icdev 1.0.0__py3-none-any.whl

icdev/data/context/compliance/hipaa_security_rule.json

@@ -0,0 +1,720 @@
+{
+  "metadata": {
+    "title": "HIPAA Security Rule — 45 CFR Parts 160, 162, and 164",
+    "source": "U.S. Department of Health and Human Services, 45 CFR Part 164 Subpart C (Security Standards for the Protection of Electronic Protected Health Information), as amended through 2024",
+    "classification": "CUI // SP-CTI",
+    "version": "1.0",
+    "last_updated": "2026-02-18",
+    "description": "HIPAA Security Rule standards and implementation specifications catalog covering Administrative, Physical, and Technical safeguards plus Organizational Requirements and Policies/Procedures for protection of electronic protected health information (ePHI). Each standard maps to NIST 800-53 Rev 5 controls via crosswalk."
+  },
+  "safeguard_categories": [
+    {
+      "code": "164.308",
+      "name": "Administrative Safeguards",
+      "standard_count": 22,
+      "description": "Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI"
+    },
+    {
+      "code": "164.310",
+      "name": "Physical Safeguards",
+      "standard_count": 8,
+      "description": "Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion"
+    },
+    {
+      "code": "164.312",
+      "name": "Technical Safeguards",
+      "standard_count": 9,
+      "description": "Technology and the policies and procedures for its use that protect ePHI and control access to it"
+    },
+    {
+      "code": "164.314",
+      "name": "Organizational Requirements",
+      "standard_count": 2,
+      "description": "Business associate contracts and other arrangements, and requirements for group health plans"
+    },
+    {
+      "code": "164.316",
+      "name": "Policies and Procedures and Documentation Requirements",
+      "standard_count": 2,
+      "description": "Requirements for maintaining policies, procedures, and documentation of security measures"
+    }
+  ],
+  "requirements": [
+    {
+      "id": "HIPAA-308-A1-R",
+      "section": "164.308(a)(1)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Management Process",
+      "title": "Security Management Process — Standard",
+      "description": "Implement policies and procedures to prevent, detect, contain, and correct security violations. The covered entity or business associate must establish a comprehensive security management process that forms the foundation for all other administrative safeguards.",
+      "implementation_type": "required",
+      "evidence_required": "Security management program documentation, security policies and procedures manual, and evidence of implementation across the organization.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PL-1", "PM-1", "PM-9"]
+    },
+    {
+      "id": "HIPAA-308-A1-ii-A",
+      "section": "164.308(a)(1)(ii)(A)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Management Process",
+      "title": "Risk Analysis",
+      "description": "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. The risk analysis must identify all ePHI that is created, received, maintained, or transmitted, all reasonably anticipated threats to ePHI, current security measures, and the likelihood and impact of potential threats.",
+      "implementation_type": "required",
+      "evidence_required": "Risk analysis report documenting methodology, identified assets containing ePHI, threat identification, vulnerability assessment, risk level determinations, and recommended remediation actions.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["RA-3", "RA-5", "RA-9"]
+    },
+    {
+      "id": "HIPAA-308-A1-ii-B",
+      "section": "164.308(a)(1)(ii)(B)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Management Process",
+      "title": "Risk Management",
+      "description": "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the Security Rule. Risk management must be an ongoing process that addresses risks identified in the risk analysis through implementing appropriate administrative, physical, and technical safeguards. Security measures must be documented and periodically reviewed.",
+      "implementation_type": "required",
+      "evidence_required": "Risk management plan, evidence of security measures implemented to address identified risks, risk acceptance documentation for residual risks, and periodic review records.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PM-9", "RA-3", "CA-5"]
+    },
+    {
+      "id": "HIPAA-308-A1-ii-C",
+      "section": "164.308(a)(1)(ii)(C)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Management Process",
+      "title": "Sanction Policy",
+      "description": "Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. The sanction policy must describe the range of sanctions, the process for determining violations, the adjudication process, and be communicated to all workforce members. Sanctions must be applied consistently and documented.",
+      "implementation_type": "required",
+      "evidence_required": "Documented sanction policy, evidence of communication to workforce, records of sanctions applied, and consistency review documentation.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PS-8", "PL-4"]
+    },
+    {
+      "id": "HIPAA-308-A1-ii-D",
+      "section": "164.308(a)(1)(ii)(D)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Management Process",
+      "title": "Information System Activity Review",
+      "description": "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Reviews must be conducted at a frequency that enables the organization to detect unauthorized access or activity involving ePHI. Findings must be documented and acted upon through the risk management and incident response processes.",
+      "implementation_type": "required",
+      "evidence_required": "Activity review procedures, audit log review records with dates and reviewer identity, findings documentation, and evidence of corrective actions taken.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AU-6", "AU-6(1)", "CA-7"]
+    },
+    {
+      "id": "HIPAA-308-A2-R",
+      "section": "164.308(a)(2)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Assigned Security Responsibility",
+      "title": "Assigned Security Responsibility",
+      "description": "Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for the covered entity or business associate. This individual serves as the HIPAA Security Officer and must have sufficient authority, knowledge, and resources to fulfill the role. The designation must be documented and communicated to the workforce.",
+      "implementation_type": "required",
+      "evidence_required": "Documented designation of HIPAA Security Officer with name, title, and contact information, and evidence of communication to the workforce.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PM-2", "PL-1"]
+    },
+    {
+      "id": "HIPAA-308-A3-i-R",
+      "section": "164.308(a)(3)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Workforce Security",
+      "title": "Workforce Security — Standard",
+      "description": "Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access under the information access management standard from obtaining access to ePHI.",
+      "implementation_type": "required",
+      "evidence_required": "Workforce security policies and procedures, workforce roster with ePHI access designations, and evidence of access restriction enforcement.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AC-1", "PS-1", "PS-2"]
+    },
+    {
+      "id": "HIPAA-308-A3-ii-A",
+      "section": "164.308(a)(3)(ii)(A)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Workforce Security",
+      "title": "Authorization and/or Supervision",
+      "description": "Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Authorization procedures must ensure that workforce members are granted ePHI access only when required for their job functions and that supervisory mechanisms are in place for workforce members with access to ePHI.",
+      "implementation_type": "addressable",
+      "evidence_required": "Authorization procedures, access request and approval records, and supervisory structure documentation for ePHI access areas.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AC-2", "AC-6", "PS-2"]
+    },
+    {
+      "id": "HIPAA-308-A3-ii-B",
+      "section": "164.308(a)(3)(ii)(B)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Workforce Security",
+      "title": "Workforce Clearance Procedure",
+      "description": "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. Clearance procedures must verify that the workforce member's access level is consistent with their role and that appropriate background checks or verifications have been conducted before granting access to ePHI systems.",
+      "implementation_type": "addressable",
+      "evidence_required": "Clearance procedures, access determination records for each workforce member, and background check or verification records.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["PS-3", "AC-2"]
+    },
+    {
+      "id": "HIPAA-308-A3-ii-C",
+      "section": "164.308(a)(3)(ii)(C)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Workforce Security",
+      "title": "Termination Procedures",
+      "description": "Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made under the workforce clearance procedure. Access must be terminated promptly upon separation. Procedures must address retrieval of access devices, deactivation of accounts, and changing of shared credentials.",
+      "implementation_type": "addressable",
+      "evidence_required": "Termination procedures, evidence of timely access revocation upon separation, device retrieval records, and account deactivation logs.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["PS-4", "PS-5", "AC-2"]
+    },
+    {
+      "id": "HIPAA-308-A4-i-R",
+      "section": "164.308(a)(4)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Information Access Management",
+      "title": "Information Access Management — Standard",
+      "description": "Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the HIPAA Privacy Rule. Access management must ensure that only authorized persons or software programs have been granted access and that access is limited to the minimum necessary for the intended purpose.",
+      "implementation_type": "required",
+      "evidence_required": "Information access management policy, access authorization procedures, and evidence of alignment with Privacy Rule minimum necessary requirements.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AC-1", "AC-2", "AC-3"]
+    },
+    {
+      "id": "HIPAA-308-A4-ii-A",
+      "section": "164.308(a)(4)(ii)(A)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Information Access Management",
+      "title": "Isolating Health Care Clearinghouse Functions",
+      "description": "If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Logical or physical separation must be implemented to isolate clearinghouse ePHI processing and storage.",
+      "implementation_type": "required",
+      "evidence_required": "Network segmentation documentation, access control configurations isolating clearinghouse functions, and separation verification testing results.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["SC-7", "AC-4", "SC-3"]
