Appendix A

Standards	Sections	Implementation Specifications (R)=Required, (A)=Addressable
Security Management Process	[164.308(a)(1)]	Risk Analysis (R)
		Risk Management (R)
		Sanction Policy (R)
		Information System Activity Review (R)
Assigned Security Responsibility	[164.308(a)(2)]	(R)
Workforce Security	[164.308(a)(3)]	Authorization and/or Supervision (A)
		Workforce Clearance Procedure (A)
		Termination Procedures (A)
Information Access Management	[164.308(a)(4)]	Isolating Healthcare Clearinghouse Function (R)
		Access Authorization (A)
		Access Establishment and Modification (A)
Security Awareness and Training	[164.308(a)(5)]	Security Reminders (A)
		Protection from Malicious Software (A)
		Log-in Monitoring (A)
		Password Management (A)
Security Incident Procedures	[164.308(a)(6)]	Response and Reporting (R)
Contingency Plan	[164.308(a)(7)]	Data Backup Plan (R)
		Disaster Recovery Plan (R)
		Emergency Mode Operation Plan (R)
		Testing and Revision Procedure (A)
		Applications and Data Criticality Analysis (A)
Evaluation	[164.308(a)(8)]	(R)
Business Associate Contracts and Other Arrangement.	[164.308(b)(1)]	Written Contract or Other Arrangement (R)
Facility Access Controls	[164.310(a)(1)]	Contingency Operations (A)
		Facility Security Plan (A)
		Access Control and Validation Procedures (A)
		Maintenance Records (A)
Workstation Use	[164.310(b)]	(R)
Workstation Security	[164.310(c)]	(R)
Device and Media Controls	[164.310(d)(1)]	Disposal (R)
		Media Re-use (R)
		Accountability (A)
		Data Backup and Storage (A)
Access Control	[164.312(a)(1)]	Unique User Identification (R)
		Emergency Access Procedure (R)
		Automatic Logoff (A)
		Encryption and Decryption (A)
Audit Controls	[164.312(b)]	(R)
Integrity	[164.312(c)(1)]	Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication	[164.312(d)]	(R)
Transmission Security	[164.312(e)(1)]	Integrity Controls (A)
Transmission Security	[164.312(e)(1)]	Encryption (A)