nist-sp-800-66-rev2.yaml

urn: urn:intuitem:risk:library:nist-sp-800-66-rev2
locale: en
ref_id: NIST-SP-800-66-rev2
name: NIST SP-800-66 rev2 (HIPAA)
description: 'Implementing the Health Insurance Portability and Accountability Act
  (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0

  Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home

  '
copyright: With the exception of material marked as copyrighted, information presented
  on NIST sites are considered public information and may be distributed or copied.
version: 1
publication_date: 2024-04-05
provider: NIST
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:nist-sp-800-66-rev2
    ref_id: nist-sp-800-66-rev2
    name: NIST SP-800-66 rev2 (HIPAA)
    description: 'Implementing the Health Insurance Portability and Accountability
      Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0

      Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home

      '
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      assessable: false
      depth: 1
      ref_id: '164.308'
      description: "Administrative Safeguards:\nDefined in the Security Rule as the\
        \ \u201Cadministrative actions and policies, and procedures to manage the\
        \ selection, development, implementation, and maintenance of security measures\
        \ to protect electronic protected health information and to manage the conduct\
        \ of the covered entity's workforce in relation to the protection of that\
        \ information.\u201D"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(1)
      description: 'Security Management Process:

        HIPAA Standard: Implement policies and procedures to prevent, detect, contain,
        and correct security violations.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Identify all ePHI and Relevant Information Systems
      description: 'Identify where ePHI is generated within the organization, where
        it enters the organization, where it moves within the organization, where
        it is stored, and where it leaves the organization.


        Identify all systems  that house ePHI. Be sure to identify mobile devices,
        medical equipment, and medical IoT devices that store, process, or transmit
        ePHI.


        Include all hardware and software that are used to collect, store, process,
        or transmit ePHI.


        Analyze business functions and verify the ownership and control of information
        system elements as necessary.


        Consider the impact of a merger or acquisition on risks to ePHI. During a
        merger or acquisition, new data pathways may be introduced that lead to ePHI
        being stored, processed, or transmitted in previously unanticipated places.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node5
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node4
      name: Sample questions
      description: 'Has all ePHI generated, stored, processed, and transmitted within
        the organization been identified?


        Are all hardware and software for which the organization is responsible periodically
        inventoried?


        Is the hardware and software inventory updated on a regular basis?


        Have hardware and software that maintains or transmits ePHI been identified?
        Does this inventory include removable media and remote access devices?


        Is the current configuration of organizational systems documented, including
        connections to other systems?


        Has a BIA been performed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Conduct Risk Assessment
      description: Conduct an accurate and thorough assessment of the potential risks
        and vulnerabilities to the confidentiality, integrity, and availability of
        ePHI held by the covered entity or business associate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node7
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node6
      name: Sample questions
      description: "Are there any prior risk assessments, audit comments, security\
        \ requirements, and/or security test results?\n\nIs there intelligence available\
        \ from agencies, the Office of the Inspector General (OIG), the US-CERT, virus\
        \ alerts, and/or vendors?\n\nWhat are the human, natural, and environmental\
        \ threats to systems that contain, store, process, or transmit ePHI?\n\nWhat\
        \ are the current and planned controls?\n\nHave likelihood and impact been\
        \ determined for relevant threats and vulnerabilities?\n\nHave risk ratings\
        \ been determined for relevant threats and vulnerabilities?\n\nIs the facility\
        \ located in a region prone to any natural disasters, such as earthquakes,\
        \ floods, or fires?\n\nHas responsibility been assigned to check all hardware\
        \ and software \u2013 including hardware and software used for remote access\
        \ \u2013 to determine whether selected security settings are enabled?\n\n\
        Is there an analysis of current safeguards and their effectiveness relative\
        \ to the identified risks?\n\nHave all processes involving ePHI been considered,\
        \ including creating, receiving, maintaining, and transmitting it?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implementation Specification (Required)
      description: Conduct an accurate and thorough assessment of the potential risks
        and vulnerabilities to the confidentiality, integrity, and availability of
        ePHI held by the covered entity or business associate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node9
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node8
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implement a Risk Management Program
      description: "Implement security measures sufficient to reduce risks and vulnerabilities\
        \ to a reasonable and appropriate level to comply with \xA7164.306(a).\n\n\
        Risk management should be performed with regular frequency to examine past\
        \ decisions, reevaluate risk likelihood and impact levels, and assess the\
        \ effectiveness of past remediation efforts\n\nCreate a Risk Management policy\
        \ and program that outlines organizational risk appetite and risk tolerance,\
        \ personnel duties, responsible parties, the frequency of risk management,\
        \ and required documentation.\n\nA risk management methodology is included\
        \ in Section 4.\n\nRisk management resources are also included in Appendix\
        \ F."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node11
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node10
      name: Sample questions
      description: 'Is executive leadership and/or management involved in risk management
        decisions?


        Has a risk management program been created with related policies?


        Does the regulated entity need to engage other resources (e.g., external expertise)
        to assist in risk management?


        Do current safeguards ensure the confidentiality, integrity, and availability
        of all ePHI?


        Do current safeguards protect against reasonably anticipated uses or disclosures
        of ePHI that are not permitted by the Privacy Rule?


        Has the regulated entity used the results of risk assessment and risk management
        processes to guide the selection and implementation of appropriate controls
        to protect ePHI?


        Has the regulated entity protected against all reasonably anticipated threats
        or hazards to the security and integrity of ePHI?


        Has the regulated entity assured compliance with all policies and procedures
        by its workforce?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implementation Specification (Required)
      description: "Implement security measures sufficient to reduce risks and vulnerabilities\
        \ to a reasonable and appropriate level to comply with \xA7164.306(a)"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node13
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node12
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Acquire IT Systems and Services
      description: 'Regulated entities should consider how cloud services and other
        third-party IT system and service offerings can both assist regulated entities
        in protecting ePHI while also potentially introducing new risks to ePHI.


        Although the HIPAA Security Rule does not require purchasing any particular
        technology, adequately protecting information may require additional hardware,
        software, or services. Considerations for their selection should include the
        following:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node15
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node14
      name: Sample questions
      description: 'Will new security controls work with the existing IT architecture?


        Have the security requirements of the organization been compared to the security
        features of existing or proposed hardware and software?


        Has a cost-benefit analysis been conducted to determine the reasonableness
        of the investment given the security risks identified?


        Has a training strategy been developed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Create and Deploy Policies and Procedures
      description: 'Implement the decisions concerning the management, operational,
        and technical controls selected to mitigate identified risks.


        Create policies that clearly establish roles and responsibilities, and assign
        ultimate responsibility for the implementation of each control to particular
        individuals or offices.


        Create procedures to be followed to accomplish particular security-related
        tasks.


        Establish a frequency for reviewing policy and procedures'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node17
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node16
      name: Sample questions
      description: 'Has the regulated entity documented an organizational risk assessment/management
        policy that outlines the duties, responsible parties, frequency, and required
        documentation of the risk management program?


        Are policies and procedures in place for security?


        Is there a formal (documented) system security plan?


        Is there a formal contingency plan?


        Is there a process for communicating policies and procedures to the affected
        workforce members?


        Are policies and procedures reviewed and updated as needed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Develop and Implement a Sanction Policy
      description: "Apply appropriate sanctions against workforce members who fail\
        \ to comply with the security policies and procedures of the covered entity\
        \ or business associate\n\nDevelop policies and procedures for imposing appropriate\
        \ sanctions (e.g., reprimand, termination) for noncompliance with the organization\u2019\
        s security policies.\n\nImplement sanction policy as cases arise."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node19
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node18
      name: Sample questions
      description: 'Does the regulated entity have existing sanction policies and
        procedures to meet the requirements of this implementation specification?
        If not, can existing sanction policies be modified to include language related
        to violations of these policies and procedures?


        Is there a formal process in place to address system misuse, abuse, and fraudulent
        activity?


        Have workforce members been made aware of policies concerning sanctions for
        inappropriate access, use, and disclosure of ePHI?


        Has the need and appropriateness of a tiered structure of sanctions that accounts
        for the magnitude of harm and possible types of inappropriate disclosures
        been considered?


        How will managers and workforce members be notified regarding suspect activity?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implementation Specification (Required)
      description: Apply appropriate sanctions against workforce members who fail
        to comply with the security policies and procedures of the covered entity
        or business associate
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node21
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node20
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Develop and Deploy the Information System Activity Review Process
      description: 'Implement procedures to regularly review records of information
        system activity, such as audit logs, access reports, and security incident
        tracking reports.


        Implement regular reviews of information system activity, and consider ways
        to automate the review for the protection of ePHI.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node23
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node22
      name: Sample questions
      description: 'Is there a policy that establishes what reviews will be conducted?


        Are there corresponding procedures that describe the specifics of the reviews?


        Who is responsible for the overall process and results?


        How often will reviews take place?


        How often will review results be analyzed?


        Has the regulated entity considered all available capabilities to automate
        the reviews?


        Where will audit information reside (e.g., separate server)?  Will it be stored
        external to the organization (e.g., cloud service provider)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implementation Specification (Required)
      description: Implement procedures to regularly review records of information
        system activity, such as audit logs, access reports, and security incident
        tracking reports.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node25
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node24
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Develop Appropriate Standard Operating Procedures
      description: Determine the types of audit trail data and monitoring procedures
        that will be needed to derive exception reports.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node27
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node26
      name: Sample questions
      description: 'How will exception reports or logs be reviewed?


        Where will monitoring reports and their reviews be documented and maintained?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(1)
      name: Implement the Information System Activity Review and Audit Process
      description: 'Activate the necessary review process.


        Begin auditing and logging activity.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node29
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node28
      name: Sample questions
      description: 'What mechanisms will be implemented to assess the effectiveness
        of the review process (measures)?


        What is the plan to revise the review process when needed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(2)
      description: 'Assigned Security Responsibility:

        HIPAA Standard: Identify the security official who is responsible for the
        development and implementation of the policies and procedures required by
        this subpart for the covered entity or business associate.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2)
      name: Select a Security Official to be Assigned Responsibility for HIPAA Security
      description: 'Identify the individual who has final responsibility for security.


        Select an individual who is able to assess effective security to serve as
        the point of contact for security policy, implementation, and monitoring.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node32
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node31
      name: Sample questions
      description: 'Who in the organization:


        Does the security official have adequate access and communications with senior
        officials in the organization, such as executives, chief information officers,
        chief compliance officers, and in-house counsel?


        Who in the organization is authorized to accept risks from systems on behalf
        of the organization?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(2)
      name: "Assign and Document the Individual\u2019s Responsibility"
      description: "Document the assignment to one individual\u2019s responsibilities\
        \ in a job description.\n\nCommunicate this assigned role to the entire organization."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node34
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node33
      name: Sample questions
      description: 'Is there a complete job description that accurately reflects assigned
        security duties and responsibilities?


        Have the staff members in the organization been notified as to whom to call
        in the event of a security problem?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(3)
      description: 'Workforce Security:

        HIPAA Standard: Implement policies and procedures to ensure that all members
        of its workforce have appropriate access to electronic protected health information,
        as provided under paragraph (a)(4) of this section, and to prevent those workforce
        members who do not have access under paragraph (a)(4) of this section from
        obtaining access to electronic protected health information.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Implement Policies and Procedures for Authorization and/or Supervision
      description: Implement procedures for the authorization and/or supervision of
        workforce members who work with ePHI or in locations where it might be accessed.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node37
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node36
      name: Sample questions
      description: 'Have chains of command and lines of authority been established?


        Have staff members been made aware of the identity and roles of their supervisors?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Implementation Specification (Addressable)
      description: Implement procedures for the authorization and/or supervision of
        workforce members who work with ePHI or in locations where it might be accessed.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node39
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node38
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Establish Clear Job Descriptions and Responsibilities
      description: 'Define roles and responsibilities for all job functions.


        Assign appropriate levels of security oversight, training, and access.


        Identify in writing who has the business need and who has been granted permission
        to view, alter, retrieve, and store ePHI and at what times, under what circumstances,
        and for what purposes.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node41
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node40
      name: Sample questions
      description: 'Are there written job descriptions that are correlated with appropriate
        levels of access to ePHI?


        Are these job descriptions reviewed and updated on a regular basis?


        Have staff members been provided copies of their job descriptions and informed
        of the access granted to them, as well as the conditions by which this access
        can be used'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Establish Criteria and Procedures for Hiring and Assigning Tasks
      description: 'Ensure that staff members have the necessary knowledge, skills,
        and abilities to fulfill particular roles (e.g., positions involving access
        to and use of sensitive information).