+    },
+    {
+      "id": "HIPAA-308-A4-ii-B",
+      "section": "164.308(a)(4)(ii)(B)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Information Access Management",
+      "title": "Access Authorization",
+      "description": "Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Access authorization must follow a formal request and approval process, be based on the user's role and minimum necessary requirements, and be documented.",
+      "implementation_type": "addressable",
+      "evidence_required": "Access authorization policy, request and approval workflow documentation, role-to-access mapping, and authorization records.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AC-2", "AC-3", "AC-6"]
+    },
+    {
+      "id": "HIPAA-308-A4-ii-C",
+      "section": "164.308(a)(4)(ii)(C)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Information Access Management",
+      "title": "Access Establishment and Modification",
+      "description": "Implement policies and procedures that, based upon the covered entity's or business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. Access rights must be reviewed periodically and modified when workforce member roles change.",
+      "implementation_type": "addressable",
+      "evidence_required": "Access establishment procedures, user access records, periodic access review documentation, and access modification logs.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AC-2", "AC-2(1)", "AC-6"]
+    },
+    {
+      "id": "HIPAA-308-A5-i-R",
+      "section": "164.308(a)(5)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Awareness and Training",
+      "title": "Security Awareness and Training — Standard",
+      "description": "Implement a security awareness and training program for all members of the workforce including management. The program must be tailored to the organization's environment and must address the policies and procedures governing ePHI access and protection. Training must be provided to new workforce members upon hire and periodically thereafter.",
+      "implementation_type": "required",
+      "evidence_required": "Security awareness and training program documentation, training curriculum, training completion records for all workforce members, and new hire training timeline evidence.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AT-1", "AT-2", "AT-4"]
+    },
+    {
+      "id": "HIPAA-308-A5-ii-A",
+      "section": "164.308(a)(5)(ii)(A)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Awareness and Training",
+      "title": "Security Reminders",
+      "description": "Implement periodic security updates and reminders to the workforce. Reminders may include email notifications, posters, newsletter articles, or electronic bulletins addressing current threats, policy changes, seasonal security topics, and lessons learned from security incidents. The frequency and format should be appropriate to the organization's risk profile.",
+      "implementation_type": "addressable",
+      "evidence_required": "Security reminder distribution records with dates and content, and evidence of periodic dissemination to workforce.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AT-2", "AT-2(2)"]
+    },
+    {
+      "id": "HIPAA-308-A5-ii-B",
+      "section": "164.308(a)(5)(ii)(B)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Awareness and Training",
+      "title": "Protection from Malicious Software",
+      "description": "Implement procedures for guarding against, detecting, and reporting malicious software. Training must educate workforce members on recognizing malicious software indicators (phishing emails, suspicious attachments, unusual system behavior), reporting procedures, and the importance of not disabling security software. Technical controls for malicious software protection are addressed in Technical Safeguards.",
+      "implementation_type": "addressable",
+      "evidence_required": "Malicious software awareness training materials, anti-malware procedures, incident reporting procedures for suspected malware, and training completion records.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AT-2", "SI-3"]
+    },
+    {
+      "id": "HIPAA-308-A5-ii-C",
+      "section": "164.308(a)(5)(ii)(C)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Awareness and Training",
+      "title": "Log-In Monitoring",
+      "description": "Implement procedures for monitoring log-in attempts and reporting discrepancies. Workforce members must be trained to recognize and report suspicious login activity, including unexpected account lockouts, login notifications from unfamiliar locations, and unauthorized access attempts on their accounts.",
+      "implementation_type": "addressable",
+      "evidence_required": "Login monitoring procedures, login attempt review records, discrepancy reporting procedures, and training materials covering login security.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AC-7", "AU-2", "SI-4"]
+    },
+    {
+      "id": "HIPAA-308-A5-ii-D",
+      "section": "164.308(a)(5)(ii)(D)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Awareness and Training",
+      "title": "Password Management",
+      "description": "Implement procedures for creating, changing, and safeguarding passwords. Training must cover password complexity requirements, prohibition of password sharing, protection of passwords from disclosure, procedures for changing compromised passwords, and the organization's password policy. Multi-factor authentication guidance should be provided where implemented.",
+      "implementation_type": "addressable",
+      "evidence_required": "Password management procedures, password policy documentation, training materials covering password practices, and training completion records.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["IA-5", "IA-5(1)"]
+    },
+    {
+      "id": "HIPAA-308-A6-R",
+      "section": "164.308(a)(6)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Incident Procedures",
+      "title": "Security Incident Procedures — Standard",
+      "description": "Implement policies and procedures to address security incidents. The security incident procedures must define what constitutes a security incident, establish the incident response team, and define response procedures covering identification, reporting, containment, eradication, recovery, and post-incident analysis.",
+      "implementation_type": "required",
+      "evidence_required": "Security incident response policy and procedures, incident definition criteria, response team roster, and incident handling workflow documentation.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["IR-1", "IR-8"]
+    },
+    {
+      "id": "HIPAA-308-A6-ii",
+      "section": "164.308(a)(6)(ii)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Security Incident Procedures",
+      "title": "Response and Reporting",
+      "description": "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. Security incidents involving ePHI breaches must be reported per the HIPAA Breach Notification Rule (164.400-414). Incident logs must be maintained and reviewed to identify patterns and improve defenses.",
+      "implementation_type": "required",
+      "evidence_required": "Incident response records, mitigation action documentation, breach notification records where applicable, incident outcome reports, and incident trend analysis.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["IR-4", "IR-5", "IR-6"]
+    },
+    {
+      "id": "HIPAA-308-A7-R",
+      "section": "164.308(a)(7)(i)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Contingency Plan — Standard",
+      "description": "Establish and implement as needed policies and procedures for responding to an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that damages systems containing electronic protected health information. The contingency plan must address data backup, disaster recovery, and emergency mode operations.",
+      "implementation_type": "required",
+      "evidence_required": "Contingency plan documentation, evidence of implementation, and plan distribution to responsible personnel.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["CP-1", "CP-2"]
+    },
+    {
+      "id": "HIPAA-308-A7-ii-A",
+      "section": "164.308(a)(7)(ii)(A)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Data Backup Plan",
+      "description": "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Backups must be performed at a frequency appropriate to the organization's risk analysis, stored in a secure location separate from the primary site, and tested regularly to ensure data can be restored. Backup media must be encrypted if stored offsite.",
+      "implementation_type": "required",
+      "evidence_required": "Data backup procedures, backup schedule, backup verification/testing records, offsite storage documentation, and backup encryption evidence.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["CP-9", "CP-9(1)"]
+    },
+    {
+      "id": "HIPAA-308-A7-ii-B",
+      "section": "164.308(a)(7)(ii)(B)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Disaster Recovery Plan",
+      "description": "Establish and implement as needed procedures to restore any loss of data. The disaster recovery plan must define recovery time objectives (RTO) and recovery point objectives (RPO) for ePHI systems, identify critical systems and data, specify recovery procedures, designate responsible personnel, and identify alternate processing facilities if applicable.",
+      "implementation_type": "required",
+      "evidence_required": "Disaster recovery plan with RTO/RPO definitions, critical system inventory, recovery procedures, responsible personnel designations, and plan testing results.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["CP-2", "CP-10"]
+    },
+    {
+      "id": "HIPAA-308-A7-ii-C",
+      "section": "164.308(a)(7)(ii)(C)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Emergency Mode Operation Plan",
+      "description": "Establish and implement as needed procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Emergency mode procedures must address how to maintain ePHI security during system unavailability, manual processing procedures if needed, and criteria for entering and exiting emergency mode.",
+      "implementation_type": "required",
+      "evidence_required": "Emergency mode operation procedures, critical business process identification, manual processing procedures, and emergency mode entry/exit criteria.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["CP-2(1)", "CP-10"]
+    },
+    {
+      "id": "HIPAA-308-A7-ii-D",
+      "section": "164.308(a)(7)(ii)(D)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Testing and Revision Procedures",
+      "description": "Implement procedures for periodic testing and revision of contingency plans. Testing must validate that backup data can be restored, recovery procedures are effective, emergency mode operations are functional, and responsible personnel understand their roles. Plans must be revised based on test results, organizational changes, or lessons learned from actual incidents.",
+      "implementation_type": "addressable",
