Skip Navigation
Oklahoma State University

Policy Crosswalk

OSU Policy # Standards Sections Implementation Specifications (R) = Required (A) = Addressable Last Revised



Part 160 Subpart A - General Provisions §160.101-104

PRV-00.01 Definitions 160.103 Definitions 7/1/2013

Part 160 Subpart B - Preemption of State Law § 160.201-205

PRV-00.01 Definitions 160.202 Definitions 7/1/2013



Part 160 Subpart C - Compliance and Investigations §160.300-316

ENF-00.01 Complaints to the Secretary 160.306 Complaints to the Secretary 5/1/2013
ENF-00.02 Responsibilities Of Covered Entities 160.310 Provide Records and Compliance Reports 5/1/2013
ENF-00.03 Refraining from Intimidation or Retaliation 160.316 Refraining from Intimidation or Retaliation 5/1/2013

Part 160 Subpart D - Imposition of Civil Money Penalties §160.400-426


Part 160 Subpart E - Procedures for Hearings §160.500-552



Part 162 Subpart A - General Provisions §162.100-103

PRV-00.01 Definitions 162.103 Definitions 7/1/2013

Part 162 Subpart D - Standard Unique Health Identifier for Health Care Providers §162.402-414

TRN-00.01 Standard Unique Health Identifier for Health Care Providers 162.410 Health Care Providers 6/15/2013

Part 162 Subpart E - Standard Unique Health Identifier for Health Plans §162.502-514


Part 162 Subpart F - Standard Unique Employer Identifier §162.600-610


Part 162 Subpart I - General Provisions for Transactions §162.910-940


Part 162 Subpart J - Code Sets §162.1000-1011


Part 162 Subpart K - Health Care Claims or Equivalent Encounter Information §162.1101-1102


Part 162 Subpart M - Referral Certification and Authorization §162.1301-1302


Part 162 Subpart N - Health Care Claim Status §162.1401-1403


Part 162 Subpart O - Enrollment and Disenrollment in a Health Plan §162.1501-1502


Part 162 Subpart P - Health Care Electronic Funds Transfers (EFT) and Remittance Advice §162.1601-1603


Part 162 Subpart Q - Health Plan Premium Payments §162.1701-1702


Part 162 Subpart R - Coordination of Benefits §162.1801-1802


Part 162 Subpart S - Medicaid Pharmacy Subrogation §162.1901-1902




Part 164 Subpart A - General Provisions §164.102-106

PRV-00.01 General Provisions 164.103 Definitions 7/1/2013
SEC-00.01   164.104 Applicability 5/2/2013
SEC-00.02 Organizational Requirement 164.105(a)(1) Health Care Component 7/29/2013
SEC-00.02   164.105(2)(i) Application of Other Provisions 5/28/2013
SEC-00.02   164.105(2)(ii) Safeguard Requirements 5/28/2013
SEC-00.02   164.105(2)(iii) Responsibilities of the Covered Entity 5/28/2013

Part 164 Subpart C - Security Standards for the Protection of Electronic Protected Health Information §164.302-318 & Appendix A

PRV-00.01 Definitions 164.304 Definitions 7/1/2013
SEC-00.03 Security Standards: General Rules 164.306(a) General Requirements 6/13/2013
SEC-00.04   164.306(d) Implementation Specifications 5/28/2013
SEC-00.04   164.306( e) Implementation Specifications (Maintenance) 5/28/2013