        Ensure that these requirements are included as part of the personnel hiring
        process.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node43
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node42
      name: Sample questions
      description: 'Have the qualifications of candidates for specific positions been
        checked against the job description?


        Have determinations been made that candidates for specific positions are able
        to perform the tasks of those positions?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Establish a Workforce Clearance Procedure
      description: 'Implement procedures to determine that the access of a workforce
        member to ePHI is appropriate.


        Implement appropriate screening of persons who will have access to ePHI.


        Implement a procedure for obtaining clearance from appropriate offices or
        individuals where access is provided or terminated.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node45
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node44
      name: Sample questions
      description: "Is there an implementation strategy that supports the designated\
        \ access authorities?\n\nAre applicants\u2019 employment and educational references\
        \ checked, if reasonable and appropriate?\n\nHave background checks been completed,\
        \ if reasonable and appropriate?\n\nAre there procedures for determining that\
        \ the appropriate workforce members have access to the necessary information?\n\
        \nDo procedures exist for obtaining appropriate sign-offs to grant or terminate\
        \ access to ePHI?\n\nHave clearance and supervision procedures been developed\
        \ for non-US based workforce members that are applicable to their location?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Implementation Specification (Addressable)
      description: Implement procedures to determine that the access of a workforce
        member to ePHI is appropriate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node47
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node46
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Establish Termination Procedures
      description: "Implement procedures for terminating access to ePHI when the employment\
        \ of or other arrangement with a workforce member ends or as required by determinations\
        \ made as specified in \xA7164.308(a)(3)(ii)(B).\n\nDevelop a standard set\
        \ of procedures that should be followed to recover access control devices\
        \ (e.g., identification badges, keys, access cards) when employment ends.\n\
        \nDeactivate computer access accounts (e.g., disable user IDs and passwords)\
        \ and facility access (e.g., change facility security codes/PINs)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node49
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node48
      name: Sample questions
      description: "Are there separate procedures for voluntary termination (e.g.,\
        \ retirement, promotion, transfer, change of employment) versus involuntary\
        \ termination (e.g., termination for cause, reduction in force, involuntary\
        \ transfer, criminal or disciplinary actions), if reasonable and appropriate?\n\
        \nIs there a standard checklist for all action items that should be completed\
        \ when a workforce member leaves (e.g., return of all access devices, deactivation\
        \ of logon accounts [including remote access], and delivery of any needed\
        \ data solely under the employee\u2019s control)?\n\nDo other organizations\
        \ need to be notified to deactivate accounts that the workforce member had\
        \ access to in the performance of their employment duties?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(3)
      name: Implementation Specification (Addressable)
      description: "Implement procedures for terminating access to ePHI when the employment\
        \ of or other arrangement with a workforce member ends or as required by determinations\
        \ made as specified in \xA7164.308(a)(3)(ii)(B)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node51
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node50
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(4)
      description: 'Information Access Management:

        HIPAA Standard: Implement policies and procedures for authorizing access to
        electronic protected health information that are consistent with the applicable
        requirements of subpart E of this part.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Isolate Healthcare Clearinghouse Functions
      description: 'If a healthcare clearinghouse is part of a larger organization,
        the clearinghouse must implement policies and procedures that protect the
        ePHI of the clearinghouse from unauthorized access by the larger organization.


        Determine whether a component of the regulated entity constitutes a healthcare
        clearinghouse under the HIPAA Security Rule.


        If no clearinghouse functions exist, document this finding. If a clearinghouse
        exists within the organization, implement procedures for access that are consistent
        with the HIPAA Privacy Rule.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node54
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node53
      name: Sample questions
      description: 'If healthcare clearinghouse functions are performed, are policies
        and procedures implemented to protect ePHI from the other functions of the
        larger organization?


        Does the healthcare clearinghouse share hardware or software with a larger
        organization of which it is a part?


        Does the healthcare clearinghouse share staff or physical space with staff
        from a larger organization?


        Has a separate network or subsystem been established for the healthcare clearinghouse,
        if reasonable and appropriate?


        Has staff of the healthcare clearinghouse been trained to safeguard ePHI from
        disclosure to the larger organization, if required for compliance with the
        HIPAA Privacy Rule?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Implementation Specification (Required)
      description: If a healthcare clearinghouse is part of a larger organization,
        the clearinghouse must implement policies and procedures that protect the
        ePHI of the clearinghouse from unauthorized access by the larger organization.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node56
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node55
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Implement Policies and Procedures for Authorizing Access
      description: 'Implement policies and procedures for granting access to ePHI,
        such as through access to a workstation, transaction, program, process, or
        other mechanism.


        Decide and document procedures for how access to ePHI will be granted to workforce
        members within the organization.


        Select the basis for restricting access to ePHI.


        Select an access control method (e.g., identity-based, role-based, or other
        reasonable and appropriate means of access.)


        Decide and document how access to ePHI will be granted for privileged functions.


        Ensure that there is a list of personnel with authority to approve user requests
        to access ePHI and systems with ePHI.


        Identify authorized users with access to ePHI, including data owners and data
        custodians.


        Consider whether multiple access control methods are needed to protect ePHI
        according to the results of the risk assessment.


        Determine whether direct access to ePHI will ever be appropriate for individuals
        external to the organization (e.g., business partners or patients seeking
        access to their own ePHI).'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node58
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node57
      name: Sample questions
      description: "Have appropriate authorization and clearance procedures, as specified\
        \ in Workforce Security (\xA7 164.308(a)(3)), been performed prior to granting\
        \ access?\n\nDo the organization\u2019s systems have the capacity to set access\
        \ controls?\n\nAre there documented job descriptions that accurately reflect\
        \ assigned duties and responsibilities and enforce segregation of duties?\n\
        \nHas the organization documented procedures that specify how authorized personnel\
        \ will be granted access to ePHI?\n\nDoes the organization grant remote access\
        \ to ePHI?\n\nWhat methods of access control are used (e.g., identity-based,\
        \ role-based, location-based, or a combination) to protect ePHI?\n\nAre there\
        \ additional access control requirements for users who will be accessing privileged\
        \ functions?\n\nHave organizational personnel been explicitly authorized to\
        \ approve user requests to access ePHI and/or systems with ePHI?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Implementation Specification (Addressable)
      description: Implement policies and procedures for granting access to ePHI,
        such as through access to a workstation, transaction, program, process, or
        other mechanism.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node60
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node59
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Implement Policies and Procedures for Access Establishment and Modification
      description: "Implement policies and procedures that \u2013 based on the covered\
        \ entity or business associate\u2019s access authorization policies \u2013\
        \ establish, document, review, and modify a user's right of access to a workstation,\
        \ transaction, program, or process.\n\nEstablish standards for granting access\
        \ to ePHI.\n\nProvide formal authorization from the appropriate authority\
        \ before granting access to ePHI.\n\nRegularly review personnel access to\
        \ ePHI to ensure that access is still authorized and needed.\n\nModify personnel\
        \ access to ePHI, as needed, based on review activities."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node62
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node61
      name: Sample questions
      description: 'Are duties separated such that only the minimum necessary ePHI
        is made available to each workforce member based on their job requirements?


        Are access decisions justified, approved, logged, and retained?


        Is personnel access to ePHI regularly reviewed to ensure that access is still
        authorized and needed?


        Are activities that review access to ePHI logged and retained, including decisions
        that arise from review activities?


        Are decisions related to the establishment and modification of workforce member
        authorization to access ePHI documented?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Implementation Specification (Addressable)
      description: "Implement policies and procedures that \u2013 based on the covered\
        \ entity or business associate\u2019s access authorization policies \u2013\
        \ establish, document, review, and modify a user's right of access to a workstation,\
        \ transaction, program, or process."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node64
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node63
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(4)
      name: Evaluate Existing Security Measures Related to Access Controls
      description: 'Evaluate the security features of access controls that are already
        in place or those of any planned for implementation, as appropriate.


        Determine whether these security features involve alignment with other existing
        management, operational, and technical controls, such as policy standards,
        personnel procedures, the maintenance and review of audit trails, the identification
        and authentication of users, and physical access controls.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node66
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node65
      name: Sample questions
      description: 'Are there policies and procedures related to the security of access
        controls? If so, are they updated regularly?


        Are authentication mechanisms used to verify the identity of those accessing
        systems protected from inappropriate manipulation?


        Does management regularly review the list of access authorizations, including
        remote access authorizations, to verify that the list is accurate and has
        not been inappropriately altered?[1]'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(5)
      description: 'Security Awareness and Training:

        HIPAA Standard: Implement a security awareness and training program for all
        members of its workforce (including management).'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Conduct a Training Needs Assessment
      description: 'Determine the training needs of the organization.


        Interview and involve key personnel in assessing security training needs.


        Use feedback and analysis of past events to help determine training needs


        Review organizational behavior issues, past incidents, and/or breaches to
        determine what training is missing or needs reinforcement, improvement, or
        periodic reminders.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node69
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node68
      name: Sample questions
      description: 'What awareness, training, and education programs are needed? Which
        are required?


        Is the organization monitoring current threats to determine possible areas
        of training needs?


        Are there current, relevant threats (e.g., phishing, ransomware) about which
        personnel need training?


        Do workforce members need training on any particular organization devices
        (e.g., medical IoT) or technology that pose a risk to ePHI?


        What is the current status regarding how these needs are being addressed (e.g.,
        how well are current efforts working)?


        Where are the gaps between the needs and what is being done (e.g., what more
        needs to be done)?


        What are the training priorities in terms of content and audience?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Develop and Approve a Training Strategy and a Plan
      description: "Address the specific HIPAA policies that require security awareness\
        \ and training in the security awareness and training program.\n\nSet organizational\
        \ expectations for protecting ePHI.\n\nIn the security awareness and training\
        \ program, outline the program\u2019s scope, goals, target audiences, learning\
        \ objectives, deployment methods, and evaluation and measurement techniques,\
        \ as well as the frequency of training"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node71
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node70
      name: Sample questions
      description: 'Is there a procedure in place to ensure that everyone in the organization
        receives security awareness training, including teleworkers and remote personnel?


        What type of security training is needed to address specific technical topics
        based on job responsibility?


        When should training be scheduled to ensure that compliance deadlines are
        met?


        Has the organization considered the training needs of non-employees (e.g.,
        contractors, interns)?


        Is there a need to implement information security training tailored to individual
        roles?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Protection from Malicious Software, Login Monitoring, and Password Management
      description: "As reasonable and appropriate, train workforce members regarding\
        \ procedures for:\n\nIncorporate information concerning workforce members\u2019\
        \ roles and responsibilities in implementing these implementation specifications\
        \ into training and awareness efforts."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node73
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node72
      name: Sample questions
      description: 'Do workforce members know the importance of the timely application
        of system patches to protect against malicious software and the exploitation
        of vulnerabilities?


        Are workforce members aware that login attempts may be monitored?


        Do workforce members who monitor login attempts know to whom to report discrepancies?


        Do workforce members understand their roles and responsibilities in selecting
        a password of appropriate strength, safeguarding their password, and changing
        a password when it has been compromised or is suspected of being compromised?


        Are there policies in place that prohibit workforce members from sharing passwords
        with others?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implementation Specification (Protection from Malicious Software)
      description: 'As reasonable and appropriate, train workforce members regarding
        procedures for:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node75
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node74
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implementation Specification (Log-in Monitoring)
      description: 'As reasonable and appropriate, train workforce members regarding
        procedures for:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node77
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node76
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implementation Specification (Password Management)
      description: 'As reasonable and appropriate, train workforce members regarding
        procedures for:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node79
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node78
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Develop Appropriate Awareness and Training Content, Materials, and Methods
      description: 'Select topics to be included in the training materials, and consider
        current and relevant topics (e.g., phishing, email security) for the protection
        of ePHI.


        Incorporate new information from email advisories, online IT security daily
        news websites, and periodicals, as reasonable and appropriate.


        Consider using a variety of media and avenues according to what is appropriate
        for the organization based on workforce size, location, level of education,
        and other factors.


