6.4 STEP TWO: ASSESSMENT

Your assessment process should be conducted in a manner that allows you to evaluate your organizations security practices through fully understanding of how your staff conducts their day-to-day operations in relation to known security practices and, as a result, how the proposed HIPAA security standards would impact those operations. The assessment process includes:

Establishing your approach : This part of the gap analysis is interactive. You are validating what is on paper (i.e., the documentation gathered during the information audit). You and your team will be interviewing key staff within your organization to clarify and establish your information management and technology baselines as related to security. You also need to determine how you should present your final results to help guide you in the format of the tools you will be using for data collection. Your end objective is not an in-depth network and system assessment, but rather a preliminary summary of the state of automation within your organization.
Conducting background interviews: Surveying key stakeholders to establish organizational goal and directions, frame the corporate culture as it relates to security, and determine the organizational investment for HIPAA security compliance. This information will be used to modify and refine your detailed results in your final presentation of the gap analysis results.
HIPAA Security Questionnaire: A security questionnaire, based on industry best practices but related to the areas in the rule, will avoid any gaps in your questions. A commercial tool can be purchased and used or, if you outsource, you may have to use the questionnaire provided by your vendor. Remember to review any tool for completeness and complete a test run with a limited number of your workforce if you are a large organization. You should also review this tool with management as part your conducting background interviews.
Analysis of Policies and Procedures (P&Ps): Policies and procedures are a cornerstone of your security program. They need to be complete and compliant with both the HIPAA Security AND Privacy Regulations, and most importantly clear, concise , and usable by your workforce.

6.4.1 Establishing Your Approach

Although this section spells out the steps in the information gathering process, your organization will need to determine what is the best approach to actually conducting the actual gap analysis. You should conduct a brainstorming session with the appropriate personnel in your organization to answer the following set of questions.

What are our objectives relative to HIPAA security compliance and how does this affect the objectives of the HIPAA gap analysis? This question is key because it will provide the scope and direction of your efforts.

What is management buy-in to establishing a security management program? This is key. A good security program will be pervasive through out the organization. Without management support, there is very little chance it will ever be effective. The results of the gap analysis and remediation plan will sit on the shelf and gather dust until the organization is confronted with an incident that is extremely costly to their reputation, operation, or both.
Is the organization looking to establish a comprehensive program or just remediate the key areas they feel are important? Should you start with a wide scope and narrow it as you go through the discovery and data collection process?
Most importantly, what type of security program does your organization envision that is consistent with their business needs? Obviously, the needs for a small provider's office of, say, 5 staff members will be completely different from a large health system that spans the nation. You need to adjust your objectives to fit your organization.

Should we use an internal team and do a self-assessment or should we outsource to a consultant who specializes in HIPAA? This question is key. In making your decision, you should answer the following questions before you even consider the costs:

How honest can your organization be with itself?
How well do internal teams fare in facilitating discussion among their peers?
Do you have anyone on your staff that can be relied on to convey a maturing vision or direction as how HIPAA will affect your organizational security posture ?

Have you planned for the resources to conduct the gap analysis? Outsourcing the gap analysis to a vendor is only part of the cost. Your organization still needs to dedicate resources to answering the questions that will be asked by the vendor. Otherwise this effort will simply be a paper study with little organizational input or buy-in. Prior to starting the program, you need to answer the following:

What are the expectations as to the outcome of the gap analysis project?
How much time and money can we really afford to spend on this project, considering ALL the costs? (Note: Costs can include management and staff time, facilities for meetings, materials, an external consultant, if used.)
Has a budget already been established for the gap analysis and is it realistic?

How should the results of the gap analysis be organized and presented to be the most useful? We have tried in this section to suggest an approach that leads into remediation and provide the basis for project planning and budgeting. Each organization, however, will have specific needs and requirements in this area. The gap analysis team should be aware of process to present information to the organizational decision makers and the level of background detail needed to support their decisions.

