Administrative Controls HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Security Management Process - 164.308(a)(1)(i) | Risk Management Policy | Yes |
Assigned Security Responsibility - 164.308(a)(2) | Roles Policy | Partially |
Workforce Security - 164.308(a)(3)(i) | Employee Policies | Partially |
Information Access Management - 164.308(a)(4)(i) | System Access Policy | Yes |
Security Awareness and Training - 164.308(a)(5)(i) | Employee Policy | No |
Security Incident Procedures - 164.308(a)(6)(i) | IDS Policy | Yes |
Contingency Plan - 164.308(a)(7)(i) | Disaster Recovery Policy | Yes |
Evaluation - 164.308(a)(8) | Auditing Policy | Yes |

Physical Safeguards HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Facility Access Controls - 164.310(a)(1) | Facility and Disaster Recovery Policies | Yes |
Workstation Use - 164.310(b) | System Access, Approved Tools, and Employee Policies | Partially |
Workstation Security - 164.310(c) | System Access, Approved Tools, and Employee Policies | Partially |
Device and Media Controls - 164.310(d)(1) | Disposable Media and Data Management Policies | Yes |

Technical Safeguards HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Access Control - 164.312(a)(1) | System Access Policy | Partially |
Audit Controls - 164.312(b) | Auditing Policy | Yes (optional) |
Integrity - 164.312(c)(1) | System Access, Auditing, and IDS Policies | Yes (optional) |
Person or Entity Authentication - 164.312(d) | System Access Policy | Yes |
Transmission Security - 164.312(e)(1) | System Access and Data Management Policy | Yes |

Organizational Requirements HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) | Business Associate Agreements and 3rd Parties Policies | Partially |

Policies and Procedures and Documentation Requirements HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Policies and Procedures - 164.316(a) | Policy Management Policy | Partially |
Documentation - 164.316(b)(1)(i) | Policy Management Policy | Partially |

HITECH Act - Security Provisions HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Notification in the Case of Breach - 13402(a) and (b) | Breach Policy | Partially |
Timeliness of Notification - 13402(d)(1) | Breach Policy | Partially |
Content of Notification - 13402(f)(1) | Breach Policy | Partially |

Administrative Controls HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Security Management Process - 164.308(a)(1)(i) | Risk Management Policy | Yes |
Assigned Security Responsibility - 164.308(a)(2) | Roles Policy | Partially |
Workforce Security - 164.308(a)(3)(i) | Employee Policies | Partially |
Information Access Management - 164.308(a)(4)(i) | System Access Policy | Yes |
Security Awareness and Training - 164.308(a)(5)(i) | Employee Policy | No |
Security Incident Procedures - 164.308(a)(6)(i) | IDS Policy | Yes |
Contingency Plan - 164.308(a)(7)(i) | Disaster Recovery Policy | Yes |
Evaluation - 164.308(a)(8) | Auditing Policy | Yes |

Physical Safeguards HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Facility Access Controls - 164.310(a)(1) | Facility and Disaster Recovery Policies | Yes |
Workstation Use - 164.310(b) | System Access, Approved Tools, and Employee Policies | Partially |
Workstation Security - 164.310(c) | System Access, Approved Tools, and Employee Policies | Partially |
Device and Media Controls - 164.310(d)(1) | Disposable Media and Data Management Policies | Yes |

Technical Safeguards HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Access Control - 164.312(a)(1) | System Access Policy | Yes |
Audit Controls - 164.312(b) | Auditing Policy | Yes |
Integrity - 164.312(c)(1) | System Access, Auditing, and IDS Policies | Yes |
Person or Entity Authentication - 164.312(d) | System Access Policy | Yes |
Transmission Security - 164.312(e)(1) | System Access and Data Management Policy | Yes |

Organizational Requirements HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) | Business Associate Agreements and 3rd Parties Policies | Partially |

Policies and Procedures and Documentation Requirements HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Policies and Procedures - 164.316(a) | Policy Management Policy | Partially |
Documentation - 164.316(b)(1)(i) | Policy Management Policy | Partially |

HITECH Act - Security Provisions HIPAA Rule | CIRG Control | Inherited |
---|---|---|
Notification in the Case of Breach - 13402(a) and (b) | Breach Policy | Yes |
Timeliness of Notification - 13402(d)(1) | Breach Policy | Yes |
Content of Notification - 13402(f)(1) | Breach Policy | Yes |