        Training should be an ongoing, evolving process in response to environmental
        and operational changes that affect the security of ePHI.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node81
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node80
      name: Sample questions
      description: "Are the topics selected for training and awareness the most relevant\
        \ to the threats, vulnerabilities, and risks identified during the risk assessment?\n\
        \nDoes the organization periodically review the topics covered in training\
        \ and awareness in light of updates to the risk assessment and current threats?\n\
        \nHave workforce members received a copy of and do they have ready access\
        \ to the organization\u2019s security procedures and policies?\n\nDo workforce\
        \ members know whom to contact and how to handle a security incident?\n\n\
        Do workforce members understand the consequences of noncompliance with the\
        \ stated security policies?\n\nDo workforce members who travel, telework,\
        \ or work remotely know how to handle physical laptop security issues and\
        \ information security issues?\n\nHas the regulated entity researched available\
        \ training resources?\n\nIs dedicated training staff available for the delivery\
        \ of security training? If not, who will deliver the training?\n\nWhat is\
        \ the security training budget?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implement the Training
      description: 'Schedule and conduct the training outlined in the strategy and
        plan.


        Implement any reasonable technique to disseminate the security messages in
        an organization, including newsletters, screensavers, video recordings, email
        messages, teleconferencing sessions, staff meetings, and computer-based training.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node83
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node82
      name: Sample questions
      description: 'Have all workforce members received adequate training to fulfill
        their security responsibilities?


        Are there sanctions if workforce members do not complete the required training?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implement Security Reminders
      description: 'Implement periodic security updates.


        Provide periodic security updates to staff, business associates, and contractors.


        Consider the benefits of ongoing communication with staff (e.g., emails, newsletters)
        on training topics to achieve HIPAA compliance and protect ePHI.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node85
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node84
      name: Sample questions
      description: 'What methods are available or already in use to make or keep workforce
        members aware of security (e.g., posters, booklets, anti-phishing training)?


        Is the organization making use of existing resources (e.g., from the 405(d)
        program or other resources listed in Appendix F) to remind staff of important
        security topics?


        Is security refresher training performed on a periodic basis (e.g., annually)?


        Is security awareness discussed with all new hires?


        Are security topics reinforced during routine staff meetings?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Implementation Specification (Addressable)
      description: Implement periodic security updates.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node87
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node86
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(5)
      name: Monitor and Evaluate the Training Plan
      description: 'Keep the security awareness and training program current.


        Solicit trainee feedback to determine whether the training and awareness are
        successfully reaching the intended audience.


        Conduct training whenever changes occur in the technology and practices as
        appropriate.


        Monitor the training program implementation to ensure that all workforce members
        participate.


        Implement corrective actions when problems arise.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node89
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node88
      name: Sample questions
      description: 'Are the workforce members'' training and professional development
        programs documented and monitored, if reasonable and appropriate?


        How are new workforce members trained on security?


        Are new non-employees (e.g., contractors, interns) trained on security?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(6)
      description: 'Security Incident Procedures:

        HIPAA Standard: Implement policies and procedures to address security incidents.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      name: Determine the Goals of Incident Response
      description: "Gain an understanding as to what constitutes a true security incident.\
        \ Under the HIPAA Security Rule, a security incident is the attempted or successful\
        \ unauthorized access, use, disclosure, modification, or destruction of information\
        \ or interference with system operations in an information system (45 CFR\
        \ \xA7 164.304).\n\nEnsure that the incident response program covers all parts\
        \ of the organization in which ePHI is created, stored, processed, or transmitted.\n\
        \nDetermine how the organization will respond to a security incident.\n\n\
        Establish a reporting mechanism and a process to coordinate responses to the\
        \ security incident.\n\nProvide direct technical assistance, advise vendors\
        \ to address product-related problems, and provide liaisons to legal and criminal\
        \ investigative groups as needed."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node92
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node91
      name: Sample questions
      description: 'Has the HIPAA-required security risk assessment resulted in a
        list of potential physical or technological events that could lead to a breach
        of security?


        Is there a procedure in place for reporting and handling incidents?


        Has an analysis been conducted that relates reasonably anticipated organizational
        threats (that could result in a security incident) to the methods that would
        be used for mitigation?


        Have the key functions of the organization been prioritized to determine what
        would need to be restored first in the event of a disruption?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      name: Develop and Deploy an Incident Response Team or Other Reasonable and Appropriate
        Response Mechanism
      description: 'Determine whether the size, scope, mission, and other aspects
        of the organization justify the reasonableness and appropriateness of maintaining
        a standing incident response team.


        Identify appropriate individuals to be part of a formal incident response
        team if the organization has determined that implementing an incident response
        team is reasonable and appropriate.


        Consider assigning secondary personnel to be part of the incident response
        team in the event that primary personnel are unavailable.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node94
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node93
      name: Sample questions
      description: "Do members of the team have adequate knowledge of the organization\u2019\
        s hardware and software?\n\nDo members of the team have the authority to speak\
        \ for the organization to the media, law enforcement, and clients or business\
        \ partners?\n\nHas the incident response team received appropriate training\
        \ in incident response activities?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      name: Develop and Implement Policy and Procedures to Respond to and Report Security
        Incidents
      description: 'Identify and respond to suspected or known security incidents;
        mitigate, to the extent practicable, harmful effects of security incidents
        that are known to the covered entity or business associate; and document security
        incidents and their outcomes.


        Ensure that an organizational incident response policy is in place that addresses
        all parts of the organization in which ePHI is created, stored, processed,
        or transmitted.


        Document incident response procedures that can provide a single point of reference
        to guide the day-to-day operations of the incident response team.


        Review incident response procedures with staff who have roles and responsibilities
        related to incident response; solicit suggestions for improvements; and make
        changes to reflect input if reasonable and appropriate.


        Consider conducting tests of the incident response plan.


        Update the procedures as required based on changing organizational needs.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node96
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node95
      name: Sample questions
      description: 'Has the organization determined that maintaining a staffed security
        incident hotline would be reasonable and appropriate?


        Has the organization developed processes for documenting and tracking incidents?


        Has the organization determined reasonable and appropriate mitigation options
        for security incidents?


        Has the organization developed standardized incident report templates to record
        necessary information related to incidents?


        Has the organization determined that information captured in the reporting
        templates is reasonable and appropriate to investigate an incident?


        Has the organization determined the conditions under which information related
        to a security breach will be disclosed to the media?


        Have appropriate (internal and external) persons who should be informed of
        a security breach been identified? Has a contact information list been prepared?


        Has a written incident response plan been developed and provided to the incident
        response team?


        Has the incident response plan been tested?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      name: Implementation Specification (Required)
      description: Identify and respond to suspected or known security incidents;
        mitigate, to the extent practicable, harmful effects of security incidents
        that are known to the covered entity or business associate; and document security
        incidents and their outcomes.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node98
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node97
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(6)
      name: Incorporate Post-Incident Analysis into Updates and Revisions
      description: 'Measure effectiveness and update security incident response procedures
        to reflect lessons learned, and identify actions to take that will improve
        security controls after a security incident.


        Incidents caused by or influenced by known risks should feed back into the
        risk assessment process for a reevaluation of impact and/or likelihood.


        Remediation and corrective action plans that arise from incidents should serve
        as input to the risk assessment/management process.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node100
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node99
      name: Sample questions
      description: 'Has the organization analyzed records (e.g., log files, malware)
        to understand the nature, extent, and scope of the incident?


        Does the organization reassess risk to ePHI based on findings from this analysis?


        Does the incident response team keep adequate documentation of security incidents
        and their outcomes, which may include what weaknesses were exploited and how
        access to the information was gained?


        Do records reflect the new contacts and resources identified for responding
        to an incident?


        Does the organization consider whether current procedures were adequate for
        responding to a particular security incident?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(7)
      description: 'Contingency Plan:

        HIPAA Standard: Establish (and implement as needed) policies and procedures
        for responding to an emergency or other occurrence (for example, fire, vandalism,
        system failure, and natural disaster) that damages systems that contain electronic
        protected health information'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Develop a Contingency Planning Policy
      description: "Define the organization\u2019s overall contingency objectives.\n\
        \nEstablish the organizational framework, roles, and responsibilities for\
        \ this area.\n\nAddress scope, resource requirements, training, testing, plan\
        \ maintenance, and backup requirements."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node103
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node102
      name: Sample questions
      description: 'What critical services must be provided within specified time
        frames?


        Have cross-functional dependencies been identified to determine how a failure
        in one system may negatively impact another one?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Conduct an Applications and Data Criticality Analysis
      description: 'Assess the relative criticality of specific applications and data
        in support of other Contingency Plan components.


        Identify the activities and material involving ePHI that are critical to business
        operations.


        Identify the critical services or operations and the manual and automated
        processes that support them involving ePHI.


        Determine the amount of time that the organization can tolerate disruptions
        to these operations, materials, or services (e.g., due to power outages).


        Evaluate the current and available levels of redundancy and geographic distribution
        of any storage service providers to identify risks to service availability
        and determine restoration times.


        Consider whether any vendor/service provider arrangements are critical to
        operations and address them as appropriate to ensure availability and reliability.


        Establish cost-effective strategies for recovering these critical services
        or processes.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node105
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node104
      name: Sample questions
      description: 'What hardware, software, and personnel are critical to daily operations?


        What is the impact on desired service levels if these critical assets are
        not available?


        What, if any, support is provided by external providers (e.g., cloud service
        providers, internet service providers, utilities, or contractors)?


        What is the nature and degree of impact on the operation if any of the critical
        resources or service providers are not available?


        Has the organization identified vendors or service providers that are critical
        to business operations?


        Has the organization sufficiently addressed the availability and reliability
        of these services (e.g., via service level agreements, contracts)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Implementation Specification (Addressable)
      description: Assess the relative criticality of specific applications and data
        in support of other Contingency Plan components.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node107
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node106
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Identify Preventive Measures
      description: 'Identify preventive measures for each defined scenario that could
        result in the loss of a critical service operation involving the use of ePHI.


        Ensure that identified preventive measures are practical and feasible in terms
        of their applicability in a given environment.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node109
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node108
      name: Sample questions
      description: 'What alternatives for continuing operations of the organization
        are available in case of the loss of any critical function or resource?


        What is the cost associated with the preventive measures that may be considered?


        Are the preventive measures feasible (i.e., affordable and practical for the
        environment)?


        What plans, procedures, or agreements need to be initiated to enable the implementation
        of the preventive measures if they are necessary?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Develop Recovery Strategy
      description: 'Finalize the set of contingency procedures that should be invoked
        for all identified impacts, including emergency mode operation. The strategy
        must be adaptable to the existing operating environment and address allowable
        outage times and the associated priorities identified in Key Activity 2.


        If part of the strategy depends on external organizations for support, ensure
        that formal agreements are in place with specific requirements stated.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node111
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node110
      name: Sample questions
      description: 'Have procedures related to recovery from emergency or disastrous
        events been documented?


        Has a coordinator who manages, maintains, and updates the plan been designated?


        Has an emergency call list been distributed to all workforce members? Have
        recovery procedures been documented?


        Has a determination been made regarding when the plan needs to be activated
        (e.g., anticipated duration of outage, tolerances for outage or loss of capability,
        impact on service delivery, etc.)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Data Backup Plan and Disaster Recovery Plan
      description: 'Establish and implement procedures to create and maintain retrievable
        exact copies of ePHI.


        Establish (and implement as needed) procedures to restore any loss of data.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node113
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node112
      name: Sample questions
      description: 'Is there a formal, written contingency plan? Does it address disaster
        recovery and data backup?


        Does the disaster recovery plan address what data is to be restored and in
        what order?


        Do data backup procedures exist that include all ePHI?


        Is the frequency of backups appropriate for the environment?


        Are responsibilities assigned to conduct backup activities?


        Are data backup procedures documented and available to other staff?


        Are backup logs reviewed and data restoration tests conducted to ensure the
        integrity of data backups?


        Is at least one copy of the data backup stored offline to protect against
        corruption due to ransomware or other similar attacks?


        Are backups or images of operating systems, devices, software, and configuration
        files necessary to support the confidentiality, integrity, and availability
        of ePHI included in the data backup plan?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Implementation Specification (Required)
      description: Establish and implement procedures to create and maintain retrievable
        exact copies of ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node115
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node114
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Implementation Specification (Required)
      description: Establish (and implement as needed) procedures to restore any loss
        of data.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node117
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node116
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Develop and Implement an Emergency Mode Operation Plan
      description: "Establish (and implement as needed) procedures to enable the continuation\
        \ of critical business processes to protect the security of ePHI while operating\
        \ in emergency mode.\n\n\u201CEmergency mode\u201D operation involves only\
        \ those critical business processes that must occur to protect the security\
        \ of ePHI during and immediately after a crisis situation."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node119
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node118
      name: Sample questions
      description: 'Have procedures been developed to continue the critical functions
        identified in Key Activity 2?


