Important to have in the case of an audit.

164.308(a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

164.308(A) Risk analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

164.308(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Make sure it is documented!

164.308(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

164.308(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. (6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. (ii) Implementation specification: Response and reporting. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

164.308(a)(B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data.