuration | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Technical Security | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Establish/Maintain Documentation | Preventive | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and Environmental Protection | Preventive | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and Environmental Protection | Detective | |
| Lock closable storage containers. CC ID 06307 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Establish/Maintain Documentation | Preventive | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Business Processes | Preventive | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Establish/Maintain Documentation | Preventive | |
| Control the issuance of payment cards. CC ID 06403 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Establish/Maintain Documentation | Preventive | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Establish Roles | Preventive | |
| Inventory payment cards, as necessary. CC ID 13547 | Records Management | Preventive | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and Environmental Protection | Preventive | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and Environmental Protection | Preventive | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Business Processes | Preventive | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Establish/Maintain Documentation | Preventive | |
| Notify customers about payment card usage security measures. CC ID 06407 | Behavior | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and Environmental Protection | Preventive | |
| Install and protect network cabling. CC ID 08624 | Physical and Environmental Protection | Preventive | |
| Control physical access to network cables. CC ID 00723 | Process or Activity | Preventive | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and Environmental Protection | Preventive | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and Environmental Protection | Preventive | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and Environmental Protection | Detective | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and Environmental Protection | Preventive | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and Environmental Protection | Preventive | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and Environmental Protection | Detective | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and Environmental Protection | Preventive | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Establish/Maintain Documentation | Preventive | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and Environmental Protection | Preventive | |
| Label each end of a network cable run. CC ID 08632 | Physical and Environmental Protection | Preventive | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and Environmental Protection | Preventive | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and Environmental Protection | Preventive | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Establish/Maintain Documentation | Preventive | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and Environmental Protection | Preventive | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and Environmental Protection | Preventive | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and Environmental Protection | Preventive | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and Environmental Protection | Preventive | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and Environmental Protection | Preventive | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and Environmental Protection | Preventive | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and Environmental Protection | Preventive | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Configuration | Preventive | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and Environmental Protection | Preventive | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and Environmental Protection | Preventive | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and Environmental Protection | Preventive | |
| Install and maintain network patch panels. CC ID 08636 | Physical and Environmental Protection | Preventive | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and Environmental Protection | Preventive | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and Environmental Protection | Preventive | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and Environmental Protection | Preventive | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and Environmental Protection | Preventive | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and Environmental Protection | Preventive | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and Environmental Protection | Preventive | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Establish/Maintain Documentation | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Establish/Maintain Documentation | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. § 164.306(a)(1) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and § 164.520(d)(2) {Notice of Privacy Practices}{reserve}{right}{change}{term} For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section. § 164.520(b)(2)(ii) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Maintain a notice under this section; and § 164.520(a)(3)(ii)(A) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 [{Notice of Privacy Practices} Header. The notice must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." § 164.520(b)(1)(i) {Notice of Privacy Practices}The notice must contain: A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations. § 164.520(b)(1)(ii)(A) {privacy notice} The notice must contain: If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter. § 164.520(b)(1)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 [{privacy notice} The notice must contain: For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2. § 164.520(b)(1)(ii)(D)] | Establish/Maintain Documentation | Preventive | |
| Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [{Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii) {Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii)] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 [{privacy notice} {substance use disorder treatment} {refrain from receiving} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications. § 164.520(b)(1)(iii)(E)] | Establish/Maintain Documentation | Preventive | |
| Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509. § 164.520(b)(1)(ii)(G)] | Establish/Maintain Documentation | Preventive | |
| Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. § 164.520(b)(1)(ii)(F) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes; § 164.520(b)(1)(iii)(C)] | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; § 164.520(b)(1)(iii)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to inspect and copy protected health information as provided by §164.524; § 164.520(b)(1)(iv)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to amend protected health information as provided by §164.526; § 164.520(b)(1)(iv)(D) When a covered entity changes a privacy practice that is stated in the notice described in §164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with §164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or § 164.530(i)(2)(ii) {Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 [{Notice of Privacy Practices} In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by §164.512(j)(1)(i). § 164.520(b)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Establish/Maintain Documentation | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 [{Notice of Privacy Practices}{without authorization}The notice must contain: A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written authorization. § 164.520(b)(1)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [{privacy notice} The notice must contain: A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart § 164.520(b)(1)(ii)(H)] | Establish/Maintain Documentation | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 [{Notice of Privacy Practices}{stipulated time frame} No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice. § 164.520(c)(1)(ii) {Notice of Privacy Practices}{time requirement}Provide the notice: No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or § 164.520(c)(2)(i)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Establish/Maintain Documentation | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 [{Notice of privacy practices} Implementation specifications: Joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: § 164.520(d)] | Establish/Maintain Documentation | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{Notice of Privacy Practices}{protected health information} Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity. § 164.520(a)(4)] | Communicate | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [{Notice of privacy practices} A health plan must provide the notice: § 164.520(c)(1)(i) {Notice of Privacy Practices}A health plan must provide the notice: Thereafter, at the time of enrollment, to individuals who are new enrollees. § 164.520(c)(1)(i)(B) {Notice of Privacy Practices}A health plan must provide the notice: No later than the compliance date for the health plan, to individuals then covered by the plan; § 164.520(c)(1)(i)(A) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice. § 164.520(d)(3) {Notice of privacy practices}Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must: Provide the notice: § 164.520(c)(2)(i) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice. § 164.520(c)(3)(iii) {Notice of Privacy Practices} The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents. § 164.520(c)(1)(iii) {Notice of Privacy Practices} If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice. § 164.520(c)(1)(iv) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {Notice of Privacy Practices}{time requirement}Provide the notice: In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. § 164.520(c)(2)(i)(B) {Notice of Privacy Practices}{make available} Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable. § 164.520(c) {Notice of Privacy Practices} The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request. § 164.520(c)(3)(iv) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan. § 164.520(a)(3)(ii)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Communicate | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 [{Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Communicate | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 [{Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Communicate | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Communicate | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Communicate | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Establish/Maintain Documentation | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Establish/Maintain Documentation | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Establish/Maintain Documentation | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 [{privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Establish/Maintain Documentation | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Communicate | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Communicate | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Communicate | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Communicate | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Communicate | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Data and Information Management | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Communicate | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{Notice of Privacy Practices}The notice must contain: A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information; § 164.520(b)(1)(v)(A) {Notice of Privacy Practices}Covered entity's duties. The notice must contain: A statement that the covered entity is required to abide by the terms of the notice currently in effect; and § 164.520(b)(1)(v)(B) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Communicate | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Establish/Maintain Documentation | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Data and Information Management | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive an accounting of disclosures of protected health information as provided by §164.528; and § 164.520(b)(1)(iv)(E) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Communicate | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Communicate | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Process or Activity | Detective | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Communicate | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Behavior | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [{access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. § 164.508(c)(4)] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Process or Activity | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Behavior | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Behavior | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Data and Information Management | Preventive | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 [{protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or § 164.512(c)(2)(i) {protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(c)(2)(ii)] | Communicate | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements. § 164.524(c) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and § 164.514(d)(4)(iii)(A) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) A covered entity must document the following and retain the documentation as required by §164.530(j): The designated record sets that are subject to access by individuals; and § 164.524(e)(1)] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Process or Activity | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Process or Activity | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Process or Activity | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Process or Activity | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii)] | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [{privacy notice} {types} {use} {disclosure} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: § 164.520(b)(1)(iii) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [{access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i) {stipulated time frame} An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: § 164.528(a)(1) The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. The covered entity must provide the individual with the accounting requested; or § 164.528(c)(1)(i)] | Data and Information Management | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(f)(2)(ii)(G)] | Establish/Maintain Documentation | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) {stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief description of the protected health information disclosed; and § 164.528(b)(2)(iii) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period; § 164.528(b)(3)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A brief description of the type of protected health information that was disclosed; § 164.528(b)(4)(i)(C) {accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section; § 164.528(d)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The date of the disclosure; § 164.528(b)(2)(i) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Establish/Maintain Documentation | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The name of the entity or person who received the protected health information and, if known, the address of such entity or person; § 164.528(b)(2)(ii) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Establish/Maintain Documentation | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 [If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The frequency, periodicity, or number of the disclosures made during the accounting period; and § 164.528(b)(3)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 [{final date}If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The date of the last such disclosure during the accounting period. § 164.528(b)(3)(iii) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Establish/Maintain Documentation | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 [{refrain from disclosing}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity. § 164.528(b)(4)(i)(F) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name of the protocol or other research activity; § 164.528(b)(4)(i)(A) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Data and Information Management | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{disclosure}{protected health information} Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements. § 164.528(b) {stipulated time frame} An individual may request an accounting of disclosures for a period of time less than six years from the date of the request. § 164.528(a)(3) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2)] | Communicate | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Establish/Maintain Documentation | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Process or Activity | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Establish/Maintain Documentation | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Technical Security | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Process or Activity | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Document the policy or procedure, as revised, as required by paragraph (j) of this section; and § 164.530(i)(4)(i)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and § 164.520(d)(2)(ii) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request. § 164.520(b)(1)(iv)(F) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies; § 164.520(d)(2)(i) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. § 164.520(d)(2)(iii) {Notice of privacy practices}Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive confidential communications of protected health information as provided by §164.522(b), as applicable; § 164.520(b)(1)(iv)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Establish/Maintain Documentation | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Establish/Maintain Documentation | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Establish/Maintain Documentation | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Establish/Maintain Documentation | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Establish/Maintain Documentation | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Establish/Maintain Documentation | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Establish/Maintain Documentation | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi)] | Establish/Maintain Documentation | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Establish/Maintain Documentation | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Establish/Maintain Documentation | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Establish/Maintain Documentation | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Establish/Maintain Documentation | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Establish/Maintain Documentation | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Establish/Maintain Documentation | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Establish/Maintain Documentation | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Establish/Maintain Documentation | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Establish/Maintain Documentation | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 [{Notice of Privacy Practices} A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site. § 164.520(c)(3)(i) {Notice of Privacy Practices}{make available}If the covered health care provider maintains a physical service delivery site: Have the notice available at the service delivery site for individuals to request to take with them; and § 164.520(c)(2)(iii)(A) {Notice of Privacy Practices}If the covered health care provider maintains a physical service delivery site: Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and § 164.520(c)(2)(iii)(B)] | Establish/Maintain Documentation | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Communicate | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
| Approve the privacy plan. CC ID 14700 | Business Processes | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{Notice of Privacy Practices}{stipulated time frame}If there is a material change to the notice: A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice. § 164.520(c)(1)(v)(B)] | Behavior | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Communicate | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Business Processes | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Communicate | Preventive | |
| Date the data subject's consent. CC ID 17233 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications. § 164.514(f)(2)(iii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Human Resources Management | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of: § 164.508(a)(3)(i) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. § 164.508(b)(4)(iii) {Notice of privacy practices}{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity's notice. § 164.508(c)(2)(i)(B) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. § 164.508(c)(1)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{use}{disclosure}{protected health information} Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that: § 164.508(b)(5) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The individual's right to revoke the authorization in writing, and either: § 164.508(c)(2)(i) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E)] | Establish/Maintain Documentation | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 [{protected health information}{disclosure recipient}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. § 164.508(c)(1)(iii)] | Establish/Maintain Documentation | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 [{protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Establish/Maintain Documentation | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 [{protected health information}{sale} Such authorization must state that the disclosure will result in remuneration to the covered entity. § 164.508(a)(4)(ii) {use}{disclosure}{protected health information} If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at §164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved. § 164.508(a)(3)(ii) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. § 164.508(c)(2)(iii) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. § 164.508(c)(1)(iv) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. § 164.508(c)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 [Core elements. A valid authorization under this section must contain at least the following elements: An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. § 164.508(c)(1)(v)] | Establish/Maintain Documentation | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Technical Security | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Business Processes | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 [{use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii)] | Records Management | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: § 164.508(b)(4)] | Data and Information Management | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 [{opt in}{refrain from receiving} A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications. § 164.514(f)(2)(v)] | Data and Information Management | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Human Resources Management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
| Notify the supervisory authority. CC ID 00472 [A covered entity is not in compliance with the standards in paragraph (e) of this section if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: Reported the problem to the Secretary. § 164.514(e)(4)(iii)(A)(2)] | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{make available}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart; § 164.504(f)(2)(ii)(H)] | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Data and Information Management | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Establish/Maintain Documentation | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Human Resources Management | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Establish/Maintain Documentation | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Communicate | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 [For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. § 164.514(d)(3)(i)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2) Except pursuant to and in compliance with §164.508(a)(4), a covered entity or business associate may not sell protected health information. § 164.502(a)(5)(ii)(A) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section. § 164.512(b)(2)] | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 [{unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Behavior | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Establish/Maintain Documentation | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. § 164.308(a)(3)(ii)(B) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 164.308(a)(4)(i) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of §164.522(b) in communicating protected health information. § 164.502(h) Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information in accordance with §164.524; § 164.504(f)(2)(ii)(E) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: § 164.524(a)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities. § 164.514(d)(4)(i) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made. § 164.514(d)(4)(ii)] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 [Other responsibility. If the covered entity does not maintain the protected health information that is the subject of the individual's request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access. § 164.524(d)(3) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher. § 164.528(b)(4)(ii)] | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [{written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {be in writing} A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing. § 164.522(b)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 [{confidential communication} A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual. § 164.522(b)(2)(iv) {representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii)] | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [{confidential communication} A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. § 164.522(b)(2)(iii)] | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) {stipulated time frame}{protected health information}{disclosure} The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. § 164.528(c)(1) {protected health information}{stipulated time frame} Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows. § 164.524(b)(2)(i) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Behavior | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A)] | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [{stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation. § 164.524(c)(2)(iii)(B)] | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access. § 164.524(c)(1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access. § 164.524(d)(1)] | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 [{stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. § 164.526(a)(1) {be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {stipulated time frame}{protected health information} If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: § 164.526(b)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Data and Information Management | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 [{Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii)] | Communicate | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{protected health information}{victim}{abuse}{neglect}{domestic violence}{government agency} Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: § 164.512(c)(2)] | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i)] | Records Management | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 [{refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i)] | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C) A covered entity or business associate that uses or discloses protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), in reliance on an attestation that is defective under paragraph (b)(2) of this section, is not in compliance with this section. § 164.509(a)(2)] | Establish Roles | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Data and Information Management | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 [A group health plan may: Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph; § 164.504(f)(3)(ii) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) {refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section. § 164.512(d)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {employment purpose}Implementation specifications: Uses and disclosures. A group health plan may: Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor. § 164.504(f)(3)(iv) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i) A covered entity may disclose protected health information for treatment activities of a health care provider. § 164.506(c)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The provision of health care to such individuals; § 164.512(k)(5)(i)(A)] | Data and Information Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 [Conditions on disclosures. If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements. § 164.514(h)(2)(i)] | Records Management | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 [A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. § 164.506(c)(3)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is: § 164.506(c)(4) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement. § 164.506(c)(5) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) A group health plan may: Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section; § 164.504(f)(3)(i) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. § 164.504(f)(1)(iii)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) {protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 [{protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use the following protected health information to maintain a directory of individuals in its facility: § 164.510(a)(1)(i)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 [Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 [Separation or discharge from military service. A covered entity that is a component of the Departments of Defense or Homeland Security may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 [A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation. § 164.512(k)(6)(i) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii) A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs. § 164.512(k)(6)(ii) Standard: Disclosures for workers' compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. § 164.512(l)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable. § 164.512(i)(2)(v) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h) {refrain from removing}Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: No protected health information is to be removed from the covered entity by the researcher in the course of the review; and § 164.512(i)(1)(ii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: § 164.512(i)(2)(iv) {refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without access to and use of the protected health information. § 164.512(i)(2)(ii)(C) {protected health information}{refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without the waiver or alteration; and § 164.512(i)(2)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 [Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 [Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individual or other inmates; § 164.512(k)(5)(i)(B) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The administration and maintenance of the safety, security, and good order of the correctional institution. § 164.512(k)(5)(i)(F) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 [Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: § 164.512(c)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; § 164.512(c)(1)(i)] | Data and Information Management | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Business Processes | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 [{refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1)] | Establish/Maintain Documentation | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: § 164.508(b)(3) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph (i)(2)(ii)(C) of this section; § 164.512(i)(2)(iii) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: The name of any individual(s) whose protected health information is sought, if practicable. § 164.509(c)(1)(i)(A) {be impracticable} A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought. § 164.509(c)(1)(i)(B) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. § 164.509(c)(1)(ii) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure. § 164.509(c)(1)(iii) A valid attestation under this section must contain the following elements: A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii). § 164.509(c)(1)(iv) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: § 164.509(c)(1)(i) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person. § 164.509(c)(1)(v)] | Establish/Maintain Documentation | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2)] | Data and Information Management | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 [Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2) Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2)] | Data and Information Management | Preventive | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 [Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), the covered entity or business associate must cease such use or disclosure. § 164.509(d)] | Business Processes | Preventive | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Business Processes | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) {data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Data and Information Management | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi)] | Data and Information Management | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B)] | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv)] | Data and Information Management | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) {protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Data and Information Management | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii)] | Data and Information Management | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from receiving} A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section. § 164.514(f)(2)(iv)] | Communicate | Corrective | |
| Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a)] | Data and Information Management | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1)] | Data and Information Management | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 [{external requirement} Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under §160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. § 164.530(h)] | Data and Information Management | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
| Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Data and Information Management | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B)] | Process or Activity | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Data and Information Management | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B)] | Data and Information Management | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii)] | Data and Information Management | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Permitted uses. A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed. § 164.512(k)(5)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B)] | Data and Information Management | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A)] | Data and Information Management | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Behavior | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Communicate | Corrective | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue. § 164.512(f)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Records Management | Preventive | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in §164.501 of this subpart. § 164.508(a)(4)(i) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: If the individual agrees to the disclosure; or § 164.512(c)(1)(ii) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The individual agrees to the disclosure; or § 164.512(f)(3)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Data and Information Management | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [{data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v)] | Data and Information Management | Detective | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A)] | Establish/Maintain Documentation | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Establish/Maintain Documentation | Preventive | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Communicate | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 [{oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Data and Information Management | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Data and Information Management | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 [Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter; § 164.502(b)(2)(iv) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: § 164.512(d)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [A business associate is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter. § 164.502(a)(4)(i)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 [Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: n compliance with and as limited by the relevant requirements of: An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: § 164.512(f)(1)(ii)(C)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care. § 164.510(b)(1)(i) Uses and disclosures when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. § 164.510(b)(5) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death. § 164.512(g)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; § 164.512(k)(5)(i)(D)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of the officers or employees of or others at the correctional institution; § 164.512(k)(5)(i)(C)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C)] | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [National security and intelligence activities. A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333). § 164.512(k)(2) Protective services for the President and others. A covered entity may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056 or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879. § 164.512(k)(3)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Data and Information Management | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(f)(3)(ii)(C)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or § 164.512(c)(1)(iii)(A) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: § 164.512(e)(1)(ii) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or § 164.512(e)(1)(i) {law enforcement activity}Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. § 164.512(c)(1)(iii)(B) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; § 164.512(f)(1)(ii)(A) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A grand jury subpoena; or § 164.512(f)(1)(ii)(B) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; § 164.512(f)(3)(ii)(A) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: § 164.512(f)(3)(ii)] | Data and Information Management | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi) A covered entity is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter. § 164.502(a)(2)(ii) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or § 164.512(f)(1)(i) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: § 164.512(k)(5)(i) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable. § 164.512(f) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Data and Information Management | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct. § 164.512(f)(4) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. § 164.512(f)(5) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: Law enforcement on the premises of the correctional institution; or § 164.512(k)(5)(i)(E) {be necessary} A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: § 164.512(f)(6)(i) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and § 164.512(f)(3)(ii)(B)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 [Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i)] | Data and Information Management | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 [Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: § 164.502(d)(2)] | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and § 164.512(i)(2)(ii)(A)(2) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
| Refrain from selling restricted data, as necessary. CC ID 17165 | Data and Information Management | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 [{refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Data and Information Management | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 [{written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3) {written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3)] | Data and Information Management | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1)] | Data and Information Management | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full. § 164.522(a)(1)(vi)(B) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and § 164.522(a)(1)(vi)(A) {family member}{friend}{relative}A covered entity must permit an individual to request that the covered entity restrict: Disclosures permitted under §164.510(b). § 164.522(a)(1)(i)(B) A covered entity must permit an individual to request that the covered entity restrict: Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and § 164.522(a)(1)(i)(A) {disclosure}{use}{protected health information} Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction. § 164.522(a)(1)(ii)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart. § 164.514(h)(1)(ii) If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (d)(1)(iii) of this section. § 164.526(d)(5)(ii) {request}{denial}{amendment} If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with paragraph (d)(4) of this section, or, at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates. § 164.526(d)(5)(i)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Communicate | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
