POLICY AND PROCEDURE STANDARDS

TABLE OF CONTENTS

SECURITY MANAGEMENT PROCESS ............................. P1-P4
ASSIGNED SECURITY RESPONSIBILITY ........................ P5-P7
WORKFORCE SECURITY ...................................... P8-P9
INFORMATION ACCESS MANAGEMENT ........................... P10-P11
SECURITY AWARENESS AND TRAINING ......................... P13-P15
SECURITY INCIDENT PROCEDURES ............................ P17
CONTINGENCY PLAN ........................................ P18-P20
EVALUATION .............................................. P22
BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS ..... P23-P24
FACILITY ACCESS CONTROLS ................................ P29-P30
WORKSTATION USE ......................................... P31-P34
WORKSTATION SECURITY .................................... P35
DEVICE AND MEDIA CONTROLS ............................... P36-P37
ACCESS CONTROL .......................................... P38
AUDIT CONTROLS .......................................... P39
INTEGRITY ............................................... P40
PERSON OR ENTITY AUTHENTICATION ......................... P41
TRANSMISSION SECURITY ................................... P42

SECURITY MANAGEMENT PROCESS POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review.

Purpose

The purpose of this policy is to establish a process to identify the risks to the organization and to manage those risks. The Practice is committed to ensuring the confidentiality, integrity, and availability of its information systems containing EPHI by implementing policies and procedures to prevent, detect, contain, and correct security violations.

Policy

1. The Practice will ensure the confidentiality, integrity, and availability of its information systems containing EPHI by implementing appropriate and reasonable policies, procedures and controls to prevent, detect, contain, and correct security violations.
2. All Practice workforce members are responsible for appropriately protecting EPHI from unauthorized access, modification, destruction and disclosure.

Risk Analysis

The organization will conduct a survey of all computer and information systems in order to determine where electronic protected health information is stored, how it is transmitted, and which employees currently have access. The organization will also identify the type of information contained on each system and the impact to daily activities that would be caused by a loss of this information. (See Risk Analysis, Worksheet 1.)
This process will be repeated for all new equipment, information systems or computer systems that are installed.

The identification, definition and prioritization of risks to the Practice information systems containing EPHI is based on a formal, documented risk analysis process. At a minimum, the Practice's risk analysis process will include the following:

- Identification and prioritization of the threats to the Practice information systems containing EPHI.
- Identification and prioritization of the vulnerabilities of the Practice information systems containing EPHI.
- Identification and definition of security measures used to protect the confidentiality, integrity, and availability of the Practice information systems containing EPHI.
- Identification of the likelihood that a given threat will exploit a specific vulnerability on a Practice information system containing EPHI.
- Identification of the potential impacts to the confidentiality, integrity, and availability of the Practice information systems containing EPHI if a given threat exploits a specific vulnerability.

The organization will use good faith efforts to identify all known and/or anticipated threats to electronic protected health information and any vulnerability that would cause a program or system to be impacted by threats.

Risk Management

The Practice will implement security measures that reduce the risks to its information systems containing EPHI to reasonable and appropriate levels. It will be the responsibility of the Security Officer to gather information and present it to the appropriate decision-making authorities within the organization so that determinations can be made based upon the risks to the organization and the costs associated with mitigating those risks.

Employee Sanctions

Employees will be sanctioned appropriately for breaching security policies and procedures.
All sanctions will be in accordance with the organization's disciplinary policies and, at a minimum, will take into account the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information. The Practice will have a formal, documented process for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures. Sanctions may include, but will not be limited to: (1) a verbal warning; (2) a written reprimand; (3) re-education; (4) suspension; and/or (5) termination. The sanction policy, however, does not alter the at-will status of employees.

Information System Activity Review

The Practice is committed to conducting periodic internal system reviews of records to minimize security violations to electronic protected health information. As such, the Practice will continually assess potential risks and vulnerabilities to protected health information in its possession, and develop, implement, and maintain appropriate administrative, physical, and technical security measures. The organization will determine which reports the organization's information systems and software programs are capable of generating, including, but not limited to, audit logs, access reports, and security incident tracking reports. The organization will run such reports at intervals determined by the Security Officer based upon the usefulness of the report.