        If so, have those critical functions that also involve the use of ePHI been
        identified?


        Would different staff, facilities, or systems be needed to perform those functions?


        Has the security of ePHI in that alternative mode of operation been assured?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Implementation Specification (Required)
      description: Establish (and implement as needed) procedures to enable the continuation
        of critical business processes to protect the security of ePHI while operating
        in emergency mode.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node121
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node120
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Testing and Revision Procedure
      description: 'Implement procedures for the periodic testing and revision of
        contingency plans.


        Test the contingency plan on a predefined cycle (stated in the policy developed
        under Key Activity 1), if reasonable and appropriate.


        Train those with defined plan responsibilities in their roles.


        If possible, involve external entities (e.g., vendors, alternative site or
        service providers) in testing exercises.


        Make key decisions regarding how the testing is to occur (e.g., tabletop exercise
        versus staging a real operational scenario, including actual loss of capability).


        Decide how to segment the type of testing based on the assessment of business
        impact and the acceptability of a sustained loss of service.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node123
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node122
      name: Sample questions
      description: 'How is the contingency plan to be tested?


        Does testing lend itself to a phased approach?


        Is it feasible to actually take down functions or services for the purposes
        of testing?


        Has the organization conducted backup recovery testing to ensure that critical
        data can be recovered using existing data backups?


        Does the backup recovery testing verify the ability to recover data and operations
        based on identified testing scenarios using actual tests (i.e., not tabletop
        exercises)?


        Can testing be done during normal business hours or must it take place during
        off hours?


        Have the tests included personnel with contingency planning responsibilities?


        Have the results of each test been documented and any problems with the test
        reviewed and corrected?


        If full testing is infeasible, has a tabletop scenario (e.g., a classroom-like
        exercise) been considered?


        How frequently will the plan be tested (e.g., annually)?


        When should the plan be revised?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(7)
      name: Implementation Specification (Addressable)
      description: Implement procedures for the periodic testing and revision of contingency
        plans.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node125
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node124
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(a)(8)
      description: "Evaluation:\nHIPAA Standard: Perform a periodic technical and\
        \ nontechnical evaluation, based initially upon the standards implemented\
        \ under this rule and subsequently, in response to environmental or operational\
        \ changes affecting the security of electronic protected health information,\
        \ that establishes the extent to which a covered entity\u2019s or business\
        \ associate\u2019s security policies and procedures meet the requirements\
        \ of this subpart."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      name: Determine Whether Internal or External Evaluation is Most Appropriate
      description: 'Decide whether the evaluation will be conducted with internal
        staff resources or external consultants.


        Engage external expertise to assist the internal evaluation team where additional
        skills and expertise are determined to be reasonable and appropriate.


        Use internal resources to supplement an external source of help because these
        internal resources can provide the best institutional knowledge and history
        of internal policies and practices.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node128
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node127
      name: Sample questions
      description: 'Which staff has the technical experience and expertise to evaluate
        the systems?


        Are the evaluators sufficiently independent to provide objective reporting?


        How much training will staff need on security-related technical and non-technical
        issues?


        If an outside vendor is used, what factors should be considered when selecting
        the vendor, such as credentials and experience?


        What is the budget for internal resources to assist with an evaluation?


        What is the budget for external services to assist with an evaluation?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      name: Develop Standards and Measurements for Reviewing All Standards and Implementation
        Specifications of the Security Rule
      description: "Develop and document organizational policies and procedures for\
        \ conducting evaluation.\n\nOnce security controls have been implemented in\
        \ response to the organization\u2019s risk assessment and management processes,\
        \ periodically review these implemented security measures to ensure their\
        \ continued effectiveness in protecting ePHI.\n\nConsider determining any\
        \ specific evaluation metrics and/or measurements to be captured during evaluation.\
        \ Metrics and/or measurements can assist in tracking progress over time.\n\
        \nUse an evaluation strategy and tool that considers all elements of the HIPAA\
        \ Security Rule and can be tracked, such as a questionnaire or checklist.\n\
        \nImplement tools that can provide reports on the level of compliance, integration,\
        \ or maturity of a particular security safeguard deployed to protect ePHI.\n\
        \nIf available, consider engaging corporate, legal, or regulatory compliance\
        \ staff when conducting the analysis.\n\nLeverage any existing reports or\
        \ documentation that may already be prepared by the organization addressing\
        \ the compliance, integration, or maturity of a particular security safeguard\
        \ deployed to protect ePHI."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node130
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node129
      name: Sample questions
      description: 'Has the organization documented policies and procedures for conducting
        the evaluation of security controls?


        Have management, operational, and technical issues been considered?


        Do the elements of each evaluation procedure (e.g., questions, statements,
        or other components) address individual, measurable security safeguards for
        ePHI?


        Has the organization developed evaluation procedures that capture any desired
        metrics or measurements?


        Has the organization determined that the procedure must be tested in a few
        areas or systems?


        Does the evaluation tool consider all standards and implementation specifications
        of the HIPAA Security Rule?


        Does the evaluation tool address the protection of ePHI that is collected,
        used, or disclosed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      name: Conduct Evaluation
      description: 'Determine in advance what departments and/or staff will participate
        in the evaluation.


        Determine what constitutes an environmental or operational change that affects
        the security of ePHI.


        Determine when evaluations are conducted in response to an environmental or
        operational change that affects the security of ePHI (e.g., prior to the change,
        contemporaneous with the change, after the change).


        Secure management support for the evaluation process to ensure participation.


        Collect and document all needed information. Collection methods may include
        the use of interviews, surveys, and the outputs of automated tools, such as
        access control auditing tools, system logs, and the results of penetration
        testing.


        Conduct penetration testing (where testers attempt to compromise system security
        for the sole purpose of testing the effectiveness of security controls), if
        reasonable and appropriate.


        Evaluation may include reviewing organizational policies and procedures, assessing
        the implementation of security controls, collecting evidence of security control
        implementation, and performing physical walk- throughs.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node132
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node131
      name: Sample questions
      description: 'If available, have staff members with knowledge of IT security
        been consulted and included in the evaluation team?


        Are appropriate personnel notified of planned environmental or operational
        changes that could affect the security of ePHI?


        Is a change management process in place that includes identification and communication
        of environmental and operational changes that could affect the security of
        ePHI?


        If penetration testing has been determined to be reasonable and appropriate,
        has specifically worded, written approval from senior management been received
        for any planned penetration testing?


        Has the process been formally communicated to those who have been assigned
        roles and responsibilities in the evaluation process?


        Has the organization explored the use of automated tools to support the evaluation
        process?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      name: Document Results
      description: 'Document each evaluation finding, as well as remediation options,
        recommendations, and decisions.


        Document known gaps between identified risks, mitigating security controls,
        and any acceptance of risk, including justification.


        Develop security program priorities, and establish targets for continuous
        improvement.


        Utilize the results of evaluations to inform impactful security changes to
        protect ePHI.


        Communicate evaluation results, metrics, and/or measurements to relevant organizational
        personnel.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node134
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node133
      name: Sample questions
      description: 'Does the process support the development of security recommendations?


        When determining how best to display evaluation results, have written reports
        that highlight key findings and recommendations been considered?


        If a written final report is to be circulated among key staff, have steps
        been taken to ensure that it is made available only to those persons designated
        to receive it?


        Does the organization use evaluation results to enhance the protection of
        ePHI rather than for the sake of compliance?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(a)(8)
      name: Repeat Evaluations Periodically
      description: 'Establish the frequency of evaluations, and consider the sensitivity
        of the ePHI controlled by the organization as well as the organization''s
        size, complexity, and environmental and/or operational changes (e.g., other
        relevant laws or accreditation requirements).


        In addition to periodic reevaluations, consider repeating evaluations when
        environmental and operational changes that affect the security of ePHI are
        made to the organization (e.g., if new technology is adopted or if there are
        newly recognized risks to the security of ePHI).'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node136
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node135
      name: Sample questions
      description: 'Do security policies specify that evaluations will be repeated
        when environmental and operational changes are made that affect the security
        of ePHI?


        Do policies on the frequency of security evaluations reflect any and all relevant
        federal or state laws that bear on environmental or operational changes affecting
        the security of ePHI?


        Has the organization explored the use of automated tools to support periodic
        evaluations?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308
      ref_id: 164.308(b)(1)
      description: "Business Associate Contracts and Other Arrangements:\nHIPAA Standard:\
        \ A covered entity may permit a business associate to create, receive, maintain,\
        \ or transmit electronic protected health information on the covered entity\u2019\
        s behalf only if the covered entity obtains satisfactory assurances, in accordance\
        \ with \xA7 164.314(a), that the business associate will appropriately safeguard\
        \ the information. A covered entity is not required to obtain such satisfactory\
        \ assurances from a business associate that is a subcontractor."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1)
      name: Identify Entities that are Business Associates Under the HIPAA Security
        Rule
      description: 'Identify the individual or department who will be responsible
        for coordinating the execution of business associate agreements or other arrangements.


        Reevaluate the list of business associates to determine who has access to
        ePHI in order to assess whether the list is complete and current.


        Identify systems covered by the contract/agreement.


        Business associates must have a BAA in place with each of their subcontractor
        business associates. Subcontractor business associates are also directly liable
        for their own Security Rule violations.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node139
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node138
      name: Sample questions
      description: 'Does each written and executed BAA contain sufficient language
        to ensure that ePHI and any other required information types will be protected?


        Have all organizations or vendors that provide a service or function on behalf
        of the organization been identified?  Such services may include:


        Have outsourced functions that involve the use of ePHI been considered? Such
        functions may include:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1)
      name: Establish a Process for Measuring Contract Performance and Terminating
        the Contract if Security Requirements Are Not Being Met
      description: 'Maintain clear lines of communication between covered entities
        and business associates regarding the protection of ePHI as per the BAA or
        contract.


        Establish criteria for measuring contract performance.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node141
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node140
      name: Sample questions
      description: 'What is the service being performed?


        What is the expected outcome?


        Is there a process for reporting security incidents related to the agreement?


        Are additional assurances of protections for ePHI from the business associate
        necessary? If so, where will such additional assurances be documented (e.g.,
        in the BAA, service-level agreement, or other documentation), and how will
        they be met (e.g., providing documentation of implemented safeguards, audits,
        certifications)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1)
      name: Written Contract or Other Arrangement
      description: "Document the satisfactory assurances required by this standard\
        \ through a written contract or other arrangement with the business associate\
        \ that meets the applicable requirements of \xA7164.314(a). Readers may find\
        \ useful resources in Appendix F, including OCR BAA guidance and/or templates\
        \ that include applicable language.\n\nExecute new or update existing agreements\
        \ or arrangements as appropriate.\n\nIdentify roles and responsibilities.\n\
        \nInclude security requirements in business associate contracts and agreements\
        \ to address the confidentiality, integrity, and availability of ePHI.\n\n\
        Specify any training requirements associated with the contract/agreement or\
        \ arrangement, if reasonable and appropriate."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node143
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node142
      name: Sample questions
      description: 'Who is responsible for coordinating and preparing the final agreement
        or arrangement?


        Does the agreement or arrangement specify how information is to be transmitted
        to and from the business associate?


        Have security controls been specified for the business associate?


        Are clear responsibilities identified and established regarding potentially
        overlapping HIPAA obligations (e.g., if hosting ePHI in the cloud, will the
        CE, BA, or both address encryption)?


        Have appropriate organizational personnel been trained in the process of initiating
        and maintaining a business associate agreement (BAA)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.308(b)(1)
      name: Implementation Specification (Required)
      description: "Document the satisfactory assurances required by this standard\
        \ through a written contract or other arrangement with the business associate\
        \ that meets the applicable requirements of \xA7164.314(a). Readers may find\
        \ useful resources in Appendix F, including OCR BAA guidance and/or templates\
        \ that include applicable language."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node145
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node144
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310
      assessable: false
      depth: 1
      ref_id: '164.310'
      description: "Physical Safeguards:\nDefined as the \u201Cphysical measures,\
        \ policies, and procedures to protect a covered entity\u2019s electronic information\
        \ systems and related buildings and equipment, from natural and environmental\
        \ hazards, and unauthorized intrusion.\u201D"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310
      ref_id: 164.310(a)
      description: 'Facility Access Controls:

        HIPAA Standard: Implement policies and procedures to limit physical access
        to its electronic information systems and the facility or facilities in which
        they are housed, while ensuring that properly authorized access is allowed.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Conduct an Analysis of Existing Physical Security Vulnerabilities
      description: 'Inventory facilities and identify shortfalls and/or vulnerabilities
        in current physical security capabilities.


