|Access controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).|
|Have you assigned a unique name and/or number for identifying and tracking user identity? (R)|
|Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)|
|164.312(a)(2)(iii)||Have you implemented procedures that terminate an electronic session after a|
|predetermined time of inactivity? (A)|
|Have you implemented a mechanism to encrypt and decrypt EPHI? (A)|
|Have you implemented audit controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)|
|Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction.|
|Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)|
|164.312(d)||Have you implemented person or entity authentication procedures to verify a person or entity seeking access EPHI is the one claimed? (R)|
|164.312(e)(1)||Transmission security: Implement technical security measures to guard against
unauthorized access to EPHI being transmitted over an electronic communications network.
|164.312(e)(2)(i)||Have you implemented security measures to ensure electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)|
|164.312(e)(2)(ii)||Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate?