HIPAA Policy References:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
No edit summary
Line 3: Line 3:
The section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with HIPAA (Subpart C Sections 164.308, 164.310, 164.312, and 164.316). Policies provide the necessary authority to establish and implement technology- and solution-specific standards.<br>
The section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with HIPAA (Subpart C Sections 164.308, 164.310, 164.312, and 164.316). Policies provide the necessary authority to establish and implement technology- and solution-specific standards.<br>
<br>
<br>
:1. [[Sample HIPAA Information Security Program Charter:|'''Sample HIPAA Information Security Program Charter''']]<br>
:1. [[Sample_Information_Security_Program_Charter:|'''Sample HIPAA Information Security Program Charter''']]<br>
:The Information Security Program Charter is required to comply with HIPAA (Subpart C Section 164.308(a)1,2,5 and Section 164.316(a)), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.<br>
:The Information Security Program Charter is required to comply with HIPAA (Subpart C Section 164.308(a)1,2,5 and Section 164.316(a)), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.<br>
<br>
<br>

Revision as of 16:42, 25 July 2006

HIPAA Policies


The section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with HIPAA (Subpart C Sections 164.308, 164.310, 164.312, and 164.316). Policies provide the necessary authority to establish and implement technology- and solution-specific standards.

1. Sample HIPAA Information Security Program Charter
The Information Security Program Charter is required to comply with HIPAA (Subpart C Section 164.308(a)1,2,5 and Section 164.316(a)), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.


2. Sample HIPAA Asset Identification and Classification Policy
The Asset Identification and Classification Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label sensitive information assets such as all electronic protected health information.


3. Sample HIPAA Asset Protection Policy
The Asset Protection Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2-4,5B-D,7, Section 164.310(a)1,b-d, Section 164.312a-e, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of sensitive information, such as all electronic protected health information, as well as protect against threats or unauthorized access to such information.


4. Sample HIPAA Asset Management Policy
The Asset Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(d)1, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process and transmit sensitive information such as all electronic protected health information throughout the entire life cycle.


5. Sample HIPAA Acceptable Use Policy
The Acceptable Use Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.


6. Sample HIPAA Vulnerability Assessment and Management Policy
The Vulnerability Assessment and Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-C,2,5B,8 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring vulnerabilty assessment activities are performed and vulnerabilities mitigation efforts are properly managed.


7. Sample HIPAA Threat Assessment and Monitoring Policy
The Threat Assessment and Monitoring Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-D,2,6-8, Section 164.310(a)1, Section 164.312(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.


8. Sample HIPAA Security Awareness Policy
The Security Awareness Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2,5 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well ensuring that Information Security objectives and requirements are properly communicated and understood.