Procedure

1. The Security Officer will be responsible for completing a Comprehensive Risk Analysis (either by personally completing the form or delegating the responsibility) and will be responsible for overseeing the updating of this analysis as new systems or software programs are added. See Risk Analysis Worksheets 1-4.
2. The risk analysis shall demonstrate, at a minimum, the following information:
   a. The level of risk and the steps to be taken to reduce the risk of vulnerability;
   b. Processes for maintaining no more than the acceptable level of risk.
3. The Security Officer will be responsible, either personally or by delegation, for the completion of a Threat Assessment (Risk Analysis Worksheet 2). This assessment will be updated as needed, any time that a new threat or vulnerability is identified, or any time that a new system or software program is added.
4. The Security Officer will be responsible for completing a Risk Management Analysis (Risk Analysis Worksheets 3-4). The Security Officer will be responsible for identifying and including administrative personnel who have authority to make decisions with respect to which security solutions may be implemented (based upon a cost/benefit analysis).
5. The Practice's risk management process will be based on the following steps:
   a. Inventory. The Practice will conduct an inventory of its information systems containing EPHI and the security measures protecting those systems. The Practice must be able to identify its information systems and the relative value and importance of those systems. (See Risk Analysis, Worksheet 1.)
   b. Risk prioritization. Based on the risks defined by the Practice's risk analysis, all risks will be prioritized on a scale from 1 to 9 based on the potential impact to information systems containing EPHI and the probability of occurrence. When deciding what Practice resources will be allocated to identified risks, highest priority must be given to those risks with unacceptably high risk rankings.
   c. Cost-benefit analysis. The Practice will identify and define the costs and benefits of implementing or not implementing specific security methods.
   d. Security method selection.
      Based on the cost-benefit of each solution, the Practice will determine the most appropriate, reasonable and cost-effective security method(s) for reducing identified risks to each system containing EPHI.
6. The Security Officer will be responsible for bringing employee breaches of security policies and procedures to the attention of the employee's supervisor, who shall be responsible for disciplining the employee in accordance with this policy and with the organization's general disciplinary policies.
7. The Security Officer will be responsible for reviewing all informational reports and the frequency with which each report should be routinely run, as well as any events that will trigger the running of the report(s). Currently, such reports will be run as needed and monitored on an exception basis.
8. If the Security Officer identifies suspicious activity based upon the reports, it will be investigated and the results of such investigation documented. If the investigation identifies an employee breach, the employee will be disciplined in accordance with the guidelines set forth in the organization's disciplinary policies.
9. The Security Officer will be responsible for reviewing reports and maintaining all reports for a period of six years (either personally or by delegating the responsibility).

ASSIGNED SECURITY RESPONSIBILITY POLICY AND PROCEDURES

Purpose

The purpose of this policy is to assign a single employee overall final responsibility for the confidentiality, integrity, and availability of EPHI.

Policy

The Practice Security Officer will be responsible for the security of PHI and EPHI at the Practice. The Security Officer is responsible for the development and implementation of all policies and procedures necessary to appropriately protect the confidentiality, integrity, and availability of the Practice's information systems and EPHI.

Procedures

1. The Security Officer will conduct himself/herself in a manner appropriate for this position and as outlined in the job description.
2. The Practice's Security Officer's responsibilities include, but are not limited to:
   a. Ensure that the Practice's information systems comply with all applicable federal, state, and local laws and regulations.
   b. Develop, document, and ensure dissemination of appropriate security policies, procedures, and standards for the users and administrators of the Practice's information systems and the data contained within them.
   c. Ensure that newly acquired Practice information systems have features that support required and/or addressable security Implementation Specifications.
   d. Coordinate the selection, implementation, and administration of significant Practice security controls.
   e. Ensure Practice workforce members receive regular security awareness and training.
   f. Conduct periodic risk analysis of Practice information systems and security processes.
   g. Conduct regular evaluations of the Practice's security controls and processes.
   h. Develop and implement an effective risk management program.
   i. Regularly monitor and evaluate threats and risks to Practice information systems' activity to identify inappropriate activity.
   j. Create an effective security incident response policy and related procedures.
   k. Ensure adequate physical security controls exist to protect the Practice's EPHI.
   l. Coordinate with the Practice's Privacy Officer to ensure that security policies, procedures and controls support compliance with the HIPAA Privacy Rule.

SECURITY OFFICER – JOB DESCRIPTION

The Practice is committed to ensuring the privacy and security of protected health information. In order to manage the facilitation and implementation of activities related to the privacy and security of protected health information, the Practice will appoint and maintain a Security Officer position. The Security Officer will serve as the focal point for security compliance-related activities and responsibilities, as listed below. In general, the Security Officer is charged with developing, maintaining, and implementing organizational policies and procedures, conducting educational programs, reviewing the conduct of those assigned security responsibilities, and administering reviews relating to the company's security program. The Security Officer must demonstrate familiarity with the legal requirements relating to privacy, security and health care operations, as well as the ability to communicate effectively with and coordinate the efforts of technology and non-technology personnel.

