45 CFR Appendix A to Subpart C of Part 164
Security Standards: Matrix
April 14, 2021
| Standards | Sections | Implementation Specifications (R) = Required, (A) = Addressable |
|---|---|---|
| Administrative Safeguards | | |
| Security Management Process | 164.308(a)(1) | Risk Analysis (R)<br>Risk Management (R)<br>Sanction Policy (R)<br>Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A)<br>Workforce Clearance Procedure (A)<br>Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health care Clearinghouse Function (R)<br>Access Authorization (A)<br>Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A)<br>Protection from Malicious Software (A)<br>Log-in Monitoring (A)<br>Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R)<br>Disaster Recovery Plan (R)<br>Emergency Mode Operation Plan (R)<br>Testing and Revision Procedure (A)<br>Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | (R) |
| Business Associate Contracts and Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Physical Safeguards | | |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A)<br>Facility Security Plan (A)<br>Access Control and Validation Procedures (A)<br>Maintenance Records (A) |
| Workstation Use | 164.310(b) | (R) |
| Workstation Security | 164.310(c) | (R) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R)<br>Media Re-use (R)<br>Accountability (A)<br>Data Backup and Storage (A) |
| Technical Safeguards (see §164.312) | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R)<br>Emergency Access Procedure (R)<br>Automatic Logoff (A)<br>Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A)<br>Encryption (A) |