How should the gap analysis be managed? For a large organization, the gap analysis should be treated as a project. The above questions have already touched on many of the reasons for this. For smaller organizations, where a single person may actually be responsible for the gap analysis, self-imposed rigor on the process and resulting documentation will not go unrewarded in generating useful security products. Some of the considerations here include:

How many interviews are needed, with whom, how long, and when can they be scheduled? How many members of the team should be present at each interview? Are facilitated group meetings more effective than individual interviews, least in some instances such as gathering all inputs from a specific department when reviewing the HIPAA Security Assessment Questionnaire?
Who is responsible for managing the project? For example, should this be the Chief Information Officer, the Chief Security Officer, the head of Information Management Department, or the HIPAA Steering Committee that is comprised of members of the executive management team?
If an external consultant is used, does someone fully understand their statement and scope of work and the deliverables that are needed (versus what they might normally provide)?
What should be the reporting process to upper management and who on the gap analysis is responsible for seeing that this gets done in s timely and accurate fashion?

6.4.2 Background Interviews

Background interviews should be conducted with the key stakeholders that affect the information management and technology decisions within your organization. The following are candidates for this process.

The executive management team, including the heads of human resources, facilities, and finance as well as operations, information management and key programs or services within the organization
The HIPAA Steering Committee (if one exists)
The Chief Information Officer
The Chief Privacy Officer and members of the privacy team
The Chief Security Officer (if appointed) and members of the security team
Information Systems management staff

These interviews should be guided to help identify network topology and interconnections, information access policies, and other documented procedures. You will be examining system and application security mechanisms to determine the current state of policy support and the technical controls available for each system and application as part of the later interviews.

Topics you should cover include:

Information management and technology organizational issues
Any infrastructure updates, both systems and network, from what was presented in the information audit
Effectiveness of the policies and practices related to information management and technology
Satisfaction with the organization used to provide information system support to end-users
Current plans and initiatives for information management and technology

This is your opportunity to pinpoint overall problems, such as the lack of training or system support that, while directly related to security, would impact it from an awareness or user access perspective. Be prepared, as you conduct these interviews, that especially in larger organizations, you will come across gaps in organizational knowledge. One program will not be aware that another internal business unit may have implemented exactly what they need and are planning to do themselves or that informal and fragmented approaches to handling sensitive information may have been cultivated through out your organization because of the lack of a central policy or one weakly enforced.

These background interviews should be used to validate assumptions, confirm information that you have gathered in the information audit, and draw out responses to potential corporate issues surrounding security.

You should schedule each background interview for at least 30 minutes. Depending on how effective your interview team is in guiding a discussion, you may find that your interviewee will warm to the topic and you can easily fill an hour with a useful discussion. You should warn your interviewee that this may be the case and that they should be prepared to either extend the interview to an hour or schedule a follow-up session, either in-person or on the phone, to complete the discussion. Encourage the interviewee to invite additional staff if they feel that it would be beneficial, but remind them that this is not intended to be a group interview. You are very much focused on their inputs.

If possible, you should also use at least two individuals from your team for each interview, one primarily to lead the discussion, the other to take notes. Both, however, should participate in the discussion and individually note the highlights and issues. The two should meet as soon after the interview as practical to compare notes and flag key issues.

This interview should not necessarily be form driven. You may, however, want to establish some general questions from the information audit and expand on these as you go. In larger organizations, you should provide a short background of the project, the objectives for the interview and the questions as ˜read-ahead' material to the interviewee. Even if they look at the material for the first time 5 minutes before your session, you will be surprised at how much more efficient and effective the interview will be. The responses should also be factored into the detailed questionnaire. The size of the organization and the detail in the responses are used to determine whether you want to conduct further individual interviews at the department or program level.

A set of representative questions might include:

Do you understand the potential impacts of HIPAA security and how do we inform our organization about it? You might want to prepare a short discourse on the first part of this question and then let them expand on it when discussing the second half.
Do you have an idea of how much work will be involved in establishing a HIPAA security program? Here you might provide background on the fact that, ultimately, a project plan will be developed from the results of the gap analysis, the work will be broken down into individual tasks , the level and duration of effort will be estimated and responsibilities assigned, and a schedule and final budget established. Remind them that they are part of this process and their inputs here are key drivers.
What systems do you know that capture and exchange PHI? Since you have already completed the information audit, you should be aware of what systems have been documented. Come prepared with a sketch and description of the existing systems you know about. You are looking for confirmation or additional information. Be prepared, for example, to find that there may be dial-up systems that the IM department doesn't know about! One example that has turned up in my interviewing agencies is the dial-up access to the kitchen system that is used to manage nutrition for the patients in the institution.
Are you aware of any updates being planned for these systems that may affect security? The interviewee may or may not be aware of the technical aspects of this depending on their role in the organization. However, perception can be as critical as actual knowledge!
What are the current policies, procedures, and notes? Again, come prepared. The information audit should have provided a list of what the organization had formally documented. You are looking for confirmation and additional information.
Are there any requirements related to security and privacy specific to your business unit? Listen for processes or procedures that have been developed at the ˜grass roots' level. Listen for whether the current P&Ps have been effective and, if not, where the gaps may lie. This information will also help steer you in developing the HIPAA Security Assessment Questionnaire.
Does the gap analysis team need to contact any outside groups for additional information? Again, you should have developed a list from the information audit. This question will confirm or expand on this list. The list can include software vendors , clearinghouses, EDI trading partners , health care arrangements, payers, accreditation organizations, and other business associates .
Have you any concerns as to how HIPAA security compliance will affect the organization, your role, or the contributions of your business unit?
Is there anyone else you recommend we should contact for a background interview?
Who is the lead person in your business unit we should contact regarding completion of the HIPAA Security Assessment Questionnaire and the Security P&P Review Matrix?

6.4.3 Development of a Standard Questionnaire for Data Collection

Armed with the understanding of the organization from the background interviews and the information audit, you should now employ a HIPAA Security Assessment Questionnaire as your tool for collecting information relative to the HIPAA security regulation. You can either develop your own or tailor an existing one. If your organization plans to outsource the gap analysis, you may have little choice but use what the consultant provides. However, you should review their tool and their approach, confirm that the questionnaire covers all the elements of the security regulation as well as the needs of your organization, and understand how the results it provides translate to a remediation plan that you control.

The questionnaire reflects the current state of the regulation. Smaller organizations may conduct a group interview with all relevant parties, especially if the agency is organizationally compact with many elements of the business operations centralized. For larger enterprises , the answers to questions should be oriented to address the entire organization, not individual sites. Discrepancies between sites, however, should be noted whenever needed. The analysis process will then be able to identify gaps that reflect the lowest denominator across the entire agency.

The questionnaire should be organized into the main categories of the rule:

Administrative Safeguards: This part calls for the risk analysis, risk management, and sanction policies to be defined. The questions in the administrative section should concentrate on current work processes and flows within your organization, documentation, and organization. You should also incorporate the requirements established under the General Section (164.306) regarding flexibility of approach in gauging how to ask specific questions relative to risk analysis and risk management. Pay careful attention as to whether your organization involves a healthcare clearinghouse operation. Specific questions should be asked relative to the policies and procedures that protect the electronic health information handled by the clearinghouse from unauthorized access by the larger organization.
Physical Safeguards: This part concentrates on the environment that houses your electronic systems. However, as has been discussed earlier, you security program needs to address all forms of media containing PHI to be compliant with both the HIPAA Privacy and Security Rules. Therefore, as a best practice, you should plan your questionnaire to address physical security in general, including protection of your paper records.
Technical Safeguards: This is where you will address all aspects of your technical infrastructure, including access methods , authentication, and authorization. Make sure your questions in this section are consistent with the corresponding areas in the Administrative Safeguards section. For example, you have implemented role-based access via username and password. You have developed policies to address the guidelines as to password structure and update. These questions can be asked in the Administrative Safeguard section. The complementary set of questions in the Technical Safeguard section should concentrate on how you have implemented policy driven features: What techniques does each system use to encrypt passwords? Are there tools that electronically enforce your password policy? How do you audit your use access? How do you detect possible incidents from your system logs?
Organizational Requirements: These questions should address your contracting approach, what are your standard terms and agreements with your business associates including contractors, vendors, and suppliers; accreditation organizations; trading partners; governmental organizations, and payers. The list should be comprehensive and include all parties that you exchange information with electronically, not just PHI, since each link into your system could be a possible compromise to your information security.
Policies and Procedures and Documentation Requirements: The questions in this section should address your P&Ps, although the P&P review that you will also conduct should identify the content of what you have. Questions in this section should focus on your organization's documentation procedures, such as whether you have an established incident reporting system and whether the incident reporting process deals with information security. It should also include your records retention process and policy, whether you have a defined practice for policy development, availability, and update as well as supporting guidance and procedures. Finally, the questions should target how you have implemented your policies, guidance, and procedures, the metrics your organization uses to judge their effectiveness and compliance, and finally, based on these measures, how compliant your organization really is with their P&Ps.

