Administrative Safeguards
Policies and procedures to manage workforce conduct around ePHI.
Security Management Process
Implement policies and procedures to prevent, detect, contain, and correct security violations. Risk Analysis (Required), Risk Management (R), Sanction Policy (R), Information System Activity Review (R).
Assigned Security Responsibility
Identify the security official responsible for the development and implementation of policies and procedures.
Workforce Security
Authorization and/or supervision (Addressable), Workforce clearance procedure (A), Termination procedures (A).
Information Access Management
Isolating health care clearinghouse function (R), Access authorization (A), Access establishment and modification (A).
Security Awareness and Training
Security reminders (A), Protection from malicious software (A), Log-in monitoring (A), Password management (A).
Security Incident Procedures
Response and Reporting (R) — identify and respond to suspected or known security incidents.
Contingency Plan
Data backup plan (R), Disaster recovery plan (R), Emergency mode operation plan (R), Testing and revision (A), Applications and data criticality analysis (A).
Evaluation
Periodic technical and nontechnical evaluation of security safeguards.
Business Associate Contracts
Written contract or other arrangement with business associates that meets requirements.