← Frameworks / HIPAA Security Rule / Control Mappings

HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C)

US federal regulation establishing national standards for protecting electronic protected health information (ePHI). 63 specifications across administrative safeguards (security management, workforce security, information access, awareness training, security incident procedures, contingency planning), physical safeguards (facility access, workstation use, device controls), and technical safeguards (access control, audit controls, integrity, authentication, transmission security). Covers all HIPAA covered entities and business associates.

Controls: 161

Total Mappings: 396

Publisher: U.S. Department of Health and Human Services (HHS) Version: 2013 (Omnibus Rule)

HIPAA Security Rule → SP 800-53 SP 800-53 → HIPAA Security Rule Coverage Analysis

AC (14) AT (5) AU (14) CA (5) CM (4) CP (12) IA (11) IR (9) MA (5) MP (7) PE (13) PL (5) PM (11) PS (8) PT (1) RA (6) SA (4) SC (15) SI (8) SR (4)

AC Access Control

Control	Name	HIPAA Security Rule References
AC-01	Access Control Policies and Procedures	§164.308(a)(3)(i)§164.308(a)(4)(i)§164.310(b)§164.312(a)(1)§164.316(a)
AC-02	Account Management	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)§164.308(a)(3)(ii)(C)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.312(a)(2)(i)§164.312(a)(2)(ii)
AC-03	Access Enforcement	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.314(b)(2)
AC-04	Information Flow Enforcement	§164.308(a)(4)(i)§164.308(a)(4)(ii)(A)§164.314(b)(1)§164.314(b)(2)
AC-05	Separation Of Duties	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(4)(ii)(C)
AC-06	Least Privilege	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.314(b)(2)
AC-07	Unsuccessful Login Attempts	§164.308(a)(5)(ii)(C)§164.312(a)(1)
AC-11	Session Lock	§164.310(b)§164.310(c)§164.312(a)(1)§164.312(a)(2)(iii)
AC-12	Session Termination	§164.312(a)(2)(iii)
AC-14	Permitted Actions Without Identification Or Authentication	§164.312(a)(2)(ii)
AC-17	Remote Access	§164.310(b)§164.312(a)(1)§164.312(e)(1)
AC-18	Wireless Access Restrictions	§164.312(e)(1)
AC-20	Use Of External Information Systems	§164.310(b)
AC-24	Access Control Decisions	§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.312(a)(1)

AT Awareness and Training

Control	Name	HIPAA Security Rule References
AT-01	Security Awareness And Training Policy And Procedures	§164.308(a)(5)(i)§164.316(a)
AT-02	Security Awareness	§164.308(a)(5)(i)§164.308(a)(5)(ii)(A)§164.308(a)(5)(ii)(B)
AT-03	Security Training	§164.308(a)(5)(i)
AT-04	Security Training Records	§164.308(a)(5)(i)
AT-06	Training Feedback	§164.308(a)(5)(i)§164.308(a)(5)(ii)(A)

AU Audit and Accountability

Control	Name	HIPAA Security Rule References
AU-01	Audit And Accountability Policy And Procedures	§164.308(a)(1)(ii)(D)§164.312(b)§164.316(a)§164.316(b)(1)
AU-02	Auditable Events	§164.308(a)(1)(ii)(D)§164.308(a)(5)(ii)(C)§164.312(b)
AU-03	Content Of Audit Records	§164.308(a)(1)(ii)(D)§164.312(b)
AU-04	Audit Storage Capacity	§164.312(b)
AU-05	Response To Audit Processing Failures	§164.312(b)
AU-06	Audit Monitoring, Analysis, And Reporting	§164.308(a)(1)(ii)(D)§164.308(a)(5)(ii)(C)§164.308(a)(6)(ii)§164.312(b)
AU-07	Audit Reduction And Report Generation	§164.308(a)(1)(ii)(D)§164.312(b)
AU-08	Time Stamps	§164.312(b)
AU-09	Protection Of Audit Information	§164.308(a)(1)(ii)(D)§164.312(b)
AU-10	Non-Repudiation	§164.312(c)(2)§164.312(e)(2)(i)
AU-11	Audit Record Retention	§164.308(a)(1)(ii)(D)§164.312(b)§164.316(b)(2)(i)
AU-12	Audit Record Generation	§164.308(a)(1)(ii)(D)§164.308(a)(5)(ii)(C)§164.312(b)
AU-13	Monitoring for Information Disclosure	§164.308(a)(1)(ii)(D)
AU-14	Session Audit	§164.308(a)(1)(ii)(D)§164.312(b)