| Review personal data disclosure requests. CC ID 07129 [{protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(3)(ii)(B) {protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(4)(iii)(B)] | Data and Information Management | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Psychotherapy notes; and § 164.524(a)(1)(i) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: As part of a limited data set in accordance with §164.514(e); or § 164.528(a)(1)(viii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Pursuant to an authorization as provided in §164.508; § 164.528(a)(1)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To carry out treatment, payment and health care operations as provided in §164.506; § 164.528(a)(1)(i) The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and § 164.526(d)(1)(iii)] | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. § 164.524(a)(2)(v)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For national security or intelligence purposes as provided in §164.512(k)(2); § 164.528(a)(1)(vi)] | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. § 164.524(a)(2)(ii) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; § 164.524(a)(3)(i) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person. § 164.524(a)(3)(iii)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or § 164.524(a)(3)(ii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To individuals of protected health information about them as provided in §164.502; § 164.528(a)(1)(ii)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: That occurred prior to the compliance date for the covered entity. § 164.528(a)(1)(ix)] | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research. § 164.524(a)(2)(iii)] | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in §164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required. § 164.528(a)(2)(i) {spoken communication}{impede}{health oversight agency}{law enforcement}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and § 164.528(a)(2)(ii)(B) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To correctional institutions or law enforcement officials as provided in §164.512(k)(5); § 164.528(a)(1)(vii)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii)] | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. § 164.524(a)(2)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in §164.502; § 164.528(a)(1)(iii)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{protected health information}{written form} If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section. § 164.524(b)(2)(i)(B) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: The basis for the denial; § 164.524(d)(2)(i)] | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 [{protected health information} Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: § 164.524(a)(3) {protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii)] | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in §164.510; § 164.528(a)(1)(v)] | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) {access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i)] | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 [The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access. § 164.524(c)(3)(i) {protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for access. § 164.524(b)(2)(ii)(B) {stipulated time frame}{spoken communication}{accounting of disclosures}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time. § 164.528(a)(2)(ii)(C) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an accounting. § 164.528(c)(1)(ii)(B)] | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{request for access}{protected health information} If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: § 164.524(b)(2)(ii) {protected health information}{accounting of disclosures}The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: § 164.528(c)(1)(ii)] | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: § 164.524(c)(4) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2)] | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(i)] | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 [The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to such a summary or explanation; and § 164.524(c)(2)(iii)(A) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(ii)] | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Establish/Maintain Documentation | Preventive | |
| Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 | Data and Information Management | Preventive | |
| Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Data and Information Management | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [{protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) {Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Data and Information Management | Preventive | |
| Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 [{protected health information}{disclosure}{use} Plain language requirement. The authorization must be written in plain language. § 164.508(c)(3) Plain language requirement. The attestation must be written in plain language. § 164.509(c)(2)] | Data and Information Management | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
| Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
| Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i)] | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Data and Information Management | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
| Validate the business need for maintaining collected restricted data. CC ID 17090 | Data and Information Management | Preventive | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and § 164.514(d)(3)(ii)(A) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 [{electronic protected health information} {are not required} Covered entities and business associates must do the following: Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. § 164.306(a)(3) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. § 164.306(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 164.314(b)(1) {electronic protected health information} Covered entities and business associates must do the following: le="background-color:#B7D8ED;" class="term_primary-verb">Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. § 164.306(a)(2)] | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 [{incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii) {incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii)] | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: § 164.514(c) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1)] | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 [{refrain from deriving}{protected health information}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and § 164.514(c)(1)] | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 [{protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and § 164.502(d)(2)(i)] | Data and Information Management | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
| Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Data and Information Management | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Business Processes | Preventive | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Behavior | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Establish/Maintain Documentation | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Communicate | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Data and Information Management | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Data and Information Management | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Behavior | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Data and Information Management | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Business Processes | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Communicate | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Establish/Maintain Documentation | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Data and Information Management | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Data and Information Management | Preventive | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Process or Activity | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Establish/Maintain Documentation | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Human Resources Management | Detective | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part. § 164.530(d)(1)] | Data and Information Management | Corrective | |
| File privacy rights violation complaints in writing. CC ID 00477 | Establish/Maintain Documentation | Corrective | |
| Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Establish/Maintain Documentation | Preventive | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv)] | Behavior | Corrective | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [Implementation specification: Actions on notices of amendment. A covered entity that is informed by another covered entity of an amendment to an individual's protected health information, in accordance with paragraph (c)(3) of this section, must amend the protected health information in designated record sets as provided by paragraph (c)(1) of this section. § 164.526(e) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment. § 164.526(c)(1) If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (c)(1) and (2) of this section. § 164.526(b)(2)(i)(A)] | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2)] | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Establish/Maintain Documentation | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [{protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520. § 164.530(a)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{protected health information}{be permissible}If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an amendment. § 164.526(b)(2)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 [A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is not part of the designated record set; § 164.526(a)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i) {be complete}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is accurate and complete. § 164.526(a)(2)(iv) {is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Would not be available for inspection under §164.524; or § 164.526(a)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2)] | Data and Information Management | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii)] | Data and Information Management | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 [{disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is: § 164.522(a)(2)(iii) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii) (disclosure}{use}{protected health information}A covered entity may terminate a restriction, if: The individual agrees to or requests the termination in writing; § 164.522(a)(2)(i)] | Configuration | Preventive | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 [{stipulated time frame}{protected health information} The covered entity must act on the individual's request for an amendment no later than 60 days after receipt of such a request, as follows. § 164.526(b)(2)(i)] | Data and Information Management | Preventive | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [{written form} If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d)(1) of this section. § 164.526(b)(2)(i)(B) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The basis for the denial, in accordance with paragraph (a)(2) of this section; § 164.526(d)(1)(i) {written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Behavior | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons identified by the individual as having received protected health information about the individual and needing the amendment; and § 164.526(c)(3)(i) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual. § 164.526(c)(3)(ii)] | Behavior | Corrective | |
| Notify third parties of unresolved challenges. CC ID 13559 [{denial}{amendment}{statement of disagreement} When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction. § 164.526(d)(5)(iii)] | Communicate | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [{protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2) {written form} Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement. § 164.526(d)(3)] | Establish/Maintain Documentation | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Behavior | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Behavior | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Establish/Maintain Documentation | Corrective | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Establish/Maintain Documentation | Detective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Behavior | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Data and Information Management | Corrective | |
| Define the organization's liability based on the applicable law. CC ID 00504 [Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402. § 164.414(b)] | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Behavior | Preventive | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) Must refrain from intimidation and retaliation as provided in §160.316 of this subchapter. § 164.530(g)(2) {external requirement} May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and § 164.530(g)(1)] | Testing | Detective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F)] | Data and Information Management | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [A covered entity or business associate must, in accordance with §164.306: Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(b)(2)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by §164.530(j): § 164.524(e) {protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) {stipulated time frame} Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.530(j)(2) {written form}{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The written accounting that is provided to the individual under this section; and § 164.528(d)(2) A covered entity must: If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and § 164.530(j)(1)(ii) A covered entity must: If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation. § 164.530(j)(1)(iii)] | Records Management | Preventive | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Perform destruction at authorized facilities. CC ID 17074 | Business Processes | Preventive | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Business Processes | Preventive | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Data and Information Management | Preventive | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. § 164.310(d)(2)(ii)] | Data and Information Management | Preventive | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records Management | Preventive | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Testing | Detective | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Testing | Detective | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Establish/Maintain Documentation | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Records Management | Preventive | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Data and Information Management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 [A covered entity must: Maintain documentation sufficient to meet its burden of proof under §164.414(b). § 164.530(j)(1)(iv)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain file naming conventions. CC ID 16971 | Records Management | Preventive | |
| Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records Management | Detective | |
| Compress encrypted files in accordance with applicable requirements. CC ID 16973 | Data and Information Management | Preventive | |
| Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records Management | Detective | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Monitor and Evaluate Occurrences | Detective | |
| Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records Management | Detective | |
| Validate transactions using identifiers and credentials. CC ID 13203 | Technical Security | Preventive | |
| Establish, implement, and maintain a system storage log. CC ID 13532 | Records Management | Preventive | |
| Establish, implement, and maintain a system input log. CC ID 13531 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 | Monitor and Evaluate Occurrences | Detective | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 164.316(b)(1)(ii) {use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclose}{use}{protected health information} Implementation specification: Documentation. A covered entity must document a restriction in accordance with §160.530(j) of this subchapter. § 164.522(a)(3) Recordkeeping. The covered entity must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, if any, and the covered entity's rebuttal, if any, to the designated record set. § 164.526(d)(4) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A)] | Records Management | Detective | |
| Establish, implement, and maintain authorization records. CC ID 14367 [Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: An Institutional Review Board (IRB), established in accordance with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or § 164.512(i)(1)(i)(A) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Establish/Maintain Documentation | Preventive | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
| Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
| Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
| Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
| Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
| Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
| Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
| Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
| Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
| Establish, implement, and maintain Electronic Document and Records Management systems. CC ID 16913 | Data and Information Management | Preventive | |
| Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Business Processes | Preventive | |
| Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Business Processes | Preventive | |
| Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Business Processes | Preventive | |
| Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Business Processes | Preventive | |
| Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records Management | Preventive | |
| Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Business Processes | Preventive | |
| Include record integrity techniques in the records management procedures. CC ID 06418 | Establish/Maintain Documentation | Preventive | |
| Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Establish/Maintain Documentation | Preventive | |
| Control error handling when data is being inputted. CC ID 00922 | Data and Information Management | Detective | |
| Use automated entry devices to reduce errors during data input. CC ID 06626 | Data and Information Management | Preventive | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [{not been destroyed} Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. § 164.312(c)(2)] | Establish Roles | Preventive | |
| Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
| Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain access controls for all records. CC ID 00371 | Records Management | Preventive | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Establish/Maintain Documentation | Preventive | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. § 164.310(d)(2)(iv)] | Records Management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
| Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
| Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Log Management | Preventive | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 | Establish/Maintain Documentation | Preventive | |
| Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain document retention procedures. CC ID 11660 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Establish/Maintain Documentation | Detective | |
| Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records Management | Preventive | |
| Establish and maintain reconciliation audit trails. CC ID 11647 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data processing output log. CC ID 06624 | Log Management | Preventive | |
| Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Establish/Maintain Documentation | Preventive | |
| Review and approve output exceptions. CC ID 06625 | Records Management | Preventive | |
| Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Testing | Detective | |
| Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Business Processes | Detective | |
| Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Process or Activity | Detective | |
| Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Process or Activity | Detective | |
| Remove non-public information from publicly accessible systems. CC ID 14246 | Data and Information Management | Corrective | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records Management | Preventive | |
| Convert hard copy records to electronic records, as necessary. CC ID 16927 | Data and Information Management | Preventive | |
| Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records Management | Preventive | |
| Process restricted information in a secure environment. CC ID 13058 | Process or Activity | Preventive | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records Management | Preventive | |
| Establish, implement, and maintain data availability controls. CC ID 15301 | Data and Information Management | Preventive | |
| Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Technical Security | Preventive | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records Management | Preventive | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 | Process or Activity | Preventive | |
| Assign ownership for all electronic records. CC ID 14814 | Establish/Maintain Documentation | Preventive | |
| Attribute electronic records, as necessary. CC ID 14820 | Establish/Maintain Documentation | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. § 164.312(a)(2)(iii)] | Configuration | Preventive | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | Technical Security | Preventive | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | Configuration | Preventive | |
| Invalidate unexpected session identifiers. CC ID 15307 | Configuration | Preventive | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | Configuration | Preventive | |
| Reject session identifiers that are not valid. CC ID 15306 | Configuration | Preventive | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | Configuration | Preventive | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | Configuration | Preventive | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | Configuration | Preventive | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | Configuration | Preventive | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | Configuration | Preventive | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | Configuration | Preventive | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | Configuration | Preventive | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | Configuration | Preventive | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | Configuration | Preventive | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | Configuration | Preventive | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | Configuration | Preventive | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | Configuration | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 [Implement: Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. § 164.308(a)(5)(ii)(D)] | Establish/Maintain Documentation | Preventive | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | Technical Security | Preventive | |
| Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | Configuration | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | Configuration | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | Configuration | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | Configuration | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | Configuration | Preventive | |
| Disable store passwords using reversible encryption. CC ID 01708 | Configuration | Preventive | |
| Configure the system to encrypt authenticators. CC ID 06735 | Configuration | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 | Configuration | Preventive | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | Configuration | Preventive | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | Establish/Maintain Documentation | Preventive | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | Establish/Maintain Documentation | Preventive | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | Configuration | Preventive | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | Establish/Maintain Documentation | Preventive | |
| Disable machine account password changes. CC ID 01737 | Configuration | Preventive | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | Establish/Maintain Documentation | Preventive | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | Establish/Maintain Documentation | Preventive | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | Establish/Maintain Documentation | Preventive | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | Configuration | Preventive | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | Configuration | Preventive | |
| Configure the LILO/GRUB password. CC ID 01576 | Configuration | Preventive | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | Configuration | Preventive | |
| Change the default password to Apple's Keychain. CC ID 04482 | Configuration | Preventive | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | Configuration | Preventive | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | Configuration | Preventive | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | Configuration | Preventive | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | Configuration | Preventive | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | Configuration | Preventive | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | Configuration | Preventive | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | Configuration | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | Configuration | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | Configuration | Preventive | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | Configuration | Preventive | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | Configuration | Preventive | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | Behavior | Preventive | |
| Discourage affected parties from recording authenticators. CC ID 06788 | Behavior | Preventive | |
| Ensure the root account is the first entry in password files. CC ID 16323 | Data and Information Management | Detective | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | Establish/Maintain Documentation | Preventive | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | Establish/Maintain Documentation | Preventive | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | Configuration | Preventive | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | Configuration | Preventive | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | Configuration | Preventive | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | Configuration | Preventive | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | Configuration | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Establish/Maintain Documentation | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [A covered entity must identify: Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and § 164.514(d)(2)(i)(A)] | Establish/Maintain Documentation | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Establish/Maintain Documentation | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Establish/Maintain Documentation | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(4) Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(2) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Establish/Maintain Documentation | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 [Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative, provided that the conditions at paragraphs (g)(5)(i) and (ii) of this section are met: § 164.502(g)(5)] | Establish/Maintain Documentation | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 [Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 164.312(d)] | Establish/Maintain Documentation | Preventive | |
| Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
| Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 [Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is in writing, the request is on the appropriate government letterhead; or § 164.514(h)(2)(ii)(B) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status; § 164.514(h)(2)(ii)(A) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official. § 164.514(h)(2)(ii)(C) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority. § 164.514(h)(2)(iii)(B) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; § 164.514(h)(2)(iii)(A)] | Process or Activity | Preventive | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Process or Activity | Detective | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). § 164.312(a)(1) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. § 164.308(a)(4)(ii)(A) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 164.308(a)(4)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Establish/Maintain Documentation | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Establish/Maintain Documentation | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. § 164.308(a)(4)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
| Identify information system users. CC ID 12081 | Technical Security | Detective | |
| Review user accounts. CC ID 00525 | Technical Security | Detective | |
| Match user accounts to authorized parties. CC ID 12126 | Configuration | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical Security | Detective | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
| Review shared accounts. CC ID 11840 | Technical Security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 [{workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B) {workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B)] | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; § 164.314(b)(2)(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established. § 164.504(f)(2)(ii)(J) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must: § 164.504(f)(2)(iii)] | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Control user privileges. CC ID 11665 [The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Technical Security | Preventive | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical Security | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Behavior | Corrective | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical Security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Human Resources Management | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical Security | Preventive | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical Security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
| Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical Security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical Security | Preventive | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Log Management | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
| Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 [The plan documents must: Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description; § 164.504(f)(2)(iii)(A)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
| Include the user's location in the system record. CC ID 16996 | Log Management | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Establish/Maintain Documentation | Preventive | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical Security | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Employ unique identifiers. CC ID 01273 [Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. § 164.312(a)(2)(i)] | Testing | Detective | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Data and Information Management | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Establish/Maintain Documentation | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical Security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Process or Activity | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Human Resources Management | Preventive | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Testing | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Testing | Detective | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical Security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Configuration | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Configuration | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Communicate | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Establish Roles | Preventive | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Process or Activity | Preventive | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical Security | Preventive | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical Security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{improper destruction} Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 164.312(c)(1) {refrain from modifying} Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. § 164.312(e)(2)(i)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Communicate | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Data and Information Management | Preventive | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section. § 164.514(d)(2)(ii) The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 164.312(e)(1)] | Establish/Maintain Documentation | Preventive | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Establish/Maintain Documentation | Preventive | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 | Establish/Maintain Documentation | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Data and Information Management | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Data and Information Management | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Establish/Maintain Documentation | Preventive | |
| Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Establish/Maintain Documentation | Preventive | |
| Include connection termination procedures in the information exchange procedures. CC ID 17027 | Establish/Maintain Documentation | Preventive | |
| Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Establish/Maintain Documentation | Preventive | |
| Include communication requirements in the information exchange procedures. CC ID 17026 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Establish/Maintain Documentation | Preventive | |
| Include implementation procedures in the information exchange procedures. CC ID 17022 | Establish/Maintain Documentation | Preventive | |
| Include security controls in the information exchange procedures. CC ID 17021 | Establish/Maintain Documentation | Preventive | |
| Include testing procedures in the information exchange procedures. CC ID 17020 | Establish/Maintain Documentation | Preventive | |
| Include measurement criteria in the information exchange procedures. CC ID 17019 | Establish/Maintain Documentation | Preventive | |
| Include training requirements in the information exchange procedures. CC ID 17017 | Establish/Maintain Documentation | Preventive | |
| Test the information exchange procedures. CC ID 17115 | Testing | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Data and Information Management | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Data and Information Management | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical Security | Preventive | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical Security | Preventive | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical Security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Establish/Maintain Documentation | Preventive | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Establish/Maintain Documentation | Corrective | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Configuration | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical Security | Preventive | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical Security | Detective | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Data and Information Management | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Establish/Maintain Documentation | Preventive | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Behavior | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. § 164.312(a)(2)(iv)] | Establish/Maintain Documentation | Preventive | |
| Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Establish/Maintain Documentation | Preventive | |
| Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. § 164.312(e)(2)(ii)] | Data and Information Management | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Implement: Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. § 164.308(a)(5)(ii)(B)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 | Configuration | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
| Scan for malicious code, as necessary. CC ID 11941 | Investigate | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
| Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical Security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
| Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
| Lock antivirus configurations. CC ID 10047 | Configuration | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be permissible}{business associate contract} The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. § 164.504(e)(3)(iii) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{business associate contract} Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). § 164.308(b)(3) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e). § 164.502(e)(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}{requirement}If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. § 164.314(a)(1)] | Process or Activity | Detective | |
| Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. § 164.504(e)(2)(i)(B)] | Establish/Maintain Documentation | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
| Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: § 164.504(e)(4)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B) {refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Business Processes | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
| Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Business associate contracts. The contract must provide that the business associate will— Comply with the applicable requirements of this subpart; § 164.314(a)(2)(i)(A) {business associate contract} The contract or other arrangement required by §164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable. § 164.504(e)(1)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. § 164.504(e)(2)(ii)(H) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. § 164.410(a)(1) Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Report to the group health plan any security incident of which it becomes aware. § 164.314(b)(2)(iv) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware; § 164.504(f)(2)(ii)(D) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information. § 164.308(b)(2) {be the same} Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by §164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.314(a)(2)(iii) Business associate contracts. The contract must provide that the business associate will— In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and § 164.314(a)(2)(i)(B) {business associate contract}Provide that the business associate will: In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; § 164.504(e)(2)(ii)(D) {business associate contract}{remain confidential}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and § 164.504(e)(4)(ii)(B)(1) {business associate contract}{disclosure recipient}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. § 164.504(e)(4)(ii)(B)(2) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. § 164.502(e)(1)(ii) {be equal} Implementation specifications: Business associate contracts with subcontractors. The requirements of §164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by §164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.504(e)(5) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Establish/Maintain Documentation | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
| Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 [{business associate contract} Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. § 164.504(e)(2)(iii)] | Establish/Maintain Documentation | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: To carry out the legal responsibilities of the business associate. § 164.504(e)(4)(i)(B) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: For the proper management and administration of the business associate; or § 164.504(e)(4)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.308(b)(1) {electronic protected health information}Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and § 164.314(b)(2)(iii) {business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.502(e)(1)(i)] | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
| Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
| Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(B) {disclosure recipient}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information; § 164.504(f)(2)(ii)(B)] | Testing | Detective | |
| Include disclosure requirements in third party contracts. CC ID 08825 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: Make available protected health information in accordance with §164.524; § 164.504(e)(2)(ii)(E) {business associate contract}Provide that the business associate will: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(e)(2)(ii)(G) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The disclosure is required by law; or § 164.504(e)(4)(ii)(A) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii) {business associate contract}{make available}Provide that the business associate will: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and § 164.504(e)(2)(ii)(I) A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Business Processes | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B)] | Testing | Detective | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Establish/Maintain Documentation | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Preventive | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Preventive | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Preventive | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
| Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
| Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
| Mitigate reported incidents. CC ID 12973 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Preventive | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Audits and risk management | Detective | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and risk management | Preventive | |
| Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and risk management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Detective | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
| Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
| Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Detective | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 [{make available}A covered entity or business associate must, in accordance with §164.306: Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 164.316(b)(2)(ii)] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
| Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Corrective | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Preventive | |
| Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Preventive | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
| Train all new hires, as necessary. CC ID 06673 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and § 164.530(b)(2)(i)(B)] | Human Resources management | Preventive | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Preventive | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: § 164.530(b)(2)(i)] | Human Resources management | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section. § 164.530(b)(2)(i)(C)] | Human Resources management | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 164.308(a)(1)(ii)(C) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of §164.502(j) or paragraph (g)(2) of this section. § 164.530(e)(1)] | Human Resources management | Corrective | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
| Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. § 164.404(a)(1) {breach notification}{Secretary}{individual}{at the same time} Implementation specifications: Breaches involving 500 or more individuals. For breaches of erb">;" class="term_primary-noun">unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by §164.404(a) and in the manner specified on the HHS Web site. § 164.408(b) {stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b) {breach notification}If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or § 164.412(a)] | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(ii) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 [{be out-of-date}{breach notification} In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. § 164.404(d)(2)(i) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii). § 164.404(d)(2)] | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section. § 164.404(d)(3)] | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 [{breach notification} Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in §164.404(a)(2), notifyn> style="background-color:#F0BBBC;" class="term_primary-noun">prominent media outlets serving the State or jurisdiction. § 164.406(a)] | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Operational management | Corrective | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Preventive | |
| Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Preventive | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{Notice of Privacy Practices}{stipulated time frame}If there is a material change to the notice: A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice. § 164.520(c)(1)(v)(B)] | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority. CC ID 00472 [A covered entity is not in compliance with the standards in paragraph (e) of this section if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: Reported the problem to the Secretary. § 164.514(e)(4)(iii)(A)(2)] | Privacy protection for information and data | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) {stipulated time frame}{protected health information}{disclosure} The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. § 164.528(c)(1) {protected health information}{stipulated time frame} Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows. § 164.524(b)(2)(i) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A)] | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [{stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation. § 164.524(c)(2)(iii)(B)] | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{protected health information}{victim}{abuse}{neglect}{domestic violence}{government agency} Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: § 164.512(c)(2)] | Privacy protection for information and data | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Privacy protection for information and data | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv)] | Privacy protection for information and data | Corrective | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2)] | Privacy protection for information and data | Corrective | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [{written form} If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d)(1) of this section. § 164.526(b)(2)(i)(B) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The basis for the denial, in accordance with paragraph (a)(2) of this section; § 164.526(d)(1)(i) {written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Privacy protection for information and data | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons identified by the individual as having received protected health information about the individual and needing the amendment; and § 164.526(c)(3)(i) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual. § 164.526(c)(3)(ii)] | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Corrective | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze the business environment in which the organization operates. CC ID 12798 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The size, complexity, and capabilities of the covered entity or business associate. § 164.306(b)(2)(i) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Leadership and high level objectives | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Preventive | |
| Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
| Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Preventive | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Preventive | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Detective | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
| Review the relevance of information supporting internal controls. CC ID 12420 [{be reasonable}{be appropriate} Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and § 164.306(d)(3)(i)] | Operational management | Detective | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Operational management | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
| Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
| Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
| Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [Standard: Security incident procedures. Implement policies and procedures to address security incidents. § 164.308(a)(6)(i)] | Operational management | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
| Remediate security violations according to organizational standards. CC ID 12338 [Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate. § 164.530(f)] | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
| Establish, implement, and maintain cost management procedures. CC ID 00873 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The costs of security measures. § 164.306(b)(2)(iii)] | Operational management | Detective | |
| Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and § 164.530(i)(4)(ii)(A) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Operational management | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
| Perform destruction at authorized facilities. CC ID 17074 | Records management | Preventive | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Preventive | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
| Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Preventive | |
| Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Preventive | |
| Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Preventive | |
| Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Preventive | |
| Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Preventive | |
| Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Detective | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [{confidential communication} A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. § 164.522(b)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 [{refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Privacy protection for information and data | Preventive | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 [Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), the covered entity or business associate must cease such use or disclosure. § 164.509(d)] | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: § 164.504(e)(4)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B) {refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Third Party and supply chain oversight | Preventive | |
| Include disclosure requirements in third party contracts. CC ID 08825 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: Make available protected health information in accordance with §164.524; § 164.504(e)(2)(ii)(E) {business associate contract}Provide that the business associate will: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(e)(2)(ii)(G) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The disclosure is required by law; or § 164.504(e)(4)(ii)(A) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii) {business associate contract}{make available}Provide that the business associate will: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and § 164.504(e)(2)(ii)(I) A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Preventive | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Preventive | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Preventive | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Preventive | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Corrective | |
| Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
| Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
| Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
| Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
| Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
| Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
| Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
| Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
| Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
| Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
| Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Preventive | |
| Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
| Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
| Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{breach notification}{stipulated time frame} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.406(b) {breach notification} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.404(b) {breach notification}{covered entity}{stipulated time frame} Implementation specifications: Timeliness of notification. Except as provided in §164.412, a business associate shall erm_primary-verb">provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.410(b)] | Operational management | Preventive | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the date, time, and place of the hearing. CC ID 13017 | Operational management | Preventive | |
| Issue subpoenas, as necessary. CC ID 14350 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Operational management | Corrective | |
| Include a description of the documents to be produced for the hearing on the subpoena. CC ID 14358 | Operational management | Detective | |
| Include the subject matter for the testimony on the subpoena. CC ID 14356 | Operational management | Detective | |
| Include the date, time, and place of the hearing on the subpoena. CC ID 14354 | Operational management | Detective | |
| Include the statutory authority on the subpoena. CC ID 14353 | Operational management | Preventive | |
| Deliver the subpoena to interested personnel and affected parties. CC ID 14357 | Operational management | Detective | |
| Include the addressee on the subpoena. CC ID 14351 | Operational management | Detective | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{Notice of Privacy Practices}{protected health information} Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity. § 164.520(a)(4)] | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [{Notice of privacy practices} A health plan must provide the notice: § 164.520(c)(1)(i) {Notice of Privacy Practices}A health plan must provide the notice: Thereafter, at the time of enrollment, to individuals who are new enrollees. § 164.520(c)(1)(i)(B) {Notice of Privacy Practices}A health plan must provide the notice: No later than the compliance date for the health plan, to individuals then covered by the plan; § 164.520(c)(1)(i)(A) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice. § 164.520(d)(3) {Notice of privacy practices}Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must: Provide the notice: § 164.520(c)(2)(i) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice. § 164.520(c)(3)(iii) {Notice of Privacy Practices} The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents. § 164.520(c)(1)(iii) {Notice of Privacy Practices} If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice. § 164.520(c)(1)(iv) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {Notice of Privacy Practices}{time requirement}Provide the notice: In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. § 164.520(c)(2)(i)(B) {Notice of Privacy Practices}{make available} Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable. § 164.520(c) {Notice of Privacy Practices} The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request. § 164.520(c)(3)(iv) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan. § 164.520(a)(3)(ii)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Privacy protection for information and data | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 [{Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Privacy protection for information and data | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 [{Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{Notice of Privacy Practices}The notice must contain: A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information; § 164.520(b)(1)(v)(A) {Notice of Privacy Practices}Covered entity's duties. The notice must contain: A statement that the covered entity is required to abide by the terms of the notice currently in effect; and § 164.520(b)(1)(v)(B) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive an accounting of disclosures of protected health information as provided by §164.528; and § 164.520(b)(1)(iv)(E) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 [{protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or § 164.512(c)(2)(i) {protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(c)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{disclosure}{protected health information} Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements. § 164.528(b) {stipulated time frame} An individual may request an accounting of disclosures for a period of time less than six years from the date of the request. § 164.528(a)(3) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 [{Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from receiving} A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section. § 164.514(f)(2)(iv)] | Privacy protection for information and data | Corrective | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Corrective | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
| Notify third parties of unresolved challenges. CC ID 13559 [{denial}{amendment}{statement of disagreement} When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction. § 164.526(d)(5)(iii)] | Privacy protection for information and data | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Preventive | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Detective | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 | Technical security | Preventive | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Preventive | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Preventive | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
| Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
| Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Operational and Systems Continuity | Preventive | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Operational and Systems Continuity | Preventive | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Preventive | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Preventive | |
| Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. § 164.312(a)(2)(iii)] | System hardening through configuration management | Preventive | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Preventive | |
| Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Preventive | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Preventive | |
| Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Preventive | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | System hardening through configuration management | Preventive | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Preventive | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | System hardening through configuration management | Preventive | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | System hardening through configuration management | Preventive | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | System hardening through configuration management | Preventive | |
| Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | System hardening through configuration management | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Preventive | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Preventive | |
| Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Preventive | |
| Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Preventive | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Preventive | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Preventive | |
| Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Preventive | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Preventive | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Preventive | |
| Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Preventive | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Preventive | |
| Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Preventive | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Preventive | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Preventive | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Preventive | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Preventive | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Preventive | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Preventive | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | System hardening through configuration management | Preventive | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Preventive | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Preventive | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Preventive | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Preventive | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Preventive | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Preventive | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Preventive | |
| Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 [{disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is: § 164.522(a)(2)(iii) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii) (disclosure}{use}{protected health information}A covered entity may terminate a restriction, if: The individual agrees to or requests the termination in writing; § 164.522(a)(2)(i)] | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
| Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; § 164.314(b)(2)(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established. § 164.504(f)(2)(ii)(J) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must: § 164.504(f)(2)(iii)] | Technical security | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Preventive | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Preventive | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section. § 164.514(d)(2)(ii) The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Technical security | Preventive | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. § 164.312(e)(2)(ii)] | Technical security | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
| Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Corrective | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority} Standard. A covered entity shall, following the discovery of a breach of unsecured protected health informationpan> as provided in §164.404(a)(2), notify the Secretary. § 164.408(a)] | Operational management | Corrective | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
| Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Detective | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Preventive | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. § 164.310(d)(2)(ii)] | Records management | Preventive | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Preventive | |
| Compress encrypted files in accordance with applicable requirements. CC ID 16973 | Records management | Preventive | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
| Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
| Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
| Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
| Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
| Establish, implement, and maintain Electronic Document and Records Management systems. CC ID 16913 | Records management | Preventive | |
| Control error handling when data is being inputted. CC ID 00922 | Records management | Detective | |
| Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Preventive | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
| Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive | |
| Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Corrective | |
| Convert hard copy records to electronic records, as necessary. CC ID 16927 | Records management | Preventive | |
| Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii)] | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [{access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i) {stipulated time frame} An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: § 164.528(a)(1) The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. The covered entity must provide the individual with the accounting requested; or § 164.528(c)(1)(i)] | Privacy protection for information and data | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: § 164.508(b)(4)] | Privacy protection for information and data | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 [{opt in}{refrain from receiving} A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications. § 164.514(f)(2)(v)] | Privacy protection for information and data | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 [Other responsibility. If the covered entity does not maintain the protected health information that is the subject of the individual's request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access. § 164.524(d)(3) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher. § 164.528(b)(4)(ii)] | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 [{stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i) A covered entity may disclose protected health information for treatment activities of a health care provider. § 164.506(c)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The provision of health care to such individuals; § 164.512(k)(5)(i)(A)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 [A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. § 164.506(c)(3)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is: § 164.506(c)(4) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement. § 164.506(c)(5) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) A group health plan may: Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section; § 164.504(f)(3)(i) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. § 164.504(f)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) {protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 [{protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use the following protected health information to maintain a directory of individuals in its facility: § 164.510(a)(1)(i)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 [Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 [Separation or discharge from military service. A covered entity that is a component of the Departments of Defense or Homeland Security may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 [A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation. § 164.512(k)(6)(i) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii) A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs. § 164.512(k)(6)(ii) Standard: Disclosures for workers' compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. § 164.512(l)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 [Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 [Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individual or other inmates; § 164.512(k)(5)(i)(B) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The administration and maintenance of the safety, security, and good order of the correctional institution. § 164.512(k)(5)(i)(F) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 [Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: § 164.512(c)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; § 164.512(c)(1)(i)] | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2)] | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 [Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2) Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2)] | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) {data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi)] | Privacy protection for information and data | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B)] | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv)] | Privacy protection for information and data | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) {protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Privacy protection for information and data | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a)] | Privacy protection for information and data | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 [{external requirement} Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under §160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. § 164.530(h)] | Privacy protection for information and data | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
| Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Permitted uses. A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed. § 164.512(k)(5)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in §164.501 of this subpart. § 164.508(a)(4)(i) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: If the individual agrees to the disclosure; or § 164.512(c)(1)(ii) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The individual agrees to the disclosure; or § 164.512(f)(3)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [{data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v)] | Privacy protection for information and data | Detective | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 [{oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 [Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter; § 164.502(b)(2)(iv) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: § 164.512(d)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [A business associate is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter. § 164.502(a)(4)(i)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 [Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: n compliance with and as limited by the relevant requirements of: An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: § 164.512(f)(1)(ii)(C)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care. § 164.510(b)(1)(i) Uses and disclosures when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. § 164.510(b)(5) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death. § 164.512(g)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; § 164.512(k)(5)(i)(D)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of the officers or employees of or others at the correctional institution; § 164.512(k)(5)(i)(C)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [National security and intelligence activities. A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333). § 164.512(k)(2) Protective services for the President and others. A covered entity may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056 or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879. § 164.512(k)(3)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(f)(3)(ii)(C)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or § 164.512(c)(1)(iii)(A) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: § 164.512(e)(1)(ii) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or § 164.512(e)(1)(i) {law enforcement activity}Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. § 164.512(c)(1)(iii)(B) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; § 164.512(f)(1)(ii)(A) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A grand jury subpoena; or § 164.512(f)(1)(ii)(B) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; § 164.512(f)(3)(ii)(A) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: § 164.512(f)(3)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi) A covered entity is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter. § 164.502(a)(2)(ii) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or § 164.512(f)(1)(i) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: § 164.512(k)(5)(i) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable. § 164.512(f) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct. § 164.512(f)(4) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. § 164.512(f)(5) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: Law enforcement on the premises of the correctional institution; or § 164.512(k)(5)(i)(E) {be necessary} A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: § 164.512(f)(6)(i) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and § 164.512(f)(3)(ii)(B)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 [Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i)] | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 [Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: § 164.502(d)(2)] | Privacy protection for information and data | Preventive | |
| Refrain from selling restricted data, as necessary. CC ID 17165 | Privacy protection for information and data | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 [{refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Privacy protection for information and data | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 [{written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3) {written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3)] | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1)] | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full. § 164.522(a)(1)(vi)(B) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and § 164.522(a)(1)(vi)(A) {family member}{friend}{relative}A covered entity must permit an individual to request that the covered entity restrict: Disclosures permitted under §164.510(b). § 164.522(a)(1)(i)(B) A covered entity must permit an individual to request that the covered entity restrict: Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and § 164.522(a)(1)(i)(A) {disclosure}{use}{protected health information} Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction. § 164.522(a)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
| Review personal data disclosure requests. CC ID 07129 [{protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(3)(ii)(B) {protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(4)(iii)(B)] | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. § 164.524(a)(2)(v)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For national security or intelligence purposes as provided in §164.512(k)(2); § 164.528(a)(1)(vi)] | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. § 164.524(a)(2)(ii) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; § 164.524(a)(3)(i) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person. § 164.524(a)(3)(iii)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or § 164.524(a)(3)(ii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To individuals of protected health information about them as provided in §164.502; § 164.528(a)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: That occurred prior to the compliance date for the covered entity. § 164.528(a)(1)(ix)] | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research. § 164.524(a)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in §164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required. § 164.528(a)(2)(i) {spoken communication}{impede}{health oversight agency}{law enforcement}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and § 164.528(a)(2)(ii)(B) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To correctional institutions or law enforcement officials as provided in §164.512(k)(5); § 164.528(a)(1)(vii)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. § 164.524(a)(2)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in §164.502; § 164.528(a)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{protected health information}{written form} If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section. § 164.524(b)(2)(i)(B) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: The basis for the denial; § 164.524(d)(2)(i)] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 [{protected health information} Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: § 164.524(a)(3) {protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) {access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i)] | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 [The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access. § 164.524(c)(3)(i) {protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for access. § 164.524(b)(2)(ii)(B) {stipulated time frame}{spoken communication}{accounting of disclosures}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time. § 164.528(a)(2)(ii)(C) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an accounting. § 164.528(c)(1)(ii)(B)] | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{request for access}{protected health information} If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: § 164.524(b)(2)(ii) {protected health information}{accounting of disclosures}The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: § 164.528(c)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: § 164.524(c)(4) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2)] | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(i)] | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 [The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to such a summary or explanation; and § 164.524(c)(2)(iii)(A) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [{protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) {Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 [{protected health information}{disclosure}{use} Plain language requirement. The authorization must be written in plain language. § 164.508(c)(3) Plain language requirement. The attestation must be written in plain language. § 164.509(c)(2)] | Privacy protection for information and data | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i)] | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Privacy protection for information and data | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
| Validate the business need for maintaining collected restricted data. CC ID 17090 | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 [{incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii) {incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: § 164.514(c) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1)] | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 [{refrain from deriving}{protected health information}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and § 164.514(c)(1)] | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 [{protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and § 164.502(d)(2)(i)] | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part. § 164.530(d)(1)] | Privacy protection for information and data | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [Implementation specification: Actions on notices of amendment. A covered entity that is informed by another covered entity of an amendment to an individual's protected health information, in accordance with paragraph (c)(3) of this section, must amend the protected health information in designated record sets as provided by paragraph (c)(1) of this section. § 164.526(e) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment. § 164.526(c)(1) If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (c)(1) and (2) of this section. § 164.526(b)(2)(i)(A)] | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2)] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 [{stipulated time frame}{protected health information} The covered entity must act on the individual's request for an amendment no later than 60 days after receipt of such a request, as follows. § 164.526(b)(2)(i)] | Privacy protection for information and data | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Corrective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
| Keep restricted data up-to-date and valid. CC ID 00091 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F)] | Privacy protection for information and data | Preventive | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Operational and Systems Continuity | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. § 164.530(a)(1)(i)] | Human Resources management | Preventive | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
| Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
| Assign the role of data custodian to applicable controls. CC ID 04789 [{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals. § 164.528(d)(3)] | Human Resources management | Preventive | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Preventive | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [{not been destroyed} Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. § 164.312(c)(2)] | Records management | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C) A covered entity or business associate that uses or discloses protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), in reliance on an attestation that is defective under paragraph (b)(2) of this section, is not in compliance with this section. § 164.509(a)(2)] | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Implement the implementation specification if reasonable and appropriate; or § 164.306(d)(3)(ii)(A) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications. § 164.306(d)(2) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii)] | Leadership and high level objectives | Preventive | |
| Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Leadership and high level objectives | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 [{Notice of Privacy Practices} Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published. § 164.520(b)(1)(viii) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change is effective only with respect to protected health information created or received after the effective date of the notice. § 164.530(i)(4)(ii)(B)] | Leadership and high level objectives | Preventive | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Preventive | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Preventive | |
| Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{put in place} Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). § 164.314(a)(2)(ii) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110); § 164.512(i)(2)(iv)(A)] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and § 164.316(b)(1)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii) A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section. § 164.530(i)(5)(ii) {written form}A covered entity must: Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form; § 164.530(j)(1)(i)] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; § 164.530(i)(4)(i)(A) {Notice of Privacy Practices}A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and § 164.530(i)(5)(i)] | Leadership and high level objectives | Preventive | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{not be suitable}{reason}If implementing the implementation specification is not reasonable and appropriate— Document why it would not be reasonable and appropriate to implement the implementation specification; and § 164.306(d)(3)(ii)(B)$(1) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Leadership and high level objectives | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{not be suitable}If implementing the implementation specification is not reasonable and appropriate— Implement an equivalent alternative measure if reasonable and appropriate. § 164.306(d)(3)(ii)(B)$(2)] | Leadership and high level objectives | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any. § 164.530(e)(2)] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 164.308(a)(1)(ii)(B)] | Audits and risk management | Preventive | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Preventive | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Preventive | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
| Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
| Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
| Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
| Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
| Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
| Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
| Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
| Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
| Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
| Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
| Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
| Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
| Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
| Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
| Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
| Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Preventive | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
| Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
| Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
| Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
| Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
| Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [A covered entity must identify: Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and § 164.514(d)(2)(i)(A)] | Technical security | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 | Technical security | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(4) Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(2) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Technical security | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 [Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative, provided that the conditions at paragraphs (g)(5)(i) and (ii) of this section are met: § 164.502(g)(5)] | Technical security | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 [Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 164.312(d)] | Technical security | Preventive | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). § 164.312(a)(1) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. § 164.308(a)(4)(ii)(A) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 164.308(a)(4)(ii)(C)] | Technical security | Preventive | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Technical security | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Technical security | Preventive | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Technical security | Preventive | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Preventive | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. § 164.308(a)(4)(ii)(B)] | Technical security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 [The plan documents must: Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description; § 164.504(f)(2)(iii)(A)] | Technical security | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Technical security | Preventive | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Technical security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{improper destruction} Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 164.312(c)(1) {refrain from modifying} Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. § 164.312(e)(2)(i)] | Technical security | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 164.312(e)(1)] | Technical security | Preventive | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Preventive | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 | Technical security | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Preventive | |
| Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Preventive | |
| Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Preventive | |
| Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Technical security | Preventive | |
| Include communication requirements in the information exchange procedures. CC ID 17026 | Technical security | Preventive | |
| Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Preventive | |
| Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Preventive | |
| Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Preventive | |
| Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Preventive | |
| Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Preventive | |
| Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Preventive | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Corrective | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. § 164.312(a)(2)(iv)] | Technical security | Preventive | |
| Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Preventive | |
| Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Implement: Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. § 164.308(a)(5)(ii)(B)] | Technical security | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Corrective | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 164.310(a)(1)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Preventive | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Preventive | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 164.310(a)(2)(ii)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 [Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. § 164.310(a)(2)(iii)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Preventive | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Preventive | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Preventive | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 [Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 164.308(a)(7)(i)] | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Preventive | |
| Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Preventive | |
| Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Preventive | |
| Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Preventive | |
| Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Preventive | |
| Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Preventive | |
| Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Preventive | |
| Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Preventive | |
| Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Preventive | |
| Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Preventive | |
| Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Preventive | |
| Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Preventive | |
| Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Preventive | |
| Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Preventive | |
| Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Preventive | |
| Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Preventive | |
| Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Preventive | |
| Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Preventive | |
| Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
| Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Preventive | |
| Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
| Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Preventive | |
| Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Operational and Systems Continuity | Preventive | |
| Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Preventive | |
| Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
| Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Preventive | |
| Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
| Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
| Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Preventive | |
| Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Preventive | |
| Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Preventive | |
| Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Preventive | |
| Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. § 164.308(a)(7)(ii)(C)] | Operational and Systems Continuity | Preventive | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Preventive | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Preventive | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. § 164.308(a)(7)(ii)(B)] | Operational and Systems Continuity | Preventive | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Preventive | |
| Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Preventive | |
| Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Preventive | |
| Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Preventive | |
| Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Preventive | |
| Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Preventive | |
| Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Preventive | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Preventive | |
| Define and prioritize critical business functions. CC ID 00736 [Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. § 164.308(a)(7)(ii)(E)] | Operational and Systems Continuity | Detective | |
| Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Preventive | |
| Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Preventive | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Detective | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Detective | |
| Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Preventive | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Preventive | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Preventive | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Preventive | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Preventive | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Preventive | |
| Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Preventive | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Preventive | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Preventive | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Preventive | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Detective | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Preventive | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Preventive | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Preventive | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Preventive | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Preventive | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Detective | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
| Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Preventive | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Preventive | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Preventive | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Operational and Systems Continuity | Preventive | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Preventive | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Preventive | |
| Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Preventive | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
| Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Operational and Systems Continuity | Preventive | |
| Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity test plan. CC ID 04896 [Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. § 164.308(a)(7)(ii)(D)] | Operational and Systems Continuity | Preventive | |
| Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Preventive | |
| Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Preventive | |
| Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Preventive | |
| Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Preventive | |
| Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Preventive | |
| Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Preventive | |
| Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Preventive | |
| Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Preventive | |
| Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Preventive | |
| Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Preventive | |
| Include the risk assessment results in the continuity test plan. CC ID 17205 | Operational and Systems Continuity | Preventive | |
| Include the business impact analysis test results in the continuity test plan CC ID 17204 | Operational and Systems Continuity | Preventive | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. § 164.308(a)(3)(ii)(A)] | Human Resources management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Preventive | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Preventive | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Preventive | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Preventive | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Preventive | |
| Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Preventive | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Preventive | |
| Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Preventive | |
| Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Preventive | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Preventive | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Preventive | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
| Document all training in a training record. CC ID 01423 [A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. § 164.530(b)(2)(ii)] | Human Resources management | Detective | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 [{stipulated time frame}A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce by no later than the compliance date for the covered entity; § 164.530(b)(2)(i)(A)] | Human Resources management | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). § 164.308(a)(5)(i)] | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. § 164.530(i)(2)(i)] | Operational management | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
| Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 [Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. § 164.308(a)(1)(i)] | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Preventive | |
| Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
| Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Operational management | Preventive | |
| Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
| Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
| Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
| Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
| Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
| Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
| Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Preventive | |
| Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
| Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
| Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
| Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
| Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
| Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
| Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
| Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
| Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
| Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
| Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
| Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
| Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
| Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
| Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
| Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
| Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
| Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [{requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv)] | Operational management | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Operational management | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 [{person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B)] | Operational management | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; § 164.514(e)(4)(ii)(C)(3)] | Operational management | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Operational management | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; § 164.514(e)(4)(ii)(C)(2)] | Operational management | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 [{refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Operational management | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and § 164.514(e)(4)(ii)(C)(4)] | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Covered entities and business associates must do the following: Ensure compliance with this subpart by its workforce. § 164.306(a)(4) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed. § 164.504(g)(1) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law. § 164.512(a)(2) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. § 164.414(a) Standard: minimum necessary requirements. In order to comply with §164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information. § 164.514(d)(1) {refrain from disclosing}{refrain from using} Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. § 164.502(f) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §§164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information. § 164.306(c) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement; § 164.520(d)(1) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: § 164.530(i)(4)(ii) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with §164.504(f). § 164.530(k)(2)] | Operational management | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Operational management | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 [Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). § 164.310(a)(2)(iv)] | Operational management | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
| Share data loss event information with interconnected system owners. CC ID 01209 [{breach notification} A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under §164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. § 164.410(c)(2)] | Operational management | Corrective | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, :#CBD0E5;" class="term_secondary-verb">including the identity of the official making the statement, and color:#CBD0E5;" class="term_secondary-verb">delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b)] | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 [{breach notification}{media} Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of §164.404(c). § 164.406(c)] | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 [{breach notification} Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language. § 164.404(c)(2)] | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); § 164.404(c)(1)(B)] | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 [{covered entity}{breach notification} The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, style="background-color:#CBD0E5;" class="term_secondary-verb">accessed, acquired, ckground-color:#CBD0E5;" class="term_secondary-verb">used, or disclosed during the breach. § 164.410(c)(1)] | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Any steps individuals should take to protect themselves from potential harm resulting from the breach; § 164.404(c)(1)(C)] | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. § 164.404(c)(1)(E)] | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 [{breach notification}{stipulated time frame}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: y-verb">Include> a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. § 164.404(d)(2)(ii)(B)] | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 [Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. § 164.310(a)(2)(i) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 164.312(a)(2)(ii)] | Operational management | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Create an incident response report. CC ID 12700 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Preventive | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Preventive | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Preventive | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Preventive | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Preventive | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Preventive | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Preventive | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Preventive | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Preventive | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Preventive | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Preventive | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Preventive | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Preventive | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Preventive | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Preventive | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Preventive | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Preventive | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Preventive | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Preventive | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Preventive | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Preventive | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Preventive | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Preventive | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Preventive | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Preventive | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Preventive | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Preventive | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Preventive | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Preventive | |
| Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a)] | Operational management | Preventive | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 [A covered entity or business associate must, in accordance with §164.306: Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. § 164.316(b)(2)(iii)] | Operational management | Preventive | |
| Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
| Identify alleged violations of law, regulations, or policy/guidance on the subpoena, as necessary. CC ID 14856 | Operational management | Detective | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 [Implement: Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. § 164.308(a)(5)(ii)(D)] | System hardening through configuration management | Preventive | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Preventive | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Preventive | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Preventive | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Preventive | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Records management | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 [A covered entity must: Maintain documentation sufficient to meet its burden of proof under §164.414(b). § 164.530(j)(1)(iv)] | Records management | Preventive | |
| Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Preventive | |
| Establish, implement, and maintain authorization records. CC ID 14367 [Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: An Institutional Review Board (IRB), established in accordance with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or § 164.512(i)(1)(i)(A) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Records management | Preventive | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
| Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Preventive | |
| Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Preventive | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
| Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Preventive | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
| Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Preventive | |
| Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
| Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Preventive | |
| Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Preventive | |
| Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Detective | |
| Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Preventive | |
| Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Detective | |
| Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Preventive | |
| Assign ownership for all electronic records. CC ID 14814 | Records management | Preventive | |
| Attribute electronic records, as necessary. CC ID 14820 | Records management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. § 164.306(a)(1) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Privacy protection for information and data | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and § 164.520(d)(2) {Notice of Privacy Practices}{reserve}{right}{change}{term} For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section. § 164.520(b)(2)(ii) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Maintain a notice under this section; and § 164.520(a)(3)(ii)(A) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Privacy protection for information and data | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 [{Notice of Privacy Practices} Header. The notice must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." § 164.520(b)(1)(i) {Notice of Privacy Practices}The notice must contain: A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations. § 164.520(b)(1)(ii)(A) {privacy notice} The notice must contain: If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter. § 164.520(b)(1)(ii)(C)] | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 [{privacy notice} The notice must contain: For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2. § 164.520(b)(1)(ii)(D)] | Privacy protection for information and data | Preventive | |
| Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [{Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii) {Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii)] | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 [{privacy notice} {substance use disorder treatment} {refrain from receiving} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications. § 164.520(b)(1)(iii)(E)] | Privacy protection for information and data | Preventive | |
| Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509. § 164.520(b)(1)(ii)(G)] | Privacy protection for information and data | Preventive | |
| Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. § 164.520(b)(1)(ii)(F) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes; § 164.520(b)(1)(iii)(C)] | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; § 164.520(b)(1)(iii)(B)] | Privacy protection for information and data | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to inspect and copy protected health information as provided by §164.524; § 164.520(b)(1)(iv)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to amend protected health information as provided by §164.526; § 164.520(b)(1)(iv)(D) When a covered entity changes a privacy practice that is stated in the notice described in §164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with §164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or § 164.530(i)(2)(ii) {Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 [{Notice of Privacy Practices} In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by §164.512(j)(1)(i). § 164.520(b)(2)(i)] | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 [{Notice of Privacy Practices}{without authorization}The notice must contain: A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written authorization. § 164.520(b)(1)(ii)(B)] | Privacy protection for information and data | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [{privacy notice} The notice must contain: A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart § 164.520(b)(1)(ii)(H)] | Privacy protection for information and data | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 [{Notice of Privacy Practices}{stipulated time frame} No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice. § 164.520(c)(1)(ii) {Notice of Privacy Practices}{time requirement}Provide the notice: No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or § 164.520(c)(2)(i)(A)] | Privacy protection for information and data | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 [{Notice of privacy practices} Implementation specifications: Joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: § 164.520(d)] | Privacy protection for information and data | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Privacy protection for information and data | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 [{privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Privacy protection for information and data | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [{access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. § 164.508(c)(4)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements. § 164.524(c) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and § 164.514(d)(4)(iii)(A) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) A covered entity must document the following and retain the documentation as required by §164.530(j): The designated record sets that are subject to access by individuals; and § 164.524(e)(1)] | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [{privacy notice} {types} {use} {disclosure} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: § 164.520(b)(1)(iii) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(f)(2)(ii)(G)] | Privacy protection for information and data | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) {stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief description of the protected health information disclosed; and § 164.528(b)(2)(iii) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period; § 164.528(b)(3)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A brief description of the type of protected health information that was disclosed; § 164.528(b)(4)(i)(C) {accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section; § 164.528(d)(1)] | Privacy protection for information and data | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The date of the disclosure; § 164.528(b)(2)(i) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Privacy protection for information and data | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The name of the entity or person who received the protected health information and, if known, the address of such entity or person; § 164.528(b)(2)(ii) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Privacy protection for information and data | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Privacy protection for information and data | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 [If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The frequency, periodicity, or number of the disclosures made during the accounting period; and § 164.528(b)(3)(ii)] | Privacy protection for information and data | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 [{final date}If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The date of the last such disclosure during the accounting period. § 164.528(b)(3)(iii) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Privacy protection for information and data | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 [{refrain from disclosing}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity. § 164.528(b)(4)(i)(F) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name of the protocol or other research activity; § 164.528(b)(4)(i)(A) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Privacy protection for information and data | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Document the policy or procedure, as revised, as required by paragraph (j) of this section; and § 164.530(i)(4)(i)(B)] | Privacy protection for information and data | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and § 164.520(d)(2)(ii) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request. § 164.520(b)(1)(iv)(F) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies; § 164.520(d)(2)(i) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. § 164.520(d)(2)(iii) {Notice of privacy practices}Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive confidential communications of protected health information as provided by §164.522(b), as applicable; § 164.520(b)(1)(iv)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Privacy protection for information and data | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi)] | Privacy protection for information and data | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 [{Notice of Privacy Practices} A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site. § 164.520(c)(3)(i) {Notice of Privacy Practices}{make available}If the covered health care provider maintains a physical service delivery site: Have the notice available at the service delivery site for individuals to request to take with them; and § 164.520(c)(2)(iii)(A) {Notice of Privacy Practices}If the covered health care provider maintains a physical service delivery site: Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and § 164.520(c)(2)(iii)(B)] | Privacy protection for information and data | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
| Date the data subject's consent. CC ID 17233 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of: § 164.508(a)(3)(i) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. § 164.508(b)(4)(iii) {Notice of privacy practices}{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity's notice. § 164.508(c)(2)(i)(B) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. § 164.508(c)(1)(ii)] | Privacy protection for information and data | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{use}{disclosure}{protected health information} Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that: § 164.508(b)(5) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The individual's right to revoke the authorization in writing, and either: § 164.508(c)(2)(i) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E)] | Privacy protection for information and data | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 [{protected health information}{disclosure recipient}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. § 164.508(c)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 [{protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Privacy protection for information and data | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 [{protected health information}{sale} Such authorization must state that the disclosure will result in remuneration to the covered entity. § 164.508(a)(4)(ii) {use}{disclosure}{protected health information} If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at §164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved. § 164.508(a)(3)(ii) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. § 164.508(c)(2)(iii) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. § 164.508(c)(1)(iv) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. § 164.508(c)(1)(i)] | Privacy protection for information and data | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 [Core elements. A valid authorization under this section must contain at least the following elements: An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. § 164.508(c)(1)(v)] | Privacy protection for information and data | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 [For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. § 164.514(d)(3)(i)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2) Except pursuant to and in compliance with §164.508(a)(4), a covered entity or business associate may not sell protected health information. § 164.502(a)(5)(ii)(A) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section. § 164.512(b)(2)] | Privacy protection for information and data | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 [{unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. § 164.308(a)(3)(ii)(B) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 164.308(a)(4)(i) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of §164.522(b) in communicating protected health information. § 164.502(h) Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information in accordance with §164.524; § 164.504(f)(2)(ii)(E) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: § 164.524(a)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities. § 164.514(d)(4)(i) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made. § 164.514(d)(4)(ii)] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [{written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {be in writing} A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing. § 164.522(b)(2)(i)] | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 [{confidential communication} A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual. § 164.522(b)(2)(iv) {representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii)] | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access. § 164.524(c)(1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access. § 164.524(d)(1)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. § 164.526(a)(1) {be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {stipulated time frame}{protected health information} If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: § 164.526(b)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i)] | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i)] | Privacy protection for information and data | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 [A group health plan may: Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph; § 164.504(f)(3)(ii) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) {refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section. § 164.512(d)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {employment purpose}Implementation specifications: Uses and disclosures. A group health plan may: Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor. § 164.504(f)(3)(iv) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable. § 164.512(i)(2)(v) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i)] | Privacy protection for information and data | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h) {refrain from removing}Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: No protected health information is to be removed from the covered entity by the researcher in the course of the review; and § 164.512(i)(1)(ii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: § 164.512(i)(2)(iv) {refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without access to and use of the protected health information. § 164.512(i)(2)(ii)(C) {protected health information}{refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without the waiver or alteration; and § 164.512(i)(2)(ii)(B)] | Privacy protection for information and data | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 [{refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1)] | Privacy protection for information and data | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: § 164.508(b)(3) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph (i)(2)(ii)(C) of this section; § 164.512(i)(2)(iii) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: The name of any individual(s) whose protected health information is sought, if practicable. § 164.509(c)(1)(i)(A) {be impracticable} A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought. § 164.509(c)(1)(i)(B) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. § 164.509(c)(1)(ii) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure. § 164.509(c)(1)(iii) A valid attestation under this section must contain the following elements: A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii). § 164.509(c)(1)(iv) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: § 164.509(c)(1)(i) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person. § 164.509(c)(1)(v)] | Privacy protection for information and data | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A)] | Privacy protection for information and data | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and § 164.512(i)(2)(ii)(A)(2) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Privacy protection for information and data | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart. § 164.514(h)(1)(ii) If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (d)(1)(iii) of this section. § 164.526(d)(5)(ii) {request}{denial}{amendment} If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with paragraph (d)(4) of this section, or, at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates. § 164.526(d)(5)(i)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Psychotherapy notes; and § 164.524(a)(1)(i) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: As part of a limited data set in accordance with §164.514(e); or § 164.528(a)(1)(viii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Pursuant to an authorization as provided in §164.508; § 164.528(a)(1)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To carry out treatment, payment and health care operations as provided in §164.506; § 164.528(a)(1)(i) The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and § 164.526(d)(1)(iii)] | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Preventive | |
| Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and § 164.514(d)(3)(ii)(A) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Corrective | |
| Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Privacy protection for information and data | Preventive | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [{protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520. § 164.530(a)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{protected health information}{be permissible}If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an amendment. § 164.526(b)(2)(ii)(B)] | Privacy protection for information and data | Preventive | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 [A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is not part of the designated record set; § 164.526(a)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i) {be complete}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is accurate and complete. § 164.526(a)(2)(iv) {is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Would not be available for inspection under §164.524; or § 164.526(a)(2)(iii)] | Privacy protection for information and data | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [{protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2) {written form} Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement. § 164.526(d)(3)] | Privacy protection for information and data | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Privacy protection for information and data | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Detective | |
| Define the organization's liability based on the applicable law. CC ID 00504 [Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402. § 164.414(b)] | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
| Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Preventive | |
| Establish, implement, and maintain general sentence structure guidelines. CC ID 06131 | Harmonization Methods and Manual of Style | Preventive | |
| Use brevity of language. CC ID 06137 [{written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1)] | Harmonization Methods and Manual of Style | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be permissible}{business associate contract} The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. § 164.504(e)(3)(iii) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. § 164.504(e)(2)(i)(B)] | Third Party and supply chain oversight | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
| Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
| Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
| Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Business associate contracts. The contract must provide that the business associate will— Comply with the applicable requirements of this subpart; § 164.314(a)(2)(i)(A) {business associate contract} The contract or other arrangement required by §164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable. § 164.504(e)(1)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. § 164.504(e)(2)(ii)(H) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. § 164.410(a)(1) Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Report to the group health plan any security incident of which it becomes aware. § 164.314(b)(2)(iv) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware; § 164.504(f)(2)(ii)(D) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Third Party and supply chain oversight | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information. § 164.308(b)(2) {be the same} Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by §164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.314(a)(2)(iii) Business associate contracts. The contract must provide that the business associate will— In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and § 164.314(a)(2)(i)(B) {business associate contract}Provide that the business associate will: In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; § 164.504(e)(2)(ii)(D) {business associate contract}{remain confidential}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and § 164.504(e)(4)(ii)(B)(1) {business associate contract}{disclosure recipient}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. § 164.504(e)(4)(ii)(B)(2) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. § 164.502(e)(1)(ii) {be equal} Implementation specifications: Business associate contracts with subcontractors. The requirements of §164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by §164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.504(e)(5) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Third Party and supply chain oversight | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 [{business associate contract} Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. § 164.504(e)(2)(iii)] | Third Party and supply chain oversight | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: To carry out the legal responsibilities of the business associate. § 164.504(e)(4)(i)(B) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: For the proper management and administration of the business associate; or § 164.504(e)(4)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A)] | Third Party and supply chain oversight | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 [{workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B) {workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B)] | Technical security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Preventive | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [{be responsible}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for access by individuals. § 164.524(e)(2) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Human Resources management | Preventive | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Preventive | |
| Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Preventive | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Preventive | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Preventive | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Preventive | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Preventive | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Preventive | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Preventive | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Preventive | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Preventive | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Preventive | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Preventive | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Preventive | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Preventive | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 [Implementation specification: Personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section. § 164.530(a)(2)] | Human Resources management | Preventive | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Preventive | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Preventive | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Corrective | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Preventive | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Detective | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources management | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 164.308(a)(2)] | Operational management | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
| Conduct official proceedings, as necessary. CC ID 13836 | Operational management | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications. § 164.514(f)(2)(iii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Detective | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
| Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Detective | |
| Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Detective | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Detective | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Detective | |
| Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Detective | |
| Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Detective | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
| Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Detective | |
| Identify deviations in cost management procedures. CC ID 13640 | Operational management | Detective | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(b)] | Monitoring and measurement | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Implement: Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)] | Monitoring and measurement | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)] | Monitoring and measurement | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Preventive | |
| Include the user's location in the system record. CC ID 16996 | Technical security | Preventive | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
| Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Preventive | |
| Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Preventive | |
| Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Preventive | |
| Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Preventive | |
| Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Preventive | |
| Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Preventive | |
| Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Preventive | |
| Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
| Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Preventive | |
| Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
| Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Preventive | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Records management | Preventive | |
| Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Maintenance | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Detective | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
| Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Detective | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Detective | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
| Monitor the location of distributed assets. CC ID 11684 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Physical and environmental protection | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Corrective | |
| Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Detective | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
| Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Detective | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Detective | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Detective | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Preventive | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Preventive | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Preventive | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Preventive | |
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 164.310(c)] | Physical and environmental protection | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
| Restrict physical access to distributed assets. CC ID 11865 | Physical and environmental protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and environmental protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Preventive | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Preventive | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Detective | |
| Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Preventive | |
| Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Preventive | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Preventive | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Preventive | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Preventive | |
| Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Preventive | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Preventive | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Preventive | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Detective | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Preventive | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Preventive | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Detective | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Preventive | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Preventive | |
| Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Preventive | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Preventive | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Preventive | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Preventive | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Preventive | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Preventive | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Preventive | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Preventive | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Preventive | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Preventive | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Preventive | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Preventive | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Preventive | |
| Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Preventive | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Preventive | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Preventive | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Preventive | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Preventive | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Preventive | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Preventive | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Preventive | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Preventive | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Preventive | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Preventive | |
| Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Preventive | |
| Implement redundancy in life-safety systems. CC ID 02228 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Corrective | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
| Correct compliance violations. CC ID 13515 [{employee}The plan documents must: Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph. § 164.504(f)(2)(iii)(C) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Preventive | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
| Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 [Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is in writing, the request is on the appropriate government letterhead; or § 164.514(h)(2)(ii)(B) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status; § 164.514(h)(2)(ii)(A) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official. § 164.514(h)(2)(ii)(C) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority. § 164.514(h)(2)(iii)(B) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; § 164.514(h)(2)(iii)(A)] | Technical security | Preventive | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Detective | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Preventive | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Preventive | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
| Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
| Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Preventive | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Corrective | |
| Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. § 164.306(b)(2)(ii)] | Operational management | Preventive | |
| Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
| Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
| Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
| Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
| Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
| Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
| Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
| Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
| Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
| Conduct hearings, as necessary. CC ID 13016 | Operational management | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
| Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
| Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
| Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
| Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Detective | |
| Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Detective | |
| Process restricted information in a secure environment. CC ID 13058 | Records management | Preventive | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Detective | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{make available}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart; § 164.504(f)(2)(ii)(H)] | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B)] | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in §164.510; § 164.528(a)(1)(v)] | Privacy protection for information and data | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{business associate contract} Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). § 164.308(b)(3) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e). § 164.502(e)(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}{requirement}If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. § 164.314(a)(1)] | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Preventive | |
| Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Preventive | |
| Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
| Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Detective | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 [{stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall rb">maintainn> a log> or other background-color:#F0BBBC;" class="term_primary-noun">documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Operational management | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [A covered entity or business associate must, in accordance with §164.306: Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(b)(2)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by §164.530(j): § 164.524(e) {protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) {stipulated time frame} Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.530(j)(2) {written form}{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The written accounting that is provided to the individual under this section; and § 164.528(d)(2) A covered entity must: If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and § 164.530(j)(1)(ii) A covered entity must: If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation. § 164.530(j)(1)(iii)] | Records management | Preventive | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Preventive | |
| Manage the disposition status for all records. CC ID 00972 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Records management | Preventive | |
| Establish, implement, and maintain file naming conventions. CC ID 16971 | Records management | Preventive | |
| Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Detective | |
| Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Detective | |
| Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Detective | |
| Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Preventive | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 164.316(b)(1)(ii) {use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclose}{use}{protected health information} Implementation specification: Documentation. A covered entity must document a restriction in accordance with §160.530(j) of this subchapter. § 164.522(a)(3) Recordkeeping. The covered entity must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, if any, and the covered entity's rebuttal, if any, to the designated record set. § 164.526(d)(4) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A)] | Records management | Detective | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
| Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive | |
| Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Preventive | |
| Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
| Establish and maintain access controls for all records. CC ID 00371 | Records management | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. § 164.310(d)(2)(iv)] | Records management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
| Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Preventive | |
| Review and approve output exceptions. CC ID 06625 | Records management | Preventive | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Preventive | |
| Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Preventive | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Preventive | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 [{use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii)] | Privacy protection for information and data | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i)] | Privacy protection for information and data | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 [Conditions on disclosures. If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements. § 164.514(h)(2)(i)] | Privacy protection for information and data | Preventive | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue. § 164.512(f)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Preventive | |
| Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Detective | |
| Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Preventive | |
| Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
| Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Preventive | |
| Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Corrective | |
| Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Detective | |
| Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Corrective | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
| Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
| Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
| Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Detective | |
| Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
| Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Preventive | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. § 164.308(a)(7)(ii)(A)] | Operational and Systems Continuity | Preventive | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Detective | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Preventive | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Preventive | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Preventive | |
| Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Preventive | |
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
| Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Preventive | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Monitoring and measurement | Detective | |
| Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
| Identify information system users. CC ID 12081 | Technical security | Detective | |
| Review user accounts. CC ID 00525 | Technical security | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Detective | |
| Review shared accounts. CC ID 11840 | Technical security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Control user privileges. CC ID 11665 [The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Technical security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Preventive | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
| Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Preventive | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Preventive | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Preventive | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Detective | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Preventive | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Corrective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Preventive | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. § 164.308(a)(3)(ii)(C)] | Human Resources management | Corrective | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Preventive | |
| Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Preventive | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Preventive | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 [{electronic protected health information} {are not required} Covered entities and business associates must do the following: Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. § 164.306(a)(3) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. § 164.306(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 164.314(b)(1) {electronic protected health information} Covered entities and business associates must do the following: le="background-color:#B7D8ED;" class="term_primary-verb">Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. § 164.306(a)(2)] | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. § 164.308(a)(1)(ii)(A)] | Audits and risk management | Preventive | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Detective | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Employ unique identifiers. CC ID 01273 [Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. § 164.312(a)(2)(i)] | Technical security | Detective | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Detective | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Technical security | Detective | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
| Test the information exchange procedures. CC ID 17115 | Technical security | Preventive | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
| Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Detective | |
| Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Detective | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Detective | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Detective | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Detective | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Detective | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Corrective | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Detective | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Detective | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
| Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Detective | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Detective | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
| Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) Must refrain from intimidation and retaliation as provided in §160.316 of this subchapter. § 164.530(g)(2) {external requirement} May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and § 164.530(g)(1)] | Privacy protection for information and data | Detective | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.308(b)(1) {electronic protected health information}Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and § 164.314(b)(2)(iii) {business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.502(e)(1)(i)] | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(B) {disclosure recipient}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information; § 164.504(f)(2)(ii)(B)] | Third Party and supply chain oversight | Detective | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B)] | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
| Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
| Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
| Include risk management in the security awareness program. CC ID 13040 | Human Resources management | Preventive | |
| Conduct personal data processing training. CC ID 13757 [Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. § 164.530(b)(1)] | Human Resources management | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
| Include cloud security in the security awareness program. CC ID 13039 | Human Resources management | Preventive | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Implement: Security reminders (Addressable). Periodic security updates. § 164.308(a)(5)(ii)(A)] | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 [{employee}The plan documents must: Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph. § 164.504(f)(2)(iii)(C) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Monitoring and measurement | Process or Activity | |
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Establish/Maintain Documentation | |
| Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Behavior | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Technical Security | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Establish/Maintain Documentation | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Establish/Maintain Documentation | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Technical Security | |
| Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Systems Continuity | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Systems Continuity | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
| Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Process or Activity | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Testing | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Communicate | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Technical Security | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. § 164.308(a)(3)(ii)(C)] | Human Resources management | Technical Security | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Data and Information Management | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Human Resources Management | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. § 164.308(a)(1)(ii)(C) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of §164.502(j) or paragraph (g)(2) of this section. § 164.530(e)(1)] | Human Resources management | Behavior | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
| Share data loss event information with interconnected system owners. CC ID 01209 [{breach notification} A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under §164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. § 164.410(c)(2)] | Operational management | Establish/Maintain Documentation | |
| Report data loss event information to breach notification organizations. CC ID 01210 [{relevant authority} Standard. A covered entity shall, following the discovery of a breach of unsecured protected health informationpan> as provided in §164.404(a)(2), notify the Secretary. § 164.408(a)] | Operational management | Data and Information Management | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. § 164.404(a)(1) {breach notification}{Secretary}{individual}{at the same time} Implementation specifications: Breaches involving 500 or more individuals. For breaches of erb">;" class="term_primary-noun">unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by §164.404(a) and in the manner specified on the HHS Web site. § 164.408(b) {stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b) {breach notification}If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or § 164.412(a)] | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under §164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(ii) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 [{be out-of-date}{breach notification} In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. § 164.404(d)(2)(i) {breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii). § 164.404(d)(2)] | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section. § 164.404(d)(3)] | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 [{breach notification} Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in §164.404(a)(2), notifyn> style="background-color:#F0BBBC;" class="term_primary-noun">prominent media outlets serving the State or jurisdiction. § 164.406(a)] | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 [{breach notification}The notification required by paragraph (a) of this section shall be provided in the following form: Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. § 164.404(d)(1)(i)] | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 [Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. § 164.310(a)(2)(i) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. § 164.312(a)(2)(ii)] | Operational management | Establish/Maintain Documentation | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
| Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
| Issue subpoenas, as necessary. CC ID 14350 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Operational management | Communicate | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
| Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Data and Information Management | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 [{refrain from receiving} A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section. § 164.514(f)(2)(iv)] | Privacy protection for information and data | Communicate | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Communicate | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 [Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part. § 164.530(d)(1)] | Privacy protection for information and data | Data and Information Management | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [{amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv)] | Privacy protection for information and data | Behavior | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [Implementation specification: Actions on notices of amendment. A covered entity that is informed by another covered entity of an amendment to an individual's protected health information, in accordance with paragraph (c)(3) of this section, must amend the protected health information in designated record sets as provided by paragraph (c)(1) of this section. § 164.526(e) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment. § 164.526(c)(1) If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (c)(1) and (2) of this section. § 164.526(b)(2)(i)(A)] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2)] | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 [{written form} If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d)(1) of this section. § 164.526(b)(2)(i)(B) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The basis for the denial, in accordance with paragraph (a)(2) of this section; § 164.526(d)(1)(i) {written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Privacy protection for information and data | Behavior | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [{protected health information} Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section. § 164.526(c)(2) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons identified by the individual as having received protected health information about the individual and needing the amendment; and § 164.526(c)(3)(i) The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to: Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual. § 164.526(c)(3)(ii)] | Privacy protection for information and data | Behavior | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Behavior | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Data and Information Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{not be suitable}{reason}If implementing the implementation specification is not reasonable and appropriate— Document why it would not be reasonable and appropriate to implement the implementation specification; and § 164.306(d)(3)(ii)(B)$(1) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Implement: Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)] | Monitoring and measurement | Log Management | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)] | Monitoring and measurement | Log Management | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Monitoring and measurement | Technical Security | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
| Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Audits and risk management | Audits and Risk Management | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Testing | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
| Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Process or Activity | |
| Identify information system users. CC ID 12081 | Technical security | Technical Security | |
| Review user accounts. CC ID 00525 | Technical security | Technical Security | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Configuration | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Technical Security | |
| Review shared accounts. CC ID 11840 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
| Employ unique identifiers. CC ID 01273 [Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. § 164.312(a)(2)(i)] | Technical security | Testing | |
| Authenticate user identities before unlocking an account. CC ID 11837 | Technical security | Testing | |
| Authenticate user identities before manually resetting an authenticator. CC ID 04567 | Technical security | Testing | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Technical Security | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Investigate | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Testing | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Monitor and Evaluate Occurrences | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Technical Security | |
| Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Audits and Risk Management | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Investigate | |
| Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Investigate | |
| Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Data and Information Management | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor the location of distributed assets. CC ID 11684 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Investigate | |
| Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Physical and Environmental Protection | |
| Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Physical and Environmental Protection | |
| Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Physical and Environmental Protection | |
| Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Testing | |
| Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Investigate | |
| Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Investigate | |
| Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Testing | |
| Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Systems Continuity | |
| Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
| Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Systems Continuity | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Systems Continuity | |
| Define and prioritize critical business functions. CC ID 00736 [Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. § 164.308(a)(7)(ii)(E)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Records Management | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Testing | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Testing | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Testing | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Data and Information Management | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Testing | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Systems Continuity | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Operational and Systems Continuity | Testing | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Testing | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Testing | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Testing | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Business Processes | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Testing | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Monitor and Evaluate Occurrences | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Human Resources Management | |
| Document all training in a training record. CC ID 01423 [A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section. § 164.530(b)(2)(ii)] | Human Resources management | Establish/Maintain Documentation | |
| Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Testing | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
| Review the relevance of information supporting internal controls. CC ID 12420 [{be reasonable}{be appropriate} Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and § 164.306(d)(3)(i)] | Operational management | Business Processes | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
| Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
| Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Process or Activity | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
| Respond to and triage when an incident is detected. CC ID 06942 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Monitor and Evaluate Occurrences | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Establish/Maintain Documentation | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 [{breach notification}{media} Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of §164.404(c). § 164.406(c)] | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Any steps individuals should take to protect themselves from potential harm resulting from the breach; § 164.404(c)(1)(C)] | Operational management | Establish/Maintain Documentation | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
| Establish, implement, and maintain cost management procedures. CC ID 00873 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The costs of security measures. § 164.306(b)(2)(iii)] | Operational management | Business Processes | |
| Perform an impact assessment of any deviations found in the cost management procedures. CC ID 13641 | Operational management | Investigate | |
| Identify deviations in cost management procedures. CC ID 13640 | Operational management | Investigate | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
| Conduct hearings, as necessary. CC ID 13016 | Operational management | Process or Activity | |
| Include a description of the documents to be produced for the hearing on the subpoena. CC ID 14358 | Operational management | Communicate | |
| Include the subject matter for the testimony on the subpoena. CC ID 14356 | Operational management | Communicate | |
| Include the date, time, and place of the hearing on the subpoena. CC ID 14354 | Operational management | Communicate | |
| Deliver the subpoena to interested personnel and affected parties. CC ID 14357 | Operational management | Communicate | |
| Include the addressee on the subpoena. CC ID 14351 | Operational management | Communicate | |
| Identify alleged violations of law, regulations, or policy/guidance on the subpoena, as necessary. CC ID 14856 | Operational management | Establish/Maintain Documentation | |
| Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Data and Information Management | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Testing | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Testing | |
| Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Records Management | |
| Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Records Management | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Monitor and Evaluate Occurrences | |
| Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Records Management | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Monitor and Evaluate Occurrences | |
| Capture the records required by organizational compliance requirements. CC ID 00912 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. § 164.316(b)(1)(ii) {use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclose}{use}{protected health information} Implementation specification: Documentation. A covered entity must document a restriction in accordance with §160.530(j) of this subchapter. § 164.522(a)(3) Recordkeeping. The covered entity must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, if any, and the covered entity's rebuttal, if any, to the designated record set. § 164.526(d)(4) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A) {spoken communication}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Document the statement, including the identity of the agency or official making the statement; § 164.528(a)(2)(ii)(A)] | Records management | Records Management | |
| Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
| Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
| Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
| Control error handling when data is being inputted. CC ID 00922 | Records management | Data and Information Management | |
| Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
| Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
| Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Establish/Maintain Documentation | |
| Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Testing | |
| Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Business Processes | |
| Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Process or Activity | |
| Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Process or Activity | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Process or Activity | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A)] | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 [{stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation. § 164.524(c)(2)(iii)(B)] | Privacy protection for information and data | Behavior | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [{data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Human Resources Management | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Behavior | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) Must refrain from intimidation and retaliation as provided in §160.316 of this subchapter. § 164.530(g)(2) {external requirement} May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and § 164.530(g)(1)] | Privacy protection for information and data | Testing | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{business associate contract} Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a). § 164.308(b)(3) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e). § 164.502(e)(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}{requirement}If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. § 164.314(a)(1)] | Third Party and supply chain oversight | Process or Activity | |
| Include a termination provision clause in third party contracts. CC ID 01367 [{business associate contract} Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. § 164.504(e)(2)(iii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.308(b)(1) {electronic protected health information}Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and § 164.314(b)(2)(iii) {business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. § 164.502(e)(1)(i)] | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
| Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [If a covered entity and its business associate are both governmental entities: The covered entity may comply with this paragraph and §164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and §164.314(a)(2), if applicable. § 164.504(e)(3)(i)(B) {disclosure recipient}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information; § 164.504(f)(2)(ii)(B)] | Third Party and supply chain oversight | Testing | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{business associate contract}{non-compliance}{reporting requirement}Provide that the business associate will: Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; § 164.504(e)(2)(ii)(B)] | Third Party and supply chain oversight | Testing | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the business environment in which the organization operates. CC ID 12798 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The size, complexity, and capabilities of the covered entity or business associate. § 164.306(b)(2)(i) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Leadership and high level objectives | Business Processes | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Process or Activity | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Implement the implementation specification if reasonable and appropriate; or § 164.306(d)(3)(ii)(A) When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications. § 164.306(d)(2) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the effective date on all organizational policies. CC ID 06820 [{Notice of Privacy Practices} Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published. § 164.520(b)(1)(viii) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change is effective only with respect to protected health information created or received after the effective date of the notice. § 164.530(i)(4)(ii)(B)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{put in place} Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). § 164.314(a)(2)(ii) An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110); § 164.512(i)(2)(iv)(A)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{written form} {electronic format} A covered entity or business associate must, in accordance with §164.306: Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and § 164.316(b)(1)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) {external requirement} A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. § 164.530(i)(2)(iii) A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section. § 164.530(i)(5)(ii) {written form}A covered entity must: Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form; § 164.530(j)(1)(i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the Authority Document list with external requirements. CC ID 06288 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; § 164.530(i)(4)(i)(A) {Notice of Privacy Practices}A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that: The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and § 164.530(i)(5)(i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [{not be suitable}If implementing the implementation specification is not reasonable and appropriate— Implement an equivalent alternative measure if reasonable and appropriate. § 164.306(d)(3)(ii)(B)$(2)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 [{make available}A covered entity or business associate must, in accordance with §164.306: Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. § 164.316(b)(2)(ii)] | Leadership and high level objectives | Behavior | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Behavior | |
| Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(b)] | Monitoring and measurement | Log Management | |
| Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