+      "evidence_required": "Contingency plan testing schedule, test execution records, test results analysis, and plan revision records based on testing or organizational changes.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["CP-3", "CP-4"]
+    },
+    {
+      "id": "HIPAA-308-A7-ii-E",
+      "section": "164.308(a)(7)(ii)(E)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Contingency Plan",
+      "title": "Applications and Data Criticality Analysis",
+      "description": "Assess the relative criticality of specific applications and data in support of other contingency plan components. The analysis must identify all applications that store, process, or transmit ePHI, rank them by criticality to business operations and patient care, and determine the order and priority for restoration during disaster recovery.",
+      "implementation_type": "addressable",
+      "evidence_required": "Application and data criticality analysis document, criticality rankings, restoration priority sequence, and alignment with disaster recovery plan.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["CP-2", "RA-9"]
+    },
+    {
+      "id": "HIPAA-308-A8-R",
+      "section": "164.308(a)(8)",
+      "safeguard_category": "Administrative Safeguards",
+      "safeguard_code": "164.308",
+      "standard": "Evaluation",
+      "title": "Evaluation",
+      "description": "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of the Security Rule. Evaluations may be performed internally or by an external organization.",
+      "implementation_type": "required",
+      "evidence_required": "Evaluation reports (internal or external), evaluation schedule, scope documentation, findings and recommendations, and evidence of corrective actions taken based on evaluation results.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["CA-2", "CA-7", "PM-6"]
+    },
+    {
+      "id": "HIPAA-310-A1-R",
+      "section": "164.310(a)(1)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Facility Access Controls",
+      "title": "Facility Access Controls — Standard",
+      "description": "Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Physical access controls must protect against unauthorized physical access, tampering, and theft of ePHI and related equipment.",
+      "implementation_type": "required",
+      "evidence_required": "Facility access control policy, physical security assessment, and evidence of access control mechanisms (locks, badges, guards) at facilities housing ePHI systems.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PE-1", "PE-2", "PE-3"]
+    },
+    {
+      "id": "HIPAA-310-A2-i",
+      "section": "164.310(a)(2)(i)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Facility Access Controls",
+      "title": "Contingency Operations",
+      "description": "Establish and implement as needed procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Procedures must identify authorized personnel for emergency facility access, access methods during facility disruption, and coordination with physical security personnel.",
+      "implementation_type": "addressable",
+      "evidence_required": "Emergency facility access procedures, authorized emergency access personnel list, and coordination documentation with physical security and disaster recovery teams.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["PE-3", "CP-2", "CP-10"]
+    },
+    {
+      "id": "HIPAA-310-A2-ii",
+      "section": "164.310(a)(2)(ii)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Facility Access Controls",
+      "title": "Facility Security Plan",
+      "description": "Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. The facility security plan must document physical security measures, identify high-security areas, specify access control mechanisms for each area, and address protection of portable devices and media containing ePHI.",
+      "implementation_type": "addressable",
+      "evidence_required": "Facility security plan document, floor plans showing security zones, access control mechanism inventory, and evidence of plan implementation.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["PE-3", "PE-5", "PE-18"]
+    },
+    {
+      "id": "HIPAA-310-A2-iii",
+      "section": "164.310(a)(2)(iii)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Facility Access Controls",
+      "title": "Access Control and Validation Procedures",
+      "description": "Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. Access validation must verify that individuals seeking physical access are authorized for the specific area and purpose. Visitor access must be logged and escorted.",
+      "implementation_type": "addressable",
+      "evidence_required": "Access validation procedures, role-based physical access matrix, visitor logs with escort records, and access control system reports.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["PE-2", "PE-3", "PE-8"]
+    },
+    {
+      "id": "HIPAA-310-A2-iv",
+      "section": "164.310(a)(2)(iv)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Facility Access Controls",
+      "title": "Maintenance Records",
+      "description": "Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security, such as hardware, walls, doors, and locks. Maintenance records must include the date, nature of repair or modification, personnel involved, and impact on security controls.",
+      "implementation_type": "addressable",
+      "evidence_required": "Maintenance records for security-related facility components, maintenance request and completion logs, and documentation of security impact assessments for modifications.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["MA-2", "MA-3", "PE-3"]