        Assign degrees of significance to each vulnerability identified and ensure
        that proper access is allowed.


        Determine which types of facilities require access controls to safeguard ePHI,
        such as:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node149
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node148
      name: Sample questions
      description: 'If reasonable and appropriate, do non-public areas have locks
        and cameras?


        Are computing devices protected from public access or viewing?


        Are entrances and exits that lead to locations with ePHI secured?


        Do policies and procedures already exist regarding access to and use of facilities
        and equipment?


        Are there possible natural or human-made disasters that could happen in the
        environment?


        Do normal physical protections exist (e.g., locks on doors, windows, and other
        means of preventing unauthorized access)?


        Are network wiring cables protected and not exposed to unauthorized personnel?


        Is there a list of workforce members who can access the facility after hours
        via the use of keys, badge access, and knowledge of the security or alarm
        system?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Identify Corrective Measures
      description: 'Identify and assign responsibility for the measures and activities
        necessary to correct deficiencies, and ensure that proper physical access
        is allowed.


        Develop and deploy policies and procedures to ensure that repairs, upgrades,
        and/or modifications are made to the appropriate physical areas of the facility
        while ensuring that proper access is allowed.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node151
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node150
      name: Sample questions
      description: 'Who is responsible for security?


        Is a workforce member other than the security official responsible for facility/physical
        security?


        Are facility access control policies and procedures already in place? Do they
        need to be revised?


        What training will be needed for workforce members to understand the policies
        and procedures?


        How will decisions and actions be documented?


        Is a property owner or external party (e.g., cloud service provider) required
        to make physical changes to meet the requirements?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Develop a Facility Security Plan
      description: "Implement policies and procedures to safeguard the facility and\
        \ the equipment therein from unauthorized physical access, tampering, and\
        \ theft.\n\nImplement appropriate measures to provide physical security protection\
        \ for ePHI in a regulated entity\u2019s possession.\n\nInclude documentation\
        \ of the facility inventory, physical maintenance records, and a history of\
        \ changes, upgrades, and other modifications.\n\nIdentify points of access\
        \ to the facility and existing security controls."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node153
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node152
      name: Sample questions
      description: 'Is there an inventory of facilities and existing security practices?


        What are the current procedures for securing the facilities (e.g., exterior,
        interior, equipment, access controls, maintenance records)?


        Is a workforce member other than the security official responsible for the
        facility plan?


        Is there a contingency plan already in place, under revision, or under development?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Implementation Specification (Addressable)
      description: Implement policies and procedures to safeguard the facility and
        the equipment therein from unauthorized physical access, tampering, and theft.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node155
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node154
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Develop Access Control and Validation Procedures
      description: 'Implement procedures to control and validate a person''s access
        to facilities based on their role or function, including visitor control and
        control of access to software programs for testing and revision.


        Implement procedures to provide facility access to authorized personnel and
        visitors and exclude unauthorized persons.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node157
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node156
      name: Sample questions
      description: 'What are the policies and procedures in place for controlling
        access by staff, contractors, visitors, and probationary workforce members?


        Do the procedures identify individuals, roles, or job functions that are authorized
        to access software programs for testing and revision?


        How many access points exist in each facility? Is there an inventory?


        Is monitoring equipment necessary?


        Is there a periodic review of personnel with physical access?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Implementation Specification (Addressable)
      description: Implement procedures to control and validate a person's access
        to facilities based on their role or function, including visitor control and
        control of access to software programs for testing and revision.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node159
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node158
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Establish Contingency Operations Procedures
      description: Establish (and implement as needed) procedures that allow facility
        access in support of the restoration of lost data under the Disaster Recovery
        Plan and Emergency Mode Operations Plan in the event of an emergency.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node161
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node160
      name: Sample questions
      description: 'Are there procedures to allow facility access while restoring
        lost data in the event of an emergency?


        Who needs access to ePHI in the event of a disaster?


        What is the backup plan for access to the facility and/or ePHI?


        Who is responsible for the contingency plan for access to ePHI?


        Who is responsible for implementing the contingency plan for access to ePHI
        in each department or unit?


        Will the contingency plan be appropriate in the event of all types of potential
        disasters (e.g., fire, flood, earthquake, etc.)?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Implementation Specification (Addressable)
      description: Establish (and implement as needed) procedures that allow facility
        access in support of the restoration of lost data under the Disaster Recovery
        Plan and Emergency Mode Operations Plan in the event of an emergency.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node163
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node162
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Maintain Maintenance Records
      description: Implement policies and procedures to document repairs and modifications
        to the physical components of a facility that are related to security (e.g.,
        hardware, walls, doors, and locks).
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node165
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node164
      name: Sample questions
      description: 'Are policies and procedures developed and implemented that specify
        how to document repairs and modifications to the physical components of a
        facility that are related to security?


        Are records of repairs to hardware, walls, doors, and locks maintained?


        Has responsibility for maintaining these records been assigned?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(a)
      name: Implementation Specification (Addressable)
      description: Implement policies and procedures to document repairs and modifications
        to the physical components of a facility that are related to security (e.g.,
        hardware, walls, doors, and locks).
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node167
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node166
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310
      ref_id: 164.310(b)
      description: 'Workstation Use:

        HIPAA Standard: Implement policies and procedures that specify the proper
        functions to be performed, the manner in which those functions are to be performed,
        and the physical attributes of the surroundings of a specific workstation
        or class of workstation that can access electronic protected health information.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b)
      name: Identify Workstation and Device Types and Functions or Uses
      description: "Inventory workstations and devices that create, store, process\
        \ or transmit ePHI. Be sure to consider the multitude of computing devices\
        \ (e.g., medical equipment, medical IoT devices, tablets, smart phones, etc.).\n\
        \nDevelop policies and procedures for each type of device and identify and\
        \ accommodate their unique issues.\n\nClassify devices based on the capabilities,\
        \ connections, and allowable activities for each device used.\n\nDetermine\
        \ the proper function and manner by which specific workstations or classes\
        \ of workstations are permitted to access ePHI (e.g., applications permitting\
        \ access to ePHI that are allowed on workstations used by a hospital\u2019\
        s customer service call center or its radiology department)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node170
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node169
      name: Sample questions
      description: 'Do the policies and procedures identify devices that access ePHI
        and those that do not?


        Is there an inventory of device types and locations in the organization?


        Who is responsible for this inventory and its maintenance?


        What tasks are commonly performed on a given device or type of device?


        Are all types of computing devices used as workstations identified along with
        the use of these devices?


        Are all devices that create, store, process, or transmit ePHI owned by the
        regulated entity?


        Are some devices personally owned or owned by another party?


        Has the organization considered the use of automation to manage device inventory?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b)
      name: Identify the Expected Performance of Each Type of Workstation and Device
      description: Develop and document policies and procedures related to the proper
        use and performance of devices that create, store, process, or transmit ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node172
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node171
      name: Sample questions
      description: 'How are these devices used in day-to-day operations?


        Which devices are involved in various work activities?


        What are key operational risks that could result in a breach of security?


        Do the policies and procedures address the use of these devices for any personal
        use?


        Has the organization updated training and awareness content to include the
        proper use and performance of these devices?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(b)
      name: Analyze Physical Surroundings for Physical Attributes
      description: "Ensure that any risks associated with a device\u2019s surroundings\
        \ are known and analyzed for possible negative impacts.\n\nDevelop policies\
        \ and procedures that will prevent or preclude the unauthorized access of\
        \ unattended devices, limit the ability of unauthorized persons to view sensitive\
        \ information, and dispose of sensitive information as needed."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node174
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node173
      name: Sample questions
      description: 'Do the policies and procedures specify where to place devices
        to only allow viewing by authorized personnel?


        Where are devices located?


        Where does work on ePHI occur?


        Are some devices stationary?


        Are some devices mobile and leave the physical facility?


        Is viewing by unauthorized individuals restricted or limited on these devices?


        Do changes need to be made in the space configuration?


        Do workforce members understand the security requirements for the data they
        use in their day-to-day jobs?


        Are any computing components (e.g., servers, workstations, medical devices)
        kept in locations that put the confidentiality, integrity, and availability
        of ePHI at risk?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310
      ref_id: 164.310(c)
      description: 'Workstation Security:

        HIPAA Standard: Implement physical safeguards for all workstations that access
        electronic protected health information, to restrict access to authorized
        users.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c)
      name: Identify All Methods of Physical Access to Workstations and Devices
      description: 'Document the different ways that users access workstations and
        other devices that create, store, process, or transmit ePHI. Be sure to consider
        the multitude of computing devices (e.g., medical equipment, medical IoT devices,
        tablets, smart phones, etc.).


        Consider any mobile devices that leave the physical facility as well as remote
        workers who access devices that create, store, process, or transmit ePHI.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node177
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node176
      name: Sample questions
      description: 'Is there an inventory of all current device locations?


        Are any devices located in public areas?


        Are laptops or other computing devices used as workstations to create, access,
        store, process, or transmit ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c)
      name: Analyze the Risks Associated with Each Type of Access
      description: Determine which type of access identified in Key Activity 1 poses
        the greatest threat to the security of ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node179
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node178
      name: Sample questions
      description: 'Do any devices leave the facility?


        Are any devices housed in areas that are more vulnerable to unauthorized use,
        theft, or viewing of the data they contain?


        What are the options for modifying the current access configuration to protect
        ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(c)
      name: Identify and Implement Physical Safeguards for Workstations and Devices
      description: 'Implement physical safeguards and other security measures to minimize
        the possibility of inappropriate access to ePHI through computing devices.


        If there are impediments to physically securing devices and/or the facilities
        where devices are located, additional safeguards should be considered, such
        as:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node181
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node180
      name: Sample questions
      description: 'Are physical safeguards implemented for all devices that access
        ePHI to restrict access to authorized users?


        Are devices and other tools used in the provisioning of treatment, payment
        and operations protected from unauthorized access, viewing, modification,
        and/or theft within mobile healthcare environments?


        What safeguards are in place,(e.g., locked doors, screen barriers, cameras,
        guards)?


        Are additional physical safeguards needed to protect devices with ePHI?


        Do any devices need to be relocated to enhance physical security?


        Are safeguards such as anti-theft devices, physical privacy screens, or other
        procedures used to help prevent unauthorized audio and video recording


        Have workforce members been trained on security?


        Are some devices not owned by the organization? Do these ownership considerations
        preclude the use of any physical security controls on the device?


        Do the policies and procedures specify the use of additional security measures
        to protect devices with ePHI, such as using privacy screens, enabling password-protected
        screen savers, or logging off the device?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310
      ref_id: 164.310(d)
      description: 'Device and Media Controls:

        HIPAA Standard: Implement policies and procedures that govern the receipt
        and removal of hardware and electronic media that contain electronic protected
        health information into and out of a facility, and the movement of these items
        within the facility.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Implement Methods for the Final Disposal of ePHI
      description: 'Implement policies and procedures to address the final disposition
        of ePHI and/or the hardware or electronic media on which it is stored.


        Determine and document the appropriate methods to dispose of hardware, software,
        and the data itself.


        Ensure that ePHI is properly destroyed and cannot be recreated.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node184
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node183
      name: Sample questions
      description: 'What ePHI is created, stored, processed, and transmitted by the
        organization? On what media is it located?


        Is data stored on removable, reusable media (e.g., flash drives, Secure Digital
        (SD) memory cards)?


        Are policies and procedures developed and implemented that address the disposal
        of ePHI and/or the hardware and media on which ePHI is stored?


        Is there a process for destroying data on all media?


        What are the options for disposing of data on hardware? What are the costs?


        Prior to disposal, have media and devices containing ePHI been sanitized  in
        accordance with SP 800-88?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Implementation Specification (Required)
      description: Implement policies and procedures to address the final disposition
        of ePHI and/or the hardware or electronic media on which it is stored.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node186
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node185
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Develop and Implement Procedures for the Reuse of Electronic Media
      description: 'Implement procedures for the removal of ePHI from electronic media
        before the media become available for reuse.


        Ensure that ePHI previously stored on any electronic media cannot be accessed
        and reused.


