Effective Date: 10/01/13, 07/01/16 Page 21 of 21


ACOM POLICY 108, ATTACHMENT A, AHCCCS SECURITY RULE COMPLIANCE SUMMARY CHECKLIST

CONTRACTOR NAME: DATE:

NAME OF THIRD PARTY AUDITING FIRM:

HIPAA SECURITY STANDARD 164.308 - ADMINISTRATIVE SAFEGUARDS

Column legend: STANDARDS | IMPLEMENTATION SPECIFICATIONS | R = REQUIRED, A = ADDRESSABLE | COMPLIANCE STATUS (C = COMPLIANT, NC = NON-COMPLIANT) | COMPLIANCE DOCUMENTATION

Security Management Process, 164.308(a)(1): Risk Analysis [R]
Standard: (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation specification: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Management Process, 164.308(a)(1): Risk Management [R]
Implementation specification: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
Compliance status (C/NC): ______   Compliance documentation: ______


Security Management Process, 164.308(a)(1): Corrective Action Plan (CAP) [R]
Implementation specification: Apply appropriate CAP including sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Management Process, 164.308(a)(1): Information System Activity Review [R]
Implementation specification: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Compliance status (C/NC): ______   Compliance documentation: ______

Assigned Security Responsibility, 164.308(a)(2) [R]
Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
Compliance status (C/NC): ______   Compliance documentation: ______


Workforce Security, 164.308(a)(3): Authorization and/or Supervision [A]
Standard: (3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Implementation specification: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Compliance status (C/NC): ______   Compliance documentation: ______


Workforce Security, 164.308(a)(3): Workforce Clearance Procedures [A]
Implementation specification: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Compliance status (C/NC): ______   Compliance documentation: ______

Workforce Security, 164.308(a)(3): Termination Procedures [A]
Implementation specification: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
Compliance status (C/NC): ______   Compliance documentation: ______


Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function [R]
Standard: (4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Implementation specification: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Compliance status (C/NC): ______   Compliance documentation: ______

Information Access Management, 164.308(a)(4): Access Authorization [A]
Implementation specification: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
Compliance status (C/NC): ______   Compliance documentation: ______


Information Access Management, 164.308(a)(4): Access Establishment and Modification [A]
Implementation specification: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Awareness and Training, 164.308(a)(5): Security Reminders [A]
Standard: (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
Implementation specification: Periodic security updates.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Awareness and Training, 164.308(a)(5): Protection from Malicious Software [A]
Implementation specification: Procedures for guarding against, detecting, and reporting malicious software.
Compliance status (C/NC): ______   Compliance documentation: ______


Security Awareness and Training, 164.308(a)(5): Log-in Monitoring [A]
Implementation specification: Procedures for monitoring log-in attempts and reporting discrepancies.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Awareness and Training, 164.308(a)(5): Password Management [A]
Implementation specification: Procedures for creating, changing, and safeguarding passwords.
Compliance status (C/NC): ______   Compliance documentation: ______

Security Incident Procedures, 164.308(a)(6): Response and Reporting [R]
Standard: (6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
Implementation specification: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Compliance status (C/NC): ______   Compliance documentation: ______


Contingency Plan, 164.308(a)(7): Data Backup Plan [R]
Standard: (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Implementation specification: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Compliance status (C/NC): ______   Compliance documentation: ______

Contingency Plan, 164.308(a)(7): Disaster Recovery Plan [R]
Implementation specification: Establish (and implement as needed) procedures to restore any loss of data.
Compliance status (C/NC): ______   Compliance documentation: ______


Contingency Plan, 164.308(a)(7): Emergency Mode Operation Plan [R]
Implementation specification: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Compliance status (C/NC): ______   Compliance documentation: ______

Contingency Plan, 164.308(a)(7): Testing and Revision Procedure [A]
Implementation specification: Implement procedures for periodic testing and revision of contingency plans.
Compliance status (C/NC): ______   Compliance documentation: ______

Contingency Plan, 164.308(a)(7): Applications and Data Criticality Analysis [A]
Implementation specification: Assess the relative criticality of specific applications and data in support of other contingency plan components.
Compliance status (C/NC): ______   Compliance documentation: ______


Evaluation, 164.308(a)(8) [A]
Standard: (8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Compliance status (C/NC): ______   Compliance documentation: ______


Business Associate Contracts, 164.308(b)(1): Written Contract or Other Arrangement [R]
Standard: (b)(1) Standard: Business Associate Contracts and Other Arrangements. A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a), that the business associate will appropriately safeguard the information.
Implementation specification: Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a).
Compliance status (C/NC): ______   Compliance documentation: ______


Facility Access Controls, 164.310(a): Contingency Operations [A]
Standard: (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation specification: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Compliance status (C/NC): ______   Compliance documentation: ______

Facility Access Controls, 164.310(a): Facility Security Plan [A]
Implementation specification: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Compliance status (C/NC): ______   Compliance documentation: ______


Facility Access Controls, 164.310(a): Access Control and Validation Procedures [A]
Implementation specification: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Compliance status (C/NC): ______   Compliance documentation: ______

Facility Access Controls, 164.310(a): Maintenance Records [A]
Implementation specification: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Compliance status (C/NC): ______   Compliance documentation: ______


Workstation Use, 164.310(b) [R]
Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Compliance status (C/NC): ______   Compliance documentation: ______

Workstation Security, 164.310(c) [R]
Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
Compliance status (C/NC): ______   Compliance documentation: ______


Device and Media Controls, 164.310(d): Disposal [R]
Standard: (d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Implementation specification: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Compliance status (C/NC): ______   Compliance documentation: ______

Device and Media Controls, 164.310(d): Media Re-Use [R]
Implementation specification: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Compliance status (C/NC): ______   Compliance documentation: ______


Device and Media Controls, 164.310(d): Accountability [A]
Implementation specification: Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
Compliance status (C/NC): ______   Compliance documentation: ______

Device and Media Controls, 164.310(d): Data Backup and Storage [A]
Implementation specification: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Compliance status (C/NC): ______   Compliance documentation: ______

Access Control, 164.312(a): Unique User Identification [R]
Standard: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
Implementation specification: Assign a unique name and/or number for identifying and tracking user identity.
Compliance status (C/NC): ______   Compliance documentation: ______


Access Control, 164.312(a): Emergency Access Procedure [R]
Implementation specification: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Compliance status (C/NC): ______   Compliance documentation: ______

Access Control, 164.312(a): Automatic Logoff [A]
Implementation specification: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Compliance status (C/NC): ______   Compliance documentation: ______

Access Control, 164.312(a): Encryption and Decryption [A]
Implementation specification: Implement a mechanism to encrypt and decrypt electronic protected health information.
Compliance status (C/NC): ______   Compliance documentation: ______


Audit Controls, 164.312(b) [A]
Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Compliance status (C/NC): ______   Compliance documentation: ______

Integrity, 164.312(c): Mechanism to Authenticate Electronic PHI [A]
Standard: (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implementation specification: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Compliance status (C/NC): ______   Compliance documentation: ______


Person or Entity Authentication, 164.312(d) [A]
Standard: (d) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Compliance status (C/NC): ______   Compliance documentation: ______

Transmission Security, 164.312(e)(1): Integrity Controls [A]
Standard: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Implementation specification: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Compliance status (C/NC): ______   Compliance documentation: ______


Transmission Security, 164.312(e): Encryption [A]
Implementation specification: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Compliance status (C/NC): ______   Compliance documentation: ______

SIGNATURE OF AUTHORIZED REPRESENTATIVE DATE

TYPED NAME OF AUTHORIZED REPRESENTATIVE

TITLE