+    },
+    {
+      "id": "HIPAA-310-B-R",
+      "section": "164.310(b)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Workstation Use",
+      "title": "Workstation Use",
+      "description": "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Policies must address workstation positioning to prevent unauthorized viewing, automatic screen locks, clean desk practices, and restrictions on personal use of workstations accessing ePHI.",
+      "implementation_type": "required",
+      "evidence_required": "Workstation use policy, workstation configuration standards, evidence of screen positioning or privacy screen requirements, and clean desk policy.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AC-11", "PE-5", "PL-4"]
+    },
+    {
+      "id": "HIPAA-310-C-R",
+      "section": "164.310(c)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Workstation Security",
+      "title": "Workstation Security",
+      "description": "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Physical safeguards may include securing workstations in locked rooms, cable locks, restricting physical access to workstation areas, and implementing measures to prevent theft of portable workstations (laptops, tablets).",
+      "implementation_type": "required",
+      "evidence_required": "Workstation security measures documentation, physical security controls for workstation areas, portable device security measures, and evidence of implementation.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PE-3", "PE-4", "PE-5"]
+    },
+    {
+      "id": "HIPAA-310-D1-R",
+      "section": "164.310(d)(1)",
+      "safeguard_category": "Physical Safeguards",
+      "safeguard_code": "164.310",
+      "standard": "Device and Media Controls",
+      "title": "Device and Media Controls — Standard",
+      "description": "Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Controls must address the entire lifecycle of devices and media from acquisition through disposal.",
+      "implementation_type": "required",
+      "evidence_required": "Device and media control policy, hardware and media inventory, and procedures for receipt, movement, and removal of devices containing ePHI.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["MP-1", "MP-2", "MP-4", "MP-5"]
+    },
+    {
+      "id": "HIPAA-312-A1-R",
+      "section": "164.312(a)(1)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Access Control",
+      "title": "Access Control — Standard",
+      "description": "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in the information access management standard (164.308(a)(4)).",
+      "implementation_type": "required",
+      "evidence_required": "Access control technical implementation documentation, system access control configurations, and evidence of access restriction enforcement.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AC-1", "AC-3"]
+    },
+    {
+      "id": "HIPAA-312-A2-i",
+      "section": "164.312(a)(2)(i)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Access Control",
+      "title": "Unique User Identification",
+      "description": "Assign a unique name and/or number for identifying and tracking user identity. Each user accessing ePHI must have a unique identifier that enables individual accountability. Shared or group accounts are prohibited for accessing ePHI. Service accounts must be uniquely identified and their use limited to authorized automated processes.",
+      "implementation_type": "required",
+      "evidence_required": "User account registry showing unique identifiers for all users, policy prohibiting shared accounts, and evidence of unique identification enforcement in ePHI systems.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["IA-2", "IA-4", "AC-2"]
+    },
+    {
+      "id": "HIPAA-312-A2-ii",
+      "section": "164.312(a)(2)(ii)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Access Control",
+      "title": "Emergency Access Procedure",
+      "description": "Establish and implement as needed procedures for obtaining necessary electronic protected health information during an emergency. Emergency access procedures must define who can authorize emergency access, what level of access is granted, how emergency access is logged and reviewed, and how normal access controls are restored after the emergency. Emergency access events must be audited and reviewed post-incident.",
+      "implementation_type": "required",
+      "evidence_required": "Emergency access procedures, emergency access authorization process, emergency access audit logs, and post-emergency access review records.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AC-2(2)", "CP-2", "IR-4"]
+    },
+    {
+      "id": "HIPAA-312-A2-iii",
+      "section": "164.312(a)(2)(iii)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Access Control",
+      "title": "Automatic Logoff",
+      "description": "Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Automatic logoff protects against unauthorized access to ePHI on unattended workstations or devices. The inactivity timeout period must be appropriate to the environment and risk level, typically not exceeding 15 minutes for clinical systems or 30 minutes for administrative systems.",
+      "implementation_type": "addressable",
+      "evidence_required": "Automatic logoff configuration showing inactivity timeout settings, system-level session timeout policies, and evidence of enforcement across ePHI systems.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["AC-11", "AC-12", "SC-10"]
+    },
+    {