Administrative Safeguards  §164.308

SEC-01.01 Security Management Process 164.308(a)(1)(i) Risk Analysis-R 5/28/2013
SEC-01.02   164.308(a)(1)(ii)(B) Risk Management-R 5/28/2013
SEC-01.03   164.308(a)(1)(ii)(C) Sanction Policy-R 7/3/2013
SEC-01.04   164.308(a)(1)(ii)(D) Information System Activity Review-R 6/13/2013
SEC-02.00 Assigned Security Responsibility 164.308(a)(2)  Designation of Security Official-R  
SEC-02.01 Workforce Security 164.308(a)(3)(ii)(A) Authorization and/or Supervision-A 6/13/2013
SEC-02.02   164.308(a)(3)(ii)(B) Workforce Clearance Procedure-A 6/13/2013
SEC-02.03   164.308(a)(3)(ii)( c) Termination Procedures-A 6/13/2013
SEC-03.01 Information Access Management 164.308(a)(4)(ii)(A) Isolating Health care Clearinghouse Function-R 7/9/2013
SEC-03.02   164.308(a)(4)(ii)(B) Access Authorization-A 6/17/2013
SEC-03.03   164.308(a)(4)(ii)( C) Access Establishment and Modification-A 6/17/2013
SEC-04.01 Security Awareness and Training 164.308(a)(5)(ii)(A) Security Reminders-A 6/17/2013
SEC-04.02   164.308(a)(5)(ii)(B) Protection from Malicious Software-A 6/17/2013
SEC-04.03   164.308(a)(5)(ii)( C) Log-In Monitoring-A 6/17/2013
SEC-04.04   164.308(a)(5)(ii)(D) Password Management-A 6/17/2013
SEC-04.05   164.308(a)(5)(i) Training (OSU Extra policy) 6/17/2013
SEC-05.01 Security Incident Procedures 164.308(a)(6)(ii) Response and Reporting-A 6/17/2013
SEC-06.01 Contingency Plan 164.308(a)(7)(ii)(A) Data Backup Plan-R 6/17/2013
SEC-06.02   164.308(a)(7)(ii)(B) Disaster Recovery Plan-R 6/17/2013
SEC-06.03   164.308(a)(7)(ii)( C) Emergency Mode Operation Plan-R 6/25/2013
SEC-06.04   164.308(a)(7)(ii)(D) Testing and Revision Procedure-A 6/18/2013
SEC-06.05   164.308(a)(7)(ii)( E) Applications and Data Criticality Analysis-A 6/18/2013
SEC-07.01 Evaluation 164.308(a)(8) Periodic Evaluation of Standards-R 6/18/2013
SEC-08.01 Business Assoc. Contracts and other Arrangement 164.308(b)(1) Business Associate Written Contract and Other Arrangement-R 6/24/2013

Physical Safeguards  §164.310

SEC-09.00 Facility Access Controls 164.310(a)(1) Facility Access Controls 6/20/2013
SEC-09.01   164.310(a)(2)(i) Contigency Operations-A 6/20/2013
SEC-09.02   164.310(a)(2)(ii) Facility Security Plan-A 6/20/2013
SEC-09.03   164.310(a)(2)(iii) Access Control and Validation Procedures-A 6/20/2013
SEC-09.04   164.310(a)(2)(iv) Maintenance Records-A 6/24/2013
SEC-10.01 Workstation Use 164.310(b) Workstation Use-R 6/20/2013
SEC-10.02 Workstation Security 164.310( c) Workstation Security-R 6/20/2013
SEC-11.01 Device and Media Controls 164.310(d)(2)(i) Electronic Media Disposal & Re-use-R 6/20/2013
SEC-11.01   164.310(d)(2)(ii) Media Re-Use-R 6/20/2013
SEC-11.02   164.310(d)(2)(iii) Accountability-A 6/20/2013
SEC-11.03   164.310(d)(2)(iv) Data Backup and Storage-A 6/20/2013
SEC-11.04     Electronic Portable Media (OSU Extra Policy) 6/20/2013

Technical Safeguards  §164.312

SEC-12.01 Access Control 164.312(a)(2)(i) Unique User Identification-R 6/20/2013
SEC-12.02   164.312(a)(2)(ii) Emergency Access Procedure-R 6/20/2013
SEC-12.03   164.312(a)(2)(iii) Automatic Logoff-A 6/20/2013
SEC-12.04   164.312(a)(2)(iv) Encryption and Decryption-A 6/20/2013
SEC-12.05     Temporary Staff Access (OSU Extra Policy) 6/20/2013
SEC-13.01 Audit Control 164.312(b) Audit Controls-R 6/21/2013
SEC-14.01 Integrity 164.312( c)(1) Mechanism to Authenticate EPHI-A 6/24/2013
SEC-15.01 Person or Entity Authentication 164.312(d) Person or entity authentication-R 6/24/2013
SEC-16.01 Transmission Security 164.312( e)(2)(i) Integrity Controls-A 6/24/2013
SEC-16.02   164.312( e)(2)(ii) Encryption-A 6/24/2013

Organizational Requirements  §164.314

SEC-17.00 Business Associate Contracts and Other Arrangements 164.314(a)(2)(i) Business Associate Contracts 6/25/2013
SEC-18.00 Policies and Procedures and Documentation Requirements 164.316(a) Policies and Procedures 6/26/2013
SEC-18.00   164.316(b)(1)(i) Documentation 6/26/2013
SEC-18.00   164.316(b)(2)(i) Time Limit-R 6/26/2013
SEC-18.00   164.316(b)(2)(ii) Availability-R 6/26/2013
SEC-18.00   164.316(b(2)(iii) Updates-R 6/26/2013

Part 164 Subpart D - Notification in the Case of Breach of Unsecured Protected Health Information §164.400-414

BRE-00.00 Applicability 164.400 Applicability 4/11/2013
BRE-01.00 Definitions 164.402 Definitions (Cross Ref PRV-00.01) 5/28/2013
BRE-02.00 Notification to Individuals 164.404(a) Notification to Individuals General Rule 5/29/2013
BRE-02.01   164.404(b) Timeliness of Notification to Individuals 5/29/2013
BRE-02.02   164.404( c) Content of Notification to Individuals 5/29/2013
BRE-02.03   164.404(d) Methods of Individual Notification 5/29/2013
BRE-03.00 Notification to the Media 164.406(a) Standard of Notification to the Media 5/29/2013
BRE-03.00   164.406(b) Timeliness of Notification to Media 5/29/2013
BRE-03.00   164.406( c) Content of Notification to Media 5/29/2013
BRE-04.00 Notification to the Secretary 164.408(a) Standard of Notification to the Secretary 5/29/2013
BRE-04.00   164.408(b) Breaches Involving 500 or More Individuals 5/29/2013
BRE-04.00   164.408( c) Breaches Involving less than 500 individuals 5/29/2013
BRE-05.00 Notification by a Business Associate 164.410(a) Standard of Notification by a Business Associate 5/29/2013
BRE-05.00   164.410(b) Timeliness of Notification by Business Associate 5/29/2013
BRE-05.00   164.410( c) Content of Notification by Business Associate 5/29/2013
BRE-06.00 Law Enforcement Delay 164.412 Law Enforcement Delay 5/29/2013
BRE-07.00 Administrative Requirements & Burden of Proof 164.414(a) Administrative Requirements 5/29/2013
BRE-07.00   164.414(b) Burden of Proof 5/29/2013

