HIPAA Policy References
Latest revision as of 16:46, 25 July 2006
HIPAA Policies
This section provides templates for an Information Security Program Charter and supporting policies that define the specific objectives required to create, implement, and maintain an Information Security Program that complies with the HIPAA Security Rule (45 CFR Part 164, Subpart C, Sections 164.308, 164.310, 164.312, and 164.316). Policies provide the necessary authority to establish and implement technology- and solution-specific standards.
- 1. Sample HIPAA Information Security Program Charter
- The Information Security Program Charter is required to comply with HIPAA (Subpart C Section 164.308(a)1,2,5 and Section 164.316(a)), and serves as the capstone document for the Information Security Program that empowers the Program to manage Information Security-related business risks.
- 2. Sample HIPAA Asset Identification and Classification Policy
- The Asset Identification and Classification Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to properly classify and label sensitive information assets such as all electronic protected health information.
- 3. Sample HIPAA Asset Protection Policy
- The Asset Protection Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2-4,5B-D,7, Section 164.310(a)1,b-d, Section 164.312a-e, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure the security, confidentiality, integrity, and availability of sensitive information, such as all electronic protected health information, as well as protect against threats or unauthorized access to such information.
- 4. Sample HIPAA Asset Management Policy
- The Asset Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(d)1, and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for managing the Information Technology infrastructure, including networks, systems, and applications that store, process and transmit sensitive information such as all electronic protected health information throughout the entire life cycle.
- 5. Sample HIPAA Acceptable Use Policy
- The Acceptable Use Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2, Section 164.310(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring the appropriate business use of electronic communications resources.
- 6. Sample HIPAA Vulnerability Assessment and Management Policy
- The Vulnerability Assessment and Management Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-C,2,5B,8 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that vulnerability assessment activities are performed and that vulnerability mitigation efforts are properly managed.
- 7. Sample HIPAA Threat Assessment and Monitoring Policy
- The Threat Assessment and Monitoring Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1A-D,2,6-8, Section 164.310(a)1, Section 164.312(b), and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for establishing specific standards to ensure periodic threat assessment and ongoing threat monitoring and incident response activities are performed.
- 8. Sample HIPAA Security Awareness Policy
- The Security Awareness Policy is required to comply with HIPAA (Subpart C Section 164.308(a)1C,2,5 and Section 164.316(a)) and builds on the mission statement established in the Information Security Program Charter by defining objectives for ensuring that a formal Security Awareness Program is established, as well as ensuring that Information Security objectives and requirements are properly communicated and understood.