verification-layer 0.20.0 → 0.22.0

package/templates/physical-safeguards-checklist.md

@@ -0,0 +1,247 @@
+# HIPAA Physical Safeguards Checklist
+
+**Organization:** [ORGANIZATION NAME]
+**Completed By:** [NAME & TITLE]
+**Date:** [DATE]
+**Review Period:** [PERIOD]
+
+---
+
+## Overview
+
+This checklist addresses the Physical Safeguards requirements under HIPAA Security Rule 45 CFR §164.310. Physical safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
+
+**Instructions:** Check all boxes that apply to your organization's setup. Not all controls may be applicable depending on your operating model (fully remote vs. physical office).
+
+---
+
+## SECTION A - Equipment 100% Remoto/Cloud
+
+**Applicable to:** All organizations, including fully remote teams
+
+These controls apply to all workforce members working remotely or with cloud-based systems containing electronic Protected Health Information (ePHI).
+
+### Device Security (§164.310(d)(1) - Device and Media Controls)
+
+- ☐ **Laptops con encriptación de disco completo**
+  - FileVault (macOS) enabled and enforced
+  - BitLocker (Windows) enabled and enforced
+  - Linux: LUKS or dm-crypt full disk encryption
+  - Recovery keys backed up securely
+  - Verification: _________________________
+
+- ☐ **VPN requerida para acceso a sistemas con PHI**
+  - Corporate VPN configured for all workforce members
+  - VPN mandatory for accessing ePHI systems
+  - Split tunneling disabled for ePHI access
+  - VPN provider: _________________________
+
+- ☐ **Política de no-PHI en dispositivos personales**
+  - Written policy prohibiting ePHI on personal devices
+  - Policy communicated to all workforce members
+  - Alternative provided (company-issued devices or secure access methods)
+  - Policy acknowledgment on file
+
+- ☐ **Screen lock automático ≤5 minutos de inactividad**
+  - Automatic screen lock configured: _____ minutes
+  - Password/biometric required to unlock
+  - Enforced via MDM or Group Policy
+  - Verification method: _________________________
+
+- ☐ **Antivirus/anti-malware actualizado en todos los dispositivos**
+  - Antivirus solution: _________________________
+  - Auto-update enabled
+  - Real-time protection active
+  - Regular scans scheduled
+  - Last verification date: _________________________
+
+- ☐ **Backups encriptados de dispositivos**
+  - Backup solution: _________________________
+  - Encryption method: _________________________
+  - Backup frequency: _________________________
+  - Backup tested within last 90 days: Yes ☐ No ☐
+
+- ☐ **Conexión WiFi segura (WPA3 o WPA2 mínimo)**
+  - Home WiFi policy requires WPA2 minimum
+  - WPA3 recommended and documented
+  - Default router passwords changed
+  - Guest networks separated from work networks
+  - Workforce educated on WiFi security
+
+### Additional Remote Controls
+
+- ☐ **Remote device management (MDM) implemented**
+  - MDM solution: _________________________
+  - Remote wipe capability enabled
+  - Device compliance monitoring active
+
+- ☐ **Lost/stolen device reporting procedure**
+  - Documented procedure in place
+  - 24/7 reporting contact: _________________________
+  - Remote wipe process tested
+
+---
+
+## SECTION B - Oficina Física (adicional a Sección A)
+
+**Applicable to:** Organizations with physical office locations where ePHI is accessed, stored, or processed
+
+These controls are **in addition to** all Section A requirements. Physical offices require both remote security controls (Section A) and physical security controls (Section B).
