• Data backup plan • Disaster recovery plan • Access authorization • Virus checking • Termination procedures such as removal from access lists and turning in keys and access cards • Physical safeguards to guard data integrity, confidentiality, and availability, such as: • Access controls • Secure workstation location • Need to know procedures • Sign in and escorting visitors, if appropriate • Technical security services to guard data integrity, confidentiality, and availability, such as: • Access controls • Automatic log off • Password or PIN • Unique user identification • Technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network, such as: • Message authentication • Integrity controls • Encryption • Audit trail • Electronic signature • An agency can use PHI for: o Treatment, payment, and healthcare operations. o Treatment activities of any healthcare provider. o For payment activities of the entity to which PHI is disclosed. o For the healthcare operations of another covered entity if: