**4.5 Organizational control requirements**

At the organizational level, controls such as policies, procedures, physical security and financial budgeting should be considered during an assessment. However, these components of risk management are often owned by entirely different entities than the ones responsible for the technical controls.

#### *4.5.1 Policies and procedures*

Organizations should have policies in place [32] at the technical, physical, and administrative levels, and those policies must be followed consistently and repeatably; inconsistent application invites legal ramifications ranging from valid discrimination claims to data breaches. Standard operating procedures (SOPs) should also be in place, specifically in writing [32]. Procedures required by federal regulation (the HIPAA Security Rule's contingency plan standard) include business continuity and disaster recovery plans.

#### *4.5.2 Physical and environmental security*

This component describes the physical and environmental security aspects of the system, if any, which the United States federal HIPAA Security Rule requires as physical safeguards. Physical security covers controls on the physical environment that lower the probability of a threat event in public, private, and shared spaces. It also includes protection of the organization from fire and other environmental hazards that affect risk.

#### *4.5.3 Budget for adverse effects*

Risk assessment traditionally includes developing a budget for adverse effects, as in the Factor Analysis of Information Risk (FAIR) quantitative model, which treats loss as an uncertain quantity to be estimated rather than a fixed figure. Many organizations do not reserve funds in proportion to the estimated probability and magnitude of loss, for example to pay for identity protection for affected patients. Digital Guardian [33] publishes reports on current costs per record; these costs vary over time. Simply noting that a system is vulnerable to CSRF has no budgetary meaning on its own: the financial exposure depends on how likely exploitation is and on what loss would follow, such as how many patient records could be affected. Estimated loss exposure therefore informs both the organization's overall view of its risk and its insurance decisions.

The HHS has historically been responsible for enforcing the Privacy and Security Rules of HIPAA [34]. For most HIPAA covered entities, HHS OCR enforcement of the Privacy Rule began April 14, 2003, and enforcement of the Security Rule began April 20, 2005. The OCR web portal lists resolution agreements and corrective action plans detailing the causes of potential violations of the HIPAA Privacy and Security Rules. Notably, in October 2020 the OCR posted four settlement announcements, most involving multiple cases or breaches, each accompanied by a corrective action plan for potential violations of the HIPAA Privacy and Security Rules.
