HIPAA (Health Insurance Portability and Accountability Act) - Security Management Process

164.308(a)(1) - Implement policies and procedures to prevent, detect, contain and correct security violations.

HIPAA (Health Insurance Portability and Accountability Act) - Assigned Security Responsibility

164.308(a)(2) - Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.

HIPAA (Health Insurance Portability and Accountability Act) - Workforce Security

164.308(a)(3) - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.

HIPAA (Health Insurance Portability and Accountability Act) - Information Access Management

164.308(a)(4) - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].

HIPAA (Health Insurance Portability and Accountability Act) - Security Awareness and Training

164.308(a)(5) - Implement a security awareness and training program for all members of its workforce (including management).

HIPAA (Health Insurance Portability and Accountability Act) - Security Incident Procedures

164.308(a)(6) - Implement policies and procedures to address security incidents.

HIPAA (Health Insurance Portability and Accountability Act) - Contingency Plan

164.308(a)(7) - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

HIPAA (Health Insurance Portability and Accountability Act) - Evaluation

164.308(a)(8) - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].

HIPAA (Health Insurance Portability and Accountability Act) - Business Associate Contracts And Other Arrangements

164.308(b)(1) - A covered entity, in accordance with 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).