+
+### Facility Access Controls (§164.310(a)(1))
+
+- ☐ **Control de acceso a la oficina (llave, badge, o biométrico)**
+  - Access control system type: _________________________
+  - Access restricted to authorized workforce members only
+  - Access logs maintained and reviewed
+  - Lost/stolen key/badge procedure documented
+  - After-hours access requires authorization
+
+- ☐ **Visitantes escoltados y registrados**
+  - Visitor log maintained (name, date, time in/out, purpose)
+  - All visitors escorted by authorized workforce member
+  - Visitor badges issued and collected
+  - Log retention: 6 years minimum
+  - Log location: _________________________
+
+### Workstation Security (§164.310(c))
+
+- ☐ **Monitores posicionados para evitar shoulder surfing**
+  - Workstations positioned away from windows/public view
+  - Privacy screens installed where necessary
+  - Hot-desking/shared workspace policy addresses ePHI security
+  - Desk arrangement reviewed: _________________________
+
+- ☐ **Política de escritorio limpio (clean desk policy)**
+  - Written clean desk policy in place
+  - No ePHI left visible when unattended
+  - Documents secured at end of day
+  - Policy communicated and enforced
+  - Random compliance checks conducted
+
+### Device and Media Controls (§164.310(d)(1))
+
+- ☐ **Documentos físicos con PHI bajo llave**
+  - Locked file cabinets for ePHI documents
+  - Keys restricted to authorized personnel
+  - File cabinet locations: _________________________
+  - Access log maintained
+
+- ☐ **Destrucción segura de documentos (shredder cross-cut)**
+  - Cross-cut shredder available (DIN P-4 or higher)
+  - Shredder location: _________________________
+  - Secure disposal bins for ePHI documents
+  - Shredding log maintained
+  - Certificate of destruction obtained (if using service)
+
+### Additional Physical Controls
+
+- ☐ **Cámaras de seguridad en áreas con acceso a PHI**
+  - Camera coverage of: _________________________
+  - Recording retention period: _____ days
+  - Footage access restricted to: _________________________
+  - Camera system tested and maintained
+
+- ☐ **Server/network equipment physically secured**
+  - Server room/closet locked
+  - Key access restricted to: _________________________
+  - Environmental controls (temperature, humidity, fire suppression)
+  - Equipment maintenance logs maintained
+
+- ☐ **Alarm system installed and monitored**
+  - Alarm type: _________________________
+  - Monitoring service: _________________________
+  - After-hours intrusion alerts configured
+
+---
+
+## Contingency Operations (§164.310(a)(2))
+
+Applicable to all organizations:
+
+- ☐ **Disaster recovery plan documented**
+  - Plan addresses facility access during emergency
+  - Alternative work site identified (if applicable)
+  - Plan tested within last 12 months
+
+- ☐ **Emergency power (if applicable)**
+  - UPS for critical systems
+  - Generator backup (if applicable)
+  - Last test date: _________________________
+
+---
+
+## Device Disposal and Media Re-use (§164.310(d)(2))
+
+- ☐ **Secure device disposal procedure**
+  - Hard drives physically destroyed or wiped (DoD 5220.22-M or NIST 800-88)
+  - Certificate of destruction obtained
+  - Disposal log maintained
+  - Last disposal date: _________________________
+
+- ☐ **Media sanitization before re-use**
+  - Procedure documented
+  - Verification process in place
+  - Re-use log maintained
+
+---
+
+## Accountability (§164.310(d)(1))
+
+- ☐ **Hardware inventory maintained**
+  - All devices containing ePHI tracked
+  - Inventory updated quarterly
+  - Last update: _________________________
+
+- ☐ **Device check-in/check-out log**
+  - Portable devices tracked
+  - Checkout authorization required
+  - Return inspection process
+
+---
+
+## Annual Review & Attestation
+
+### Findings Summary
+
+**Compliant Items:** _____ / _____
+**Items Requiring Remediation:** _____
+**Target Remediation Date:** _________________________
+
+### Remediation Plan
+
+| Item | Priority | Responsible Party | Target Date | Status |
+|------|----------|-------------------|-------------|--------|
+|      |          |                   |             |        |
+|      |          |                   |             |        |
+|      |          |                   |             |        |
+
+### Attestation
+
+I certify that this checklist accurately reflects the physical safeguards in place for our organization as of the date above. I understand that physical safeguards must be maintained continuously and reviewed at least annually per HIPAA requirements.
+
+**Signature:** \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+
+**Name:** [NAME]
+
+**Title:** [TITLE]
+
+**Date:** \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+
+---
+
+## References
+
+- **45 CFR §164.310(a)(1)** - Facility Access Controls
+- **45 CFR §164.310(a)(2)(i)** - Contingency Operations
+- **45 CFR §164.310(b)** - Workstation Use
+- **45 CFR §164.310(c)** - Workstation Security
+- **45 CFR §164.310(d)(1)** - Device and Media Controls
+- **45 CFR §164.310(d)(2)** - Data Backup and Storage
+
+**Retention:** This checklist must be retained for a minimum of six (6) years from the date of its creation or the date when it last was in effect, whichever is later (45 CFR §164.316(b)(2)).
+
+---
+
+*Generated using vlayer - HIPAA Compliance Scanner*
+*https://github.com/Francosimon53/verification-layer*

package/templates/security-officer-designation.md

@@ -0,0 +1,237 @@
+# HIPAA SECURITY OFFICER DESIGNATION
+
+**Organization:** [COMPANY NAME]
+**Date:** [DATE]
+**EIN/Tax ID:** [EIN] *(optional)*
+
+---
+
+## DESIGNATION
+
+Pursuant to **45 CFR §164.308(a)(2)**, [COMPANY NAME] hereby designates the following individual as the **HIPAA Security Officer** responsible for the development, implementation, and maintenance of policies and procedures required by the HIPAA Security Rule to protect electronic protected health information (ePHI).
+
+> **REGULATORY REQUIREMENT**: The HIPAA Security Rule mandates that covered entities and business associates must "identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity." This designation fulfills that requirement.
+
+---
+
+## DESIGNATED SECURITY OFFICER
+
+**Name:** [FULL NAME]
+**Title:** [JOB TITLE]
+**Email:** [EMAIL]
+**Phone:** [PHONE]
+**Start Date:** [DATE]
+
+---
+
+## RESPONSIBILITIES
+
+The Security Officer shall be responsible for:
+
+1. **Overseeing compliance** with the HIPAA Security Rule (45 CFR Part 164, Subpart C)
+
+2. **Conducting and documenting risk analyses** at least annually, identifying threats and vulnerabilities to ePHI
+
+3. **Developing and maintaining** security policies and procedures covering:
+   - Administrative safeguards
+   - Physical safeguards
+   - Technical safeguards
+   - Organizational requirements
+   - Documentation requirements
+
+4. **Managing the security incident response process**, including:
+   - Incident detection and reporting
+   - Investigation and containment
+   - Breach risk assessments
+   - Notification to affected individuals and HHS when required
+   - Post-incident analysis and corrective actions
+
+5. **Ensuring workforce security awareness training** is completed annually for all workforce members with access to ePHI
+
+6. **Reviewing and approving access** to electronic systems containing ePHI, including:
+   - Access authorization procedures
+   - Access establishment and modification
+   - Access termination procedures
+   - Periodic access reviews
+
+7. **Overseeing Business Associate compliance verification**, including:
+   - Reviewing Business Associate Agreements (BAAs)
+   - Monitoring BA security practices
+   - Coordinating incident response with BAs
+
+8. **Maintaining documentation** of security measures for a minimum of **6 years** from creation or when last in effect, whichever is later (45 CFR §164.316(b)(2))
+
+9. **Coordinating penetration testing and vulnerability scanning** to identify security weaknesses
+
+10. **Reporting security matters** to organizational leadership, including:
+    - Annual risk assessment results
+    - Security incidents and breaches
+    - Compliance status updates
+    - Resource needs and budget requests
+
+---
+
+## AUTHORITY
+
+The Security Officer has the authority to:
+
+- ✓ **Approve or deny access** to systems containing ePHI based on job responsibilities and the principle of minimum necessary
+
+- ✓ **Initiate security incident response procedures** immediately upon detection of a security incident
+
+- ✓ **Require workforce members to complete security training** as a condition of maintaining access to ePHI
+
+- ✓ **Recommend disciplinary action** for security policy violations, up to and including termination of access or employment
+
+- ✓ **Engage external security consultants** as needed for assessments, audits, incident response, or specialized expertise
+
+- ✓ **Implement technical and administrative controls** necessary to protect ePHI in accordance with the Security Rule
+
+- ✓ **Suspend or revoke access** to ePHI in emergency situations or when a security threat is identified
+
+- ✓ **Coordinate with legal counsel** on breach determinations and regulatory notifications
+
+---
+
+## REPORTING STRUCTURE
+
+**Reports To:** [EXECUTIVE TITLE, e.g., CEO, CTO, Compliance Officer]
+
+**Collaborates With:**
+- Privacy Officer (HIPAA Privacy Rule compliance)
+- IT Department (technical implementation)
+- Legal/Compliance (regulatory guidance)
+- Human Resources (workforce security)
+
+---
+
+## BACKUP/INTERIM SECURITY OFFICER
+
+In the event the designated Security Officer is unavailable (vacation, leave, resignation), the following individual shall serve as the interim Security Officer:
+
+**Backup Name:** [FULL NAME]
+**Title:** [JOB TITLE]
+**Email:** [EMAIL]
+**Phone:** [PHONE]
+
+---
+
+## TERM
+
+This designation is effective from [START DATE] and continues until:
+- Resignation or termination of the Security Officer
+- Appointment of a successor Security Officer
+- Organizational restructuring requiring reassignment
+
+Any changes to this designation must be documented in writing and retained for **6 years**.