As part of this section, we are not providing a survey tool. Depending on your organization, they can be quite lengthy and involved. Rather we have provided a series of links in the table below that can help you prepare your survey tool. This list is not exhaustive but intended as a starting point the development of your questionnaire.

Table 5: Sources for Development of HIPAA Security Assessment Tool
Source	Links	Comments
Resources Directly Applicable to Developing Gap Analysis Tools
CERT Coordination Center (CERT/CC)	http://www.cert.org For reference material related to the OCTAVE method: http://www.cert.org/octave/pubs.html	Established in 1988 as a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. SEI is the developer of OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation ^SM ), a risk-based strategic assessment and planning technique for security. Note! OCTAVE is intended to be self-directed and focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology. It is an excellent starting point for developing your own materials for a HIPAA security gap analysis.
SANS (SysAdmin, Audit, Network, Security) Institute	http://www.sans.org http://www.sans.org/resources/policies (SANS Security Policy Project)	SANS is also an excellent source of information, both from the resources in the SANS Reading Room as well as the SANS Security Policy Project. A review of the sample policies available should give you a firm grounding in the types of questions you need to ask during your detailed interviews.
Microsoft	http://www.microsoft.com/technet/default.asp	The Microsoft Technet home page links to Microsoft security resources, including several white papers worth reviewing even if your infrastructure is not Microsoft based. These include entries under Best Practices, Tools & Checklist, and Security Tips.
TechRepublic	http://techrepublic.com	Registration is required to access this site but it is free. The site contains helpful downloads, white papers, and news articles. You can also access books and CDs at reasonable cost that can help establish your gap analysis strategy and serve as templates for your data collection.
Healthcare Information Management and Systems Society (HIMSS)	http://www.himss.org http://www.himss.org/hipaasource/hip	This should be an initial stopping place along with the sites powered by Phoenix Health Systems
	aasource.asp
Phoenix Health Systems	http://www.phoenixhealth.com/ http://www.hipaadvisory.com/	Phoenix Health Systems has been selected by HIMSS as its HIPAA knowledge partner, providing HIMSS' HIPAAsource web content and HIPAA 'Flash' eConferences
American Health Information Management Association (AHIMA)	http://www.ahima.org http://library.ahima.org	Besides searching AHMIA's main site, check AHMIA's HIM Body of Knowledge (BoK) at the second link. Note: You may have to be a member of AHMIA to access some of the B0K content.
*Organizations Involved in Establishing HIPAA and Related Security Requirements (e.g., Standards Bodies, Accreditation Organizations, Industry Groups)*
American Medical Association (AMA)	http://www.ama-assn.org	Some interesting perspectives on gap analysis/risk assessment from the provider's view
Joint Commission on Accreditation of Healthcare Organizations (JACHO)	http://www.jcaho.org	An independent, not-for-profit organization, JCAHO is the nation's predominant standards-setting and accrediting body in health care. Since 1951, JCAHO has developed state-of-the-art, professionally based standards and evaluated the compliance of health care organizations against these benchmarks.
National Institute of Standards and Technology	http://www.nist.gov	Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST's responsibilities include setting standards that impact information security. A cooperative effort with URAC is reviewing the application of NIST Special Publications 800-37 and 800-53 for possible use in the healthcare sector.
URAC (Utilization Review Accreditation Commission)	http://www.urac.org http://www.urac.org/committees_sworkgroup.asp?navid=committeespagename=committees_workgroups	URAC, an independent, nonprofit organization, is a leader in promoting health care quality through accreditation and certification programs. URAC and NIST have formed a Health Care Industry Workgroup with participation from both the federal and private sectors to develop a common set of health care security standards that will cover security policies, procedures, controls and auditing practices.
Workgroup for Electronic Data Interchange (WEDI) and Strategic National Implementation Process (SNIP)	http://www.wedi.org	This is the Workgroup for Electronic Data Interchange web site. This site includes information on EDI in the health care industry, lists of conferences, and the availability of resources for standard transactions
Consultant/Vendor Resources (Note: This is intended as a starting point. The list is almost endless.)
FOX Systems Inc.	http://www.hipaaconsulting.com	FOX Systems is a healthcare consulting company who has established a good reference Web site for all things considered HIPAA.
Practical Solutions Group LLC	http://hipaakit.com/~hippakit/index.php	Tools to support various aspects of HIPAA compliance. Their ˜toolkits' can be a good starting point, include a book and CD-ROM, but are not free. Their manual and CD targeted for security cost $200.
Center for Healthcare Information Management	http://www.chim.org	CHIM is the strategic information and technology trade association for the health care industry. It includes a 'Portal on HIPAA' site that includes background information, information on specific rules, conferences, and other relevant sites.