| Protect continuous security management systems from unauthorized use. CC ID 13097 | Monitoring and measurement | Configuration | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 | Monitoring and measurement | Log Management | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Technical Security | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any. § 164.530(e)(2)] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
| Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). § 164.308(a)(1)(ii)(B)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Business Processes | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
| Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 | Audits and risk management | Establish/Maintain Documentation | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
| Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Establish/Maintain Documentation | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Establish Roles | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
| Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
| Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
| Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
| Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
| Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
| Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
| Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
| Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
| Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
| Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
| Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
| Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and risk management | Audits and Risk Management | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The probability and criticality of potential risks to electronic protected health information. § 164.306(b)(2)(iv)] | Audits and risk management | Audits and Risk Management | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. § 164.308(a)(1)(ii)(A)] | Audits and risk management | Testing | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Establish/Maintain Documentation | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Behavior | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
| Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Audits and risk management | Establish/Maintain Documentation | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Process or Activity | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
| Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
| Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
| Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
| Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Establish/Maintain Documentation | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Establish/Maintain Documentation | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [A covered entity must identify: Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and § 164.514(d)(2)(i)(A)] | Technical security | Establish/Maintain Documentation | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Establish/Maintain Documentation | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Establish/Maintain Documentation | |
| Include third party access in the access classification scheme. CC ID 11786 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(4) Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation. § 164.502(g)(2) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Technical security | Establish/Maintain Documentation | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 [Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if: § 164.502(g)(3)(i) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative, provided that the conditions at paragraphs (g)(5)(i) and (ii) of this section are met: § 164.502(g)(5)] | Technical security | Establish/Maintain Documentation | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 [Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. § 164.312(d)] | Technical security | Establish/Maintain Documentation | |
| Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 [Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is in writing, the request is on the appropriate government letterhead; or § 164.514(h)(2)(ii)(B) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status; § 164.514(h)(2)(ii)(A) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official. § 164.514(h)(2)(ii)(C) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority. § 164.514(h)(2)(iii)(B) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official: A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; § 164.514(h)(2)(iii)(A)] | Technical security | Process or Activity | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
| Establish, implement, and maintain an access control program. CC ID 11702 [Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). § 164.312(a)(1) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. § 164.308(a)(4)(ii)(A) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. § 164.308(a)(4)(ii)(C)] | Technical security | Establish/Maintain Documentation | |
| Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 | Technical security | Establish/Maintain Documentation | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 | Technical security | Establish/Maintain Documentation | |
| Include guidance on selecting authentication credentials in the access control program. CC ID 11928 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. § 164.308(a)(4)(ii)(B)] | Technical security | Establish/Maintain Documentation | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
| Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 [{workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B) {workforce}A covered entity must identify: For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. § 164.514(d)(2)(i)(B)] | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 [Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. § 164.308(a)(3)(i) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; § 164.314(b)(2)(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established. § 164.504(f)(2)(ii)(J) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must: § 164.504(f)(2)(iii)] | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Control user privileges. CC ID 11665 [The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Technical security | Technical Security | |
| Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Technical Security | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Technical Security | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Human Resources Management | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Technical Security | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
| Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Technical Security | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Technical Security | |
| Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Log Management | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
| Document approving and granting access in the access control log. CC ID 06786 [The plan documents must: Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description; § 164.504(f)(2)(iii)(A)] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
| Include the user's location in the system record. CC ID 16996 | Technical security | Log Management | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
| Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Technical security | Establish/Maintain Documentation | |
| Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Technical Security | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 | Technical security | Data and Information Management | |
| Include instructions to refrain from using previously used authenticators in the access control program. CC ID 11930 | Technical security | Establish/Maintain Documentation | |
| Disallow the use of Personal Identification Numbers as user identifiers. CC ID 06785 | Technical security | Technical Security | |
| Define the activation requirements for identification cards or badges. CC ID 06583 | Technical security | Process or Activity | |
| Require multiple forms of personal identification prior to issuing user identifiers. CC ID 08712 | Technical security | Human Resources Management | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Technical Security | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Configuration | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Configuration | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
| Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Communicate | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Establish Roles | |
| Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Process or Activity | |
| Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Technical Security | |
| Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Technical Security | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{improper destruction} Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. § 164.312(c)(1) {refrain from modifying} Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. § 164.312(e)(2)(i)] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Communicate | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Data and Information Management | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section. § 164.514(d)(2)(ii) The plan documents must: Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and § 164.504(f)(2)(iii)(B)] | Technical security | Data and Information Management | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. § 164.312(e)(1)] | Technical security | Establish/Maintain Documentation | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Data and Information Management | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Establish/Maintain Documentation | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 | Technical security | Establish/Maintain Documentation | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Data and Information Management | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Data and Information Management | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Establish/Maintain Documentation | |
| Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Establish/Maintain Documentation | |
| Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Establish/Maintain Documentation | |
| Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Technical security | Establish/Maintain Documentation | |
| Include communication requirements in the information exchange procedures. CC ID 17026 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Establish/Maintain Documentation | |
| Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Establish/Maintain Documentation | |
| Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Establish/Maintain Documentation | |
| Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Establish/Maintain Documentation | |
| Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Establish/Maintain Documentation | |
| Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Establish/Maintain Documentation | |
| Test the information exchange procedures. CC ID 17115 | Technical security | Testing | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Data and Information Management | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Data and Information Management | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Technical Security | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Technical Security | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Establish/Maintain Documentation | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Configuration | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Data and Information Management | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Establish/Maintain Documentation | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Behavior | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. § 164.312(a)(2)(iv)] | Technical security | Establish/Maintain Documentation | |
| Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Establish/Maintain Documentation | |
| Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. § 164.312(e)(2)(ii)] | Technical security | Data and Information Management | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Implement: Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. § 164.308(a)(5)(ii)(B)] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Behavior | |
| Install security and protection software, as necessary. CC ID 00575 | Technical security | Configuration | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
| Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Technical Security | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Technical Security | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Configuration | |
| Establish, implement, and maintain a physical security program. CC ID 11757 [Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. § 164.310(a)(1)] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Establish/Maintain Documentation | |
| Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Establish/Maintain Documentation | |
| Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Physical and Environmental Protection | |
| Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Physical and Environmental Protection | |
| Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Physical and Environmental Protection | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Configuration | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Configuration | |
| Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Communicate | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. § 164.310(a)(2)(ii)] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Establish/Maintain Documentation | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 [Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. § 164.310(a)(2)(iii)] | Physical and environmental protection | Establish/Maintain Documentation | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
| Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Log Management | |
| Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Log Management | |
| Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Log Management | |
| Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Log Management | |
| Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Log Management | |
| Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Log Management | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
| Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Business Processes | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
| Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Process or Activity | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
| Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Log Management | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
| Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Log Management | |
| Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Log Management | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Log Management | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Log Management | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Log Management | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
| Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Records Management | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. § 164.310(c)] | Physical and environmental protection | Physical and Environmental Protection | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Records Management | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Records Management | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Business Processes | |
| Restrict physical access to distributed assets. CC ID 11865 | Physical and environmental protection | Physical and Environmental Protection | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
| Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Data and Information Management | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Physical and Environmental Protection | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Records Management | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Behavior | |
| Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Records Management | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Physical and Environmental Protection | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Configuration | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and environmental protection | Physical and Environmental Protection | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 [Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. § 164.310(d)(1)] | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Establish/Maintain Documentation | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Physical and Environmental Protection | |
| Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
| Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 | Physical and environmental protection | Establish/Maintain Documentation | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Behavior | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Behavior | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Behavior | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Behavior | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Behavior | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Configuration | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Establish/Maintain Documentation | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Technical Security | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Configuration | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Technical Security | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Physical and Environmental Protection | |
| Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Business Processes | |
| Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Establish/Maintain Documentation | |
| Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Establish/Maintain Documentation | |
| Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Establish Roles | |
| Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Records Management | |
| Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Physical and Environmental Protection | |
| Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Physical and Environmental Protection | |
| Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Business Processes | |
| Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Establish/Maintain Documentation | |
| Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Physical and Environmental Protection | |
| Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Process or Activity | |
| Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Physical and Environmental Protection | |
| Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Physical and Environmental Protection | |
| Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Physical and Environmental Protection | |
| Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Physical and Environmental Protection | |
| Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Establish/Maintain Documentation | |
| Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Physical and Environmental Protection | |
| Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Physical and Environmental Protection | |
| Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Physical and Environmental Protection | |
| Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Physical and Environmental Protection | |
| Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Physical and Environmental Protection | |
| Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Physical and Environmental Protection | |
| Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Physical and Environmental Protection | |
| Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Configuration | |
| Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Physical and Environmental Protection | |
| Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Physical and Environmental Protection | |
| Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Physical and Environmental Protection | |
| Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Physical and Environmental Protection | |
| Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Physical and Environmental Protection | |
| Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Physical and Environmental Protection | |
| Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Physical and Environmental Protection | |
| Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Physical and environmental protection | Establish/Maintain Documentation | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 [Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. § 164.308(a)(7)(i)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Systems Continuity | |
| Include compliance requirements in the business continuity policy. CC ID 14237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include management commitment in the business continuity policy. CC ID 14233 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Communicate | |
| Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
| Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Systems Continuity | |
| Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
| Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Operational and Systems Continuity | Establish Roles | |
| Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Systems Continuity | |
| Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
| Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. § 164.308(a)(7)(ii)(C)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
| Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
| Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
| Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 [Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. § 164.308(a)(7)(ii)(B)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
| Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
| Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Establish Roles | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Communicate | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726 | Operational and Systems Continuity | Configuration | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Operational and Systems Continuity | Configuration | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Configuration | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Implement redundancy in life-safety systems. CC ID 02228 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include outages in the emergency operating procedures. CC ID 17129 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
| Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Systems Continuity | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
| Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Data and Information Management | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Systems Continuity | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. § 164.308(a)(7)(ii)(A)] | Operational and Systems Continuity | Systems Continuity | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Systems Continuity | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Configuration | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Data and Information Management | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Data and Information Management | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
| Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Process or Activity | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Systems Continuity | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Configuration | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Systems Continuity | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Log Management | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Communicate | |
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Communicate | |
| Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
| Establish, implement, and maintain a continuity test plan. CC ID 04896 [Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. § 164.308(a)(7)(ii)(D)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the risk assessment results in the continuity test plan. CC ID 17205 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the business impact analysis test results in the continuity test plan CC ID 17204 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. § 164.530(a)(1)(i)] | Human Resources management | Establish Roles | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [{be responsible}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for access by individuals. § 164.524(e)(2) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Human Resources Management | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Establish Roles | |
| Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Human Resources Management | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
| Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
| Assign the role of data custodian to applicable controls. CC ID 04789 [{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals. § 164.528(d)(3)] | Human Resources management | Establish Roles | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Establish Roles | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Human Resources Management | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. § 164.308(a)(3)(ii)(A)] | Human Resources management | Establish/Maintain Documentation | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources management | Human Resources Management | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 | Human Resources management | Human Resources Management | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Human Resources Management | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Human Resources Management | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Human Resources Management | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Human Resources Management | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Human Resources Management | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Human Resources Management | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Human Resources Management | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Human Resources Management | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Establish/Maintain Documentation | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Establish/Maintain Documentation | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Establish/Maintain Documentation | |
| Train all new hires, as necessary. CC ID 06673 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and § 164.530(b)(2)(i)(B)] | Human Resources management | Behavior | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Establish/Maintain Documentation | |
| Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Communicate | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 [Implementation specification: Personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section. § 164.530(a)(2)] | Human Resources management | Human Resources Management | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Human Resources Management | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Human Resources Management | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 | Human Resources management | Behavior | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Communicate | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Behavior | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Human Resources Management | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Establish/Maintain Documentation | |
| Train all personnel and third parties, as necessary. CC ID 00785 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: § 164.530(b)(2)(i)] | Human Resources management | Behavior | |
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
| Establish, implement, and maintain an education methodology. CC ID 06671 | Human Resources management | Business Processes | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
| Retrain all personnel, as necessary. CC ID 01362 [A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section. § 164.530(b)(2)(i)(C)] | Human Resources management | Behavior | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Behavior | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain training plans. CC ID 00828 [{stipulated time frame}A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: To each member of the covered entity's workforce by no later than the compliance date for the covered entity; § 164.530(b)(2)(i)(A)] | Human Resources management | Establish/Maintain Documentation | |
| Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources management | Human Resources Management | |
| Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Training | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
| Include risk management in the security awareness program. CC ID 13040 | Human Resources management | Training | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
| Conduct personal data processing training. CC ID 13757 [Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. § 164.530(b)(1)] | Human Resources management | Training | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
| Include cloud security in the security awareness program. CC ID 13039 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 [Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). § 164.308(a)(5)(i)] | Human Resources management | Establish/Maintain Documentation | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Implement: Security reminders (Addressable). Periodic security updates. § 164.308(a)(5)(ii)(A)] | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Establish/Maintain Documentation | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Communicate | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. § 164.530(i)(2)(i)] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [In deciding which security measures to use, a covered entity or business associate must take into account the following factors: The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. § 164.306(b)(2)(ii)] | Operational management | Process or Activity | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
| Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
| Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 [Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. § 164.308(a)(1)(i)] | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative safeguards} {physical safeguards} Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; § 164.314(b)(2)(i) {administrative safeguard}{technical safeguard} Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. § 164.530(c)(1)] | Operational management | Establish/Maintain Documentation | |
| Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
| Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
| Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with §164.316(b)(2)(iii). § 164.306(e)] | Operational management | Establish/Maintain Documentation | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
| Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
| Establish, implement, and maintain information security procedures. CC ID 12006 [{technical evaluation} Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. § 164.308(a)(8)] | Operational management | Business Processes | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate. § 164.308(a)(2)] | Operational management | Human Resources Management | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
| Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
| Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
| Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
| Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
| Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
| Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
| Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
| Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
| Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
| Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
| Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
| Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
| Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation | |
| Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
| Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
| Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
| Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
| Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
| Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
| Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
| Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
| Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
| Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
| Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
| Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate | |
| Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
| Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
| Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
| Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
| Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. § 164.310(b)] | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
| Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
| Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
| Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
| Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
| Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
| Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
| Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
| Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
| Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
| Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
| Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [{requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv)] | Operational management | Establish/Maintain Documentation | |
| Include use limitations in the use of information agreement. CC ID 06244 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Operational management | Establish/Maintain Documentation | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
| Include information recipients in the use of information agreement. CC ID 06245 [{person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B)] | Operational management | Establish/Maintain Documentation | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware; § 164.514(e)(4)(ii)(C)(3)] | Operational management | Establish/Maintain Documentation | |
| Include disclosure of information in the use of information agreement. CC ID 11830 [Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. § 164.514(e)(4)(i) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {refrain from disclosing}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law; § 164.514(e)(4)(ii)(C)(1)] | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement; § 164.514(e)(4)(ii)(C)(2)] | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 [{refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Operational management | Establish/Maintain Documentation | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 [Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and § 164.514(e)(4)(ii)(C)(4)] | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Covered entities and business associates must do the following: Ensure compliance with this subpart by its workforce. § 164.306(a)(4) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed. § 164.504(g)(1) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law. § 164.512(a)(2) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. § 164.414(a) Standard: minimum necessary requirements. In order to comply with §164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information. § 164.514(d)(1) {refrain from disclosing}{refrain from using} Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. § 164.502(f) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §§164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information. § 164.306(c) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement; § 164.520(d)(1) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: § 164.530(i)(4)(ii) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with §164.504(f). § 164.530(k)(2)] | Operational management | Establish/Maintain Documentation | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Business Processes | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain maintenance reports. CC ID 11749 [Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). § 164.310(a)(2)(iv)] | Operational management | Establish/Maintain Documentation | |
| Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
| Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
| Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
| Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [Standard: Security incident procedures. Implement policies and procedures to address security incidents. § 164.308(a)(6)(i)] | Operational management | Business Processes | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Human Resources Management | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Remediate security violations according to organizational standards. CC ID 12338 [Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate. § 164.530(f)] | Operational management | Business Processes | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 [{oral communication}{law enforcement}{criminal investigation}{national security}{breach notification} If the statement is made orally, document the statement, :#CBD0E5;" class="term_secondary-verb">including the identity of the official making the statement, and color:#CBD0E5;" class="term_secondary-verb">delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. § 164.412(b)] | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 [{breach notification} Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language. § 164.404(c)(2)] | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; § 164.404(c)(1)(A)] | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); § 164.404(c)(1)(B)] | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c)(1)(D)] | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 [{covered entity}{breach notification} The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, style="background-color:#CBD0E5;" class="term_secondary-verb">accessed, acquired, ckground-color:#CBD0E5;" class="term_secondary-verb">used, or disclosed during the breach. § 164.410(c)(1)] | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 [{breach notification}Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. § 164.404(c)(1)(E)] | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 [{breach notification}{stipulated time frame}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: y-verb">Include> a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach. § 164.404(d)(2)(ii)(B)] | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 [{breach notification}In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall: Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and § 164.404(d)(2)(ii)(A)] | Operational management | Behavior | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 [{stipulated amount}{breach notification} Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall rb">maintainn> a log> or other background-color:#F0BBBC;" class="term_primary-noun">documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site. § 164.408(c)] | Operational management | Records Management | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [{breach notification}{stipulated time frame} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.406(b) {breach notification} Implementation specification: Timeliness of notification. Except as provided in §164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.404(b) {breach notification}{covered entity}{stipulated time frame} Implementation specifications: Timeliness of notification. Except as provided in §164.412, a business associate shall erm_primary-verb">provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. § 164.410(b)] | Operational management | Communicate | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Create an incident response report. CC ID 12700 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Establish/Maintain Documentation | |
| Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Establish/Maintain Documentation | |
| Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
| Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
| Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
| Include any consequences to organizational reputation and confidence due to the incident in the incident response report. CC ID 12728 | Operational management | Establish/Maintain Documentation | |
| Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 | Operational management | Establish/Maintain Documentation | |
| Include investments associated with the incident in the incident response report. CC ID 12726 | Operational management | Establish/Maintain Documentation | |
| Include costs associated with the incident in the incident response report. CC ID 12725 | Operational management | Establish/Maintain Documentation | |
| Include losses due to the incident in the incident response report. CC ID 12724 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 | Operational management | Establish/Maintain Documentation | |
| Include foregone revenue from the incident in the incident response report. CC ID 12723 | Operational management | Establish/Maintain Documentation | |
| Include the magnitude of the incident in the incident response report. CC ID 12722 | Operational management | Establish/Maintain Documentation | |
| Include implications of the incident in the incident response report. CC ID 12721 | Operational management | Establish/Maintain Documentation | |
| Include measures to prevent similar incidents from occurring in the incident response report. CC ID 12720 | Operational management | Establish/Maintain Documentation | |
| Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 | Operational management | Establish/Maintain Documentation | |
| Include information on all affected assets in the incident response report. CC ID 12718 | Operational management | Establish/Maintain Documentation | |
| Include the scope of the incident in the incident response report. CC ID 12717 | Operational management | Establish/Maintain Documentation | |
| Include the duration of the incident in the incident response report. CC ID 12716 | Operational management | Establish/Maintain Documentation | |
| Include the extent of the incident in the incident response report. CC ID 12715 | Operational management | Establish/Maintain Documentation | |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 | Operational management | Establish/Maintain Documentation | |
| Include the reasons the incident occurred in the incident response report. CC ID 12711 | Operational management | Establish/Maintain Documentation | |
| Include the frequency of similar incidents occurring in the incident response report. CC ID 12712 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from the incident in the incident response report. CC ID 12713 | Operational management | Establish/Maintain Documentation | |
| Include where the incident occurred in the incident response report. CC ID 12710 | Operational management | Establish/Maintain Documentation | |