        Identify removable media and their uses.


        Ensure that ePHI is removed from reusable media before they are used to record
        new information.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node188
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node187
      name: Sample questions
      description: 'Do policies and procedures already exist regarding the reuse of
        electronic media (i.e., hardware and software)?


        Have reused media been erased to the point where previous ePHI is neither
        readily available nor recoverable?


        Is one individual and/or department responsible for coordinating the disposal
        of data and the reuse of the hardware and software?


        Are workforce members appropriately trained on the security risks to ePHI
        when reusing software and hardware?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Implementation Specification (Required)
      description: Implement procedures for the removal of ePHI from electronic media
        before the media become available for reuse.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node190
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node189
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Maintain Accountability for Hardware and Electronic Media
      description: 'Maintain a record of the movements of hardware and electronic
        media and any person responsible for them.


        Ensure that ePHI is not inadvertently released or shared with any unauthorized
        party.


        Ensure that an individual is responsible for and records the receipt and removal
        of hardware and software with ePHI.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node192
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node191
      name: Sample questions
      description: 'Have policies and procedures been implemented that govern the
        receipt and removal of hardware and electronic media that contain ePHI into
        and out of a facility, and the movement of these items within the facility?


        Has a process been implemented to maintain a record of the movements of and
        persons responsible for hardware and electronic media that contain ePHI?


        Where is data stored (i.e., what type of media)?


        What procedures already exist to track hardware and software within the organization
        (e.g., an enterprise inventory management system)?


        If workforce members are allowed to remove electronic media that contain or
        may be used to access ePHI, do procedures exist to track the media externally?


        Who is responsible for maintaining records of hardware and software?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Implementation Specification (Addressable)
      description: Maintain a record of the movements of hardware and electronic media
        and any person responsible for them.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node194
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node193
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Develop Data Backup and Storage Procedures
      description: 'Create a retrievable exact copy of ePHI, when needed, before movement
        of equipment.


        Ensure that an exact retrievable copy of the data is retained and protected
        to maintain the integrity of ePHI during equipment relocation.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node196
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node195
      name: Sample questions
      description: 'Has a process been implemented to create a retrievable, exact
        copy of ePHI when needed and before the movement of equipment?


        Are backup files maintained offsite to ensure data availability in the event
        that data is lost while transporting or moving electronic media that contain
        ePHI?


        If data were to be unavailable while media are transported or moved for a
        period of time, what would the business impact be?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.310(d)
      name: Implementation Specification (Addressable)
      description: Create a retrievable exact copy of ePHI, when needed, before movement
        of equipment.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node198
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node197
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      assessable: false
      depth: 1
      ref_id: '164.312'
      description: "Technical Safeguards:\nDefined as the \u201Cthe technology and\
        \ the policy and procedures for its use that protect electronic protected\
        \ health information and control access to it.\u201D"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      ref_id: 164.312(a)
      description: "Access Control:\nHIPAA Standard: Implement technical policies\
        \ and procedures for electronic information systems that maintain electronic\
        \ protected health information to allow access only to those persons or software\
        \ programs that have been granted access rights as specified in \xA7 164.308(a)(4)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Analyze Workloads and Operations to Identify the Access Needs of All Users
      description: 'Identify an approach for access control.


        Consider all applications and systems containing ePHI that should only be
        available to authorized users, processes, and services.


        Integrate these activities into the access granting and management process.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node202
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node201
      name: Sample questions
      description: "Have all applications and systems with ePHI been identified?\n\
        \nWhat user roles are defined for those applications and systems?\n\nIs access\
        \ to systems containing ePHI only granted to authorized processes and services?\n\
        \nWhere is the ePHI supporting those applications and systems currently housed\
        \ (e.g., stand-alone computer, network storage, database)?\n\nAre data and/or\
        \ systems being accessed remotely?\n\nHave access decisions been based on\
        \ determinations from \xA7 164.308(a)(4) Information Access Management?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Identify Technical Access Control Capabilities
      description: "Determine the access control capabilities of all systems with\
        \ ePHI.\n\nDetermine whether network infrastructure can limit access to systems\
        \ with ePHI (e.g., network segmentation).\n\nImplement technical access controls\
        \ to limit access to ePHI to only that which has been granted in accordance\
        \ with the regulated entity\u2019s information access management policies\
        \ and procedures (see 45 CFR 164.308(a)(4))."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node204
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node203
      name: Sample questions
      description: "How are the systems accessed for viewing, modifying, or creating\
        \ data?\n\nCan identified technical access controls limit access to ePHI to\
        \ only what is authorized in accordance with the regulated entity\u2019s information\
        \ access management policies and procedures (see 45 CFR 164.308(a)(4))?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Ensure that All System Users Have Been Assigned a Unique Identifier
      description: 'Assign a unique name and/or number for identifying and tracking
        user identity.


        Ensure that system activity can be traced to a specific user.


        Ensure that the necessary data is available in the system logs to support
        audit and other related business functions.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node206
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node205
      name: Sample questions
      description: 'How should the identifier be established (e.g., length and content)?


        Should the identifier be self-selected, organizationally selected, or randomly
        generated?


        Are logs associated with access events created?


        Are these access logs regularly reviewed?


        Can the unique user identifier be used to track user access to ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Implementation Specification (Required)
      description: Assign a unique name and/or number for identifying and tracking
        user identity.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node208
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node207
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Develop Access Control Policy  and Procedures
      description: 'Establish a formal policy for access control that will guide the
        development of procedures.


        Specify requirements for access control that are both feasible and cost-effective.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node210
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node209
      name: Sample questions
      description: 'Have rules of behavior been established and communicated to system
        users?


        How will rules of behavior be enforced?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Implement Access Control Procedures Using Selected Hardware and Software
      description: Implement the policy and procedures using existing or additional
        hardware or software solutions.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node212
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node211
      name: Sample questions
      description: 'Who will manage the access control procedures?


        Are current users trained in access control management?


        Will user training be needed to implement access control procedures?


        Do the medical devices in use by the organization support user authentication?
        Are there processes in place to manage this authentication?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Review and Update Access for Users and Processes
      description: "Enforce the policy and procedures as a matter of ongoing operations.\n\
        \nDetermine whether any changes are needed for access control mechanisms.\n\
        \nEnsure that the modification of technical controls that affect a user\u2019\
        s access to ePHI continue to limit access to ePHI to that which has been granted\
        \ in accordance with the regulated entity\u2019s information access management\
        \ policies and procedures (see 45 CFR 164.308(a)(4)).\n\nEstablish procedures\
        \ for updating access when users require the following:"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node214
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node213
      name: Sample questions
      description: 'Have new workforce members/users been given proper instructions
        for protecting data and systems?


        What are the procedures for new employee/user access to data and systems?


        Are there procedures for reviewing and, if appropriate, modifying access authorizations
        for existing users, services, and processes?


        Do users and processes have the appropriate set of permissions to ePHI to
        which they were granted access and to the appropriate systems that create,
        store, process, or transmit ePHI?


        Has the regulated entity considered the use of automation for reviewing the
        access needs of users and processes?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Establish an Emergency Access Procedure
      description: 'Establish (and implement as needed) procedures for obtaining necessary
        electronic protected health information during an emergency.


        Identify a method for supporting continuity of operations should the normal
        access procedures be disabled or unavailable due to system problems.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node216
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node215
      name: Sample questions
      description: 'Are there policies and procedures in place to provide appropriate
        access to ePHI in emergency situations?


        When should the emergency access procedure be activated?


        Who is authorized to make the decision?


        Who has assigned roles in the process?


        Will systems automatically default to settings and functionalities that will
        enable the emergency access procedure or will the mode be activated by the
        system administrator or other authorized individual?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Implementation Specification (Required)
      description: Establish (and implement as needed) procedures for obtaining necessary
        electronic protected health information during an emergency.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node218
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node217
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Automatic Logoff and Encryption and Decryption
      description: 'Consider whether the addressable implementation specifications
        of this standard are reasonable and appropriate:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node220
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node219
      name: Sample questions
      description: "Are automatic logoff features available for any of the regulated\
        \ entity\u2019s operating systems or other major applications?\n\nIf applications\
        \ have been created or developed in-house, is it reasonable and appropriate\
        \ to modify them to feature an automatic logoff capability?\n\nWhat period\
        \ of inactivity prior to automatic logoff is reasonable and appropriate for\
        \ the regulated entity?\n\nWhat encryption capabilities are available for\
        \ the regulated entity\u2019s ePHI?\n\nIs encryption appropriate for storing\
        \ and maintaining ePHI (i.e., at rest)?\n\nBased on the risk assessment, is\
        \ encryption needed to effectively protect ePHI at rest from unauthorized\
        \ access?\n\nIs email encryption necessary for the organization to protect\
        \ ePHI?\n\nAre automated confidentiality statements needed for email leaving\
        \ the organization?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Implementation Specification (Automatic Logoff)
      description: 'Consider whether the addressable implementation specifications
        of this standard are reasonable and appropriate:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node222
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node221
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Implementation Specification (Encryption and Decryption)
      description: 'Consider whether the addressable implementation specifications
        of this standard are reasonable and appropriate:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node224
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node223
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(a)
      name: Terminate Access if it is No Longer Required
      description: 'Ensure that access to ePHI is terminated if the access is no longer
        authorized.


        Consider implementing a user recertification process to ensure that least
        privilege is enforced.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node226
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node225
      name: Sample questions
      description: 'Are rules being enforced to remove access by staff members who
        no longer have a need to know because they have changed assignments or have
        stopped working for the organization?


        Does the organization revisit user access requirements regularly to ensure
        least privilege?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      ref_id: 164.312(b)
      description: 'Audit Controls:

        HIPAA Standard: Implement hardware, software, and/or procedural mechanisms
        that record and examine activity in information systems that contain or use
        electronic protected health information.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      name: Determine the Activities that Will Be Tracked or Audited
      description: "Determine the appropriate scope of audit controls that will be\
        \ necessary in information systems that contain or use ePHI based on the regulated\
        \ entity\u2019s risk assessment and other organizational factors.\n\nDetermine\
        \ what activities need to be captured using the results of the risk assessment\
        \ and risk management processes."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node229
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node228
      name: Sample questions
      description: 'Where is ePHI at risk in the organization?


        What systems, applications, or processes make ePHI vulnerable to unauthorized
        or inappropriate tampering, uses, or disclosures?


        What activities will be audited (e.g., creating ePHI, accessing ePHI, modifying
        ePHI, transmitting ePHI, and/or deleting files or records that contain ePHI)?


        What should the audit record include (e.g., user responsible for the activity;
        event type, date, or time)?


        Are audit records generated for all systems/devices that create, store, process,
        or transmit ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      name: Select the Tools that Will Be Deployed for Auditing and System Activity
        Reviews
      description: Evaluate existing system capabilities and determine whether any
        changes or upgrades are necessary.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node231
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node230
      name: Sample questions
      description: 'What tools are in place?


        What are the most appropriate monitoring tools for the organization (e.g.,
        third party, freeware, or operating system-provided)?


        Are changes/upgrades to information systems reasonable and appropriate?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      name: Develop and Deploy the Information System Activity Review/Audit Policy
      description: "Document and communicate to the workforce the organization\u2019\
        s decisions on audits and reviews."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node233
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node232
      name: Sample questions
      description: "Who is responsible for the overall audit process and results?\n\
        \nHow often will audits take place?\n\nHow often will audit results be analyzed?\n\
        \nWhat is the organization\u2019s sanction policy for employee violations?\n\
        \nWhere will audit information reside (e.g., separate server)?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      name: Develop Appropriate Standard Operating Procedures
      description: 'Determine the types of audit trail data and monitoring procedures
        that will be needed to derive exception reports.


        Determine the frequency of audit log reviews based on the risk assessment
        and risk management processes.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node235
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node234
      name: Sample questions
      description: "How will exception reports or logs be reviewed?\n\nHas the organization\
        \ considered the use of automation to assist in the monitoring and review\
        \ of system activity?\n\nAre the organization\u2019s monitoring system activity\
        \ and logs reviewed frequently enough to sufficiently protect ePHI?\n\nWhere\
        \ will monitoring reports be filed and maintained?\n\nIs there a formal process\
        \ in place to address system misuse, abuse, and fraudulent activity?\n\nHow\
        \ will managers and workforce members be notified, when appropriate, regarding\
        \ suspect activity?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(b)
      name: Implement the Audit/System Activity Review Process
      description: 'Activate the necessary audit system.