Subpart E Privacy of Individually Identifiable Health Information §164.500-534

PRV-00.00 Applicability 164.500 Applicability 7/1/2013
PRV-00.01 Definitions 164.501 Definitions 7/1/2013
PRV-01.01 Uses and Disclosures of PHI: General Rules 164.502(a)(1) Permitted Uses and Disclosures 7/1/2013
PRV-01.02   164.502(a)(2) Required Disclosures 7/1/2013
PRV-01.03   164.502(a)(3)&(4) Business Associates: Permitted & Required uses and disclosures 7/1/2013
PRV-01.04   164.502(a)(5) Prohibited Uses and Disclosures 7/1/2013
PRV-01.05 Minimum Necessary 164.502(b) Minimum Necessary 7/1/2013
PRV-01.06 Uses and Disclosures of PHI subject to an agreed upon restriction 164.502( c) Uses and Disclosures of PHI subject to an agreed upon restriction 7/1/2013
PRV-01.07 Uses and disclosures to create de-identified information 164.502(d)(1) Uses and disclosures to create de-identified information 7/1/2013
PRV-01.08   164.502(d)(2) Uses and Disclosures of De-Identified Information 7/1/2013
PRV-01.09 Disclosures to Business Associates 164.502( e)(1) Disclosures to Business Associates 7/2/2013
PRV-01.10   164.502( e)(2) Documentation 7/2/2013
PRV-01.11   164.502(f) & (g)(4) Deceased Individuals 7/2/2013
PRV-01.12 Personal Representatives 164.502(g)(2) Adults and Emancipated Minors 7/2/2013
PRV-01.13   164.502(g)(3) Unemancipated Minors 7/2/2013
PRV-01.14   164.502(g)(5) Abuse, Neglect, Endangerment Situations 7/2/2013
PRV-09.03 Confidential communications 164.502(h) Confidential Communications 7/24/2013
PRV-01.15 Uses and disclosures consistent with notice 164.502(i) Uses and Disclosures Consistent With Notice 7/3/2013
PRV-01.16 Disclosures by whistleblowers and workforce member crime victims 164.502(j)(1) Disclosures by Whistleblowers 7/3/2013
PRV-01.17   164.502(j)(2) Disclosures by Workforce Members who are victims of a crime 7/3/2013
PRV-00.01 Uses and disclosures: Organizational Requirements 164.504(a) Definitions 7/1/2013
PRV-02.01   164.504( e)(2) Business Associate Contracts 7/8/2013
PRV-02.02   164.504( e)(3) Other Arrangements 7/9/2013
PRV-02.03   164.504( e)(4) Other Requirements for Contracts and other arrangements 7/9/2013
PRV-02.04   164.504( e)(5) Business associate contracts with subcontractors 7/9/2013
PRV-02.05   164.504(g) Requirements for a Covered Entity with Multiple Covered Functions 7/9/2013
PRV-03.01 Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations 164.506(a) Permitted Uses and Disclosures 7/9/2013
PRV-03.01   164.506(b) Consent for Uses and Disclosures Permitted 7/9/2013
PRV-03.01   164.506( c) Treatment, Payment, or Health Care Operations 7/9/2013
PRV-04.01 Uses and Disclosures for Which an Authorization is Required 164.508(a) Authorization required: General Rule 7/9/2013
PRV-04.02   164.508(a)(2) Authorization Required: Psychotherapy Notes, Marketing, Sale of PHI 7/9/2013
PRV-04.03   164.508(b) General Requirements 7/9/2013
PRV-04.04   164.508( c) Core Elements and Requirements 7/11/2013
PRV-05.01 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object 164.510(a) Use and Disclosure for Facility Directories 7/11/2013
PRV-05.02   164.510(b) Uses and Disclosures for Involvement in the individual’s care and notification purposes 7/11/2013
PRV-06.01 Uses and Disclosures for Which an Authorization or opportunity to agree or object is not required 164.512(a) Uses and Disclosures Required by Law 7/22/2013
PRV-06.02   164.512(b) Uses and Disclosures for Public Health Activities 7/22/2013
PRV-06.03   164.512( c) Disclosures about victims of Abuse, Neglect or Domestic Violence 7/17/2013
PRV-06.04   164.512(d) Uses and Disclosures for Health Oversight Activities 7/17/2013
PRV-06.05   164.512( e) Disclosures for Judicial and Administrative Proceedings 7/18/2013
PRV-06.06   164.512(f) Disclosures for Law Enforcement Purposes 7/22/2013
PRV-06.07   164.512(g), (h) Uses and Disclosures about Decedents, Cadaveric Organ, Eye, or Tissue Donation Purposes 7/22/2013
PRV-06.08   164.512(i) Uses and Disclosures for Research Purposes-Permitted Uses and Disclosures  
PRV-06.09   164.512(j) Uses and Disclosures to Avert a Serious Threat toHhealth or Safety 7/22/2013
PRV-06.10   164.512(k) Uses and Disclosures for Specialized Government Functions, Military and Veterans Activities 7/22/2013
PRV-06.11   164.512(l) Disclosures for Workers’ Compensation 7/22/2013
PRV-07.01 Other Requirements Relating to Uses and Disclosures of PHI 164.514(b) Requirements for De-Identification of PHI 7/22/2013
PRV-07.02   164.514( c) Re-Identification 7/23/2013
PRV-07.03 Minimum Necessary Requirements 164.514(d)(1) Minimum Necessary Uses of Protected Health Information 7/23/2013
PRV-07.04   164.514(d) & ( e) Minimum Necessary and MyHealth 7/23/2013
PRV-07.05   164.514( e) Limited Data Set 7/23/2013
PRV-07.06 Fundraising Communications 164.514(f)(1) Fundraising Requirements 7/23/2013
PRV-07.07 Uses and Disclosures for Underwriting and Related Purposes 164.514(g) Uses and Disclosures for Underwriting and Related Purposes 7/23/2013
PRV-07.08 Verification Purposes 164.514(h)(1) Verification Purposes 7/23/2013
PRV-08.01 Notice of Privacy Practices for PHI 164.520(a)(1) Right to Notice of Privacy Practices 7/23/2013
PRV-08.02   164.520( c) Provision of Notice 7/24/2013
PRV-09.01 Rights to Request Privacy Protection for PHI 164.522(a)(1) Right of an individual to request restriction of uses and disclosures 7/24/2013
PRV-09.02   164.522(a)(2) Terminating a Restriction & Documentation 7/24/2013
PRV-09.03   164.522(b)(1) Confidential Communications Requirements 7/24/2013
PRV-10.01 Access of Individuals to protected health information 164.524(a) Access to Protected Health Information 7/25/2014
PRV-10.02   164.524(b) Request for Access & Timely Action 7/25/2014
PRV-10.03   164.524( c) Provision of Access 7/25/2013
PRV-10.04   164.524(d) Denial of Access to PHI 7/25/2013
PRV-10.05   164.524( e) Documentation 7/25/2013
PRV-10.06   164.524 Employee’s Own Access to Protected Health Information  
PRV-11.01 Right to Amend 164.526(a) Right to Amend 7/25/2013
PRV-11.02   164.526(b) Request for Amendment and Timely Action 7/25/2013
PRV-11.03   164.526( c) Accepting the Amendment 7/25/2013
PRV-11.04   164.526(d) Denying the Amendment 7/25/2013
PRV-11.05   164.526( e) Actions on Notice of Amendment 7/25/2013
PRV-11.06   164.526(f) Documentation of Request for Amendment 7/25/2013
PRV-12.01 Right to an Accounting of Disclosures of Protected Health Information 164.528(a) Right to Accounting of Disclosures of PHI 7/25/2013
PRV-12.02   164.528(b) Content of the Accounting 7/25/2013
PRV-12.03   164.528( c) Provision of the Accounting of Disclosure 7/25/2013
PRV-12.04   164.528(d) Documentation Requirements of Disclosure 7/25/2013