| Include when the incident occurred in the incident response report. CC ID 12709 | Operational management | Establish/Maintain Documentation | |
| Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 | Operational management | Establish/Maintain Documentation | |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 | Operational management | Establish/Maintain Documentation | |
| Include an executive summary of the incident in the incident response report. CC ID 12702 | Operational management | Establish/Maintain Documentation | |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 | Operational management | Establish/Maintain Documentation | |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 | Operational management | Communicate | |
| Mitigate reported incidents. CC ID 12973 [Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. § 164.308(a)(6)(ii)] | Operational management | Actionable Reports or Measurements | |
| Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
| Update the business cases for cost management procedures, as necessary. CC ID 13642 | Operational management | Business Processes | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
| Implement changes according to the change control program. CC ID 11776 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) If a covered entity has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and § 164.530(i)(4)(ii)(A) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Operational management | Business Processes | |
| Provide audit trails for all approved changes. CC ID 13120 [Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. § 164.316(a)] | Operational management | Establish/Maintain Documentation | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 [A covered entity or business associate must, in accordance with §164.306: Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. § 164.316(b)(2)(iii)] | Operational management | Establish/Maintain Documentation | |
| Conduct official proceedings, as necessary. CC ID 13836 | Operational management | Human Resources Management | |
| Notify interested personnel and affected parties of the date, time, and place of the hearing. CC ID 13017 | Operational management | Communicate | |
| Include the statutory authority on the subpoena. CC ID 14353 | Operational management | Communicate | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. § 164.312(a)(2)(iii)] | System hardening through configuration management | Configuration | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Technical Security | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Configuration | |
| Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Configuration | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Configuration | |
| Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Configuration | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | System hardening through configuration management | Configuration | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Configuration | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | System hardening through configuration management | Configuration | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | System hardening through configuration management | Configuration | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 [Implement: Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. § 164.308(a)(5)(ii)(D)] | System hardening through configuration management | Establish/Maintain Documentation | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Technical Security | |
| Configure authenticator activation codes in accordance with organizational standards. CC ID 17032 | System hardening through configuration management | Configuration | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Configuration | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Configuration | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Configuration | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Configuration | |
| Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Configuration | |
| Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Configuration | |
| Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Configuration | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Configuration | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Configuration | |
| Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Configuration | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Configuration | |
| Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Configuration | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Configuration | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Configuration | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Configuration | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Configuration | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Configuration | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Configuration | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Configuration | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Configuration | |
| Configure the authenticator policy to ban or allow authenticators as proper names, as necessary. CC ID 17030 | System hardening through configuration management | Configuration | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Configuration | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Configuration | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Behavior | |
| Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Behavior | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Configuration | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Configuration | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Configuration | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Configuration | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [A covered entity or business associate must, in accordance with §164.306: Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(b)(2)(i) {Notice of Privacy Practices} Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. § 164.520(e) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by §164.530(j): § 164.524(e) {protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) {stipulated time frame} Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.530(j)(2) {written form}{accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The written accounting that is provided to the individual under this section; and § 164.528(d)(2) A covered entity must: If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and § 164.530(j)(1)(ii) A covered entity must: If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation. § 164.530(j)(1)(iii)] | Records management | Records Management | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Records management | Establish/Maintain Documentation | |
| Perform destruction at authorized facilities. CC ID 17074 | Records management | Business Processes | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Business Processes | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Data and Information Management | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. § 164.310(d)(2)(ii)] | Records management | Data and Information Management | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Records Management | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Establish/Maintain Documentation | |
| Manage the disposition status for all records. CC ID 00972 [Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. § 164.530(d)(2)] | Records management | Records Management | |
| Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Data and Information Management | |
| Establish, implement, and maintain records management procedures. CC ID 11619 [A covered entity must: Maintain documentation sufficient to meet its burden of proof under §164.414(b). § 164.530(j)(1)(iv)] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain file naming conventions. CC ID 16971 | Records management | Records Management | |
| Compress encrypted files in accordance with applicable requirements. CC ID 16973 | Records management | Data and Information Management | |
| Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Technical Security | |
| Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Records Management | |
| Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain authorization records. CC ID 14367 [Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: An Institutional Review Board (IRB), established in accordance with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or § 164.512(i)(1)(i)(A) {unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Records management | Establish/Maintain Documentation | |
| Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
| Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
| Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
| Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
| Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
| Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
| Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
| Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
| Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
| Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
| Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
| Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
| Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
| Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
| Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
| Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
| Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
| Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
| Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
| Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
| Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
| Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
| Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
| Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
| Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
| Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
| Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
| Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
| Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
| Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
| Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
| Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
| Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
| Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
| Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
| Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
| Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
| Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
| Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
| Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
| Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
| Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
| Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
| Establish, implement, and maintain Electronic Document and Records Management systems. CC ID 16913 | Records management | Data and Information Management | |
| Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Business Processes | |
| Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Business Processes | |
| Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 | Records management | Business Processes | |
| Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Business Processes | |
| Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Records Management | |
| Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Business Processes | |
| Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Establish/Maintain Documentation | |
| Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Establish/Maintain Documentation | |
| Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Data and Information Management | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [{not been destroyed} Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. § 164.312(c)(2)] | Records management | Establish Roles | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
| Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
| Establish and maintain access controls for all records. CC ID 00371 | Records management | Records Management | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Establish/Maintain Documentation | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. § 164.310(d)(2)(iv)] | Records management | Records Management | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
| Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 [Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. § 164.310(d)(2)(iii)] | Records management | Log Management | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
| Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Establish/Maintain Documentation | |
| Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Establish/Maintain Documentation | |
| Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Records Management | |
| Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Log Management | |
| Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Establish/Maintain Documentation | |
| Review and approve output exceptions. CC ID 06625 | Records management | Records Management | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 | Records management | Records Management | |
| Convert hard copy records to electronic records, as necessary. CC ID 16927 | Records management | Data and Information Management | |
| Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Records Management | |
| Process restricted information in a secure environment. CC ID 13058 | Records management | Process or Activity | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Records Management | |
| Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Data and Information Management | |
| Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Technical Security | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Records Management | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Process or Activity | |
| Assign ownership for all electronic records. CC ID 14814 | Records management | Establish/Maintain Documentation | |
| Attribute electronic records, as necessary. CC ID 14820 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. § 164.306(a)(1) {refrain from using} Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. § 164.530(i)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and § 164.520(d)(2) {Notice of Privacy Practices}{reserve}{right}{change}{term} For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), the notice must include the statements required by paragraph (b)(1)(v)(C) of this section. § 164.520(b)(2)(ii) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Maintain a notice under this section; and § 164.520(a)(3)(ii)(A) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 [{Notice of Privacy Practices} Header. The notice must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." § 164.520(b)(1)(i) {Notice of Privacy Practices}The notice must contain: A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations. § 164.520(b)(1)(ii)(A) {privacy notice} The notice must contain: If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter. § 164.520(b)(1)(ii)(C)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy notice. CC ID 16543 [{privacy notice} The notice must contain: For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2. § 164.520(b)(1)(ii)(D)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the record types which may not be used or disclosed unless required by law in the privacy notice. CC ID 17258 [{privacy notice} {not be disclosed} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or § 164.520(b)(1)(iii)(D)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 [{Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii) {Notice of Privacy Practices} Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by §164.530(a)(1)(ii). § 164.520(b)(1)(vii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 [{privacy notice} {substance use disorder treatment} {refrain from receiving} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications. § 164.520(b)(1)(iii)(E)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the uses or disclosures that require authorizations in the privacy notice. CC ID 17257 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509. § 164.520(b)(1)(ii)(G)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include prohibitions of use or disclosure in the privacy notice. CC ID 17252 [{privacy notice} The notice must contain: A description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. § 164.520(b)(1)(ii)(F) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes; § 164.520(b)(1)(iii)(C)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) {privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; § 164.520(b)(1)(iii)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to inspect and copy protected health information as provided by §164.524; § 164.520(b)(1)(iv)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to amend protected health information as provided by §164.526; § 164.520(b)(1)(iv)(D) When a covered entity changes a privacy practice that is stated in the notice described in §164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with §164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or § 164.530(i)(2)(ii) {Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain: For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with §164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice. § 164.520(b)(1)(v)(C) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to request restrictions on certain uses and disclosures of protected health information as provided by §164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under §164.522(a)(1) § 164.520(b)(1)(iv)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 [{Notice of Privacy Practices} In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by §164.512(j)(1)(i). § 164.520(b)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 [{Notice of Privacy Practices}{without authorization}The notice must contain: A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written authorization. § 164.520(b)(1)(ii)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 [{privacy notice} The notice must contain: A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart § 164.520(b)(1)(ii)(H)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the time frame that notice will be given. CC ID 00385 [{Notice of Privacy Practices}{stipulated time frame} No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice. § 164.520(c)(1)(ii) {Notice of Privacy Practices}{time requirement}Provide the notice: No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or § 164.520(c)(2)(i)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 [{Notice of privacy practices} Implementation specifications: Joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: § 164.520(d)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 [{Notice of Privacy Practices}{protected health information} Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity. § 164.520(a)(4)] | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 [{Notice of privacy practices} A health plan must provide the notice: § 164.520(c)(1)(i) {Notice of Privacy Practices}A health plan must provide the notice: Thereafter, at the time of enrollment, to individuals who are new enrollees. § 164.520(c)(1)(i)(B) {Notice of Privacy Practices}A health plan must provide the notice: No later than the compliance date for the health plan, to individuals then covered by the plan; § 164.520(c)(1)(i)(A) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice. § 164.520(d)(3) {Notice of privacy practices}Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must: Provide the notice: § 164.520(c)(2)(i) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. § 164.520(c)(3)(ii) {Notice of Privacy Practices} For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice. § 164.520(c)(3)(iii) {Notice of Privacy Practices} The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents. § 164.520(c)(1)(iii) {Notice of Privacy Practices} If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice. § 164.520(c)(1)(iv) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {Notice of Privacy Practices}{time requirement}Provide the notice: In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. § 164.520(c)(2)(i)(B) {Notice of Privacy Practices}{make available} Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable. § 164.520(c) {Notice of Privacy Practices} The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request. § 164.520(c)(3)(iv) {Notice of privacy practices}A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in §164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan. § 164.520(a)(3)(ii)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Privacy protection for information and data | Communicate | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Update privacy notices, as necessary. CC ID 13474 [{Notice of privacy practices} Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law. § 164.530(i)(3) {Notice of Privacy Practices} Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. § 164.520(b)(3) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Privacy protection for information and data | Communicate | |
| Redeliver privacy notices, as necessary. CC ID 14850 [{Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}If there is a material change to the notice: A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan. § 164.520(c)(1)(v)(A) {Notice of Privacy Practices}{make available} Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable. § 164.520(c)(2)(iv) {make available}Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. § 164.530(i)(4)(i)(C)] | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Communicate | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 [{Notice of Privacy Practices}Provide the notice: Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; § 164.520(c)(2)(ii)] | Privacy protection for information and data | Communicate | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 [{privacy notice} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; § 164.520(b)(1)(iii)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Communicate | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Communicate | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Communicate | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Data and Information Management | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Communicate | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 [{Notice of Privacy Practices}The notice must contain: A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information; § 164.520(b)(1)(v)(A) {Notice of Privacy Practices}Covered entity's duties. The notice must contain: A statement that the covered entity is required to abide by the terms of the notice currently in effect; and § 164.520(b)(1)(v)(B) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Communicate | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about their privacy rights. CC ID 12989 [{Notice of Privacy Practices} Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: § 164.520(b)(1)(iv) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive an accounting of disclosures of protected health information as provided by §164.528; and § 164.520(b)(1)(iv)(E) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Communicate | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Communicate | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Behavior | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [{access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. § 164.508(c)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Process or Activity | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Behavior | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Behavior | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Data and Information Management | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 [{protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or § 164.512(c)(2)(i) {protected health information}Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(c)(2)(ii)] | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 [Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements. § 164.524(c) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and § 164.514(d)(4)(iii)(A) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) A covered entity must document the following and retain the documentation as required by §164.530(j): The designated record sets that are subject to access by individuals; and § 164.524(e)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [{privacy notice} {types} {use} {disclosure} Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: § 164.520(b)(1)(iii) Right to notice. Except as provided by paragraph (a)(3) or (4) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. § 164.520(a)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [{access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i) {stipulated time frame} An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: § 164.528(a)(1) The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. The covered entity must provide the individual with the accounting requested; or § 164.528(c)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a disclosure accounting record. CC ID 13022 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(f)(2)(ii)(G)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [{stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) {stipulated time frame} Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity. § 164.528(b)(1) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief description of the protected health information disclosed; and § 164.528(b)(2)(iii) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period; § 164.528(b)(3)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A brief description of the type of protected health information that was disclosed; § 164.528(b)(4)(i)(C) {accounting of disclosures}A covered entity must document the following and retain the documentation as required by §164.530(j): The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section; § 164.528(d)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The date of the disclosure; § 164.528(b)(2)(i) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: The name of the entity or person who received the protected health information and, if known, the address of such entity or person; § 164.528(b)(2)(ii) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 [If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The frequency, periodicity, or number of the disclosures made during the accounting period; and § 164.528(b)(3)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 [{final date}If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under §164.502(a)(2)(ii) or §164.512, the accounting may, with respect to such multiple disclosures, provide: The date of the last such disclosure during the accounting period. § 164.528(b)(3)(iii) {final date}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; § 164.528(b)(4)(i)(D)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 [{refrain from disclosing}If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity. § 164.528(b)(4)(i)(F) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name of the protocol or other research activity; § 164.528(b)(4)(i)(A) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; § 164.528(b)(4)(i)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 [If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with §164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide: The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and § 164.528(b)(4)(i)(E)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [{disclosure}{protected health information} Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements. § 164.528(b) {stipulated time frame} An individual may request an accounting of disclosures for a period of time less than six years from the date of the request. § 164.528(a)(3) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. § 164.520(a)(2)] | Privacy protection for information and data | Communicate | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Process or Activity | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Technical Security | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 [Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Document the policy or procedure, as revised, as required by paragraph (j) of this section; and § 164.530(i)(4)(i)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is included in the privacy policy. CC ID 00404 [{Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and § 164.520(d)(2)(ii) {Notice of Privacy Practices}The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request. § 164.520(b)(1)(iv)(F) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies; § 164.520(d)(2)(i) {Notice of Privacy Practices}Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. § 164.520(d)(2)(iii) {Notice of privacy practices}Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: The right to receive confidential communications of protected health information as provided by §164.522(b), as applicable; § 164.520(b)(1)(iv)(B) {privacy notice} Required elements. The covered entity, including any covered entity receiving or maintaining records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. § 164.520(b)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a complaint form in the privacy policy. CC ID 12364 [{Notice of Privacy Practices}{refrain from retaliating} Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. § 164.520(b)(1)(vi)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Post the privacy policy in an easily seen location. CC ID 00401 [{Notice of Privacy Practices} A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site. § 164.520(c)(3)(i) {Notice of Privacy Practices}{make available}If the covered health care provider maintains a physical service delivery site: Have the notice available at the service delivery site for individuals to request to take with them; and § 164.520(c)(2)(iii)(A) {Notice of Privacy Practices}If the covered health care provider maintains a physical service delivery site: Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and § 164.520(c)(2)(iii)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Business Processes | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 [{Notice of Privacy Practices}{stipulated time frame}If there is a material change to the notice: A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice. § 164.520(c)(1)(v)(B)] | Privacy protection for information and data | Behavior | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Communicate | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide a copy of the data subject's consent to the data subject. CC ID 17234 | Privacy protection for information and data | Communicate | |
| Date the data subject's consent. CC ID 17233 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications. § 164.514(f)(2)(iii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Privacy protection for information and data | Human Resources Management | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of: § 164.508(a)(3)(i) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. § 164.508(b)(4)(iii) {Notice of privacy practices}{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by §164.520, a reference to the covered entity's notice. § 164.508(c)(2)(i)(B) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. § 164.508(c)(1)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 [{use}{disclosure}{protected health information} Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that: § 164.508(b)(5) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The individual's right to revoke the authorization in writing, and either: § 164.508(c)(2)(i) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A) {Notice of Privacy Practices}The notice must contain: A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5). § 164.520(b)(1)(ii)(E)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 [{protected health information}{disclosure recipient}Core elements. A valid authorization under this section must contain at least the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. § 164.508(c)(1)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 [{protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. § 164.508(c)(1)(vi)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 [{protected health information}{sale} Such authorization must state that the disclosure will result in remuneration to the covered entity. § 164.508(a)(4)(ii) {use}{disclosure}{protected health information} If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at §164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved. § 164.508(a)(3)(ii) {protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. § 164.508(c)(2)(iii) {protected health information}Core elements. A valid authorization under this section must contain at least the following elements: A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. § 164.508(c)(1)(iv) {protected health information}{use}{disclosure}Core elements. A valid authorization under this section must contain at least the following elements: A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. § 164.508(c)(1)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 [Core elements. A valid authorization under this section must contain at least the following elements: An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. § 164.508(c)(1)(v)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) {refrain from receiving}{will not adversely affect} With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. § 164.514(f)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Technical Security | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Business Processes | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 [{use}{disclosure}{protected health information} Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j). § 164.508(b)(6) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii)] | Privacy protection for information and data | Records Management | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except: § 164.508(b)(4)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 [{opt in}{refrain from receiving} A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications. § 164.514(f)(2)(v)] | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Human Resources Management | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
| Notify the supervisory authority. CC ID 00472 [A covered entity is not in compliance with the standards in paragraph (e) of this section if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: Reported the problem to the Secretary. § 164.514(e)(4)(iii)(A)(2)] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{make available}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart; § 164.504(f)(2)(ii)(H)] | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Data and Information Management | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Human Resources Management | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 [For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. § 164.514(d)(3)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2) Except pursuant to and in compliance with §164.508(a)(4), a covered entity or business associate may not sell protected health information. § 164.502(a)(5)(ii)(A) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section. § 164.512(b)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 [{unaffiliated third party reviewer}Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section; § 164.512(i)(2)(iv)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Behavior | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 [A covered entity is permitted to use or disclose protected health information as follows: Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure; § 164.502(a)(1)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. § 164.308(a)(3)(ii)(B) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. § 164.308(a)(4)(i) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of §164.522(b) in communicating protected health information. § 164.502(h) Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information in accordance with §164.524; § 164.504(f)(2)(ii)(E) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: § 164.524(a)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities. § 164.514(d)(4)(i) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made. § 164.514(d)(4)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 [Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §164.502(a)(2)(ii) or §164.512, if any. § 164.528(b)(2)(iv)] | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 [Other responsibility. If the covered entity does not maintain the protected health information that is the subject of the individual's request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access. § 164.524(d)(3) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher. § 164.528(b)(4)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 [{written form} Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. § 164.524(b)(1) {be in writing} A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing. § 164.522(b)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 [{confidential communication} A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual. § 164.522(b)(2)(iv) {representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 [{confidential communication} A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. § 164.522(b)(2)(iii)] | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) {stipulated time frame}{protected health information}{disclosure} The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. § 164.528(c)(1) {protected health information}{stipulated time frame} Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows. § 164.524(b)(2)(i) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Privacy protection for information and data | Behavior | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 [{protected health information} If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section. § 164.524(b)(2)(i)(A) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access. § 164.524(c)(1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access. § 164.524(d)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 [{stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4) {stipulated time frame}{refrain from involving}{protected health information} Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination. § 164.524(d)(4)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. § 164.526(a)(1) {be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {stipulated time frame}{protected health information} If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: § 164.526(b)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Data and Information Management | |
| Disclose de-identified data, as necessary. CC ID 13034 [{Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii)] | Privacy protection for information and data | Communicate | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{protected health information}{victim}{abuse}{neglect}{domestic violence}{government agency} Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: § 164.512(c)(2)] | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i)] | Privacy protection for information and data | Records Management | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 [{refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i)] | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
