- Classification of health information into Sensitive Normal and Sensitive High categories.
- Secure storage and controlled access to health information.
- Periodic testing of backups and regular reviews of security policies, logs, and practices.
- Incident response plans with a two-hour reporting window for data breaches or cybersecurity incidents.