Much of the information gathered during your assessment will be subjective in nature. If you need to quantify it, we suggest a relatively simple approach. Frame each question so that it can be easily answered by Yes-Fully compliant, No-Partially compliant, No-Not at all compliant, or Not applicable. Reserve a column for comments or further discussion but make sure that each question is answered by placing a checkmark in one of the four columns .

Make sure the answers address the current state. You can indicate that your organization plans on correcting the problem in six months, but don't count on it in your development of the gap analysis. Many things are ˜planned' and never get done. This is an area where you need to make sure that your organization is honest with itself.

Once you have captured the information, you can then assign a numerical score to each column such as 2 for Yes, 1 for No-Partially compliant, 0 for No-Not compliant. How you handle NA responses depends on your organization. In some cases, you should remove that question from consideration in the final tally of the results. In other cases, such as trying to determine the common denominators across all the sites in an enterprise, you may use it as part of a weighting factor applies to each question. Once you have assigned a numeric value to each question, you can then tally a score for each section of your questionnaire. This can then be translated to an overall numeric score for that section reflecting how fully compliant your organization currently is with HIPAA.

In developing the summary matrix shown at the end of this section, I merely reviewed the results from each section of the survey tool I used and made a broad determination of whether the agency involved was fully, partially, or not at all compliant with the requirements of that section of the rule.

6.4.4 Review of Policies and Procedures

Policies, including those for security, provide a framework within which your organization establishes the necessary levels of information security and privacy to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a system. Security policies apply to a wide variety of activities within an organization, including human resources, information technology, records management, facilities management, and so forth.

Policies should be designed so that they can be easily compiled and enforced. Procedures and guidelines can then be developed for both compliance with and enforcement of these policies. HIPAA provides some standard guidance as to the contents of the security P&Ps. The matrix shown in Table XX provides a checklist to assess the policies needed for HIPAA compliance by your agency. The current matrix is based on the present version of the rule and is organized as follows :

Policy Area Title. This is a general phrase that may serve as either the policy title or as a section containing several related P&Ps. It is useful to establish cross-references between related policies. This column also elaborates on the contents of the policy and can be used as the basis for the scope section in the policy template. Scope should address at what levels the P&P should be applied, such as enterprise (i.e., agency), group (i.e., program or department), and individual levels.
Policy Contents Checklist: This column contains the relevant topics the policy (ies) in this area should address. The structure of the policy (ies) in an area should be guided by simplicity and enforceability.
HIPAA Security Rule: This column references the area(s) in the HIPAA (Draft) Security Rule the policy area addresses.
Responsible Business Unit: This column describes where the policies may have been developed. Major departments are listed but need to be expanded to include the appropriate business units. This approach should allow the identification of whether one or more grass roots policies for information security or handling may have been developed and implemented in the absence of a corporate policy or a poorly written enterprise policy.
Existing Policy Name and Location: This last completes the inventory. The name of each policy should be listed and its location, such as policy binder in the library or location on the network.

The following steps should be followed to develop a consistent set of security-related policies and procedures:

Step One: Tailor Policy and Procedure (P&P) Checklist: Table 6 outlines possible security P&P areas and contents in a matrix format that can be used as a checklist for compliance. You can adopt this format ˜as is' or tailor it to your needs but, following this presentation, should ensure that your organization will be more than minimally compliant with the HIPAA security rule as well as coordinated with any related Privacy Rule requirements. Accreditation by sanctioning bodies, such as JCAHO, may yield additional, complementary elements to be incorporated into the development of your security P&Ps. This table can also be updated with any prior results from risk assessments that your organization may have performed.
Step Two: Survey of Organizational Policies and Procedures: Most health care entities have developed policies and procedures that address security requirements, although they may not explicitly reference security. Your organization needs to review their current P&Ps against the tailored P&P checklist. This should be done across all relevant business units. A business unit can be a department, a program, or a site. The table below indicates those responsible business units in your organization that are normally be involved in a security program (i.e., IM and IT, HR, facilities, and training). Your organization needs to ensure that ALL relevant business units participate in this survey. Each business unit should review the list and first determine whether or not the particular policy area/content is applicable to them. If the policy area/content is applicable to them, then they should provide the following information according to the following legend:

If a business unit indicates that they have an existing policy, they should also provide the name and location of the policy document on the survey tool. In the case where one policy may cover multiple areas, the policy should be mentioned in each area. For documents available only in hardcopy, a sample should be attached to the survey tool.
Step Three: Summarize and Evaluate Existing P&Ps: From the results of this survey, the list of existing policies can be established and then reviewed for any gaps and a determination of which existing P&Ps should be revised (i.e., updated or expanded) or news one developed. Regardless of the size of the organization, there should be a formal policy and procedure management process that includes P&P review and approval. The date of approval is also the date issued or the date that the policy or procedure is put into effect and will be date tracked in the HIPAA documentation standards (Section 164.316).

Table 6: Security Policy and Procedure Review Matrix
No.	Policy Area Title	Policy Contents Checklist	HIPAA Security Rule Reference	Responsible Business Unit (Department, Program, Site)					Existing Policy
No.	Policy Area Title	Policy Contents Checklist	HIPAA Security Rule Reference	Corporate	HR	MIS	Facilities	Other	Name	Location
1.	Information Classification Guidelines Establish enterprise information classification guidelines and standards to be used throughout the development of P&Ps	Establish appropriate information sensitivity classifications Define the handling of each classification	The final rule is considered to require a 'floor of protection' for all electronic health information. An organization may exceed this floor in how it determines it should handle its PHI. Therefore, this policy area depends on the organization's business rules but is included here as a 'best' or 'recommended' practice.					N
2.	Compliance with Legal and Policy Requirements Provide guidelines that outline how and why compliance should be managed	Comply with Legal Obligations Comply with Policies Avoid Litigation Vendor Agreements Service Level Agreements Data Sharing & Trading Partner Agreements Other Legal Issues	164.302 164.306(a) 164.308(b)(1) 164.314
3.	Policy Standards Establish procedures for formal documentation and maintenance of P&Ps	P&P Sources of Authority and Management Approval Process Policy Maintenance Processes (Creation, Revision, Retirement)	164.316
4.	Access Control and Authorization Establish guidelines for controlling access to information and systems including: Role based access Access criteria Access controls including authorization and authentication Access procedures to include authorization and authentication	Address physical and electronic processes in a manner consistent with classification guidelines Define access controls, physical and electronic Procedures should address: Access Authorization (i.e., rules to grant access) Access Establishment (i.e., rules to enable access) Access Modification (i.e., rules to allow changes to access) Access Authorization Record Keeping, Review and Update Policies should address: Passwords LAN, WAN, Wireless Remote Access (Dial-in, VPN) Email and Internet Secure Workstation Location Authorization Control	164.308(a)(4) 164.310(a)(1)(iii) 164.312(a)(1) 164.312(d)
5.	Audit / Certification Establish methods to effectively and proactively audit for security related issues and incidents. The audit should provide a logical means for leading to entity certification and formal accreditation by the appropriate sanctioning bodies.	Role and Responsibilities (Internal/External) Processes and Controls (Preventative, Detection, Corrective) Testing Requirements Areas of Focus: Asset Management Physical and Electronic Information, Data, and Documentation to Include PHI and the Implementation of and Compliance with P&Ps Acquisition and Outsourcing Service Level Agreements Trading Partner Agreements Other Information Systems Stand-Alone Workgroup (Limited Networking) Enterprise Network Infrastructure and Services LAN, WAN, Gateways Remote Access (Modems, VPN) Internet, Intranet, Messaging	164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(C) 164.308(a)(8) 164.310(a)(2)(iv) 164.310(d)(2)(iii) 164.312(b)
6.	Information Handling and Processing Establish procedural guidelines for the processing and handling of information, data, and documents, in accordance with information security and policy classifications	Staff / End Users E-mail and the Worldwide Web Telephones & Fax Mailroom Processing Data Management Document Handling Securing Data, Information, Documents Workstation Use Procedures System Operations and Administration Backup, Recovery and Archiving Virus Checking Networks Other Information Handling & Processing	164.308(a)(4)(i) Note: Refer to HIPAA Privacy Regulation for further thoughts in this area.
7.	Security Incident Management Establish the process for detecting and responding to information security incidents	Definition of Security Incidents/Breaches Monitoring/Detection of Security Incidents Reporting Information Security Incidents Investigating Information Security Incidents Corrective Activity Other Information Security Incident Issues	164.308(a)(1) 164.308(a)(6)
8.	Facility Security Establish guidelines that deal with premises related security considerations. The rule emphasizes the security of the facilities where the information systems are housed but, for completeness, the privacy rule also demands attention to the storage of data on physical media (e.g., paper).	Facility/Premises Security to include: Natural Disaster Considerations Unauthorized Human Intrusion Considerations Information System Physical Security Individual Site Security Plan (if required) Facility/Site Emergency Mode Operations Physical Information Storage and Records Retention Other Premises Issues	164.310(a)(1) Cross reference also to HIPAA Privacy Rule
9.	Personnel Security Address personnel issues related to security	Personnel Screening/Clearance of Workforce Members Staff Contractors Vendors Contractual Documentation Requirements Information Related to Security Retained in the HR Record (e.g., receipt of training and security awareness) Handling of Information According to Classification Personnel Information Security Responsibilities Management/Supervision Workforce Voluntary and Involuntary Workforce Termination Disciplinary Actions Related to Security	164.308(a)(3)
10.	Security Training Develop an effective program to deliver security training and on-going security awareness to workforce	User Training Program, Scope, and Practices Orientation/On-Going Security Handbook Staff IT Skill Assessment Awareness Program, Scope, and Practices Training Security Reminders Records Maintenance	164.308(a)(5)
11.	Business Continuity Develop business continuity and disaster recovery plans and procedures.	Business Continuity Plans and Procedures Testing Revision Procedures Incorporation of Related Plans Disaster Recovery Facility and Site Emergency Mode Operations Information Systems Backup and Recovery	164.308(a)(7) 164.310(a)(1) 164.310(d)(1)
12.	Information Systems Security: Hardware Establish security related procedures involving hardware, peripherals, and other equipment	Technical Hardware Standards (Systems, Network) Asset Management / Inventory Procedures Consumables Protection/Destruction (Media, Toner Cartridges, etc) Hardware Configuration Management/Documentation Upgrades, Purchases and Installation Procedures Security Testing Management of ˜Ancillary' Components to Include Cabling, UPS, Printers and Modems Management of Intelligent Multi-Function Devices Mobile Computing Hardware and Wireless Use of Outsourced Processing (i.e., ASP, 3 ^rd party Data Center) Use of Secure Storage Other Hardware Issues	164.308(b)(1) 164.310(a)(1) 164.310(b) 164.310(c) 164.310(d)(1) 164.314
13.	Information Systems Security: Software Establish security related procedures involving software.	Technical Software Standards Software Configuration Management/Documentation In-House Software Development Procedures Third Party Software Acquisition Procedures Installation Procedures (New, Upgrade, Patch) Testing Asset Management / Inventory Controlling Code and Media End-User Training Maintenance / Protection Backup / Recovery Virus Checking	164.308(a)(5)(ii)(B) 164.308(b)(1) 164.310(d) 164.312
14.	Information Systems Security: Information and Data Establish security related procedures to ensure that the integrity of the electronic information is maintained	Information Transmission (Encryption) Data Authentication Physical Methods Periodic Audits/Testing SLA/TPA Review/Testing Physical Protection Backup System Redundant Storage UPS Memory Protection Maintenance / Protection Backup / Recovery Virus Checking	164.308(a)(5)(ii)(B) 164.308(b)(1) 164.310(d) 164.312
15.	E-Commerce Information Security (Optional) Establish and maintain policies and procedures for controlling e-commerce information security if the entity is so involved.	Security, Privacy, and Confidentiality Connectivity Standards and Management Content Management Batch and Real-time Transactions Management Performance Other	Rule reference solution dependant				–	–
16.	Cyber Crime (Optional) Establish proactive approach to the combat of cyber crime (Optional)	Roles and Responsibilities Determination of Threat/Characteristics Monitoring/Detection Investigation/Response	Rule reference scenario dependant				–	–