| Process restricted data lawfully and carefully. CC ID 00086 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C) A covered entity or business associate that uses or discloses protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), in reliance on an attestation that is defective under paragraph (b)(2) of this section, is not in compliance with this section. § 164.509(a)(2)] | Privacy protection for information and data | Establish Roles | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 [A group health plan may: Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph; § 164.504(f)(3)(ii) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) {refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section. § 164.512(d)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {employment purpose}Implementation specifications: Uses and disclosures. A group health plan may: Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor. § 164.504(f)(3)(iv) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i) A covered entity may disclose protected health information for treatment activities of a health care provider. § 164.506(c)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The provision of health care to such individuals; § 164.512(k)(5)(i)(A)] | Privacy protection for information and data | Data and Information Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 [Conditions on disclosures. If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements. § 164.514(h)(2)(i)] | Privacy protection for information and data | Records Management | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 [A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information. § 164.506(c)(3)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is: § 164.506(c)(4) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement. § 164.506(c)(5) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) A group health plan may: Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section; § 164.504(f)(3)(i) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. § 164.504(f)(1)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 [Standard: Minimum necessary— Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. § 164.502(b) A covered entity may use protected health information to create a limited data set that meets the requirements of paragraph (e)(2) of this section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity. § 164.514(e)(3)(ii) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) {protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {requirement} A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§164.514(e)(4) and 164.314(a)(1), if applicable. § 164.504(e)(3)(iv) {may not disclose} Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a). § 164.502(c) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of paragraphs (e)(2) and (e)(3) of this section, if the covered entity enters into a data use agreement with the limited data set recipient, in accordance with paragraph (e)(4) of this section. § 164.514(e)(1) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: This section. § 164.502(a)(1)(vi)(A) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.512 and, where applicable, § 164.509. § 164.502(a)(1)(vi)(B) A covered entity is permitted to use or disclose protected health information as follows: As permitted by and in compliance with any of the following: Section 164.514(e), (f), or (g). § 164.502(a)(1)(vi)(C)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 [{protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use the following protected health information to maintain a directory of individuals in its facility: § 164.510(a)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 [Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 [Separation or discharge from military service. A covered entity that is a component of the Departments of Defense or Homeland Security may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: Appropriate military command authorities; and § 164.512(k)(1)(i)(A) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 [A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation. § 164.512(k)(6)(i) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii) A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs. § 164.512(k)(6)(ii) Standard: Disclosures for workers' compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. § 164.512(l)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either: § 164.512(i)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. § 164.512(i)(1)(iii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board, as applicable. § 164.512(i)(2)(v) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Identification and date of action. A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved; § 164.512(i)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 [{cadaveric organ donation purpose} Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. § 164.512(h) {refrain from removing}Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: No protected health information is to be removed from the covered entity by the researcher in the course of the review; and § 164.512(i)(1)(ii)(B) {protected health information}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: § 164.512(i)(2)(iv) {refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without access to and use of the protected health information. § 164.512(i)(2)(ii)(C) {protected health information}{refrain from conducting}{absence}Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: The research could not practicably be conducted without the waiver or alteration; and § 164.512(i)(2)(ii)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 [Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. § 164.510(b)(2)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 [Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. § 164.510(b)(3) {be consistent}If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and § 164.510(a)(3)(i)(A)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed. § 164.504(g)(2)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individual or other inmates; § 164.512(k)(5)(i)(B) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The administration and maintenance of the safety, security, and good order of the correctional institution. § 164.512(k)(5)(i)(F) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; § 164.512(b)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 [Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: § 164.512(c)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; § 164.512(c)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Privacy protection for information and data | Business Processes | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 [{refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define and implement valid authorization control requirements. CC ID 06258 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: § 164.508(b)(3) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following: Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph (i)(2)(ii)(C) of this section; § 164.512(i)(2)(iii) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: The name of any individual(s) whose protected health information is sought, if practicable. § 164.509(c)(1)(i)(A) {be impracticable} A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: If including the name(s) of any individual(s) whose protected health information is sought is not practicable, a description of the class of individuals whose protected health information is sought. § 164.509(c)(1)(i)(B) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure. § 164.509(c)(1)(ii) A valid attestation under this section must contain the following elements: The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure. § 164.509(c)(1)(iii) A valid attestation under this section must contain the following elements: A clear statement that the use or disclosure is not for a purpose prohibited under § 164.502(a)(5)(iii). § 164.509(c)(1)(iv) A valid attestation under this section must contain the following elements: A description of the information requested that identifies the information in a specific fashion, including one of the following: § 164.509(c)(1)(i) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: Signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative's authority to act for the person must also be provided. § 164.509(c)(1)(vi) A valid attestation under this section must contain the following elements: A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person. § 164.509(c)(1)(v)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 [{refrain from permitting} Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. § 164.506(b)(2)] | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 [Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2) Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: § 164.508(a)(2)] | Privacy protection for information and data | Data and Information Management | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 [Material misrepresentations. If, during the course of using or disclosing protected health information in reasonable reliance on a facially valid attestation, a covered entity or business associate discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), the covered entity or business associate must cease such use or disclosure. § 164.509(d)] | Privacy protection for information and data | Business Processes | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 [{may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(1) {may not disclose} {reproductive health care} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To identify any person for any purpose described in paragraphs (a)(5)(iii)(A)(1) or (2) of this section. § 164.502(a)(5)(iii)(A)(3) {may not disclose} Subject to paragraphs (a)(5)(iii)(B) and (C) of this section, a covered entity or business associate may not use or disclose protected health information for any of the following activities: To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. § 164.502(a)(5)(iii)(A)(2) {may not disclose} A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part. § 164.509(a)(1)] | Privacy protection for information and data | Business Processes | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) {data subject}A covered entity is permitted to use or disclose protected health information as follows: Pursuant to an agreement under, or as otherwise permitted by, §164.510; and § 164.502(a)(1)(v) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or § 164.512(b)(1)(iv)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) {protected health information}Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may: Use or disclose for directory purposes such information: § 164.510(a)(1)(ii) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a) Medical suitability determinations. A covered entity that is a component of the Department of State may use protected health information to make medical suitability determinations and may disclose whether or not the individual was determined to be medically suitable to the officials in the Department of State who need access to such information for the following purposes: § 164.512(k)(4) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: An employer, about an individual who is a member of the workforce of the employer, if: § 164.512(b)(1)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A school, about an individual who is a student or prospective student of the school, if: § 164.512(b)(1)(vi) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) National Instant Criminal Background Check System. A covered entity may use or disclose protected health information for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm under 18 U.S.C. 922(g)(4), provided the covered entity: § 164.512(k)(7) Foreign military personnel. A covered entity may use and disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. § 164.512(k)(1)(iv) {protected health information} Exercise of professional judgment. The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with §164.510 or acts on a good faith belief in making a disclosure in accordance with §164.512(j). § 164.514(h)(2)(iv)] | Privacy protection for information and data | Data and Information Management | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at §164.502(a)(5)(i) with respect to genetic information included in the protected health information. § 164.514(g) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs. § 164.512(k)(1)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for debt collection or benefit payments. CC ID 00190 [{external requirement}Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: For treatment, payment, or health care operations, as permitted by and in compliance with §164.506; § 164.502(a)(1)(ii) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. § 164.506(c)(1) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a)(2) through (4) or that are prohibited under §164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. § 164.506(a)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: § 164.512(i)(1)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
| Follow legal obligations while processing personal data. CC ID 04794 [{external requirement} Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under §160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. § 164.530(h)] | Privacy protection for information and data | Data and Information Management | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
| Process restricted data absent consent for specific and well-documented circumstances. CC ID 13537 [Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508: § 164.514(f)(1) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include: § 164.512(b)(1)(iii) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B)] | Privacy protection for information and data | Process or Activity | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Representation that the use or disclosure sought is solely for research on the protected health information of decedents; § 164.512(i)(1)(iii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Research on decedent's information. The covered entity obtains from the researcher: Documentation, at the request of the covered entity, of the death of such individuals; and § 164.512(i)(1)(iii)(B)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; § 164.512(b)(1)(ii) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Permitted uses. A covered entity that is a correctional institution may use protected health information of individuals who are inmates for any purpose for which such protected health information may be disclosed. § 164.512(k)(5)(ii) Armed Forces personnel. A covered entity may use and disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information: The purposes for which the protected health information may be used or disclosed. § 164.512(k)(1)(i)(B)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 {protected health information} The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. § 164.510(a)(3)(ii) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Privacy protection for information and data | Behavior | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [{may not disclose} Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. § 164.502(a) {refrain from disclosing}{employment}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor; § 164.504(f)(2)(ii)(C) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {refrain from disclosing} Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan: § 164.502(a)(5)(i) {refrain from disclosing} Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. § 164.508(a)(1) {protected health information}{refrain from using}{refrain from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section. § 164.512(j)(2)(ii) {applicable requirement}A covered entity is permitted to use or disclose protected health information as follows: Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508; § 164.502(a)(1)(iv) {refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5) Implementation specifications: Uses and disclosures. A group health plan may: Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and § 164.504(f)(3)(iii) {protected health information}{refrain from using}{refraining from disclosing}Use or disclosure not permitted. A use or disclosure pursuant to paragraph (j)(1)(ii)(A) of this section may not be made if the information described in paragraph (j)(1)(ii)(A) of this section is learned by the covered entity: In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or § 164.512(j)(2)(i) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue. § 164.512(f)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Privacy protection for information and data | Records Management | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made pursuant to an authorization under §164.508; § 164.502(b)(2)(iii) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Obtains the individual's agreement; § 164.510(b)(2)(i) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in §164.501 of this subpart. § 164.508(a)(4)(i) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: If the individual agrees to the disclosure; or § 164.512(c)(1)(ii) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The individual agrees to the disclosure; or § 164.512(f)(3)(i) {oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [{protected health information}{use}{disclosure}Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or § 164.508(c)(2)(i)(A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Communicate | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 [{oral agreement} {without authorization} Except as provided by § 164.502(a)(5)(iii), a covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section and § 164.509. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given verbally. § 164.512 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 [{refrain from disclosing} A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices. § 164.514(f)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 [Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph. § 164.512(g)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter; § 164.502(b)(2)(iv) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of: § 164.512(d)(1) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 [A business associate is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter. § 164.502(a)(4)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 [Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: n compliance with and as limited by the relevant requirements of: An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: § 164.512(f)(1)(ii)(C)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care. § 164.510(b)(1)(i) Uses and disclosures when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. § 164.510(b)(5) {requirement} A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. § 164.510(b)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death. § 164.512(g)(2) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another; § 164.512(k)(5)(i)(D)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 [Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. § 164.510(b)(4) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: The health and safety of the officers or employees of or others at the correctional institution; § 164.512(k)(5)(i)(C)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; § 164.512(i)(1)(ii)(A) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: Reviews preparatory to research. The covered entity obtains from the researcher representations that: The protected health information for which use or access is sought is necessary for the research purposes. § 164.512(i)(1)(ii)(C)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [National security and intelligence activities. A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333). § 164.512(k)(2) Protective services for the President and others. A covered entity may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056 or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879. § 164.512(k)(3)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Data and Information Management | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. § 164.510(a)(3)(i)(B) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. § 164.512(f)(3)(ii)(C)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and § 164.512(j)(1)(i)(A) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or § 164.512(c)(1)(iii)(A) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or § 164.512(j)(1)(i)(B) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: § 164.512(e)(1)(ii) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or § 164.512(e)(1)(i) {law enforcement activity}Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: To the extent the disclosure is expressly authorized by statute or regulation and: If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. § 164.512(c)(1)(iii)(B) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; § 164.512(f)(1)(ii)(A) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: In compliance with and as limited by the relevant requirements of: A grand jury subpoena; or § 164.512(f)(1)(ii)(B) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; § 164.512(f)(3)(ii)(A) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: § 164.512(f)(3)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 [{refrain from disclosing}Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Not use or further disclose the information other than as permitted or required by the plan documents or as required by law; § 164.504(f)(2)(ii)(A) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required for compliance with applicable requirements of this subchapter. § 164.502(b)(2)(vi) A covered entity is required to disclose protected health information: When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter. § 164.502(a)(2)(ii) {protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures that are required by law, as described by §164.512(a); and § 164.502(b)(2)(v) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information: As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or § 164.512(f)(1)(i) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. § 164.512(a)(1) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: § 164.512(k)(5)(i) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable. § 164.512(f) {secretary}{law}{health oversight agency}{coroner}{deceased person}{prevent}{threat}{health}{safety}{person}Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except: A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i). § 164.508(a)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: Is necessary for law enforcement authorities to identify or apprehend an individual: § 164.512(j)(1)(ii) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct. § 164.512(f)(4) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. § 164.512(f)(5) Permitted disclosures. A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual protected health information about such inmate or individual, if the correctional institution or such law enforcement official represents that such protected health information is necessary for: Law enforcement on the premises of the correctional institution; or § 164.512(k)(5)(i)(E) {be necessary} A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: § 164.512(f)(6)(i) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if: The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that: The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and § 164.512(f)(3)(ii)(B)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 [Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: To the individual; § 164.502(a)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 [Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: § 164.502(d)(2)] | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and § 164.504(f)(2)(ii)(I) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and § 164.512(i)(2)(ii)(A)(2) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. § 164.310(d)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
| Refrain from selling restricted data, as necessary. CC ID 17165 | Privacy protection for information and data | Data and Information Management | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 [{refrain from using}{refrain from disclosing} If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information. § 164.522(a)(1)(iv) {refrain from receiving} Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section. § 164.512(e)(1)(vi)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 [{written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3) {written form}{refrain from disclosing}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; § 164.512(i)(2)(ii)(A)(3)] | Privacy protection for information and data | Data and Information Management | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section. § 164.510 ¶ 1 A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. § 164.506(b)(1)] | Privacy protection for information and data | Data and Information Management | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 [Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. § 164.510(a)(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or § 164.510(b)(2)(ii) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full. § 164.522(a)(1)(vi)(B) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and § 164.522(a)(1)(vi)(A) {family member}{friend}{relative}A covered entity must permit an individual to request that the covered entity restrict: Disclosures permitted under §164.510(b). § 164.522(a)(1)(i)(B) A covered entity must permit an individual to request that the covered entity restrict: Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and § 164.522(a)(1)(i)(A) {disclosure}{use}{protected health information} Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction. § 164.522(a)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. § 164.504(f)(1)(i) {protected health information}The plan documents of the group health plan must be amended to incorporate provisions to: Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart. § 164.504(f)(2)(i) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart. § 164.514(h)(1)(ii) If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (d)(1)(iii) of this section. § 164.526(d)(5)(ii) {request}{denial}{amendment} If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with paragraph (d)(4) of this section, or, at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates. § 164.526(d)(5)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Communicate | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
| Review personal data disclosure requests. CC ID 07129 [{protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(3)(ii)(B) {protected health information} Review requests for disclosure on an individual basis in accordance with such criteria. § 164.514(d)(4)(iii)(B)] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Psychotherapy notes; and § 164.524(a)(1)(i) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: As part of a limited data set in accordance with §164.514(e); or § 164.528(a)(1)(viii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Pursuant to an authorization as provided in §164.508; § 164.528(a)(1)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To carry out treatment, payment and health care operations as provided in §164.506; § 164.528(a)(1)(i) The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and § 164.526(d)(1)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. § 164.524(a)(2)(v)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For national security or intelligence purposes as provided in §164.512(k)(2); § 164.528(a)(1)(vi)] | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. § 164.524(a)(2)(ii) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; § 164.524(a)(3)(i) {protected health information}A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person. § 164.524(a)(3)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 [A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or § 164.524(a)(3)(ii) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To individuals of protected health information about them as provided in §164.502; § 164.528(a)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: That occurred prior to the compliance date for the covered entity. § 164.528(a)(1)(ix)] | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research. § 164.524(a)(2)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 [The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in §164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required. § 164.528(a)(2)(i) {spoken communication}{impede}{health oversight agency}{law enforcement}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and § 164.528(a)(2)(ii)(B) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: To correctional institutions or law enforcement officials as provided in §164.512(k)(5); § 164.528(a)(1)(vii)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [{civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii) {civil action}{criminal proceeding}Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. § 164.524(a)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 [A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances. An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. § 164.524(a)(2)(iv) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in §164.502; § 164.528(a)(1)(iii)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{protected health information}{written form} If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section. § 164.524(b)(2)(i)(B) {written form}{timely manner}{access}{protected health information} Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: § 164.524(d)(2) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: The basis for the denial; § 164.524(d)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 [{protected health information} Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances: § 164.524(a)(3) {protected health information} Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section. § 164.524(a)(4) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and § 164.524(d)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 [An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in §164.510; § 164.528(a)(1)(v)] | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; § 164.502(b)(2)(ii) {access}{disclosure accounting}A covered entity is required to disclose protected health information: To an individual, when requested under, and required by §164.524 or §164.528; and § 164.502(a)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 [{representative} If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information. § 164.524(c)(3)(ii) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must: Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and § 164.514(h)(1)(i)] | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 [The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access. § 164.524(c)(3)(i) {protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for access. § 164.524(b)(2)(ii)(B) {stipulated time frame}{spoken communication}{accounting of disclosures}If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must: Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time. § 164.528(a)(2)(ii)(C) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an accounting. § 164.528(c)(1)(ii)(B)] | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{access}{protected health information}If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.524(b)(2)(ii)(A) {accounting of disclosures}If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and § 164.528(c)(1)(ii)(A) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and § 164.526(b)(2)(ii)(A)] | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 [{request for access}{protected health information} If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that: § 164.524(b)(2)(ii) {protected health information}{accounting of disclosures}The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows. If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that: § 164.528(c)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 [Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: § 164.524(c)(4) {stipulated time frame}{be reasonable}{following} The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee. § 164.528(c)(2)] | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 [A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations. § 164.522(b)(1)(i) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual. § 164.522(b)(1)(ii) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 [The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if: The individual agrees in advance to such a summary or explanation; and § 164.524(c)(2)(iii)(A) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. § 164.524(c)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from using cookies unless legitimate reasons have been defined. CC ID 16953 | Privacy protection for information and data | Data and Information Management | |
| Include the acceptable uses of cookies in the cookie management procedures. CC ID 16952 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 [{protected health information} A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only for the purposes of research, public health, or health care operations. § 164.514(e)(3)(i) {refrain from using}{refrain from disclosing} A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. § 164.522(a)(1)(iii) {Personally Identifiable Information} If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart. § 164.502(d)(2)(ii) {refrain from disclosing}{be inconsistent}{Notice of Privacy Practices} Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice. § 164.502(i)] | Privacy protection for information and data | Data and Information Management | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 [{protected health information}{disclosure}{use} Plain language requirement. The authorization must be written in plain language. § 164.508(c)(3) Plain language requirement. The attestation must be written in plain language. § 164.509(c)(2)] | Privacy protection for information and data | Data and Information Management | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 [{protected health information}Minimum necessary does not apply. This requirement does not apply to: Disclosures to or requests by a health care provider for treatment; § 164.502(b)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 [{refrain from disclosing}{refrain from requesting} Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. § 164.514(d)(5)] | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
| Validate the business need for maintaining collected restricted data. CC ID 17090 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and § 164.514(d)(3)(ii)(A) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) {improper disclosure}The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; An adequate plan to protect the identifiers from improper use and disclosure; § 164.512(i)(2)(ii)(A)(1) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart. § 164.530(c)(2)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 [{electronic protected health information} {are not required} Covered entities and business associates must do the following: Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. § 164.306(a)(3) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. § 164.306(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. § 164.314(b)(1) {electronic protected health information} Covered entities and business associates must do the following: le="background-color:#B7D8ED;" class="term_primary-verb">Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. § 164.306(a)(2)] | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 [{incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii) {incidental disclosure} A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. § 164.530(c)(2)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: § 164.514(c) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity. § 164.502(d)(1)] | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 [{refrain from deriving}{protected health information}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and § 164.514(c)(1)] | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 [{protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) {protected health information}{refrain from disclosing}Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification. § 164.514(c)(2) The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that: Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and § 164.502(d)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Data and Information Management | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Business Processes | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Behavior | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Communicate | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Data and Information Management | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Data and Information Management | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Behavior | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Business Processes | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Communicate | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Data and Information Management | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Process or Activity | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
| Include supporting documentation in the privacy rights violation complaint. CC ID 16997 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 [{protected health information}{be responsible} Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). § 164.526(f) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520. § 164.530(a)(1)(ii) {amendment}{protected health information}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.526(d)(1)(iv) {access}{protected health information}The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain: A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii). § 164.524(d)(2)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{protected health information}{be permissible}If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that: The covered entity may have only one such extension of time for action on a request for an amendment. § 164.526(b)(2)(ii)(B)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 [A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is not part of the designated record set; § 164.526(a)(2)(ii) {amend}{is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; § 164.526(a)(2)(i) {be complete}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Is accurate and complete. § 164.526(a)(2)(iv) {is not available}A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request: Would not be available for inspection under §164.524; or § 164.526(a)(2)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify individuals of their right to challenge personal data. CC ID 00457 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2)] | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 [{be in writing} Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements. § 164.526(b)(1) {amendment}{protected health information}{instruction}The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; § 164.526(d)(1)(ii)] | Privacy protection for information and data | Data and Information Management | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 [{disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is: § 164.522(a)(2)(iii) {disclosure}{use}{protected health information}Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if: The individual orally agrees to the termination and the oral agreement is documented; or § 164.522(a)(2)(ii) (disclosure}{use}{protected health information}A covered entity may terminate a restriction, if: The individual agrees to or requests the termination in writing; § 164.522(a)(2)(i)] | Privacy protection for information and data | Configuration | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
| Investigate the disputed accuracy of personal data. CC ID 00461 [{stipulated time frame}{protected health information} The covered entity must act on the individual's request for an amendment no later than 60 days after receipt of such a request, as follows. § 164.526(b)(2)(i)] | Privacy protection for information and data | Data and Information Management | |
| Notify third parties of unresolved challenges. CC ID 13559 [{denial}{amendment}{statement of disagreement} When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction. § 164.526(d)(5)(iii)] | Privacy protection for information and data | Communicate | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 [{protected health information} Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement. § 164.526(d)(2) {written form} Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement. § 164.526(d)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Behavior | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 [Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402. § 164.414(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
| Keep restricted data up-to-date and valid. CC ID 00091 [Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(f)(2)(ii)(F)] | Privacy protection for information and data | Data and Information Management | |
| Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
| Establish, implement, and maintain general sentence structure guidelines. CC ID 06131 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
| Use brevity of language. CC ID 06137 [{written form}{amendment}{protected health information} Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain: § 164.526(d)(1)] | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be permissible}{business associate contract} The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. § 164.504(e)(3)(iii) A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. § 164.504(e)(1)(ii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. § 164.504(e)(2)(i)(B)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: § 164.504(e)(4)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A) {person}Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish who is permitted to use or receive the limited data set; and § 164.514(e)(4)(ii)(B) {refrain from contacting}Contents. A data use agreement between the covered entity and the limited data set recipient must: Provide that the limited data set recipient will: Not identify the information or contact the individuals. § 164.514(e)(4)(ii)(C)(5)] | Third Party and supply chain oversight | Business Processes | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Business associate contracts. The contract must provide that the business associate will— Comply with the applicable requirements of this subpart; § 164.314(a)(2)(i)(A) {business associate contract} The contract or other arrangement required by §164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable. § 164.504(e)(1)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. § 164.504(e)(2)(ii)(H) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. § 164.410(a)(1) Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 [Business associate contracts. The contract must provide that the business associate will— Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410. § 164.314(a)(2)(i)(C) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to— Report to the group health plan any security incident of which it becomes aware. § 164.314(b)(2)(iv) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware; § 164.504(f)(2)(ii)(D) {protected health information}{business associate contract}Provide that the business associate will: Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410; § 164.504(e)(2)(ii)(C)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information. § 164.308(b)(2) {be the same} Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by §164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.314(a)(2)(iii) Business associate contracts. The contract must provide that the business associate will— In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and § 164.314(a)(2)(i)(B) {business associate contract}Provide that the business associate will: In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; § 164.504(e)(2)(ii)(D) {business associate contract}{remain confidential}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and § 164.504(e)(4)(ii)(B)(1) {business associate contract}{disclosure recipient}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. § 164.504(e)(4)(ii)(B)(2) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. § 164.502(e)(1)(ii) {be equal} Implementation specifications: Business associate contracts with subcontractors. The requirements of §164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by §164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. § 164.504(e)(5) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and § 164.504(e)(2)(i)(A) {business associate contract}{refrain from disclosing}{protected health information}Provide that the business associate will: Not use or further disclose the information other than as permitted or required by the contract or as required by law; § 164.504(e)(2)(ii)(A) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: To carry out the legal responsibilities of the business associate. § 164.504(e)(4)(i)(B) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: For the proper management and administration of the business associate; or § 164.504(e)(4)(i)(A) {business associate contract}Provide that the business associate will: At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. § 164.504(e)(2)(ii)(J) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3) Contents. A data use agreement between the covered entity and the limited data set recipient must: Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity; § 164.514(e)(4)(ii)(A)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
| Include disclosure requirements in third party contracts. CC ID 08825 [Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: § 164.504(e)(2)(i) {business associate contract}Provide that the business associate will: Make available protected health information in accordance with §164.524; § 164.504(e)(2)(ii)(E) {business associate contract}Provide that the business associate will: Make available the information required to provide an accounting of disclosures in accordance with §164.528; § 164.504(e)(2)(ii)(G) {business associate contract}Provide that the business associate will: Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; § 164.504(e)(2)(ii)(F) {business associate contract}The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: The disclosure is required by law; or § 164.504(e)(4)(ii)(A) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in §160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and §164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and §164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. § 164.504(e)(3)(ii) {business associate contract}{make available}Provide that the business associate will: Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and § 164.504(e)(2)(ii)(I) A business associate is required to disclose protected health information: To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information. § 164.502(a)(4)(ii) {refrain from disclosing} Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. § 164.502(a)(3)] | Third Party and supply chain oversight | Business Processes | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 | Third Party and supply chain oversight | Establish/Maintain Documentation | |