CA Security Assessment and Authorization

Control	Name	HIPAA Security Rule References
CA-01	Certification, Accreditation, And Security Assessment Policies And Procedures	§164.308(a)(8)§164.316(a)§164.316(b)(1)
CA-02	Security Assessments	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(7)(ii)(D)§164.308(a)(8)
CA-03	Information System Connections	§164.308(b)(1)§164.308(b)(3)§164.314(a)(1)§164.314(a)(2)
CA-05	Plan Of Action And Milestones	§164.308(a)(1)(i)§164.308(a)(1)(ii)(B)§164.308(a)(8)
CA-07	Continuous Monitoring	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(1)(ii)(B)§164.308(a)(1)(ii)(D)§164.308(a)(7)(ii)(D)§164.308(a)(8)§164.316(b)(2)(iii)

CM Configuration Management

Control	Name	HIPAA Security Rule References
CM-01	Configuration Management Policy And Procedures	§164.316(a)§164.316(b)(1)
CM-03	Configuration Change Control	§164.316(b)(2)(iii)
CM-06	Configuration Settings	§164.316(b)(2)(ii)
CM-08	Information System Component Inventory	§164.310(d)(2)(iii)

CP Contingency Planning

Control	Name	HIPAA Security Rule References
CP-01	Contingency Planning Policy And Procedures	§164.308(a)(7)(i)§164.316(a)
CP-02	Contingency Plan	§164.308(a)(7)(i)§164.308(a)(7)(ii)(B)§164.308(a)(7)(ii)(C)§164.308(a)(7)(ii)(E)§164.310(a)(2)(i)§164.312(a)(2)(ii)
CP-03	Contingency Training	§164.308(a)(7)(i)§164.308(a)(7)(ii)(D)
CP-04	Contingency Plan Testing And Exercises	§164.308(a)(7)(i)§164.308(a)(7)(ii)(D)
CP-06	Alternate Storage Site	§164.308(a)(7)(i)§164.308(a)(7)(ii)(A)§164.308(a)(7)(ii)(B)§164.310(d)(2)(iv)
CP-07	Alternate Processing Site	§164.308(a)(7)(i)§164.308(a)(7)(ii)(B)§164.310(a)(2)(i)
CP-08	Telecommunications Services	§164.308(a)(7)(i)§164.308(a)(7)(ii)(B)
CP-09	Information System Backup	§164.308(a)(7)(i)§164.308(a)(7)(ii)(A)§164.310(d)(2)(iv)
CP-10	Information System Recovery And Reconstitution	§164.308(a)(7)(i)§164.308(a)(7)(ii)(B)§164.308(a)(7)(ii)(C)§164.312(a)(2)(ii)
CP-11	Alternate Communications Protocols	§164.308(a)(7)(ii)(C)
CP-12	Safe Mode	§164.308(a)(7)(ii)(C)
CP-13	Alternative Security Mechanisms	§164.308(a)(7)(ii)(C)