+
+---
+
+## COMPLIANCE OBLIGATIONS
+
+The Security Officer must ensure the organization complies with all applicable HIPAA Security Rule standards:
+
+### Administrative Safeguards (§164.308)
+- Security management process (risk analysis, risk management, sanction policy, information system activity review)
+- Assigned security responsibility *(this designation)*
+- Workforce security (authorization, supervision, termination, clearance)
+- Information access management
+- Security awareness and training
+- Security incident procedures
+- Contingency planning (data backup, disaster recovery, emergency mode, testing, applications and data criticality)
+- Evaluation (periodic technical and non-technical evaluations)
+- Business associate contracts
+
+### Physical Safeguards (§164.310)
+- Facility access controls
+- Workstation use and security
+- Device and media controls
+
+### Technical Safeguards (§164.312)
+- Access control (unique user identification, emergency access, automatic logoff, encryption)
+- Audit controls
+- Integrity controls
+- Transmission security
+
+### Organizational Requirements (§164.314)
+- Business associate contracts and other arrangements
+
+### Policies, Procedures, and Documentation (§164.316)
+- Documentation requirements (time limit, availability, updates)
+
+---
+
+## ACKNOWLEDGED AND APPROVED
+
+By signing below, the authorizing officer confirms the designation of the Security Officer and grants the authority necessary to fulfill the responsibilities outlined in this document.
+
+**Signature:** ___________________________________
+**Name:** [AUTHORIZING OFFICER NAME]
+**Title:** [AUTHORIZING OFFICER TITLE, e.g., CEO, President]
+**Date:** ___________________
+
+---
+
+## ACCEPTED
+
+By signing below, the designated Security Officer acknowledges acceptance of this appointment and the responsibilities, authorities, and obligations outlined in this document.
+
+**Signature:** ___________________________________
+**Name:** [SECURITY OFFICER NAME]
+**Title:** [JOB TITLE]
+**Date:** ___________________
+
+---
+
+## DISTRIBUTION
+
+This designation document should be distributed to:
+
+☐ Designated Security Officer
+☐ Executive Leadership
+☐ Human Resources
+☐ Privacy Officer
+☐ IT Department
+☐ Legal/Compliance Department
+☐ All workforce members (notification of designation)
+
+---
+
+## DOCUMENT CONTROL
+
+**Document ID:** SEC-OFF-[YEAR]-001
+**Version:** 1.0
+**Effective Date:** [DATE]
+**Next Review Date:** [DATE + 1 YEAR]
+**Retention Period:** 6 years from creation or last effective date
+
+### Revision History
+
+| Version | Date | Changes | Approved By |
+|---------|------|---------|-------------|
+| 1.0 | [DATE] | Initial designation | [NAME] |
+|     |        |                     |         |
+
+---
+
+## NOTES
+
+**For Small Organizations:**
+The Security Officer role can be fulfilled by the same individual serving as Privacy Officer, Compliance Officer, or other leadership role. HIPAA does not require this to be a full-time dedicated position, but the responsibilities must be fulfilled regardless of organization size.
+
+**For Remote/Cloud Organizations:**
+Even if your organization operates entirely in the cloud without physical facilities, you must still designate a Security Officer responsible for ePHI security across all cloud services and platforms.
+
+**Annual Review:**
+This designation should be reviewed annually to ensure it remains current and the designated individual has the necessary authority and resources to fulfill their responsibilities.
+
+---
+
+**Retention:** This document must be retained for a minimum of **six (6) years** from the date of its creation or the date when it last was in effect, whichever is later (45 CFR §164.316(b)(2)).
+
+---
+
+*This Security Officer Designation template was generated using vlayer - HIPAA Compliance Scanner*
+*https://github.com/Francosimon53/verification-layer*
+
+*Template complies with 45 CFR §164.308(a)(2) - Security Management Process: Assigned Security Responsibility*