HIPAA Inheritance

2.0 HIPAA Inheritance

Administrative Controls HIPAA RuleiDialogs ControlInherited
Security Management Process - 164.308(a)(1)(i)Risk Management PolicyYes
Assigned Security Responsibility - 164.308(a)(2)Roles PolicyPartially
Workforce Security - 164.308(a)(3)(i)Employee PoliciesPartially
Information Access Management - 164.308(a)(4)(i)System Access PolicyYes
Security Awareness and Training - 164.308(a)(5)(i)Employee PolicyNo
Security Incident Procedures - 164.308(a)(6)(i)IDS PolicyYes
Contingency Plan - 164.308(a)(7)(i)Disaster Recovery PolicyYes
Evaluation - 164.308(a)(8)Auditing PolicyYes

Physical Safeguards HIPAA RuleiDialogs ControlInherited
Facility Access Controls - 164.310(a)(1)Facility and Disaster Recovery PoliciesYes
Workstation Use - 164.310(b)System Access, Approved Tools, and Employee PoliciesPartially
Workstation Security - 164.310(c)System Access, Approved Tools, and Employee PoliciesPartially
Device and Media Controls - 164.310(d)(1)Disposable Media and Data Management PoliciesYes

Technical Safeguards HIPAA RuleiDialogs ControlInherited
Access Control - 164.312(a)(1)System Access PolicyPartially
Audit Controls - 164.312(b)Auditing PolicyYes (optional)
Integrity - 164.312(c)(1)System Access, Auditing, and IDS PoliciesYes (optional)
Person or Entity Authentication - 164.312(d)System Access PolicyYes
Transmission Security - 164.312(e)(1)System Access and Data Management PolicyYes

Organizational Requirements HIPAA RuleiDialogs ControlInherited
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i)Business Associate Agreements and 3rd Parties PoliciesPartially

Policies and Procedures and Documentation RequirementsHIPAA RuleiDialogs ControlInherited
Policies and Procedures - 164.316(a)Policy Management PolicyPartially
Documentation - 164.316(b)(1)(i)Policy Management PolicyPartially

HITECH Act - Security Provisions HIPAA RuleiDialogs ControlInherited
Notification in the Case of Breach - 13402(a) and (b)Breach PolicyPartially
Timelines of Notification - 13402(d)(1)Breach PolicyPartially
Content of Notification - 13402(f)(1)Breach PolicyPartially