Add to collection(s) Add to saved
  1. Business
  2. Management

POLICY # 6 ADMINISTRATIVE MANUAL APPROVED BY:

ASSIGNED SECURITY RESPONSIBILITY
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
POLICY # 6
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
”Identify the security official who is responsible for the development and
implementation of the policies and procedures required by this subpart
for the entity.”
Policy Summary:
The Information Security Officer will be responsible for the security of
EPHI at Sindecuse Health Center (SHC).
Purpose:
This policy reflects SHC’s commitment to assign a single employee
overall final responsibility for the confidentiality, integrity, and
availability of its EPHI.
Policy:
1. The purpose of the SHC Information Security Office is to protect the
confidentiality, integrity, and availability of SHC information systems
and EPHI. SHC’s Information Security Officer leads this office and is
responsible, with the assistance of the HIPAA Compliance Committee,
for the development and implementation of all policies and procedures
necessary to appropriately protect the confidentiality, integrity, and
availability of SHC information systems and EPHI.
2. The SHC Information Security Officer’s responsibilities include, but
are not limited to:





Ensure that SHC information systems comply with all applicable
federal, state, and local laws and regulations.
Ensure that no SHC information system compromises the
confidentiality, integrity, or availability of any other SHC
information system.
Develop, document, and ensure dissemination of appropriate
security policies, procedures, and standards for the users and
administrators of SHC information systems and the data
contained within them.
Ensure that newly acquired SHC information systems have
features that support required and/or addressable security
Implementation Specifications.
Coordinate the selection, implementation, and administration of
significant SHC security controls.
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ASSIGNED SECURITY RESPONSIBILITY










Ensure SHC workforce members receive regular security
awareness and training.
Conduct periodic risk analysis of SHC information systems and
security processes.
Develop and implement an effective risk management program.
Regularly monitor and evaluate threats and risks to SHC
information systems.
Develop and monitor/audit records of SHC information systems’
activity to identify inappropriate activity.
Maintain an inventory of all SHC information systems that
contain EPHI.
Create an effective security incident response policy and related
procedures.
Ensure adequate physical security controls exist to protect SHC’s
EPHI.
Coordinate with SHC’s Privacy Officer to ensure that security
policies, procedures and controls support compliance with the
HIPAA Privacy Rule.
Evaluate new security technologies that may be appropriate for
protecting SHC’s information systems.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.308(a)(2)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ASSIGNED SECURITY RESPONSIBILITY
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Officer is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ASSIGNED SECURITY RESPONSIBILITY
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Arts
Cooperative Innovative High School Curriculum Template Associate in Arts
53. policies and procedures for security
53. policies and procedures for security
ROMAN CATHOLICS IN MINEHEAD
ROMAN CATHOLICS IN MINEHEAD
CONSENT FORM TEMPLATE
CONSENT FORM TEMPLATE
P5-ISAREV
P5-ISAREV
Download