        Begin logging and auditing procedures.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node237
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node236
      name: Sample questions
      description: 'What mechanisms (e.g., metrics) will be implemented to assess
        the effectiveness of the audit process?


        What is the plan to revise the audit process when needed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      ref_id: 164.312(c)
      description: 'Integrity:

        HIPAA Standard: Implement policies and procedures to protect electronic protected
        health information from improper alteration or destruction.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Identify All Users Who Have Been Authorized to Access ePHI
      description: 'Identify all approved users with the ability to alter or destroy
        ePHI, if reasonable and appropriate.


        Address this Key Activity in conjunction with the identification of unauthorized
        sources in Key Activity 2.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node240
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node239
      name: Sample questions
      description: 'How are users authorized to access the information?


        Is there a sound basis for why they need the access?


        Have they been trained on how to use the information?


        Is there an audit trail established for all accesses to the information?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept
        the Information and Modify It
      description: 'Identify scenarios that may result in modification to the ePHI
        by unauthorized sources (e.g., hackers, ransomware, insider threats, business
        competitors, user errors).


        Conduct this activity as part of a risk analysis.


        Consider how the organization will detect unauthorized modification to ePHI'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node242
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node241
      name: Sample questions
      description: 'What are likely sources that could jeopardize information integrity?


        What can be done to protect the integrity of the information when it is residing
        in a system (at rest)?


        What procedures and policies can be established to decrease or prevent alteration
        of the information during transmission?


        What options exist to detect the unauthorized modification of ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Develop the Integrity Policy and Requirements
      description: Establish a formal written set of integrity requirements based
        on the results of the analysis completed in Key Activities 1 and 2.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node244
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node243
      name: Sample questions
      description: 'Have the requirements been discussed and agreed to by identified
        key personnel involved in the processes that are affected?


        Have the requirements been documented?


        Has a written policy been developed and communicated to personnel?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Implement Procedures to Address These Requirements
      description: 'Identify and implement methods that will be used to protect ePHI
        from unauthorized modification.


        Identify and implement tools and techniques to be developed or procured that
        support the assurance of integrity.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node246
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node245
      name: Sample questions
      description: 'Are current audit, logging, and access control techniques sufficient
        to address the integrity of ePHI?


        If not, what additional techniques (e.g., quality control process, transaction
        and output reconstruction) can be utilized to check the integrity of ePHI?


        Are technical solutions in place to prevent and detect the malicious alteration
        or destruction of ePHI (e.g., anti-malware, anti-ransomware, file integrity
        monitoring solutions)?


        Can the additional training of users decrease instances attributable to human
        errors?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Implement a Mechanism to Authenticate ePHI
      description: 'Implement electronic mechanisms to corroborate that ePHI has not
        been altered or destroyed in an unauthorized manner.


        Consider possible mechanisms for integrity verification, such as:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node248
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node247
      name: Sample questions
      description: 'Are the uses of both electronic and non-electronic mechanisms
        necessary for the protection of ePHI?


        Are appropriate electronic authentication tools available?


        Are available electronic authentication tools interoperable with other applications
        and system components?


        If ePHI is detected as altered by unauthorized users or improperly altered
        by authorized users, is a process in place to respond?


        Is this response process tied to organizational incident management processes?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Implementation Specification (Addressable)
      description: Implement electronic mechanisms to corroborate that ePHI has not
        been altered or destroyed in an unauthorized manner.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node250
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node249
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(c)
      name: Establish a Monitoring Process to Assess How the Implemented Process is
        Working
      description: 'Review existing processes to determine whether objectives are
        being addressed.


        Continually reassess integrity processes as technology and operational environments
        change to determine whether they need to be revised.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node252
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node251
      name: Sample questions
      description: 'Are there reported instances of information integrity problems?
        Have they decreased since integrity procedures were implemented?


        Does the process, as implemented, provide a higher level of assurance that
        information integrity is being maintained?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      ref_id: 164.312(d)
      description: 'Person or Entity Authentication:

        HIPAA Standard: Implement procedures to verify that a person or entity seeking
        access to electronic protected health information is the one claimed.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d)
      name: Determine Authentication Applicability to Current Systems/Applications
      description: "Identify the methods available for authentication. Under the HIPAA\
        \ Security Rule, authentication is the corroboration that a person is the\
        \ one claimed (45 CFR \xA7 164.304).\n\nIdentify points of electronic access\
        \ that require or should require authentication. Ensure that the regulated\
        \ entity\u2019s risk analysis properly assesses risks for such access points\
        \ (e.g., risks of unauthorized access from within the enterprise could be\
        \ different than those of remote unauthorized access).\n\nAuthentication requires\
        \ establishing the validity of a transmission source and/or verifying an individual\u2019\
        s claim that they have been authorized for specific access privileges to information\
        \ and information systems."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node255
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node254
      name: Sample questions
      description: 'What authentication methods are available?


        What are the advantages and disadvantages of each method?


        Can risks of unauthorized access be sufficiently reduced for each point of
        electronic access with available authentication methods?


        What will it cost to implement the available methods in the environment?


        Are there trained staff who can maintain the system or should outsourced support
        be considered?


        Are passwords being used? If so, are they unique to the individual?


        Is MFA being used? If so, how and where is it implemented?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d)
      name: Evaluate Available Authentication Options
      description: 'Weigh the relative advantages and disadvantages of commonly used
        authentication approaches.


        There are three commonly used authentication approaches available:


        MFA utilizes two or more authentication approaches to enforce stronger authentication.


        Consider implementing MFA solutions when the risk to ePHI is sufficiently
        high.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node257
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node256
      name: Sample questions
      description: 'What are the strengths and weaknesses of each available option?


        Which can be best supported with assigned resources (e.g., budget/staffing)?


        What level of authentication is appropriate for each access to ePHI based
        on the assessment of risk?


        Has the organization identified all instances of access to ePHI (including
        by services, vendors, or application programming interfaces [APIs]) and considered
        appropriate authentication requirements based on the risk assessment?


        Has the organization considered MFA for access to ePHI that poses high risk
        (e.g., remote access, access to privileged functions)?


        Has the organization researched available MFA options and made a selection
        based on risk to ePHI?


        Is outside vendor support required to implement the process?


        Are there password-less authentication options (e.g., biometric authentication)
        available that can sufficiently address the risk to ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(d)
      name: Select and Implement   Authentication Options
      description: 'Consider the results of the analysis conducted under Key Activity
        2, and select appropriate authentication methods based on the results of the
        risk assessment and risk management processes.


        Implement the methods selected in organizational operations and activities.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node259
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node258
      name: Sample questions
      description: "Has the organization\u2019s selection of authentication methods\
        \ been made based on the results of the risk assessment?\n\nIf passwords are\
        \ being used as an authentication element, are they of sufficient length and\
        \ strength to protect ePHI? Is this enforced by technical policies?\n\nHas\
        \ necessary user and support staff training been completed?\n\nHave a formal\
        \ authentication policy and procedures been established and communicated?\n\
        \nHas necessary testing been completed to ensure that the authentication system\
        \ is working as prescribed?\n\nDo the procedures include ongoing system maintenance\
        \ and updates?\n\nIs the process implemented in such a way that it does not\
        \ compromise the authentication information (e.g., password file encryption,\
        \ etc.)?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312
      ref_id: 164.312(e)(1)
      description: 'Transmission Security:

        HIPAA Standard: Implement technical security measures to guard against unauthorized
        access to electronic protected health information that is being transmitted
        over an electronic communications network.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Identify Any Possible Unauthorized Sources that May Be Able to Intercept
        and/or Modify the Information
      description: 'Identify all pathways by which ePHI will be transmitted into,
        within, and outside of the organization.


        Identify scenarios (e.g., telehealth, claims processing) that may result in
        access to or modification of the ePHI by unauthorized sources during transmission
        (e.g., hackers, disgruntled workforce members, business competitors).


        Identify scenarios and pathways that may put ePHI at a high level of risk.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node262
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node261
      name: Sample questions
      description: 'Have all pathways by which ePHI will be transmitted (e.g., file
        transfers, email, web portals, mobile apps, communications with servers or
        databases containing ePHI, online tracking) been identified?


        Has a risk assessment been used to determine transmission pathways and scenarios
        that may pose high risk to ePHI?


        What measures exist to protect ePHI in transmission?


        Have appropriate protection mechanisms been identified for all scenarios and
        pathways by which ePHI is transmitted?


        Is there an auditing process in place to verify that ePHI has been protected
        against unauthorized access during transmission?


        Are there trained staff members to monitor transmissions?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Develop and Implement Transmission Security Policy and Procedures
      description: 'Establish a formal written set of requirements for transmitting
        ePHI.


        Identify methods of transmission that will be used to safeguard ePHI.


        Identify tools and techniques that will be used to support the transmission
        security policy.


        Implement procedures for transmitting ePHI using hardware and/or software,
        if needed.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node264
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node263
      name: Sample questions
      description: 'Have the requirements been discussed and agreed to by identified
        key personnel involved in transmitting ePHI?


        Has a written policy been developed and communicated to system users?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Implement Integrity Controls
      description: Implement security measures to ensure that electronically transmitted
        ePHI is not improperly modified without detection until disposed of.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node266
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node265
      name: Sample questions
      description: 'What security measures are currently used to protect ePHI during
        transmission?


        What measures are planned to protect ePHI in transmission?


        Is there assurance that information is not altered during transmission?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Implementation Specification (Addressable)
      description: Implement security measures to ensure that electronically transmitted
        ePHI is not improperly modified without detection until disposed of.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node268
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node267
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Implement Encryption
      description: Implement a mechanism to encrypt ePHI whenever appropriate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node270
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node269
      name: Sample questions
      description: 'Is encryption reasonable and appropriate to protect ePHI in transmission?


        Based on the risk assessment, is encryption needed to effectively protect
        the information from unauthorized access during transmission?


        Has the organization considered the use of email encryption and automated
        confidentiality statements when emailing outside of the organization?


        Is encryption feasible and cost-effective in this environment?


        What encryption algorithms and mechanisms are available?


        Are available encryption algorithms and mechanisms of sufficient strength
        to protect electronically transmitted ePHI?


        Is electronic transmission hardware/software configured so that the strength
        of encryption used in transmitting ePHI cannot be weakened?


        Have all applications used on devices  that support the provisioning of health
        services been assessed to verify that strong transmission security is implemented?


        Does the covered entity have the appropriate staff to maintain a process for
        encrypting ePHI during transmission?


        Are workforce members skilled in the use of encryption?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.312(e)(1)
      name: Implementation Specification (Addressable)
      description: Implement a mechanism to encrypt ePHI whenever appropriate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node272
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node271
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314
      assessable: false
      depth: 1
      ref_id: '164.314'
      description: 'Organizational Requirements:

        Includes standards for business associate contracts and other arrangements
        between a covered entity and a business associate and between a business associate
        and a subcontractor, as well as requirements for group health plans.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314
      ref_id: 164.314(a)
      description: "Business Associate Contracts or Other Arrangements:\nHIPAA Standard:\
        \ (i) The contract or other arrangement between the covered entity and its\
        \ business associate required by \xA7 164.308(b)(3) must meet the requirements\
        \ of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.\
        \ (ii) A covered entity is in compliance with paragraph (a)(1) of this section\
        \ if it has another arrangement in place that meets the requirements of \xA7\
        \ 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii)\
        \ of this section apply to the contract or other arrangement between a business\
        \ associate and a subcontractor required by \xA7 164.308(b)(4) in the same\
        \ manner as such requirements apply to contracts or other arrangements between\
        \ a covered entity and business associate."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Contract Must Provide that Business Associates Will Comply with the Applicable
        Requirements of the Security Rule
      description: 'Contracts between covered entities and business associates must
        provide that business associates will implement administrative, physical,
        and technical safeguards that reasonably and appropriately protect the confidentiality,
        integrity, and availability of the ePHI that the business associate creates,
        receives, maintains, or transmits on behalf of the covered entity.