Administrative Requirements §164.530

PRV-13.01 Personnel Designations 164.530(a) Personnel Designations 7/25/2013
PRV-13.02 Training 164.530(b) Training 7/25/2013
PRV-13.03 Safeguards 164.530( c) Safeguards 7/26/2013
PRV-13.04 Complaints to the Covered Entity 164.530(d) Complaints to the Covered Entity 7/26/2013
PRV-13.05 Sanctions 164.530( e) Sanctions 7/26/2013
PRV-13.06 Mitigation 164.530(f) Mitigation 7/26/2013
PRV-13.07 Refraining from Intimidating or Retaliatory Acts 164.530(g) Refraining from Intimidating or Retaliatory Acts 7/26/2013
PRV-13.08 Waiver of Rights 164.530(h) Waiver of Rights 7/26/2013
PRV-13.09 Polices and Procedures 164.530(i)(1) Polices and Procedures 7/26/2013
PRV-13.10 Documentation of Changes to Policy 164.530(j)(1) Documentation of Changes to Policy 7/26/2013

Transition Provisions §164.532

PRV-14.01 Transition Provisions 164.532(a) Effect of Prior Authorizations 7/26/2013
PRV-14.02   164.532(d) Effect of Prior Contracts or other Arrangements with Business Associates 7/26/2013