Policy & Procedures

POLICY AND PROCEDURE STANDARDS
TABLE OF CONTENTS
SECURITY MANAGEMENT PROCESS .............................................................. P1-P4
ASSIGNED SECURITY RESPONSIBILITY ........................................................ P5-P7
WORKFORCE SECURITY .................................................................................... P8-P9
INFORMATION ACCESS MANAGEMENT .................................................... P10-P11
SECURITY AWARENESS AND TRAINING .................................................... P13-P15
SECURITY INCIDENT PROCEDURES...................................................................P17
CONTINGENCY PLAN ..................................................................................... P18-P20
EVALUATION ...........................................................................................................P22
BUSINESS ASSOCIATE CONTRACTS AND OTHER
ARRANGEMENTS............................................................................................ P23-P24
FACILITY ACCESS CONTROLS...................................................................... P29-P30
WORKSTATION USE ....................................................................................... P31-P34
WORKSTATION SECURITY ....................................................................................P35
DEVICE AND MEDIA CONTROLS .................................................................. P36-P37
ACCESS CONTROL ..................................................................................................P38
AUDIT CONTROLS ...................................................................................................P39
INTEGRITY ...............................................................................................................P40
PERSON OR ENTITY AUTHENTICATION ............................................................P41
TRANSMISSION SECURITY ...................................................................................P42
SECURITY MANAGEMENT PROCESS POLICY AND PROCEDURES
Implementation Specifications covered under this standard:
• Risk Analysis
• Risk Management
• Sanction Policy
• Information System Activity Review
Purpose
The purpose of this policy is to establish a process to identify the risks to the organization and to
manage those risks. The Practice is committed to ensuring the confidentiality, integrity, and
availability of its information systems containing EPHI by implementing policies and procedures
to prevent, detect, contain, and correct security violations.
Policy
1. The Practice will ensure the confidentiality, integrity, and availability of its information
systems containing EPHI by implementing appropriate and reasonable policies,
procedures and controls to prevent, detect, contain, and correct security violations.
2. All Practice workforce members are responsible for appropriately protecting EPHI from
unauthorized access, modification, destruction and disclosure.
Risk Analysis
The organization will conduct a survey of all computer and information systems in order to
determine where electronic protected health information is stored, how it is transmitted, and
which employees currently have access. The organization will also identify the type of
information contained on each system and the impact to daily activities that would be caused by
a loss of this information. (See Risk Analysis, Worksheet 1). This process will be repeated for all
new equipment, information systems or computer systems that are installed.
The identification, definition and prioritization of risks to the Practice information systems
containing EPHI is based on a formal, documented risk analysis process. At a minimum, the
Practice’s risk analysis process will include the following:
• Identification and prioritization of the threats to the Practice information systems containing
EPHI.
• Identification and prioritization of the vulnerabilities of the Practice information systems
containing EPHI.
• Identification and definition of security measures used to protect the confidentiality,
integrity, and availability of the Practice information systems containing EPHI.
• Identification of the likelihood that a given threat will exploit a specific vulnerability on a
Practice information system containing EPHI.
P1
SECURITY MANAGEMENT PROCESS POLICY AND PROCEDURES
Policy (continued)
• Identification of the potential impacts to the confidentiality, integrity, and availability of the
Practice information systems containing EPHI if a given threat exploits a specific
vulnerability.
The organization will use good faith efforts to identify all known and/or anticipated threats to
electronic protected health information and any vulnerability through which those threats could
affect a program or system.
Risk Management
The Practice will implement security measures that reduce the risks to its information systems
containing EPHI to reasonable and appropriate levels.
It will be the responsibility of the Security Officer to gather information and present this
information to the appropriate decision-making authorities within the organization so that
determinations can be made based upon the risks to the organization and the costs associated
with mitigating these risks.
Employee Sanctions
Employees will be sanctioned appropriately for breaching security policies and procedures. All
sanctions will be in accordance with the organization’s disciplinary policies, and, at a minimum,
will take into account the severity of the violation, whether the violation was intentional or
unintentional, and whether the violation indicates a pattern or practice of improper use or
disclosure of protected health information.
The Practice will have a formal, documented process for applying appropriate sanctions against
workforce members who do not comply with its security policies and procedures.
Sanctions may include, but will not be limited to: (1) a verbal warning; (2) a written reprimand;
(3) re-education; (4) suspension; and/or (5) termination. The sanction policy, however, does not
alter the at-will status of employees.
Information System Activity Review
The Practice is committed to conducting periodic internal system reviews of records to minimize
security violations to electronic protected health information. As such, the Practice will
continually assess potential risks and vulnerabilities to protected health information in its
possession, and develop, implement, and maintain appropriate administrative, physical, and
technical security measures.
The organization will determine which reports the organization’s information systems and
software programs are capable of generating, including, but not limited to audit logs, access
reports, and security incident tracking reports.
The organization will run such reports at intervals as determined by the security officer based
upon the usefulness of the report.
P2
SECURITY MANAGEMENT PROCESS POLICY AND PROCEDURES
Procedure
1. The Security Officer will be responsible for completing a Comprehensive Risk Analysis
(either by personally completing the form or delegating the responsibility) and will be
responsible for overseeing the updating of this analysis as new systems or software
programs are added. See Risk Analysis Worksheets 1-4.
2. The risk analysis shall document, at a minimum, the following information:
a. The level of risk and the steps to be taken to reduce the risk arising from each vulnerability;
b. Processes for maintaining no more than the acceptable level of risk.
3. The Security Officer will be responsible either personally or by delegation for the
completion of a Threat Assessment (Risk Analysis Worksheet 2). This assessment will be
updated as needed or any time that a new threat or vulnerability is identified or any time
that a new system or software program is added.
4. The Security Officer will be responsible for completing a Risk Management Analysis (Risk
Analysis Worksheet 3-4). The Security Officer will be responsible for identifying and
including administrative personnel who have authority to make decisions with respect to
which security solutions may be implemented (based upon a cost/benefit analysis).
5. The Practice’s risk management process will be based on the following steps:
a. Inventory. The Practice will conduct an inventory of its information systems
containing EPHI and the security measures protecting those systems. The
Practice must be able to identify its information systems and the relative value and
importance of those systems. (See Risk Analysis, Worksheet 1)
b. Risk prioritization. Based on the risks defined by the Practice’s risk analysis, all
risks will be prioritized on a scale from 1 to 9 based on the potential impact to
information systems containing EPHI and the probability of occurrence. When
deciding what Practice resources will be allocated to identified risks, highest
priority must be given to those risks with unacceptably high risk rankings.
c. Cost-benefit analysis. The Practice will identify and define the costs and benefits of
implementing or not implementing specific security methods.
d. Security method selection. Based on the cost-benefit of each solution, the Practice
will determine the most appropriate, reasonable and cost-effective security
method(s) for reducing identified risks to each system containing EPHI.
P3
SECURITY MANAGEMENT PROCESS POLICY AND PROCEDURES
Procedure (continued)
6. The Security Officer will be responsible for bringing employee breaches of security policies
and procedures to the attention of the employee’s supervisor who shall be responsible for
disciplining the employee in accordance with this policy and with the organization’s
general disciplinary policies.
7. The Security Officer will be responsible for reviewing all informational reports and the
frequency with which each report should be routinely run, as well as any events that will
trigger the running of the report(s). Currently, such reports will be run as needed and
monitored on an exception basis.
8. If the Security Officer identifies suspicious activity based upon the reports, it will be
investigated and the results of such investigation documented. If the investigation
identifies an employee breach, the employee will be disciplined in accordance with the
guidelines set forth in the organization’s disciplinary policies.
9. The Security Officer will be responsible for reviewing reports and maintaining all reports
for a period of six years (either personally or delegating the responsibility).
P4
ASSIGNED SECURITY RESPONSIBILITY POLICY AND PROCEDURES
Purpose
The purpose of this policy is to assign a single employee overall final responsibility for the
confidentiality, integrity, and availability of EPHI.
Policy
The Practice Security Officer will be responsible for the Security of PHI and EPHI at the
Practice. The Security Officer is responsible for the development and implementation of all
policies and procedures necessary to appropriately protect the confidentiality, integrity, and
availability of the Practice’s information systems and EPHI.
Procedures
1. The Security Officer will conduct himself/herself in a manner appropriate for this position
and as outlined in their job description.
2. The Practice’s Security Officer’s responsibilities include, but are not limited to:
a. Ensure that Practice’s information systems comply with all applicable federal, state,
and local laws and regulations.
b. Develop, document, and ensure dissemination of appropriate security policies,
procedures, and standards for the users and administrators of Practice’s information
systems and the data contained within them.
c. Ensure that newly acquired Practice information systems have features that support
required and/or addressable security Implementation Specifications.
d. Coordinate the selection, implementation, and administration of significant Practice
security controls.
e. Ensure Practice workforce members receive regular security awareness and training.
f. Conduct periodic risk analysis of Practice information systems and security processes.
g. Conduct regular evaluations of the Practice’s security controls and processes.
h. Develop and implement an effective risk management program.
i. Regularly monitor and evaluate threats and risks to Practice information systems’
activity to identify inappropriate activity.
j. Create an effective security incident response policy and related procedures.
k. Ensure adequate physical security controls exist to protect Practice’s EPHI.
l. Coordinate with Practice’s Privacy Officer to ensure that security policies, procedures
and controls support compliance with the HIPAA Privacy Rule.
P5
SECURITY OFFICER – JOB DESCRIPTION
The Practice is committed to ensuring the privacy and security of protected health information.
In order to manage the facilitation and implementation of activities related to the privacy and
security of protected health information, The Practice will appoint and maintain a Security
Officer position.
The Security Officer will serve as the focal point for security compliance-related activities and
responsibilities, as listed below. In general, the Security Officer is charged with developing,
maintaining, and implementing organizational policies and procedures, conducting educational
programs, reviewing conduct of those assigned security responsibilities, and administering
reviews relating to the company’s security program.
The Security Officer must demonstrate familiarity with the legal requirements relating to
privacy, security and health care operations, as well as the ability to communicate effectively
with and coordinate the efforts of technology and non-technology personnel.
The current Security Officer is:
Bonnie Rondot
419-991-7805 (work) or 419-999-6344 (home)
2875 W. Elm St., Lima, OH 45805
e-mail address: famdox@yahoo.com
Responsibilities
The Security Officer has the following job responsibilities:
1. Lead in the development and enforcement of information security policies and procedures,
measures and mechanisms to ensure the prevention, detection, containment, and
correction of security incidents. Ensure that security standards comply with statutory
and regulatory requirements regarding health information.
2. Maintain security policies that include:
a. Administrative security: Formal mechanisms for risk analysis and
management, information access controls, and appropriate sanctions for failure
to comply.
b. Physical safeguards: Ensure assigned security responsibilities, control access to
media (e.g., diskettes, tapes, backups, disposal of data), protect against hazards
and unauthorized access to computer systems, and secure workstation locations
and use.
c. Technical security: Establish access controls, emergency procedures,
authorization controls, and data/entry access and authentication.
P6
SECURITY OFFICER – JOB DESCRIPTION
Responsibilities (continued)
3. Maintain security procedures that include:
a. Evaluation of compliance with security measures.
b. Contingency plans for emergencies and disaster recovery.
c. Security incident response process and protocols.
d. Testing of security procedures, measures and mechanisms, and continuous
improvement.
e. Security incident reporting mechanisms and sanction policy.
4. Maintain appropriate security measures to guard against unauthorized access to
electronically stored and transmitted patient data and protect against reasonably
anticipated threats and hazards, including:
a. Integrity controls.
b. Authentication controls.
c. Access controls.
5. Oversee and/or perform on-going security monitoring of organization information systems.
a. Perform periodic information security risk evaluations and assessments.
b. Evaluate and recommend new information security technologies and counter-measures
against threats to information or privacy.
6. Ensure compliance through adequate training programs and periodic security audits.
P7
WORKFORCE SECURITY POLICY AND PROCEDURES
Implementation Specifications covered under this standard:
• Authorization and/or Supervision
• Workforce Clearance Procedures
• Termination Procedures
Purpose
This policy reflects Practice’s commitment to allow access to information systems containing
EPHI only to workforce members who have been appropriately authorized.
Policy
1. Practice will protect the confidentiality, integrity, and availability of its information
systems containing EPHI by preventing unauthorized access while ensuring that properly
authorized workforce member access is allowed.
2. Access to Practice information systems containing EPHI will be granted to only workforce
members who have been properly authorized.
3. Access to Practice information systems containing EPHI will be authorized only for
properly trained Practice workforce members having a legitimate need for specific
information in order to accomplish job responsibilities. Such access will be regularly
reviewed and revised as necessary.
Procedures
1. Authorization and/or Supervision
• Practice will ensure that all workforce members who can access Practice information
systems containing EPHI are appropriately authorized to access the system or
supervised when they do so.
• Practice workforce members will not be allowed access to information systems
containing EPHI until properly authorized.
• Where appropriate, third party persons will be supervised by an appropriate
employee when they are accessing information systems containing EPHI or in a
Practice location where EPHI might be accessed.
2. Currently, because of the size of the Practice and the nature of its operations, almost all
staff members and other workforce members need access to all information systems containing
EPHI. In keeping with the Minimum Necessary provision of the Privacy Rule, the
Practice will continually monitor each employee to ensure that he or she accesses only the
amount of information necessary for his or her job. See the Access Authorization
Worksheet.
P8
WORKFORCE SECURITY POLICY AND PROCEDURES
Procedure (continued)
3. Workforce Clearance Procedures
• The background of all Practice workforce members will be adequately reviewed during
the hiring process. Verification checks will be made, as appropriate.
• Clearance to EPHI and to locations where EPHI can be accessed will be granted upon
hiring and will be reviewed as necessary.
4. Termination Procedures
• The Practice will create and implement a formal process for terminating access to
electronic protected health information (EPHI) when employment ends.
• When the employment of Practice workforce members ends, their information systems
privileges, both internal and remote, will be disabled or removed. Practice information
system privileges include, but are not limited to, workstation and server access, data
access, network access, email accounts, and inclusion on bulk e-mail lists.
• When employees depart from Practice, they must return all supplied equipment by the
time of departure.
5. As appropriate, all physical security access codes used to protect Practice information
systems that are known by a departing workforce member will be deactivated or changed.
P9
INFORMATION ACCESS MANAGEMENT POLICY AND PROCEDURES
Implementation Specifications covered under this standard:
• Isolating Healthcare Clearinghouse Function
• Access Authorization
• Access Establishment and Modification
Purpose
The Practice is committed to maintaining formal practices to define levels of access for all
workforce members and other users authorized to access electronic protected health information,
how access is granted and is modified.
Policy
1. Access to Practice information systems containing EPHI will be managed in order to
protect the confidentiality, integrity and availability of EPHI.
2. Employees, contractors, and other users will be granted access only to that health
information to which they are authorized, in order to perform the particular job functions.
3. Workforce members and other users shall use careful consideration to access and obtain
only the type and amount of health information necessary to carry out the specified
purpose.
4. Practice’s Security Officer is responsible for determining and granting the appropriate
access to electronic protected health information.
5. All workforce members shall be trained regarding appropriate access to
electronic protected health information, including awareness of information access
controls.
Procedure
1. Isolating Healthcare Clearinghouse Function
a. The Practice contracts with Misys Healthcare Systems, which in turn contracts the
clearinghouses the Practice is obligated to use under Misys’s requirements.
2. Access Authorization
a. The documented process for granting access to the Practice’s information systems
that contain EPHI includes:
1. Procedures for granting different levels of access to the Practice’s information
systems containing EPHI. (See Access Authorization Worksheet)
P10
INFORMATION ACCESS MANAGEMENT POLICY AND PROCEDURE
Procedure (continued)
2. The Practice will regularly review and revise, as necessary, authorization of
access to information systems containing EPHI.
3. Based on the employee’s job description, the employee will be assigned by the
Security Officer an appropriate access control and authorization.
4. Access to the Practice’s information systems containing EPHI will be
authorized only for workforce members having a need for specific information
in order to accomplish a legitimate task.
5. If a person’s duties, role, function, or responsibilities change, the access
permissions of that person will be re-evaluated.
3. Access Establishment and Modification
a. The Practice will review and modify access authorization to its workforce members
when changes occur and as otherwise deemed necessary.
b. Only properly authorized and trained workforce members may access information
systems containing EPHI.
c. Access to Practice’s information systems containing EPHI is limited to workforce
members who have a need for specific EPHI in order to perform their job
responsibilities.
P11
HIPAA SECURITY
ACCESS AUTHORIZATION WORKSHEET

User roles: Providers; Nursing staff; Medical assistants; Front office; Billing department;
Collections department; Medical records; Billing/Office mgr.

Access columns: Complete Access | Patient Records | Billing | Accounts Receivable | Scheduling |
Transcript | Letters and documents | n/a

Employees listed:
Karri L. Krendl
Tracy L. Sharp
Elise D. Clark
Diana Wurst
Brenda Alt
Robbin Clark
Trina Miller
Sharon Kleman
Angela Hefner
Kelly Ward
Rene Matthiu
Bonnie Rondot
Megan Anspach
Megan Berelsman
Hannah Hobbler

(The per-employee "X" marks in the access columns did not survive extraction; only the column
headings and the employee list are recoverable from this worksheet.)
P12
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Implementation Specifications covered under this standard:
• Security Reminders
• Protection from Malicious Software
• Log-in Monitoring
• Password Management
Purpose
This policy reflects the Practice’s commitment to provide regular security awareness and training
to its workforce members.
Policy
1. All Practice workforce members will be provided with sufficient regular training and
supporting reference materials to enable them to appropriately protect Practice
information systems.
2. System users shall receive training regarding:
a. Protection from malicious software (including virus protection);
b. Periodic security updates;
c. Log-in; and
d. Password management.
3. The Practice’s Security Official is responsible for the development and delivery of security
training.
4. The Practice’s Security Official will periodically send out security reminders to make
workforce members, as well as agents and contractors, if necessary, aware of security
concerns and initiatives on an ongoing basis.
5. Security training policies and procedures may be amended from time to time as necessary
to comply with all applicable laws and regulations as well as business associate
agreements.
P13
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Policy (continued)
6. At a minimum, the Practice’s malicious software prevention, detection and reporting
process will include:
a. Installation and regular updating of anti-virus software on all Internet-connected
information systems.
b. Examination of data on electronic media and data received over networks to ensure
that it does not contain malicious software.
c. The examination of all electronic mail attachments and data downloads for malicious
software before use on facility information systems.
d. Procedures for members of the workforce to report suspected or known malicious
software.
e. An appropriate disaster recovery plan for recovering from malicious software attacks.
f. Procedures to verify that all information relating to malicious software is accurate and
informative.
g. Procedures to ensure that the Practice’s workforce members do not modify web
browser security settings without appropriate authorization.
h. Procedures to ensure that unauthorized software is not installed on the Practice’s
information systems.
7. Access to all the Practice’s information systems must be via a secure log-in process.
Procedures
1. Security training will be based on workforce member’s job responsibilities, and be
applicable to member’s daily tasks.
2. On a regular basis, the Practice will provide all of its workforce members information and
reminders on topics including, but not limited to:
a. Information security policies.
b. Significant information security controls and processes.
c. Significant risks to the Practice’s information systems and data.
d. Security legal and business responsibilities (e.g. HIPAA, business associate contracts).
e. Overall discussion of threats and vulnerabilities specific to electronic protected health
information.
f. Information access control.
g. Personnel clearance levels.
h. Incident reporting.
i. Viruses and other forms of malicious software.
j. User log-in.
k. HIPAA and organizational privacy and security rules, policies and procedures, and the
sanctions, and civil and criminal penalties prescribed for wrongful actions.
P14
SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Procedure (continued)
3. The Practice’s Security Officer is responsible for ensuring that workforce members receive
regular security information and awareness.
4. The Practice’s information system log-in process includes the following:
a. Record unsuccessful log-in attempts.
b. After a specific number of failed log-in attempts, enforce a time delay before further
log-in attempts are allowed or reject any further attempts without authorization from
an appropriate Practice employee.
c. Limit the maximum time allowed for the log-in procedure.
5. The Practice’s password management system:
a. Requires the use of individual passwords to maintain accountability.
b. Where appropriate, allows workforce members to select and change their own
passwords.
c. Requires unique passwords that meet the standards defined by the Practice.
d. Requires regular password changes.
e. Does not display passwords in clear text when they are being input into an application.
f. Requires the changing of default vendor passwords following installation of software.
6. The Practice’s password creation standards require the following:
a. Passwords must have a minimum length of six characters.
b. Passwords must not be based on something that can be easily guessed or obtained
using personal information (e.g. names, favorite sports team, etc.)
c. Passwords must be composed of a mix of numeric and alphabetical characters.
7. The Practice’s password management training and awareness includes the following
information:
a. The importance of keeping passwords confidential and not sharing them with those
who ask.
b. The need to avoid maintaining a paper record of passwords, unless the record can be
stored securely.
c. Changing passwords whenever there is any indication of possible information system
or password compromise.
d. The importance of not using the same password for personal and business accounts.
e. The importance of changing passwords at regular intervals and avoiding re-using old
passwords.
f. Changing temporary passwords at the first log-in.
g. Not including passwords in any automated log-on process.
h. Ensuring that all employees understand that all activities involving their user
identification and password will be attributed to them.
See Practice Password Policy.
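Procedure item 4 above (record unsuccessful log-in attempts, enforce a delay after a set number of failures) and Procedure items 7 and 8 of the Security Management Process (reports run as needed and monitored on an exception basis, with suspicious activity investigated) describe a mechanism that is easier to see in code than in prose. The following monitor is an added example written for this page; it is not part of the Practice's policy or of any vendor product. The failure threshold (5), the 15-minute window, the 30-second doubling delay, the 07:00 to 19:00 business hours, and the sample audit trail are all assumptions made for the illustration.

```python
"""Log-in monitoring and exception-based activity review (added example, not part of the policy)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILURES = 5                        # assumed threshold; the policy leaves the number to the Practice
FAILURE_WINDOW = timedelta(minutes=15)  # assumed: older failures no longer count toward the threshold
BASE_DELAY = timedelta(seconds=30)      # assumed: the enforced delay doubles with each further failure
BUSINESS_HOURS = (7, 19)                # assumed: successful log-ins outside 07:00-19:00 are reported

# Constructed sample audit trail: "timestamp user SUCCESS|FAIL source". Not real data.
SAMPLE_LOG = """\
2024-03-04T08:02:11 frontdesk1 SUCCESS ws-01
2024-03-04T08:05:40 billing2 FAIL ws-07
2024-03-04T08:05:52 billing2 FAIL ws-07
2024-03-04T08:06:03 billing2 SUCCESS ws-07
2024-03-04T22:41:09 nurse3 SUCCESS vpn
2024-03-05T02:10:01 office-mgr FAIL vpn
2024-03-05T02:10:05 office-mgr FAIL vpn
2024-03-05T02:10:09 office-mgr FAIL vpn
2024-03-05T02:10:14 office-mgr FAIL vpn
2024-03-05T02:10:20 office-mgr FAIL vpn
2024-03-05T02:10:31 office-mgr FAIL vpn
2024-03-05T02:11:02 office-mgr FAIL vpn
"""


class LoginMonitor:
    """Records every attempt (4.a), enforces a growing delay once the failure threshold
    is reached (4.b), and reports only exceptions for the Security Officer's review."""

    def __init__(self) -> None:
        self.failures: Dict[str, List[datetime]] = defaultdict(list)
        self.locked_until: Dict[str, datetime] = {}
        self.events: List[Tuple[datetime, str, str, str, str]] = []

    def attempt(self, ts: datetime, user: str, succeeded: bool, source: str) -> str:
        """Process one log-in attempt and return the outcome that was recorded."""
        detail = ""
        if ts < self.locked_until.get(user, ts):
            # Still inside an enforced delay: refuse without evaluating the credentials.
            outcome = "REJECTED_DURING_DELAY"
        elif succeeded:
            self.failures[user].clear()
            outcome = "SUCCESS"
        else:
            recent = [t for t in self.failures[user] if ts - t <= FAILURE_WINDOW]
            recent.append(ts)
            self.failures[user] = recent
            if len(recent) >= MAX_FAILURES:
                delay = BASE_DELAY * 2 ** (len(recent) - MAX_FAILURES)
                self.locked_until[user] = ts + delay
                outcome = "FAIL_DELAY_ENFORCED"
                detail = (f"{len(recent)} failures within {FAILURE_WINDOW}, "
                          f"next attempt allowed at {self.locked_until[user].isoformat()}")
            else:
                outcome = "FAIL"
        self.events.append((ts, user, outcome, source, detail))
        return outcome

    def exception_report(self) -> List[str]:
        """Lines for the events that need a human look ('monitored on an exception basis')."""
        report = []
        for ts, user, outcome, source, detail in self.events:
            if outcome == "FAIL_DELAY_ENFORCED":
                report.append(f"{ts.isoformat()} {user} from {source}: {detail}")
            elif outcome == "SUCCESS" and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                report.append(f"{ts.isoformat()} {user} from {source}: successful log-in outside business hours")
        return report


def replay(log_text: str) -> LoginMonitor:
    """Feed an audit trail in the SAMPLE_LOG format through a monitor."""
    monitor = LoginMonitor()
    for line in log_text.strip().splitlines():
        ts, user, result, source = line.split()
        monitor.attempt(datetime.fromisoformat(ts), user, result == "SUCCESS", source)
    return monitor


if __name__ == "__main__":
    for line in replay(SAMPLE_LOG).exception_report():
        print(line)
```

Two of the twelve sample events (the two billing2 failures followed by a success) never reach the report, which is the point of exception-basis review: the Security Officer sees the account that hit the threshold at 02:10 and the after-hours VPN log-in, not every line. Attempts made during an enforced delay are refused before the password is checked, so they neither extend the lockout nor leak whether the password was right.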
P15
PASSWORD POLICY
The following procedure has been adopted by the Practice concerning passwords:
1. All computer systems will require each user to have a unique user ID and password.
2. Inactive accounts will be deleted immediately upon an employee’s termination or when
their job function no longer requires that system access.
3. Passwords will be stored securely.
4. Employees may not disclose their password to anyone else or permit anyone else to
access information through their password.
All user-defined passwords must adhere to the following company password procedures:
1. Changed at minimum every 180 days.
2. Not be one of the last four passwords previously used.
3. Be between 6 and 9 characters long, of which at least one must be a numeric character.
4. Not be commonly used words, names, initials, birthdays, or phone numbers.
5. All passwords must be promptly changed if they are suspected of being disclosed, or
known to have been disclosed.
6. Passwords must not be displayed on system entry or recorded in audit trails.
Passwords should not be any of the following:
1. Dictionary words (including foreign and technical dictionaries).
2. Anyone’s or anything’s name.
3. A place.
4. A proper noun.
5. A phone number.
6. Passwords of the same character.
7. Simple pattern of letters on keyboards.
8. Any of the above reversed or concatenated.
9. Any of the above with digits pre-pended or appended.
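The rules in this Password Policy can be enforced mechanically at password-change time rather than left to the user. The checker below is an added example written for this page, not part of the Practice's policy or any vendor software. The forbidden-word list is a constructed, deliberately tiny stand-in for the dictionary, name and place lists the policy refers to; the keyboard rows, the four-character pattern length and the way "reversed or concatenated" is tested are illustrative assumptions.

```python
"""Checker for the Practice's password procedure (added example, not part of the policy)."""
import re
from datetime import date
from typing import Iterable, List

# Constructed, deliberately tiny stand-in for the dictionary, name and place lists
# the policy refers to. A real deployment would load full word lists (assumption).
FORBIDDEN_WORDS = {
    "password", "welcome", "summer", "lima", "ohio", "bonnie", "karri",
    "doctor", "clinic", "medical", "family", "practice",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LEN, MAX_LEN = 6, 9     # "between 6 and 9 characters long"
HISTORY_DEPTH = 4           # "not one of the last four passwords"
MAX_AGE_DAYS = 180          # "changed at minimum every 180 days"


def _core(pw: str) -> str:
    """Lower-case and strip leading/trailing digits so that 'Bonnie99' is judged
    as 'bonnie' (rule 9: a listed word with digits pre-pended or appended)."""
    return pw.lower().strip("0123456789")


def _is_listed(word: str) -> bool:
    """True if the word, its reverse, or a concatenation of two listed words
    (each possibly reversed) appears on the forbidden list (rules 1-4 and 8)."""
    if not word:
        return False
    if word in FORBIDDEN_WORDS or word[::-1] in FORBIDDEN_WORDS:
        return True
    for i in range(2, len(word) - 1):
        left, right = word[:i], word[i:]
        if {left, left[::-1]} & FORBIDDEN_WORDS and {right, right[::-1]} & FORBIDDEN_WORDS:
            return True
    return False


def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """Rule 7: simple keyboard patterns such as 'qwer', 'asdf', '1234' and their reverses."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def _is_phone_number(pw: str) -> bool:
    """Rule 5: seven- or ten-digit strings, with or without the usual separators."""
    digits = re.sub(r"[\s().-]", "", pw)
    return digits.isdigit() and len(digits) in (7, 10)


def check_password(pw: str, history: Iterable[str] = ()) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means it is acceptable.
    'history' holds previous passwords, oldest first. A real system would compare
    salted hashes of old passwords rather than keep the passwords themselves."""
    problems: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"must be {MIN_LEN}-{MAX_LEN} characters long")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain at least one numeric character")
    if not any(c.isalpha() for c in pw):
        problems.append("must contain alphabetic characters")
    if len(set(pw)) == 1:
        problems.append("all characters are the same")
    if _is_phone_number(pw):
        problems.append("looks like a phone number")
    if _has_keyboard_run(pw):
        problems.append("contains a simple keyboard pattern")
    if _is_listed(_core(pw)):
        problems.append("based on a dictionary word, name or place")
    if pw in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(last_changed: str, today: str) -> bool:
    """Rule 1: the password must be changed at least every 180 days (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("Bonnie99", "99einnob", "qwerty12", "5559917805", "ohiolima1", "Rx7tango"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker enforces the procedure as written. One caveat a reviewer of this policy would raise: capping passwords at 9 characters and requiring only a single digit keeps every permitted password inside the range an offline guessing attack covers quickly, and current guidance (NIST SP 800-63B) favours allowing long passphrases and screening candidates against lists of breached passwords over composition and scheduled-rotation rules. Of the rules above, the 9-character ceiling is the one to revisit first.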
P16
SECURITY INCIDENT PROCEDURES POLICY AND PROCEDURES
Purpose
This policy reflects the Practice’s commitment to implementing policies and procedures for
detecting and responding to security incidents.
Policy
The Practice has applied and will apply appropriate sanctions against members of its workforce
who fail to comply with the privacy and security policies and procedures of the Practice.
Procedures
1. The Security Officer, in conjunction with the office manager, will investigate any
allegations of wrongful actions and determine and apply the appropriate sanction(s) in
conjunction with the established disciplinary policies of the Practice.
2. All investigations and sanctioning actions will be documented by the Security Officer or
office manager.
3. All sanctioning of workforce members will be documented and retained for a period of at
least 6 years from the date of its creation or the date when it was last in effect, whichever
is later.
P17
CONTINGENCY PLAN POLICY AND PROCEDURES
Implementation Specifications covered under this standard:
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
• Testing and Revision Procedures
• Applications and Data Criticality Analysis
Purpose
The Practice is committed to maintaining formal practices for responding to an emergency
or other occurrence that damages systems that contain electronic protected health
information.
As such, the Practice is committed to effectively prepare for and respond to emergencies or
disasters in order to protect the confidentiality, integrity and availability of its
information systems.
Policy
1. The Contingency Plan serves as the master plan for responding to system emergencies,
ensuring continuity of operation during an emergency, and recovering from a disaster.
The Process will include:
a. Regular analysis of the criticality of Practice information systems.
b. Development and documentation of a disaster and emergency recovery strategy
consistent with the Practice’s business objectives and priorities.
c. Development and documentation of an emergency mode operations plan that is in
accordance with the above strategy.
d. Regular testing and updating of the disaster recovery and emergency mode operations
plans.
2. The Contingency plan will be reviewed, tested and updated as necessary.
3. The Security Officer is responsible for reviewing and updating the Contingency Plan and
all related policies and procedures.
4. All employees shall be trained regarding the Contingency Plan.
5. Contingency plan policies and procedures may be amended from time to time as necessary
to comply with all applicable regulations.
P18
Procedures
1. See the Practice’s Contingency Plan located on page 21.
2. The Practice’s backup, disaster recovery and emergency mode operations plan includes:
a. All critical information systems and electronic media will be backed up.
b. The order in which information systems will be recovered is as follows:
- Power and utilities
- All communication devices and software
- EMR systems
- Scheduling
- Billing and Collections
- All other Systems
c. The procedure(s) for allowing appropriate employees physical access to Practice
facilities so that they can implement recovery procedures in the event of a disaster
have been directly communicated to those affected employees. Any questions or
concerns during such events should be directed toward the office manager.
d. Based on the risk analysis, the responsible person(s) will manually back up the data
sets as determined. The backups will be inspected to ensure that their contents are
exact copies of the information archived and that they are functioning properly (the
backup report indicates whether the backup was done successfully).
e. The responsible person(s), as identified by the Security Officer or Office Manager, will
store and secure the backups in a suitable container and location for such purpose.
f. In the event of data loss, the authorized person(s) will retrieve the latest copy of the
Practice’s backed up data from the secure location. In the event that the necessary
data set(s) have not been archived, efforts will be made through formal channels to
collect the data.
g. In the order of pre-determined criticality, these person(s) will call our tech support,
who will assist us in the retrieval of backed up information.
P19
Procedures (continued)
3. The Practice will conduct regular testing of its contingency plan to ensure that it is current
and operative.
a. The Contingency Plan will be revised to address any deficiencies discovered during the
testing activities, focusing on improvements to role and responsibility definitions,
processes, practices and strategies.
b. Testing and revisions will be performed as needed or when there are significant changes to
the environment.
P20
Task/Systems | Criticality Rating (1-10) | Individual to Notify | Person Responsible for Follow-up | Restoration/Emergency Procedures to Follow

Data Backup (all back up tapes to be kept in locked box, which is by main server)
Performance of daily backup | 1 | Check out | Check out |
Tape rotation | 1 | Check out | Check out |
Off site storage | 1 | Check out | Check out |

Disaster Recovery / Restoration Strategy
Scheduling | 3 | Check out | Office mgr. | Call support
Medical records | 1 | Clerical | Office mgr. | Call support
Telephone system | 1 | Clerical | Office mgr. | Call support
Internet connection | 10 | Billing mgr. | Office mgr. | Call support
Lab results | 5 | Clinical | Office mgr. | Call lab
Billing | 1 | Billing mgr. | Office mgr. | Call support
Word processing | 10 | Clerical | Office mgr. | Call support

Emergency Mode Operations (Emergency Procedures to Follow When System(s) is Down)
Computer system down | 3 | Clerical | Office mgr. | Call support
Scheduling system down | 3 | Clerical | Office mgr. | Call support
Power outage | 3 | Clerical | Office mgr. | Call power company
Individual desk top computers down | n/a | Clerical | |
Printer malfunctions | 2 | Billing mgr. | Office mgr. | Call support
Internet connection fails | 10 | Office mgr. | Office mgr. | Call support
Theft of computer | 1 | Office mgr. | Dr. Krendl | Call police

Data Criticality: See Practice's policies and procedures
P21
EVALUATION POLICY AND PROCEDURE
Purpose
The Practice will conduct regular evaluations of its security controls and processes to document
compliance with its security policies and the HIPAA Security Rule.
Policy
1. The Practice will have a technical and non-technical evaluation performed to establish the
extent to which its computer systems and networks meet security requirements. The initial
basis for security requirements will be the HIPAA Final Security Rule.
2. The evaluation will be carried out by appropriate Practice Employees that have the
appropriate skills and experience.
Procedures
1. A system evaluation will be performed on an as needed basis. The decision to conduct an
evaluation will be made by the Security Officer, the office manager or Practice physician(s)
subject to environmental or operational changes.
2. The evaluation will include:
a. A detailed review of the Practice’s security policies, procedures and standards to
determine whether they are effective and appropriate.
b. Identification of the risks to Practice information systems.
c. Assessment of the appropriateness of Practice security controls to the risks to
Practice information systems and EPHI.
d. Testing of all significant Practice security controls to ensure that hardware and
software controls have been correctly implemented. Such testing must be carried
out only by authorized and appropriately trained persons.
P22
BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENT POLICY AND
PROCEDURES
Implementation Specifications covered under this standard:
- Written Contract or Other Arrangement
Purpose
The purpose of this policy is to outline the requirements for all business associates of the
Practice.
The Privacy and Security Rule permits a covered entity to disclose protected health information
to a business associate who performs a function or activity on behalf of, or provides a service to
the covered entity that involves the creation, use, or disclosure of, protected health information,
provided that the covered entity obtains satisfactory assurances that the business associate will
appropriately safeguard the information.
This policy serves to outline the safeguards that will be taken.
Policy
1. All business associate agreements must be documented and must follow the standard
business associate agreement of the Practice.
2. Business associate agreements will contain assurances from the business associate that it
will:
a. Not use or disclose protected health information other than as permitted by the
agreement or required by law;
b. Use appropriate safeguards to protect the confidentiality of the information;
c. Report to the Practice any use or disclosure not permitted by the agreement;
d. Ensure that any of its agents or subcontractors will agree to the same restrictions
and conditions as the business associate;
e. Make available to the Practice any information necessary for the Practice to
comply with the patients’ rights to access, amend and receive an accounting of
disclosures of their protected health information;
f. Make available to the secretary of DHHS the business associate’s internal
practices, books and records relating to the use and disclosure of the protected
health information; and
P23
Policy (continued)
g. Return or destroy the information once the contract is terminated, if feasible. If it
is not possible to return or destroy the information because of other obligations or
legal requirements, the protections of the agreement must apply until the
information is returned or destroyed, and no other uses or disclosures may be made
except for the purposes that prevented the return or destruction of the information.
3. Satisfactory assurances will be obtained from the business associate in the form of a
written contract; and
4. Where the Practice knows of a material breach or violation by the business associate of
the contract or agreement, the Practice will take reasonable steps to cure the breach or
end the violation, and if such steps are unsuccessful, to terminate the contract or
arrangement. If termination of the contract or arrangement is not feasible, the Practice
will report the problem to the US Secretary of Health and Human Services.
Additionally, the business associate will:
5. Implement administrative, physical and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity and availability of EPHI that it creates,
receives, maintains, or transmits on behalf of the Practice.
6. Ensure that any agent or subcontractor to whom it provides such information agrees to
implement reasonable and appropriate safeguards.
7. Report to the Practice any security incidents of which it becomes aware.
Procedures
1. The Practice will identify all business associates using the forms located under the Forms
tab.
2. The Practice will obtain a signed document from all business associates as outlined on pages 25
to 28.
P24
April 10, 2005
VENDOR:
OFFICE ADDRESS:
Dear VENDOR:
In an effort to comply with the business associate contract requirements of the Privacy and
Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
we have enclosed a supplement to our agreement as outlined by the Department of Health and
Human Services in the Final HIPAA privacy and security standards. This supplement serves as
an addendum to agreements currently in place or any agreements that may be signed in the
future.
During the terms of our agreements, VENDOR may receive from Family Physicians of Lima or
may create on behalf of the Practice, certain confidential health information (PHI) that is
protected under state or federal law including the Health Insurance Portability and
Accountability Act. Through this addendum, VENDOR represents that you have policies and
procedures in place that will adequately safeguard any PHI you receive or create, consistent with
applicable laws and regulations, specifically HIPAA.
If you have any questions, please feel free to contact us at (419) 991-7805.
Sincerely,
Bonnie Spiers,
HIPAA Security Officer
P25
Obligations and Activities of VENDOR, Related to Electronic Protected Health
Information (PHI)
1. VENDOR agrees to not use or disclose Protected Health Information (PHI) other than as
permitted or required under our Agreement(s) or as required by Law.
2. VENDOR agrees to use appropriate safeguards to prevent use or disclosure of PHI other than
provided for by our Agreement(s).
3. VENDOR agrees to implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability to the
electronic protected health information that it creates, receives, maintains, or transmits on
behalf of the covered entity.
4. VENDOR agrees to mitigate, to the extent practicable, any harmful effect that is known by
VENDOR of a use or disclosure of PHI by us in violation of the requirements of our
Agreement(s), and report any security incidents of which it becomes aware.
5. VENDOR agrees to report to the Practice any use or disclosure of the PHI not provided for by
our Agreement(s).
6. VENDOR agrees to ensure that any agent, including a subcontractor, to whom it provides
PHI received from, or created or received by VENDOR on behalf of the Practice, agrees to the
same restrictions and conditions that apply through our Agreement(s) to VENDOR including
implementing reasonable and appropriate safeguards with respect to such information.
7. VENDOR agrees to provide access, at the request of the Practice, and in the time and manner
designated by the Practice, to PHI in a Designated Record Set, to the Practice.
8. VENDOR agrees to make any amendment(s) to PHI in a Designated Record Set that the
Practice directs or agrees to at the request of the Practice or an Individual, and in the time
and manner designated by the Practice.
9. VENDOR agrees to make internal practices, books and records relating to the use and
disclosure of PHI received from, or created or received by VENDOR on behalf of, the Practice
available to the Practice, or at the request of the Practice to the Department of Health and
Human Services’ Secretary, in a time and manner designated by the Practice or the
Secretary, for purposes of the Secretary determining the Practice’s compliance with the
Privacy Rule.
10. VENDOR agrees to document such disclosures of PHI and information related to such
disclosures as would be required by the Practice to respond to a request by an Individual for
an accounting of disclosures of PHI.
11. VENDOR agrees to provide to the Practice, in the time and manner designated by the Practice,
information collected to permit the Practice to respond to a request by an Individual for an
accounting of disclosures of PHI.
12. To the extent possible, upon termination of this agreement, VENDOR shall return or destroy
all PHI received from the Practice, or created or received by VENDOR on behalf of the
Practice. This provision shall apply to PHI that is in the possession of subcontractors or
agents of VENDOR.
P26
However, VENDOR may determine that returning or destroying the PHI is infeasible due to
professional requirements. Therefore, VENDOR extends the protections of our Agreement(s) to
such PHI and limits further uses and disclosures of such PHI to those purposes that make the
return or destruction infeasible, for so long as VENDOR maintains such PHI.
The Practice may terminate the contract if we determine that the vendor has violated a material
term of the contract.
Permitted Uses and Disclosures by VENDOR:
1. Except as otherwise limited in this Agreement, VENDOR may use PHI for the proper
management and administration of VENDOR or to carry out the legal responsibilities of
VENDOR.
2. Except as otherwise limited in our Agreement(s), VENDOR may use or disclose PHI to
perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in
our Agreement(s) provided that such use or disclosure would not violate the Privacy Rule if
done by the Practice.
3. Except as otherwise limited in our Agreement(s), VENDOR may disclose PHI for the proper
management and administration of VENDOR, provided that disclosures are required by law,
or VENDOR obtains reasonable assurances from the person to whom the information is
disclosed that it will remain confidential and be used or further disclosed only as required by law
or for the purpose for which it was disclosed to the person, and the person notifies VENDOR
of any instances of which it is aware in which the confidentiality of the information has been
breached.
Signed: ___________________________________________________ Date: _________________________
P27
Business Associate Worksheet

Business Associate | Contract: Y/N? | Contact Name | Contact Phone | Service Provided | Do they receive PHI? | Contract Addendum mailed? | Contract Addendum signed?
Lima Pathology | Y | Lola Youngpeter | 419-226-9595 | Lab pick up | Yes | Yes |
Xerox | Y | Jill James | 877-292-3051 | Copier/printer | No | Yes |
Perry Corp. | Y | John Zerante | 419-234-4963 | Copier | No | Yes |
Office World | Y | John Freund | 419-991-4694 | Copier | No | Yes | n/a
DR Management | N | Ton Nelson | 877-490-8187 | Hardware support | No | Yes |
DR Management | N | Chloe Jeffers | 260-437-0045 | Practice auditor | Yes | Yes |
Clayton Scroggins | Y | Paula Badovick | 800-488-5742 | Financial advisor | No | Yes |
Midwest Phys GPO | N | Byron Selden | 614-863-0989 | Brace supplier | No | Yes |
Lighthouse Digital | N | Mike Mitchell | 419-339-0022 | Phone system | No | Yes |
USPS | N | | 419-224-5801 | Postal delivery | No | Yes |
Fed Ex | N | | 800-463-3339 | Delivery | No | Yes |
UPS | N | | 419-227-3600 | Delivery | No | Yes |
Washam | N | | 419-549-0882 | Utilities | No | Yes |
P28
FACILITY ACCESS CONTROLS POLICY AND PROCEDURES
Implementation Specifications covered under this Standard:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
Purpose
The Practice is committed to maintaining formal procedures to limit physical access to its
electronic information systems and the facility or facilities in which they are housed, while
ensuring that properly authorized access is allowed.
Policy
1. The Practice will protect the confidentiality, integrity, and availability of its information
systems by preventing unauthorized physical access to, tampering with, and theft of the systems
and the facilities in which they are located, while ensuring that properly authorized
access is allowed.
2. The Facility information systems containing EPHI will be physically located in areas
where unauthorized access is minimized.
3. The Practice Security Officer is responsible for reviewing and updating the Facility
Security Plan and all related policies and procedures.
Procedures
1. The Practice will ensure that, in the event of a disaster or emergency, appropriate persons
can enter its facility to take necessary actions defined in its contingency Disaster Recovery
and Emergency Mode Operations Plans.
2. All access rights to the Practice processes and controls which protect EPHI are clearly
defined. Such rights are provided only to Practice employees having a need for specific
access in order to accomplish a legitimate task related to contingency operations.
3. The Practice security plan is based on the Practice’s risk assessment, that assesses the
risks to the Practice facilities and the information systems contained within.
4. As part of that risk assessment, we have evaluated and addressed:
- Unauthorized access to information systems
- Tampering or theft of information systems
- Exterior premises of Facility site (doors, windows, locks and alarms)
- Reception area/waiting room access
- Interior premises of Practice
- Access controls
- Equipment security including workstations, servers and PDA’s
- Smoke detectors and fire alarms
- Power surge protectors
P29
5. The Practice will determine and document all areas considered sensitive due to the nature
of the EPHI that is stored or available within them, for example Medical Records.
6. After documenting sensitive areas, access rights to such areas will be given only to
workforce members who have a need for specific physical access in order to accomplish a
legitimate task.
7. Receiving visitors:
- The Practice will ensure that each visitor is appropriately greeted and identified.
- If appropriate, the Practice will notify the applicable personnel that a visitor has
arrived.
- If an escort is required for the visitor, the appropriate personnel will accompany the
visitor to the desired destination.
8. Escorting Visitors:
- The appropriate personnel will escort the visitor to the appropriate destination,
ensuring that personnel are alerted to the visitor’s presence as appropriate.
- During the escort process, the appropriate personnel will make sure that all protected
health information (e.g., documents, workstation screens) is not in view of visitors
unauthorized to read such protected health information.
- The appropriate personnel will remain with the visitor throughout the visit until
departure, or escort the visitor from point to point within the facility as required until
departure.
- The Practice will document all repairs and modifications to the physical components of
its facilities that are related to the security of EPHI.
- The Practice will conduct a periodic inventory of all the physical components of its
facilities that are related to the protection of EPHI. Inventory results must be
documented and stored in a secure manner.
P30
WORKSTATION USE POLICY AND PROCEDURES
Purpose
This policy reflects the Practice’s commitment to appropriately use and protect its workstations.
Policy
1. Workforce members shall use workstations in a manner appropriate to the
sensitivity of the information contained therein, so as to minimize the possibility of
unauthorized access to such information.
2. Workstations will only be used for authorized purposes.
3. All workforce members who use the Practice workstations must take all reasonable
precautions to protect the confidentiality, integrity, and availability of EPHI contained on
the workstations.
4. Workforce members must not use the Practice’s workstations to engage in any activity
that is either illegal under local, state, federal, or international law or is in violation of
Practice policy.
5. Activities that workforce members must not perform while using Practice workstations
include, but are not limited to:
a. Violations of the rights to privacy of protected healthcare information of The
Practice’s patients.
b. Violations of the rights of any person or company protected by copyright, trade
secret, patent, or other intellectual property or similar laws or regulations. This
includes, but is not limited to, inappropriately licensed software products.
c. Unauthorized copying of copyrighted material, including but not limited to
digitization and distribution of photographs from magazines, books, or other
copyrighted sources and copyrighted music.
d. Purposeful introduction of malicious software onto a workstation or network (e.g.,
viruses, worms, Trojan horses).
e. Actively engaging in procuring or transmitting material that is in violation of The
Practice’s sexual harassment or hostile workplace policies.
f. Making fraudulent offers of products, items, or services.
g. Purposefully causing security breaches. Security breaches include, but are not
limited to, accessing electronic data that the workforce member is not authorized to
access or logging into an account that he or she is not authorized to access.
P31
Policy (continued)
h. Performing any form of network monitoring that will intercept electronic data not
intended for the workforce member.
i. Circumventing or attempting to avoid the user authentication or security of any Practice
workstation or account.
6. Access to all Practice workstations containing EPHI must be controlled with a username
and password.
7. Practice workforce members must not share passwords with others. If a Practice
workforce member believes that someone else is inappropriately using a user-ID or
password, they must immediately notify the office manager.
8. Where possible, the initial password(s) issued to a new Practice workforce member are to
be valid only for the new user’s first logon to a workstation. At initial logon, the user
should be required to choose another password. Where possible, this same process must
be used when a workforce member’s workstation password is reset.
9. Practice workstations containing EPHI must be physically located in such a manner as to
minimize the risk that unauthorized individuals can gain access to them.
10. The display screens of all Practice workstations containing EPHI must be positioned such
that information cannot be readily viewed through a window, by persons walking in a
hallway, or by persons waiting in reception, public, or other related areas.
11. Security officer approved anti-virus software must be installed on workstations to prevent
transmission of malicious software. Such software must be regularly updated.
12. Workstations removed from Practice premises must be protected with security controls
equivalent to those for on-site workstations.
Procedures
1. All employees are to be trained regarding workstation use.
2. All employees are to sign the workstation use policy.
P32
EMPLOYEE WORKSTATION USE POLICY
1. All workforce members who use the Practice’s workstations must take all reasonable
precautions to protect the confidentiality, integrity, and availability of EPHI contained on
the workstations.
2. Workforce members must not use the Practice’s workstations to engage in any activity
that is either illegal under local, state, federal, or international law or is in violation of the
Practice policy.
3. Activities that workforce members must not perform while using the Practice’s
workstations include, but are not limited to:
a. Violations of the rights to privacy of protected healthcare information of the
Practice’s patients.
b. Violations of the rights of any person or company protected by any copyright, trade
secret, patent, or other intellectual property or similar laws or regulations. This
includes, but is not limited to, the installation or distribution of “pirated” or other
inappropriately licensed software products.
c. Unauthorized copying of copyrighted material, including but not limited to
digitization and distribution of photographs from magazines, books, or other
copyrighted sources and copyrighted music.
d. Purposeful introduction of malicious software onto a workstation or network (e.g.,
viruses, worms, Trojan horses).
e. Actively engaging in procuring or transmitting material that is in violation of the
Practice’s sexual harassment or hostile workplace policies.
f. Making fraudulent offers of products, items, or services.
g. Purposefully causing security breaches. Security breaches include, but are not
limited to, accessing electronic data that the workforce member is not authorized to
access.
h. Performing any form of network monitoring that will intercept electronic data not
intended for the workforce member.
i. Circumventing or attempting to avoid the user authentication or security of any Practice
workstation or account.
4. Access to all Practice workstations containing EPHI must be controlled with a username
and password or an access device such as a token.
5. Practice workforce members must not share passwords with others. If a Practice
workforce member believes that someone else is inappropriately using a user-ID or
password, they must immediately notify their manager.
6. Where possible, the initial password(s) issued to a new Practice workforce member must
be valid only for the new user’s first logon to a workstation. At initial logon, the user must
be required to choose another password. Where possible, this same process must be used
when a workforce member’s workstation password is reset.
7. Practice workstations containing EPHI must be physically located in such a manner as to
minimize the risk that unauthorized individuals can gain access to them.
P33
8. The display screens of all Practice workstations containing EPHI must be positioned such
that information cannot be readily viewed through a window, by persons walking in a
hallway, or by persons waiting in reception, public, or other related areas.
9. Security officer approved anti-virus software must be installed on workstations to prevent
transmission of malicious software. Such software must be regularly updated.
10. Workstations removed from the Practice’s premises must be protected with security
controls equivalent to those for on-site workstations.
Signed ________________________________________________ Date _____________________
P34
WORKSTATION SECURITY POLICY AND PROCEDURE
Purpose
This policy reflects the Practice’s commitment to prevent unauthorized physical access to
workstations that can access EPHI.
Policy
1. Physical safeguards will be implemented for all workstations that access electronic
protected health information, to restrict access to authorized users.
2. All persons who engage in the use of workstations shall be trained on the proper functions
to be performed and the manner in which those functions are to be performed, in
accordance with Practice policies and procedures.
Procedures
1. Practice workstations containing EPHI are to be located in locations that minimize the
risk of unauthorized access to them.
2. Practice workforce members must take reasonable measures to prevent viewing EPHI on
workstations by unauthorized persons. Such measures include but are not limited to:
a. Locating workstations and peripheral devices (printer, modem, scanner, etc.) in
secured areas not accessible to unauthorized persons.
b. Positioning monitors or shielding workstations so that data shown on the screen is
not visible to unauthorized persons.
3. Practice workforce members must immediately report loss or theft of any access device
(such as pass card or ID number) that allows them physical access to Practice areas
having workforce workstations that can access EPHI.
4. All Practice portable workstations (laptops) must be securely maintained when in the
possession of employees.
P35
DEVICE AND MEDIA CONTROLS POLICY AND PROCEDURE
Implementation Specifications covered under this standard:
- Disposal
- Media Re-use
- Accountability
- Data Backup and Storage
Purpose
The Practice will maintain formal practices to monitor the receipt and removal of hardware and
electronic media that contain electronic protected health information into and out of the Practice,
and the movement of these items within the Practice.
Policy
1. Information systems to which this policy applies include: computers (both desktop and
laptop), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard drives and PDAs.
2. Access to information systems containing EPHI must be provided only to authorized Practice
workforce members who have a need for specific access in order to accomplish a legitimate
task.
3. All hardware and other media containing EPHI will be properly cleansed prior to disposal
or reuse.
4. Practice workforce members must not attempt to access, duplicate or transmit electronic
media containing EPHI for which they have not been given appropriate authorization.
5. All Practice information systems containing EPHI must be located and stored in secure
environments that are protected by appropriate security barriers and entry controls. The
levels of these controls are commensurate with identified risks as outlined in the Risk
Assessment.
Procedure
1. An inventory record will be maintained by the Security Officer documenting all hardware
and software received into the facility that contains electronic protected health
information. (See Risk Analysis worksheet 1)
2. All Practice information systems and electronic media containing EPHI will be disposed of
properly when no longer needed for legitimate use.
P36
Procedure (continued)
3. Prior to disposal, the Practice will securely overwrite and/or physically destroy
components on which sensitive data is stored. The office manager, Security Officer or
their designee will verify and document that such sanitization steps have been completed.
4. An information system or electronic medium containing EPHI that is to be disposed of
permanently must be physically destroyed.
5. All EPHI on Practice electronic media must be removed before such media can be re-used.
Failure to remove EPHI could result in it being revealed to unauthorized persons. This
includes both EPHI received by the Practice and created with the Practice.
6. Practice employees and affiliates who move electronic media or information systems
containing EPHI are responsible for the subsequent use of such items and must take all
appropriate and reasonable actions to protect them against damage, theft, and
unauthorized access.
7. Backup copies of all EPHI on Practice electronic media and information systems must be
made regularly.
8. Backup of EPHI on the Practice information systems and electronic media, together with
accurate and complete records of the backup copies and documented restoration
procedures, will be stored in a secure remote location, at a sufficient distance from the
Practice facilities to escape damage from a disaster at the Practice.
P37
ACCESS CONTROL POLICY AND PROCEDURE
Implementation Specifications covered under this standard:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
Purpose
The Practice will maintain electronic protected health information to allow access only to those
persons or software programs that have been granted access rights.
Policy
1. Access for employees, agents, and contractors will only be given to those that have been
granted access rights as specified by the Security Officer.
2. Only authorized personnel shall access electronic data, including the hardware and/or
software on which the electronic PHI is stored.
3. Emergency Access procedures, if necessary, will be coordinated by the Office Manager.
4. Practice workforce members must end electronic sessions on information systems that
contain or can access EPHI when such sessions are completed, unless the information
system is secured by an appropriate locking method.
5. Based on the risk assessment, encryption of electronic protected health information is not
warranted.
Procedures
1. All individuals who have access to electronic protected health information will be given a
unique name and/or number.
2. The procedure(s) for allowing appropriate employees physical access to Practice facilities
so that they can implement recovery procedures in the event of a disaster have been
directly communicated to those affected employees. Any questions or concerns during
such events should be directed to the Office Manager.
3. All Practice computers will have automatic log offs that will terminate computer sessions
after a specified length of time.
P38
AUDIT CONTROLS POLICY AND PROCEDURES
Purpose
To maintain hardware, software, and/or procedural mechanisms that record and examine activity
in information systems that contain or use electronic protected health information.
Policy
The Practice will record and examine significant activity on its information systems that contain
or use EPHI.
The appropriate level and type of auditing that will be implemented has been determined by the
Practice’s risk analysis process.
Procedures
1. The Practice has implemented sufficient measures to assist in the monitoring and
examination process and to reduce the risk of misuse of EPHI. Some of these steps
include: the use of passwords, auto log offs, access controls, end-of-day reports, backup of
media devices, etc.
P39
INTEGRITY POLICY AND PROCEDURES
Implementation Specification covered under this standard:
• Mechanism to Authenticate Electronic Protected Health Information
Purpose
The Practice will maintain formal policies and procedures to protect electronic protected health
information from improper alteration or destruction. This includes mechanisms to corroborate
that electronic protected health information has not been altered or destroyed in an unauthorized
manner.
Policy
1. The Practice has systems, including hardware, software, documentation and people that
are designed to be conducive to maintaining data integrity. The Practice will examine
workflow, reliability, and correctness of system components, on an as needed basis, to
guard against unauthorized modification or destruction of data. The Practice will also
protect against environmental threats that would harm data, including air temperature
and humidity, fire suppression systems, or weather-related events.
2. The Practice will provide a means for employees to report suspected unauthorized data
modification or destruction.
Procedures
1. Based on the Practice's risk assessment and other security actions taken by the Practice,
including the use of passwords, logins, and outside IT technical assistance, the integrity of
the information systems and of the data within them is considered to be at low risk of
alteration or destruction.
2. Based on the risk assessment, the Practice will continue to monitor the performance of the
information systems, continue to utilize other security controls including passwords,
firewalls and access controls and continue to utilize outside vendors as necessary to
establish a secure environment.
P40
PERSON OR ENTITY AUTHENTICATION POLICY AND PROCEDURE
Purpose
The Practice will ensure that all persons or entities seeking access to Practice EPHI are
appropriately approved before access is granted.
Policy
The Practice will maintain a documented process for verifying the identity of a person or entity
before granting them access to EPHI.
Procedures
1. The Practice will utilize the following authentication mechanism to corroborate that an
individual is who they claim to be:
a. Use of Individual Passwords
P41
TRANSMISSION SECURITY POLICY AND PROCEDURE
Implementation Specifications covered under this standard:
• Integrity Controls
• Encryption
Purpose
The Practice will appropriately protect the confidentiality, integrity, and availability of all data
that it transmits over electronic communications networks.
Policy
1. The Practice will maintain Integrity Controls to ensure the validity of information that is
transmitted electronically over a communications network or stored electronically.
2. The Practice will utilize adequate access controls to protect sensitive communications
transmissions over open and private networks to ensure that such transmissions cannot
be easily intercepted and interpreted by parties other than the intended recipient.
3. The Practice’s risk analysis has indicated that it is not necessary to utilize encryption
software to protect the confidentiality, integrity and availability of Practice data
transmitted over electronic communications networks.
Procedures
When data that contains EPHI is transmitted, several precautions will be taken to ensure its
integrity, including:
a. Password protect Word files
b. Confirm receipt by telephone
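The Integrity standard above calls for a mechanism to corroborate that EPHI has not been altered or destroyed in an unauthorized manner, and the Transmission Security policy asks for Integrity Controls that give the same assurance for data sent over a network. The following is an added illustration of one such mechanism, written for this page; it is not part of the Practice's documented procedures. The sender computes a keyed HMAC-SHA256 tag over each file and ships the resulting manifest alongside the files; the recipient recomputes the tags and reports anything altered, missing, or unexpected. The file names, file contents and key are constructed for the example; a real key would be generated with `os.urandom(32)`, shared with the recipient out of band (for instance when receipt is confirmed by telephone, as in step b above), and stored apart from the media it protects.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample data (not real records): filename -> file contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "patient_0001.txt": b"Patient: J. Doe\nDOB: 1970-01-01\nDx: hypertension\n",
    "patient_0002.txt": b"Patient: A. Roe\nDOB: 1985-06-15\nDx: asthma\n",
}

# Placeholder key for the demonstration only (assumption, not a real secret).
# A real key is generated with os.urandom(32), shared with the recipient out
# of band, and kept off the media whose integrity it protects.
DEMO_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Map each filename to a hex HMAC-SHA256 tag over its contents.

    A keyed tag, unlike a bare SHA-256 digest, cannot be recomputed by
    someone who alters a file but does not hold the key, so the manifest
    can travel with the files without losing its value.
    """
    return {
        name: hmac.new(key, data, hashlib.sha256).hexdigest()
        for name, data in sorted(files.items())
    }


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str], key: bytes) -> List[str]:
    """Return a list of integrity problems; an empty list means everything checks out.

    Reports files whose tag no longer matches (altered, or tagged under a
    different key), files listed in the manifest but absent (destroyed or
    dropped in transit), and files present but never listed in the manifest.
    """
    problems: List[str] = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
            continue
        actual = hmac.new(key, files[name], hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so an attacker cannot learn
        # the expected tag byte by byte from timing differences.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def demo_tamper_detection() -> List[str]:
    """Simulate a transfer in which one record is altered, one is lost and one is added."""
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY)  # computed on the sending side
    received = dict(SAMPLE_FILES)                      # what arrives at the recipient
    received["patient_0001.txt"] = received["patient_0001.txt"].replace(
        b"hypertension", b"none"
    )
    del received["patient_0002.txt"]
    received["notes.txt"] = b"unrelated file slipped in\n"
    return verify_manifest(received, manifest, DEMO_KEY)  # checked on the receiving side


if __name__ == "__main__":
    print(build_manifest(SAMPLE_FILES, DEMO_KEY))
    print(demo_tamper_detection())
```

A manifest of plain hashes would detect accidental corruption but not deliberate alteration by someone who can also rewrite the manifest; the key is what turns the check into an integrity control against an adversary. The same routine can be run against stored EPHI on a schedule to meet the Integrity standard's "mechanism to authenticate" specification, with the manifest kept with the backup records described under Device and Media Controls.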
P42
DOCUMENTATION POLICY AND PROCEDURES
Policy
The Practice will maintain security policies and procedures it implements to comply with the
HIPAA Security Rule in written or electronic form.
Procedures
1. The Practice will retain the documentation required by the security regulation for 6 years
from the date of its creation or the date when it last was in effect, whichever is later.
2. The Practice will make documentation available to those persons responsible for
implementing the procedures to which the documentation pertains.
3. The Practice will review the documentation periodically, and update as needed, in
response to environmental or operational changes affecting the security of the electronic
protected health information.
P43