POLICIES AND PROCEDURES FOR
SECURITY
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
POLICY # 53
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement reasonable and appropriate policies and procedures to
comply with the standards, the implementation specifications, or other
requirements of this subpart taking into account those factors specified in
164.306 (b)(2)(i),(ii),(iii), and (iv).
Policy Summary:
Sindecuse Health Center (SHC) must establish and maintain
organizational policies and procedures to address all requirements of the
final HIPAA Security Rule. The SHC’s policies and procedures for
security must be designed to ensure the confidentiality, integrity, and
availability of the organization’s EPHI. SHC’s workforce members
must be informed of all policies and procedures that apply to them in
their individual roles. The policies and procedures should incorporate the
organization’s own specific characteristics related to size and complexity
of the organization, technical infrastructure, cost of implementing
security measures, and risks to EPHI. SHC’s policies and procedures for
organizational security must be established and implemented in
accordance with SHC’s organizational process for policy development
and review. SHC must annually review the organizational security
policies and procedures and update them it as necessary.
Purpose:
This policy reflects SHC’s commitment to appropriately maintain,
distribute and review the security policies and procedures it implements
to comply with the HIPAA Security Rule.
Policy:
1. SHC must establish and maintain organizational policies and
procedures to address all requirements of the final HIPAA Security Rule.
2. SHC must establish and maintain organizational policies and
procedures to ensure and support the confidentiality, integrity, and
availability of the organization’s EPHI.
3. SHC’s workforce members must be informed of all policies and
procedures that apply to them in their individual roles.
4. SHC must establish policies and procedures for organizational
Page 1 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
POLICIES/PROCEDURES FOR SECURITY
security that incorporate the specific characteristics of SHC with respect
to:




the size, complexity, and capabilities of the organization,
the organization’s technical infrastructure, hardware, and
software capabilities,
the cost of implementing security measures, and
the probability and criticality of potential risks to the
organization’s EPHI.
5. SHC must ensure that its policies and procedures for security are
compatible with the organization’s culture and strategic planning
objectives.
6. SHC must conduct an annual formal review of the policies and
procedures for security and update them as necessary.
Scope/Applicability: This policy is applicable to all departments that use, create or disclose
electronic protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Organizational Requirements
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.316(a)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
Page 2 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
POLICIES/PROCEDURES FOR SECURITY
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Responsible
Department:
Leadership Council; Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Documentation
Evaluation
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 3 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.