        Readers may find useful resources in Appendix F, including OCR BAA guidance
        and templates that include applicable language.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node276
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node275
      name: Sample questions
      description: Does the written agreement between the covered entity and the business
        associate address the applicable functions related to creating, receiving,
        maintaining, and transmitting ePHI that the business associate is to perform
        on behalf of the covered entity?
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Implementation Specification (Required)
      description: Contracts between covered entities and business associates must
        provide that business associates will implement administrative, physical,
        and technical safeguards that reasonably and appropriately protect the confidentiality,
        integrity, and availability of the ePHI that the business associate creates,
        receives, maintains, or transmits on behalf of the covered entity.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node278
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node277
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Contract Must Provide that the Business Associates Enter into Contracts
        with Subcontractors to Ensure the Protection of ePHI
      description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\
        \ that create, receive, maintain, or transmit ePHI on behalf of the business\
        \ associate agree to comply with the applicable requirements of this subpart\
        \ by entering into a contract or other arrangement that complies with this\
        \ section."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node280
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node279
      name: Sample questions
      description: "Has the business associate identified all of its subcontractors\
        \ that will create, receive, maintain, or transmit ePHI?\n\nHas the business\
        \ associate ensured that contracts in accordance with \xA7 164.314 are in\
        \ place with its subcontractors identified in the previous question?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Implementation Specification (Required)
      description: "In accordance with \xA7 164.308(b)(2), ensure that any subcontractors\
        \ that create, receive, maintain, or transmit ePHI on behalf of the business\
        \ associate agree to comply with the applicable requirements of this subpart\
        \ by entering into a contract or other arrangement that complies with this\
        \ section."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node282
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node281
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Contract Must Provide that Business Associates will Report Security Incidents
      description: "Report to the covered entity any security incident of which it\
        \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410.\n\
        \nMaintain clear lines of communication between covered entities and business\
        \ associates regarding the protection of ePHI as per the BAA or contract.\n\
        \nEstablish a reporting mechanism and a process for the business associate\
        \ to use in the event of a security incident or breach."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node284
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node283
      name: Sample questions
      description: 'Is there a procedure in place for reporting security incidents,
        including breaches of unsecured PHI by business associates?


        Have key business associate staff been identified as points of contact in
        the event of a security incident or breach?


        Does the contract include clear time frames and responsibilities regarding
        the investigation and reporting of security incidents and breaches?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Implementation Specification (Required)
      description: "Report to the covered entity any security incident of which it\
        \ becomes aware, including breaches of unsecured PHI as required by \xA7 164.410."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node286
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node285
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Other Arrangements
      description: "The covered entity complies with paragraph (a)(1) of this section\
        \ if it has another arrangement in place that meets the requirements of \xA7\
        \ 164.504(e)(3)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node288
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node287
      name: Sample questions
      description: 'Has the covered entity made a good faith attempt to obtain satisfactory
        assurances that the security standards required by this section are met?


        Are attempts to obtain satisfactory assurances and the reasons that assurances
        cannot be obtained documented?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Implementation Specification (Required)
      description: "The covered entity complies with paragraph (a)(1) of this section\
        \ if it has another arrangement in place that meets the requirements of \xA7\
        \ 164.504(e)(3)."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node290
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node289
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Business Associate Contracts with Subcontractors
      description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this
        section apply to the contract or other arrangement between a business associate
        and a subcontractor in the same manner as such requirements apply to contracts
        or other arrangements between a covered entity and business associate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node292
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node291
      name: Sample questions
      description: Do business associate contracts or other arrangements between the
        business associate and its subcontractors include appropriate language to
        comply with paragraphs (a)(2)(i) and (a)(2)(ii) of this section?
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(a)
      name: Implementation Specification (Required)
      description: The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this
        section apply to the contract or other arrangement between a business associate
        and a subcontractor in the same manner as such requirements apply to contracts
        or other arrangements between a covered entity and business associate.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node294
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node293
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314
      ref_id: 164.314(b)
      description: "Requirements for Group Health Plans:\nHIPAA Standard: Except when\
        \ the only electronic protected health information disclosed to a plan sponsor\
        \ is disclosed pursuant to \xA7 164.504(f)(1)(ii) or (iii), or as authorized\
        \ under \xA7 164.508, a group health plan must ensure that its plan documents\
        \ provide that the plan sponsor will reasonably and appropriately safeguard\
        \ electronic protected health information created, received, maintained, or\
        \ transmitted to or by the plan sponsor on behalf of the group health plan."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: "Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor\u2019\
        s Security of ePHI"
      description: Amend the plan documents to incorporate provisions to require the
        plan sponsor to implement administrative, technical, and physical safeguards
        that will reasonably and appropriately protect the confidentiality, integrity,
        and availability of ePHI that it creates, receives, maintains, or transmits
        on behalf of the group health plan.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node297
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node296
      name: Sample questions
      description: 'Does the plan sponsor fall under the exception described in the
        standard?


        Do the plan documents require the plan sponsor to reasonably and appropriately
        safeguard ePHI?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Implementation Specification (Required)
      description: Amend the plan documents to incorporate provisions to require the
        plan sponsor to implement administrative, technical, and physical safeguards
        that will reasonably and appropriately protect the confidentiality, integrity,
        and availability of ePHI that it creates, receives, maintains, or transmits
        on behalf of the group health plan.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node299
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node298
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Amend Plan Documents of the Group Health Plan to Address Adequate Separation
      description: "Amend the plan documents to incorporate provisions to require\
        \ the plan sponsor to ensure that the adequate separation between the group\
        \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\
        \ by reasonable and appropriate security measures."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node301
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node300
      name: Sample questions
      description: "Do plan documents address the obligation to keep ePHI secure with\
        \ respect to the plan sponsor\u2019s workforce members, classes of workforce\
        \ members, or other persons who will be given access to ePHI?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Implementation Specification (Required)
      description: "Amend the plan documents to incorporate provisions to require\
        \ the plan sponsor to ensure that the adequate separation between the group\
        \ health plan and plan sponsor required by \xA7164.504(f)(2)(iii) is supported\
        \ by reasonable and appropriate security measures."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node303
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node302
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: "Amend Plan Documents of the Group Health Plan to Address the Security\
        \ of ePHI Supplied to the Plan Sponsors\u2019 Agents and Subcontractors"
      description: Amend plan documents to incorporate provisions to require the plan
        sponsor to report any security incident of which it becomes aware to the group
        health plan.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node305
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node304
      name: Sample questions
      description: Do the plan documents of the group health plan address the issue
        of subcontractors and other agents of the plan sponsor implementing reasonable
        and appropriate security measures?
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Implementation Specification (Required)
      description: Amend plan documents to incorporate provisions to require the plan
        sponsor to ensure that any agent to whom it provides ePHI agrees to implement
        reasonable and appropriate security measures to protect the ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node307
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node306
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Amend Plan Documents of Group Health Plans to Address the Reporting of
        Security Incidents
      description: 'Amend plan documents to incorporate provisions to require the
        plan sponsor to report any security incident of which it becomes aware to
        the group health plan.


        Establish a specific policy for security incident reporting.


        Establish a reporting mechanism and a process for the plan sponsor to use
        in the event of a security incident.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node309
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node308
      name: Sample questions
      description: 'Is there a procedure in place for security incident reporting?


        Are procedures in place for responding to security incidents?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.314(b)
      name: Implementation Specification (Required)
      description: Amend plan documents to incorporate provisions to require the plan
        sponsor to report any security incident of which it becomes aware to the group
        health plan.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node311
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node310
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
      assessable: false
      depth: 1
      ref_id: '164.316'
      description: 'Policies and Procedures and Documentation Requirements:

        Requires the implementation of reasonable and appropriate policies and procedures
        to comply with the standards, implementation specifications, and other requirements
        of the Security Rule; the maintenance of written (may be electronic) documentation
        and/or records that include the policies, procedures, actions, activities,
        or assessments required by the Security Rule; and retention, availability,
        and update requirements related to the documentation.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
      ref_id: 164.316(a)
      description: "Policies and Procedures:\nHIPAA Standard: Implement reasonable\
        \ and appropriate policies and procedures to comply with the standards, implementation\
        \ specifications, or other requirements of this subpart, taking into account\
        \ those factors specified in \xA7 164.306(b)(2)(i), (ii), (iii), and (iv).\
        \ This standard is not to be construed to permit or excuse an action that\
        \ violates any other standard, implementation specification, or other requirements\
        \ of this subpart. A covered entity or business associate may change its policies\
        \ and procedures at any time, provided that the changes are documented and\
        \ are implemented in accordance with this subpart."
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
      name: Create and Deploy Policies and Procedures
      description: 'Implement reasonable and appropriate policies and procedures to
        comply with the standards, implementation specifications, and other requirements
        of the HIPAA Security Rule.


        Consider the importance of documenting processes and procedures for demonstrating
        the adequate implementation of recognized security practices.


        Periodically evaluate written policies and procedures to verify that:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node315
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node314
      name: Sample questions
      description: 'Are reasonable and appropriate policies and procedures to comply
        with each of the standards, applicable implementation specifications, and
        other requirements of the HIPAA Security Rule in place?


        Are policies and procedures reasonable and appropriate given:'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(a)
      name: Update the Documentation of the Policy and Procedures
      description: Change policies and procedures as is reasonable and appropriate
        at any time, provided that the changes are documented and implemented in accordance
        with the requirements of the HIPAA Security Rule.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node317
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node316
      name: Sample questions
      description: 'Is a process in place for periodically reevaluating the policies
        and procedures and updating them as necessary?


        Should HIPAA documentation be updated in response to periodic evaluations,
        following security incidents, and/or after acquisitions of new technology
        or new procedures?


        As policies and procedures are changed, are new versions made available and
        are workforce members appropriately trained?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316
      ref_id: 164.316(b)
      description: 'Documentation:

        HIPAA Standard: (i) Maintain the policies and procedures implemented to comply
        with this subpart in written (which may be electronic) form; and (ii) if an
        action, activity or assessment is required by this subpart to be documented,
        maintain a written (which may be electronic) record of the action, activity,
        or assessment.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Draft, Maintain, and Update Required Documentation
      description: 'Document decisions concerning the management, operational, and
        technical controls selected to mitigate identified risks.


        Written documentation may be incorporated into existing manuals, policies,
        and other documents or be created specifically for the purpose of demonstrating
        compliance with the HIPAA Security Rule.


        Consider the importance of documenting the processes and procedures for demonstrating
        the adequate implementation of recognized security practices.


        Use feedback from risk assessments and contingency plan tests to help determine
        when to update documentation.'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node320
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node319
      name: Sample questions
      description: 'Are all required policies and procedures documented?


        Should HIPAA Security Rule documentation be maintained by the individual responsible
        for HIPAA Security Rule implementation?


        Should HIPAA Security Rule documentation be updated in response to periodic
        evaluations, following security incidents, and/or after acquisitions of new
        technology or new procedures?


        Have dates of creation and validity periods been included in all documentation?


        Has appropriate management reviewed and approved all documentation?


        Are actions, activities, and assessments required by the Security Rule documented
        as appropriate?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Retain Documentation for at Least Six Years
      description: Retain documentation required by paragraph (b)(1) of this section
        for six years from the date of its creation or the date when it last was in
        effect, whichever is later.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node322
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node321
      name: Sample questions
      description: "Have documentation retention requirements under HIPAA been aligned\
        \ with the organization\u2019s other data retention policies?"
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Implementation Specification (Required)
      description: Retain documentation required by paragraph (b)(1) of this section
        for six years from the date of its creation or the date when it last was in
        effect, whichever is later.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node324
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node323
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Ensure that Documentation is Available to Those Responsible for Implementation
      description: Make documentation available to those persons responsible for implementing
        the procedures to which the documentation pertains.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node326
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node325
      name: Sample questions
      description: 'Is the location of the documentation known to all staff who need
        to access it?


        Is availability of the documentation made known as part of education, training,
        and awareness activities?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Implementation Specification (Required)
      description: Make documentation available to those persons responsible for implementing
        the procedures to which the documentation pertains.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node328
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node327
      name: Sample questions
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Update Documentation as Required
      description: Review documentation periodically and update as needed in response
        to environmental or operational changes that affect the security of the ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node330
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node329
      name: Sample questions
      description: 'Is there a version control procedure that allows for the verification
        of the timeliness of policies and procedures, if reasonable and appropriate?


        Is there a process for soliciting input on updates of policies and procedures
        from staff, if reasonable and appropriate?


        Are policies and procedures updated in response to environmental or operational
        changes that affect the security of ePHI?


        When were the policies and procedures last updated or reviewed?'
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:164.316(b)
      name: Implementation Specification (Required)
      description: Review documentation periodically and update as needed in response
        to environmental or operational changes that affect the security of the ePHI.
    - urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node332
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:nist-sp-800-66-rev2:node331
      name: Sample questions