IA Identification and Authentication

Control	Name	HIPAA Security Rule References
IA-01	Identification And Authentication Policy And Procedures	§164.308(a)(5)(ii)(D)§164.312(a)(2)(i)§164.312(d)§164.316(a)
IA-02	User Identification And Authentication	§164.310(a)(2)(iii)§164.312(a)(2)(i)§164.312(d)
IA-03	Device Identification And Authentication	§164.312(d)
IA-04	Identifier Management	§164.308(a)(3)(ii)(C)§164.308(a)(4)(ii)(C)§164.308(a)(5)(ii)(D)§164.312(a)(2)(i)§164.312(d)
IA-05	Authenticator Management	§164.308(a)(4)(ii)(C)§164.308(a)(5)(ii)(D)§164.312(d)
IA-06	Authenticator Feedback	§164.308(a)(5)(ii)(D)§164.312(d)
IA-07	Cryptographic Module Authentication	§164.312(d)
IA-08	Identification and Authentication (Non-Organizational Users)	§164.310(a)(2)(iii)§164.312(a)(2)(i)§164.312(d)
IA-09	Service Identification and Authentication	§164.312(d)
IA-11	Re-authentication	§164.308(a)(5)(ii)(D)§164.312(d)
IA-12	Identity Proofing	§164.312(d)

IR Incident Response

Control	Name	HIPAA Security Rule References
IR-01	Incident Response Policy And Procedures	§164.308(a)(6)(i)§164.316(a)
IR-02	Incident Response Training	§164.308(a)(6)(i)
IR-03	Incident Response Testing And Exercises	§164.308(a)(6)(i)
IR-04	Incident Handling	§164.308(a)(6)(i)§164.308(a)(6)(ii)
IR-05	Incident Monitoring	§164.308(a)(6)(i)§164.308(a)(6)(ii)
IR-06	Incident Reporting	§164.308(a)(6)(i)§164.308(a)(6)(ii)
IR-07	Incident Response Assistance	§164.308(a)(6)(i)§164.308(a)(6)(ii)
IR-08	Incident Response Plan	§164.308(a)(6)(i)
IR-09	Information Spillage Response	§164.308(a)(6)(i)

MA Maintenance

Control	Name	HIPAA Security Rule References
MA-01	System Maintenance Policy And Procedures	§164.310(a)(2)(iv)§164.316(a)
MA-02	Controlled Maintenance	§164.310(a)(2)(iv)
MA-03	Maintenance Tools	§164.310(a)(2)(iv)
MA-05	Maintenance Personnel	§164.310(a)(2)(iv)
MA-06	Timely Maintenance	§164.310(a)(2)(iv)

MP Media Protection

Control	Name	HIPAA Security Rule References
MP-01	Media Protection Policy And Procedures	§164.310(d)(1)§164.310(d)(2)(i)§164.316(a)
MP-02	Media Access	§164.310(c)§164.310(d)(1)
MP-03	Media Labeling	§164.310(d)(1)
MP-04	Media Storage	§164.308(a)(7)(ii)(A)§164.310(d)(1)§164.310(d)(2)(iii)§164.310(d)(2)(iv)
MP-05	Media Transport	§164.308(a)(7)(ii)(A)§164.310(d)(1)§164.310(d)(2)(iii)
MP-06	Media Sanitization And Disposal	§164.310(d)(1)§164.310(d)(2)(i)§164.310(d)(2)(ii)
MP-07	Media Use	§164.310(d)(1)§164.310(d)(2)(ii)

PE Physical and Environmental Protection

Control	Name	HIPAA Security Rule References
PE-01	Physical And Environmental Protection Policy And Procedures	§164.310(a)(1)§164.310(a)(2)(i)§164.310(a)(2)(ii)§164.310(c)§164.316(a)
PE-02	Physical Access Authorizations	§164.310(a)(1)§164.310(a)(2)(ii)§164.310(a)(2)(iii)§164.310(c)
PE-03	Physical Access Control	§164.310(a)(1)§164.310(a)(2)(i)§164.310(a)(2)(ii)§164.310(a)(2)(iii)§164.310(c)
PE-04	Access Control For Transmission Medium	§164.310(a)(1)
PE-05	Access Control For Display Medium	§164.310(a)(1)
PE-06	Monitoring Physical Access	§164.310(a)(1)§164.310(a)(2)(ii)§164.310(a)(2)(iii)
PE-07	Visitor Control	§164.310(a)(1)
PE-08	Access Records	§164.310(a)(1)§164.310(a)(2)(iii)
PE-10	Emergency Shutoff	§164.308(a)(7)(ii)(C)§164.310(a)(2)(i)
PE-11	Emergency Power	§164.308(a)(7)(ii)(C)§164.310(a)(2)(i)
PE-16	Delivery And Removal	§164.310(d)(2)(iii)
PE-18	Location Of Information System Components	§164.310(a)(1)§164.310(b)
PE-20	Asset Monitoring and Tracking	§164.310(d)(2)(iii)

PL Planning

Control	Name	HIPAA Security Rule References
PL-01	Security Planning Policy And Procedures	§164.308(a)(1)(i)§164.308(a)(2)§164.316(a)
PL-02	System Security Plan	§164.308(a)(1)(i)§164.308(a)(1)(ii)(B)§164.310(a)(2)(ii)§164.316(a)§164.316(b)(1)§164.316(b)(2)(ii)§164.316(b)(2)(iii)
PL-04	Rules Of Behavior	§164.308(a)(1)(ii)(C)§164.310(b)§164.316(a)
PL-10	Baseline Selection	§164.308(a)(1)(ii)(B)
PL-11	Baseline Tailoring	§164.308(a)(1)(ii)(B)

PM Program Management

Control	Name	HIPAA Security Rule References
PM-01	Information Security Program Plan	§164.308(a)(1)(i)§164.308(a)(2)§164.316(a)§164.316(b)(1)§164.316(b)(2)(ii)§164.316(b)(2)(iii)
PM-02	Information Security Program Leadership Role	§164.308(a)(2)
PM-03	Information Security and Privacy Resources	§164.308(a)(1)(i)§164.316(a)
PM-06	Measures of Performance	§164.308(a)(8)
PM-08	Critical Infrastructure Plan	§164.308(b)(1)§164.314(a)(1)§164.314(b)(1)
PM-09	Risk Management Strategy	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(1)(ii)(B)§164.316(a)
PM-10	Authorization Process	§164.308(a)(1)(i)§164.308(a)(1)(ii)(B)§164.308(a)(2)
PM-11	Mission and Business Process Definition	§164.308(a)(1)(i)§164.308(a)(7)(ii)(E)
PM-13	Security and Privacy Workforce	§164.308(a)(5)(i)§164.308(a)(5)(ii)(A)
PM-14	Testing, Training, and Monitoring	§164.308(a)(5)(i)§164.308(a)(8)
PM-24	Data Integrity Board	§164.308(a)(2)

PS Personnel Security

Control	Name	HIPAA Security Rule References
PS-01	Personnel Security Policy And Procedures	§164.308(a)(1)(ii)(C)§164.308(a)(2)§164.308(a)(3)(i)§164.316(a)
PS-02	Position Categorization	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)
PS-03	Personnel Screening	§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)
PS-04	Personnel Termination	§164.308(a)(3)(i)§164.308(a)(3)(ii)(C)
PS-05	Personnel Transfer	§164.308(a)(3)(i)§164.308(a)(3)(ii)(C)
PS-06	Access Agreements	§164.308(a)(1)(ii)(C)§164.308(a)(3)(i)§164.308(a)(3)(ii)(B)§164.308(a)(4)(ii)(B)
PS-07	Third-Party Personnel Security	§164.308(a)(3)(i)§164.308(b)(1)§164.308(b)(3)§164.314(a)(1)§164.314(a)(2)
PS-08	Personnel Sanctions	§164.308(a)(1)(ii)(C)§164.308(a)(3)(ii)(C)

PT Personally Identifiable Information Processing and Transparency

Control	Name	HIPAA Security Rule References
PT-01	Policy and Procedures	§164.308(b)(1)§164.316(a)

