{"frameworkId":"hipaa","label":"HIPAA","version":"Administrative Simplification (Security + Privacy + Breach Notification Rules)","description":"Health Insurance Portability and Accountability Act \u2014 US law governing the protection of protected health information (PHI) across healthcare entities and their business associates. CheckID covers the Administrative Simplification rules in 45 CFR Part 164: Subpart C (Security Rule), Subpart D (Breach Notification Rule), and Subpart E (Privacy Rule).","homepageUrl":"https://www.hhs.gov/hipaa/index.html","css":"fw-hipaa","totalControls":59,"registryKey":"hipaa","csvColumn":"Hipaa","displayOrder":8,"scoring":{"method":"criteria-coverage","criteria":{"\u00a7164.306":{"label":"Security Standards: General Rules","description":"General requirements for the Security Rule \u2014 duty to protect electronic PHI confidentiality, integrity, and availability; flexibility of approach; standards and implementation specifications","subpart":"C \u2014 Security Rule"},"\u00a7164.308":{"label":"Administrative Safeguards","description":"Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, and evaluation","subpart":"C \u2014 Security Rule"},"\u00a7164.310":{"label":"Physical Safeguards","description":"Facility access controls, workstation use and security, and device and media controls","subpart":"C \u2014 Security Rule"},"\u00a7164.312":{"label":"Technical Safeguards","description":"Access control, audit controls, integrity controls, person or entity authentication, and transmission security","subpart":"C \u2014 Security Rule"},"\u00a7164.314":{"label":"Organizational Requirements","description":"Business associate contracts and other arrangements; requirements for group health plans","subpart":"C \u2014 Security Rule"},"\u00a7164.316":{"label":"Policies and Procedures and Documentation Requirements","description":"Implement reasonable and appropriate policies and procedures; documentation retention, availability, and updates","subpart":"C \u2014 Security Rule"},"\u00a7164.404":{"label":"Notification to Individuals","description":"Covered entity must notify each affected individual following discovery of a breach of unsecured PHI; timing, content, and method requirements","subpart":"D \u2014 Breach Notification Rule"},"\u00a7164.408":{"label":"Notification to the Secretary","description":"Covered entity must notify the HHS Secretary of breaches of unsecured PHI; immediate notification for breaches affecting 500+ individuals, annual log for smaller breaches","subpart":"D \u2014 Breach Notification Rule"},"\u00a7164.412":{"label":"Law Enforcement Delay","description":"Permits delay of breach notification when a law enforcement official states notice would impede a criminal investigation or cause damage to national security","subpart":"D \u2014 Breach Notification Rule"},"\u00a7164.506":{"label":"Uses and Disclosures for Treatment, Payment, and Health Care Operations","description":"Permitted uses and disclosures of PHI for treatment, payment, and health care operations without authorization","subpart":"E \u2014 Privacy Rule"},"\u00a7164.508":{"label":"Uses and Disclosures Requiring Authorization","description":"Required individual authorization for uses and disclosures of PHI not otherwise permitted; authorization content, validity, and revocation","subpart":"E \u2014 Privacy Rule"},"\u00a7164.510":{"label":"Uses and Disclosures Requiring Opportunity to Agree or Object","description":"Uses and disclosures (e.g., facility directory, notification of family members) where the individual must be given an opportunity to agree or object","subpart":"E \u2014 Privacy Rule"},"\u00a7164.512":{"label":"Uses and Disclosures for Which Authorization or Opportunity to Agree Is Not Required","description":"Permitted uses and disclosures without authorization (e.g., required by law, public health, judicial proceedings, law enforcement, decedents, research, threats to safety)","subpart":"E \u2014 Privacy Rule"},"\u00a7164.514":{"label":"Other Requirements Relating to Uses and Disclosures of PHI","description":"De-identification standards, minimum necessary requirements, marketing and fundraising, verification, and other supplemental requirements for uses and disclosures","subpart":"E \u2014 Privacy Rule"},"\u00a7164.530":{"label":"Administrative Requirements","description":"Privacy Rule administrative requirements: privacy officer, training, safeguards, complaints process, sanctions, mitigation, refraining from intimidating or retaliatory acts, waiver of rights, and policies and procedures","subpart":"E \u2014 Privacy Rule"},"\u00a7164.532":{"label":"Transition Provisions","description":"Effect of prior consents and authorizations under HIPAA-predecessor regulations and the transition to current Privacy Rule requirements","subpart":"E \u2014 Privacy Rule"}}},"colors":{"light":{"background":"#fdf2f8","color":"#9d174d"},"dark":{"background":"#831843","color":"#F9A8D4"}},"groupBy":"hipaa-section","groupLabel":"safeguard","groups":{"306":"General Rules","308":"Administrative Safeguards","310":"Physical Safeguards","312":"Technical Safeguards","314":"Organizational Requirements","316":"Policies, Procedures & Documentation"}}
|