Privacy and Security Toolkit [10]
| Category | Requirements |
| --- | --- |
| Administrative | Routine risk analysis of systems and personnel involved in their processes |
| Administrative | Security personnel and a designated security officer |
| Administrative | Implementation of policies and procedures for authorizing role-based access to information |
| Administrative | Authorization, training, and supervision of workforce members, and application of appropriate sanctions should those procedures be violated |
| Administrative | Periodic assessment and evaluation of whether standards are being met |
| Physical | Limited and differentiated facility access and control |
| Physical | Development of policies and procedures regarding workstation and device security, including transfer, removal, disposal, and reuse of electronic media containing e-PHI |
| Technical | Development of policies and procedures to control access to e-PHI, and to ensure the integrity of e-PHI |
| Technical | Implementation of hardware, software, and/or procedural mechanisms to record and examine activity involving e-PHI |
| Technical | Implementation of technical security measures that guard against unauthorized access to e-PHI while it is being transmitted over an electronic network |