RA Risk Assessment

Control	Name	HIPAA Security Rule References
RA-01	Risk Assessment Policy And Procedures	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.316(a)
RA-02	Security Categorization	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(7)(ii)(E)
RA-03	Risk Assessment	§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(1)(ii)(B)§164.308(a)(8)
RA-05	Vulnerability Scanning	§164.308(a)(1)(ii)(A)§164.308(a)(8)
RA-07	Risk Response	§164.308(a)(1)(ii)(A)§164.308(a)(1)(ii)(B)
RA-09	Criticality Analysis	§164.308(a)(1)(ii)(A)§164.308(a)(7)(ii)(E)

SA System and Services Acquisition

Control	Name	HIPAA Security Rule References
SA-01	System And Services Acquisition Policy And Procedures	§164.316(a)
SA-04	Acquisitions	§164.308(b)(1)§164.308(b)(3)§164.314(a)(1)§164.314(a)(2)
SA-05	Information System Documentation	§164.316(b)(1)§164.316(b)(2)(ii)
SA-09	External Information System Services	§164.308(b)(1)§164.308(b)(3)§164.314(a)(1)§164.314(a)(2)§164.314(b)(1)

SC System and Communications Protection

Control	Name	HIPAA Security Rule References
SC-01	System And Communications Protection Policy And Procedures	§164.312(e)(1)§164.316(a)
SC-02	Application Partitioning	§164.308(a)(4)(ii)(A)
SC-03	Security Function Isolation	§164.308(a)(4)(ii)(A)
SC-04	Information Remnance	§164.308(a)(4)(i)
SC-07	Boundary Protection	§164.308(a)(4)(ii)(A)§164.312(e)(1)§164.314(b)(1)§164.314(b)(2)
SC-08	Transmission Integrity	§164.312(c)(1)§164.312(c)(2)§164.312(e)(1)§164.312(e)(2)(i)§164.312(e)(2)(ii)
SC-10	Network Disconnect	§164.312(a)(2)(iii)
SC-12	Cryptographic Key Establishment And Management	§164.312(a)(2)(iv)§164.312(e)(1)§164.312(e)(2)(ii)
SC-13	Use Of Cryptography	§164.312(a)(1)§164.312(a)(2)(iv)§164.312(e)(1)§164.312(e)(2)(ii)
SC-15	Collaborative Computing	§164.310(b)
SC-17	Public Key Infrastructure Certificates	§164.312(e)(2)(ii)
SC-23	Session Authenticity	§164.312(e)(1)
SC-28	Protection of Information at Rest	§164.310(c)§164.310(d)(2)(iv)§164.312(a)(1)§164.312(a)(2)(iv)§164.312(c)(1)§164.312(c)(2)
SC-32	System Partitioning	§164.308(a)(4)(ii)(A)§164.314(b)(2)
SC-44	Detonation Chambers	§164.308(a)(5)(ii)(B)

SI System and Information Integrity

Control	Name	HIPAA Security Rule References
SI-01	System And Information Integrity Policy And Procedures	§164.312(c)(1)§164.316(a)
SI-03	Malicious Code Protection	§164.308(a)(5)(ii)(B)
SI-04	Information System Monitoring Tools And Techniques	§164.308(a)(1)(ii)(D)§164.308(a)(5)(ii)(B)§164.308(a)(5)(ii)(C)§164.308(a)(6)(ii)
SI-05	Security Alerts And Advisories	§164.308(a)(5)(ii)(A)§164.308(a)(6)(ii)
SI-07	Software And Information Integrity	§164.312(c)(1)§164.312(c)(2)§164.312(e)(2)(i)
SI-08	Spam Protection	§164.308(a)(5)(ii)(B)
SI-10	Information Accuracy, Completeness, Validity, And Authenticity	§164.312(c)(1)
SI-12	Information Output Handling And Retention	§164.316(b)(2)(i)

SR Supply Chain Risk Management

Control	Name	HIPAA Security Rule References
SR-01	Policy and Procedures	§164.314(a)(1)§164.316(a)
SR-02	Supply Chain Risk Management Plan	§164.314(a)(1)
SR-03	Supply Chain Controls and Processes	§164.314(a)(1)§164.314(a)(2)
SR-12	Component Disposal	§164.310(d)(2)(i)