HIPAA Policy References:

From HORSE - Holistic Operational Readiness Security Evaluation.

HIPAA Policies


This section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with HIPAA (Subpart C Sections 164.308, 164.310, 164.312, and 164.316). Policies provide the necessary authority to establish and implement technology- and solution-specific standards.

1. Sample HIPAA Information Security Program Charter
The Information Security Program Charter is required to comply with HIPAA (Subpart C Section 164.308(a)1,2,5 and Section 164.316(a)), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.


2. Sample HIPAA Asset Identification and Classification Policy
The Asset Identification and Classification Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label sensitive information assets such as all electronic protected health information.


3. Sample HIPAA Asset Protection Policy
The Asset Protection Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2-4,5B-D,7, Section 164.310(a)1,b-d, Section 164.312a-e, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of sensitive information, such as all electronic protected health information, as well as protect against threats or unauthorized access to such information.


4. Sample HIPAA Asset Management Policy
The Asset Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(d)1, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit sensitive information such as all electronic protected health information throughout the entire life cycle.


5. Sample HIPAA Acceptable Use Policy
The Acceptable Use Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.


6. Sample HIPAA Vulnerability Assessment and Management Policy
The Vulnerability Assessment and Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-C,2,5B,8 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that vulnerability assessment activities are performed and that vulnerability mitigation efforts are properly managed.


7. Sample HIPAA Threat Assessment and Monitoring Policy
The Threat Assessment and Monitoring Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-D,2,6-8, Section 164.310(a)1, Section 164.312(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.


8. Sample HIPAA Security Awareness Policy
The Security Awareness Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2,5 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well as ensuring that Information Security objectives and requirements are properly communicated and understood.