NORTHPOINTE BEHAVIORAL HEALTHCARE SYSTEMS POLICY

TITLE: Master HIPAA Security Policy
MANUAL: Administrative
SECTION: IS
ORIGINAL EFFECTIVE DATE: 10/1/06
REVIEWED/REVISED ON DATE: 4/19/13
BOARD APPROVAL DATE: 8/29/13
CURRENT EFFECTIVE DATE: 8/29/13
REVISIONS TO POLICY STATEMENT: YES / NO
OTHER REVISIONS: YES / NO
PAGE 1 of 3

APPLICATION: Northpointe Personnel and contract providers

POLICY:

Northpointe is required to maintain the confidentiality, integrity and availability of electronic protected health information (ePHI) through the technical and non-technical mitigation techniques required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Michigan Mental Health Code and 42 CFR Part 2.

PURPOSE

This policy outlines expectations for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act, the Michigan Mental Health Code, 42 CFR Part 2 and any subsequent revisions.

DEFINITIONS

1. Computing equipment - refers to computers, laptops, tablets, personal digital assistants (PDA), smart phones or any other device capable of accessing ePHI.

2. Security Incident - An intentional or unintentional event resulting in an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

3. Protected Health Information (PHI) - Any information that identifies an individual and relates to at least one of the following:
   a. The individual's past, present or future health care.
   b. The provision of health care to the individual.
   c. The past, present or future payment for health care.

4. Electronic Protected Health Care Information - Any protected health information (PHI) which is stored, accessed, transmitted or received electronically.

5. Business Associate - A person or entity that creates, receives, maintains, or transmits protected health information on behalf of, or provides services to, a Covered Entity.

6. Network Providers - refers to all providers employed by or under contract with Northpointe.

7. Covered Entities - Health plans, health care clearinghouses, or health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

8. Electronic Health Systems - NorthCare sanctioned, supported and recognized systems for creating, storing or transmitting electronic protected health information. NorthCare Electronic Health Systems include, but are not limited to: ELMER, CareNet, CAFAS, iCarol, Michigan Health Information Network (MiHIN) and Upper Peninsula Health Information Exchange (UPHIE).

PROCEDURE:

1. Security Management
Security Management reflects Northpointe's commitment to implement a risk analysis, risk management and information security review process to prevent, detect, contain and correct security violations.
Reference: IS Security Management Procedure

2. Assigned Security Responsibility
The Information Security Officer will be the function responsible for the implementation of ePHI security at Northpointe. The purpose of the Northpointe Information Security Office is to protect the confidentiality, integrity, and availability of Northpointe information systems and ePHI. Northpointe's Information Security Officer is responsible for the development and implementation of all policies and procedures necessary to appropriately protect the confidentiality, integrity, and availability of Northpointe information systems and ePHI. This function includes the responsibility of investigating all alleged violations of Northpointe security policies, and includes taking appropriate action to mitigate the infraction and recommending sanctions as warranted.

3. Security Awareness and Training
Northpointe shall develop, implement, and regularly review a formal, documented program for providing appropriate security training and awareness to its workforce members. All new Northpointe employees must receive appropriate security training before being provided with access to or accounts on Northpointe information systems. All non-Northpointe employees must be made aware of the security policies and procedures and must have a confidentiality agreement on file.
Reference: IS Security Training Procedure

4. Security Incident Handling
Northpointe shall have a formal, documented process for quickly and effectively detecting and responding to security incidents that may impact the confidentiality, integrity, or availability of Northpointe information systems. The process, as detailed in the Security Incident Response Procedure, includes, among other elements, the creation of a security incident response team (SIRT), an awareness program delivered through regular training, and the means for the organization's employees to report any potential incidents effectively.
Reference: IS Security Incident Response Procedure

5. Contingency
Northpointe shall prepare for and be able to effectively respond to emergencies or disasters in order to protect the confidentiality, integrity and availability of its information systems.
Reference: IS Contingency Preparedness and Recovery Procedure

6. Business Associate Contracts
Northpointe may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf under a business associate agreement. This agreement provides assurance that the business associate will appropriately safeguard the information.
Reference: Business Associate Agreement Policy

7. Facility Access Controls
Northpointe must appropriately limit physical access to the information systems contained within its facilities while ensuring that only properly authorized workforce members can physically access such systems.
Reference: IS Facility Access Controls Procedure

8. Workstation Use & Security
Northpointe workstations and media shall be used only for authorized purposes to support the research, education, clinical, administrative, and other functions of Northpointe. Workforce members shall not use Northpointe workstations to engage in any activity that is either illegal or in violation of other Northpointe policies. Access to Northpointe workstations with ePHI shall be controlled and authenticated. Northpointe shall regularly conduct a formal, documented process that ensures accountability for all electronic media and information systems containing ePHI.
Reference: Internet Use Policy; Email Use Policy; Workstation Use and Security Policy; Device and Media Control Policy

9. Information System Access Controls
Northpointe shall develop and implement a formal, documented process for authorizing and granting appropriate access to information systems containing ePHI.
Reference: IS Systems Access Controls Procedure; Password Policy; Network Security End User Policy

10. Audit Controls
Northpointe will record and examine significant activity, as defined by the risk analysis, on its information systems that contain or use ePHI. Audit records shall include user identification, date/time and a description of the event. Northpointe will conduct a technical and non-technical evaluation of its security controls and processes on an annual basis to document its compliance with its security policies and the HIPAA Security Rule. The evaluation will be carried out by the Information Security Officer or by a third-party organization that has appropriate skills and experience. The evaluation will be documented and recorded in support of the organization's compliance with HIPAA ePHI standards.

11. Data Integrity
Northpointe must appropriately protect the integrity of all ePHI contained on its information systems. Methods used to protect the integrity of ePHI contained on Northpointe information systems must ensure that the value and state of the ePHI are maintained and protected from unauthorized modification and destruction.

12. Transmission Security
Northpointe must provide appropriate protection for the confidentiality, integrity and availability of all data it transmits over electronic communications networks. Appropriate protection should include, but is not limited to, data encryption as determined by the relevant risk analysis. Highly sensitive Northpointe data, such as authentication data, must always use encryption and integrity controls. The Northpointe Information Security Officer must approve all encryption and integrity controls prior to their use.

When applying risk analysis, consider the following factors in determining whether or not encryption or integrity controls must be used:
   a. The sensitivity of the data
   b. The risks to the data if they are not encrypted
   c. The expected impact on functionality and workflow if the data are encrypted
   d. Alternative methods available to protect the confidentiality, integrity and availability of the data
   e. The ability of the recipient of the data to decrypt and/or check the integrity of the data received

Policy Authority/Enforcement:

Northpointe's Security Officers are responsible for monitoring and enforcement of this policy, in accordance with related policies and procedures.

Scope of Legislative Reference:

This policy is also intended to act in accordance with the security and privacy safeguards of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), other federal and state laws protecting the confidentiality of health information, accreditation requirements and professional ethics. This policy will reference only HIPAA standards directly. All other federal, state or accreditation requirements are adhered to but not referenced in this policy.

REFERENCES:

HIPAA SECURITY - CODE OF FEDERAL REGULATIONS, 45 CFR 164
HITECH ACT - PUBLIC LAW 111-5, DIVISION A, TITLE XIII, SUBPART D
HIPAA OMNIBUS RULE - FEDERAL REGISTER, 78 FR 17
MICHIGAN MENTAL HEALTH CODE
42 CFR PART 2