HIPAA - Security Management Process 164.308(a)

Overview:
A covered entity or business associate must, in accordance with 164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations.


Action Items:
1) Obtain and review policies and procedures related to security violations. Evaluate the content relative to the specified performance criteria for countermeasures or safeguards implemented to prevent, detect, contain and correct security violations.

2) Obtain and review documentation demonstrating that policies and procedures have been implemented to prevent, detect, contain, and correct security violations. Evaluate and determine if the process used is in accordance with the related policies and procedures.
3) Obtain and review documentation of security violations and remediation actions. Evaluate and determine if security violations were handled in accordance with the related policies and procedures: whether safeguards or countermeasures are in place to prevent violations from occurring; whether violations are identified and characterized as they happen; whether the extent of any damage caused by violations is limited; and whether a corrective action plan is in place to manage risk.


Related Documents:
1) Incident Response Policies and Procedures
2) Policies and procedures related to security violations
3) Documentation outlining the safeguards implemented to prevent, detect, contain, and correct security violations


Additional Guidance:
The purpose of this standard is to establish the administrative processes and procedures that a covered entity will use to implement the security program in its environment. There are four implementation specifications in the Security Management Process standard:
1. Risk Analysis
2. Risk Management
3. Sanction Policy
4. Information System Activity Review