+      "id": "HIPAA-312-A2-iv",
+      "section": "164.312(a)(2)(iv)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Access Control",
+      "title": "Encryption and Decryption",
+      "description": "Implement a mechanism to encrypt and decrypt electronic protected health information. Encryption must use algorithms that are NIST-recommended (e.g., AES-128, AES-256) and validated under FIPS 140-2 or its successor. Encryption must be applied to ePHI at rest on devices and media, and decryption must be limited to authorized users and processes. Key management procedures must ensure secure key generation, storage, distribution, and destruction.",
+      "implementation_type": "addressable",
+      "evidence_required": "Encryption implementation documentation, FIPS 140-2 validation evidence, key management procedures, and encryption coverage analysis for ePHI storage locations.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["SC-28", "SC-28(1)", "SC-13"]
+    },
+    {
+      "id": "HIPAA-312-B-R",
+      "section": "164.312(b)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Audit Controls",
+      "title": "Audit Controls",
+      "description": "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Audit controls must capture sufficient detail to support after-the-fact investigation of security incidents. Audit logs must record user identity, event type, date/time, success/failure indication, and the identity of the ePHI affected. Logs must be reviewed regularly and protected from unauthorized alteration.",
+      "implementation_type": "required",
+      "evidence_required": "Audit logging configuration, sample audit log entries showing required fields, log review procedures and records, and log protection mechanisms.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["AU-2", "AU-3", "AU-6", "AU-9", "AU-12"]
+    },
+    {
+      "id": "HIPAA-312-C1-R",
+      "section": "164.312(c)(1)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Integrity",
+      "title": "Integrity — Standard",
+      "description": "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. Integrity controls must ensure that ePHI is not modified without authorization, that unauthorized modifications are detectable, and that ePHI can be recovered if integrity is compromised.",
+      "implementation_type": "required",
+      "evidence_required": "Data integrity policy, integrity control mechanisms documentation, and evidence of integrity protection for ePHI in storage and processing.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["SI-7", "SI-7(1)"]
+    },
+    {
+      "id": "HIPAA-312-C2",
+      "section": "164.312(c)(2)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Integrity",
+      "title": "Mechanism to Authenticate Electronic Protected Health Information",
+      "description": "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. Authentication mechanisms may include checksums, hash values, digital signatures, or message authentication codes applied to ePHI to detect unauthorized modifications during storage, processing, or transmission.",
+      "implementation_type": "addressable",
+      "evidence_required": "Data integrity verification mechanisms (checksums, hashes, digital signatures), integrity monitoring configuration, and evidence of integrity verification in data workflows.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["SI-7", "SI-7(1)", "SC-8(1)"]
+    },
+    {
+      "id": "HIPAA-312-D-R",
+      "section": "164.312(d)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Person or Entity Authentication",
+      "title": "Person or Entity Authentication",
+      "description": "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Authentication must verify the identity of users before granting access to ePHI using one or more of the following: something known (password, PIN), something possessed (token, smart card), or something inherent (biometric). Multi-factor authentication is strongly recommended for remote access and privileged accounts.",
+      "implementation_type": "required",
+      "evidence_required": "Authentication mechanism documentation, authentication policy, evidence of identity verification before ePHI access, and MFA implementation for remote and privileged access.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["IA-1", "IA-2", "IA-2(1)", "IA-5"]
+    },
+    {
+      "id": "HIPAA-312-E1-R",
+      "section": "164.312(e)(1)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Transmission Security",
+      "title": "Transmission Security — Standard",
+      "description": "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Transmission security must address all network communications that carry ePHI, including internal networks, external networks, and wireless communications.",
+      "implementation_type": "required",
+      "evidence_required": "Transmission security policy, network security architecture showing ePHI transmission paths, and evidence of security measures on all ePHI transmission channels.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["SC-8", "SC-8(1)"]
+    },
+    {
+      "id": "HIPAA-312-E2-i",
+      "section": "164.312(e)(2)(i)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Transmission Security",
+      "title": "Integrity Controls for Transmission",
+      "description": "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. Transmission integrity controls may include checksums, hash verification, or digital signatures applied to ePHI during transmission to detect unauthorized modification in transit.",
+      "implementation_type": "addressable",
+      "evidence_required": "Transmission integrity mechanisms (TLS, digital signatures, message authentication), configuration evidence, and testing results showing integrity verification.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["SC-8(1)", "SI-7"]
+    },
+    {
+      "id": "HIPAA-312-E2-ii",
+      "section": "164.312(e)(2)(ii)",
+      "safeguard_category": "Technical Safeguards",
+      "safeguard_code": "164.312",
+      "standard": "Transmission Security",
+      "title": "Encryption for Transmission",
+      "description": "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. Encryption of ePHI in transit must use NIST-recommended algorithms such as AES and transport protocols such as TLS 1.2 or higher. Encryption is strongly recommended for all ePHI transmissions over public or untrusted networks and is considered a reasonable safeguard in most circumstances. Unencrypted transmission of ePHI must be documented with a risk-based justification.",
+      "implementation_type": "addressable",
+      "evidence_required": "Transport encryption configuration (TLS 1.2+), encryption algorithm documentation, network architecture showing encrypted paths, and risk justification for any unencrypted ePHI transmission.",
+      "priority": "P2",
+      "nist_800_53_crosswalk": ["SC-8(1)", "SC-13"]
+    },
+    {
+      "id": "HIPAA-314-A-R",
+      "section": "164.314(a)(1)",
+      "safeguard_category": "Organizational Requirements",
+      "safeguard_code": "164.314",
+      "standard": "Business Associate Contracts or Other Arrangements",
+      "title": "Business Associate Contracts",
+      "description": "A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information through a written contract or other arrangement. The contract must require the business associate to implement administrative, physical, and technical safeguards, report security incidents, ensure subcontractor compliance, and make ePHI available for breach notification purposes.",
+      "implementation_type": "required",
+      "evidence_required": "Business associate agreements (BAAs) with all applicable business associates, BAA inventory, evidence of required contract provisions, and periodic BAA review records.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["SA-9", "PS-7", "CA-3"]
+    },
+    {
+      "id": "HIPAA-314-B-R",
+      "section": "164.314(b)(1)",
+      "safeguard_category": "Organizational Requirements",
+      "safeguard_code": "164.314",
+      "standard": "Requirements for Group Health Plans",
+      "title": "Group Health Plan Requirements",
+      "description": "Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to specific permitted exceptions, the plan documents of the group health plan must be amended to incorporate provisions requiring the plan sponsor to implement administrative, physical, and technical safeguards to protect ePHI, ensure that any subcontractors agree to implement reasonable safeguards, report security incidents to the group health plan, and ensure that adequate separation between the group health plan and the plan sponsor is maintained.",
+      "implementation_type": "required",
+      "evidence_required": "Amended plan documents with required security provisions, evidence of safeguard implementation by plan sponsor, and separation documentation.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PM-1", "SA-9", "AC-4"]
+    },
+    {
+      "id": "HIPAA-316-A-R",
+      "section": "164.316(a)",
+      "safeguard_category": "Policies and Procedures and Documentation Requirements",
+      "safeguard_code": "164.316",
+      "standard": "Policies and Procedures",
+      "title": "Policies and Procedures",
+      "description": "Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule. Policies and procedures must be tailored to the size, complexity, and technical capabilities of the organization and must take into account the risk analysis and risk management findings. Policies and procedures must be reviewed periodically and updated as needed in response to environmental or operational changes.",
+      "implementation_type": "required",
+      "evidence_required": "Comprehensive security policy and procedure library, evidence of alignment with Security Rule requirements, periodic review records, and update history.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PL-1", "PL-2", "PM-1"]
+    },
+    {
+      "id": "HIPAA-316-B1-R",
+      "section": "164.316(b)(1)",
+      "safeguard_category": "Policies and Procedures and Documentation Requirements",
+      "safeguard_code": "164.316",
+      "standard": "Documentation",
+      "title": "Documentation Requirements",
+      "description": "Maintain the policies and procedures implemented to comply with the Security Rule in written form, which may be electronic. If a communication, action, activity, or assessment is required by the Security Rule to be documented, the covered entity or business associate must maintain a written record of that documentation. Documentation must be retained for at least six years from the date of its creation or the date when it last was in effect, whichever is later. Documentation must be made available to those persons responsible for implementing the procedures to which the documentation pertains and must be reviewed periodically and updated as needed.",
+      "implementation_type": "required",
+      "evidence_required": "Documentation retention policy showing 6-year minimum, evidence of documentation availability to responsible personnel, periodic review records, and documentation inventory.",
+      "priority": "P1",
+      "nist_800_53_crosswalk": ["PL-2", "AU-11", "PM-1"]
+    }
+  ]
+}