The current Security Officer is:
Bonnie Rondot
419-991-7805 (work) or 419-999-6344 (home)
2875 W. Elm St., Lima, OH 45805
E-mail address: famdox@yahoo.com

Responsibilities

The Security Officer has the following job responsibilities:

1. Lead in the development and enforcement of information security policies and procedures, measures and mechanisms to ensure the prevention, detection, containment, and correction of security incidents. Ensure that security standards comply with statutory and regulatory requirements regarding health information.
2. Maintain security policies that include:
   a. Administrative security: formal mechanisms for risk analysis and management, information access controls, and appropriate sanctions for failure to comply.
   b. Physical safeguards: ensure assigned security responsibilities, control access to media (e.g., diskettes, tapes, backups, disposal of data), protect against hazards and unauthorized access to computer systems, and secure workstation locations and use.
   c. Technical security: establish access controls, emergency authorization controls, and data/entry access and authentication.
3. Maintain security procedures that include:
   a. Evaluation of compliance with security measures.
   b. Contingency plans for emergencies and disaster recovery.
   c. Security incident response process and protocols.
   d. Testing of security procedures, measures and mechanisms, and continuous improvement.
   e. Security incident reporting mechanisms and sanction policy.
4. Maintain appropriate security measures to guard against unauthorized access to electronically stored and transmitted patient data and protect against reasonably anticipated threats and hazards, including:
   a. Integrity controls.
   b. Authentication controls.
   c. Access controls.
5. Oversee and/or perform on-going security monitoring of organization information systems.
   a. Perform periodic information security risk evaluations and assessments.
   b. Evaluate and recommend new information security technologies and counter-measures against threats to information or privacy.
6. Ensure compliance through adequate training programs and periodic security audits.

WORKFORCE SECURITY POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Authorization and/or Supervision; Workforce Clearance Procedures; Termination Procedures.

Purpose

This policy reflects the Practice's commitment to allow access to information systems containing EPHI only to workforce members who have been appropriately authorized.

Policy

1. The Practice will protect the confidentiality, integrity, and availability of its information systems containing EPHI by preventing unauthorized access while ensuring that properly authorized workforce member access is allowed.
2. Access to Practice information systems containing EPHI will be granted only to workforce members who have been properly authorized.
3. Access to Practice information systems containing EPHI will be authorized only for properly trained Practice workforce members having a legitimate need for specific information in order to accomplish job responsibilities. Such access will be regularly reviewed and revised as necessary.

Procedures

1. Authorization and/or Supervision. The Practice will ensure that all workforce members who can access Practice information systems containing EPHI are appropriately authorized to access the system or supervised when they do so. Practice workforce members will not be allowed access to information systems containing EPHI until properly authorized. Where appropriate, third-party persons will be supervised by an appropriate employee when they are accessing information systems containing EPHI or are in a Practice location where EPHI might be accessed.
2. Currently, because of the size of the Practice and the nature of our operations, almost all staff members and workforce employees need access to all information systems containing EPHI. In conjunction with the Minimum Necessary Provision in the Privacy Rule, the Practice will continually monitor each employee to ensure they are accessing only the amount of information necessary to his or her job. Please see the Access Authorization Worksheet.
3. Workforce Clearance Procedures. The background of all Practice workforce members will be adequately reviewed during the hiring process. Verification checks will be made, as appropriate. Clearance to EPHI and to locations where EPHI can be accessed will be granted upon hiring and will be reviewed as necessary.
4. Termination Procedures. The Practice will create and implement a formal process for terminating access to electronic protected health information (EPHI) when employment ends. When the employment of Practice workforce members ends, their information systems privileges, both internal and remote, will be disabled or removed. Practice information system privileges include, but are not limited to, workstation and server access, data access, network access, email accounts, and inclusion on bulk e-mail lists. When employees depart from the Practice, they must return all supplied equipment by the time of departure.
5. As appropriate, all physical security access codes used to protect Practice information systems that are known by a departing workforce member will be deactivated or changed.

INFORMATION ACCESS MANAGEMENT POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Isolating Healthcare Clearinghouse Function; Access Authorization; Access Establishment and Modification.

Purpose

The Practice is committed to maintaining formal practices to define levels of access for all workforce members and other users authorized to access electronic protected health information, and how access is granted and modified.

Policy

1. Access to Practice information systems containing EPHI will be managed in order to protect the confidentiality, integrity and availability of EPHI.
2. Employees, contractors, and other users will be granted access only to that health information to which they are authorized, in order to perform their particular job functions.
3. Workforce members and other users shall use careful consideration to access and obtain only the type and amount of health information necessary to carry out the specified purpose.
4. The Practice's Security Officer is responsible for determining and granting the appropriate access to electronic protected health information.
5. All workforce members shall be trained regarding appropriate access to electronic protected health information, including awareness of information access controls.

Procedure

1. Isolating Healthcare Clearinghouse Function
   a. We are contracted with Misys Healthcare Systems, which contracts with the clearinghouses that we are obligated to use, due to their regulations.
2. Access Authorization
   a. The documented process for granting access to the Practice's information systems that contain EPHI includes:
      1. Procedures for granting different levels of access to the Practice's information systems containing EPHI.
         (See Access Authorization Worksheet.)
      2. The Practice will regularly review and revise, as necessary, authorization of access to information systems containing EPHI.
      3. Based on the employee's job description, the Security Officer will assign the employee appropriate access controls and authorization.
      4. Access to the Practice's information systems containing EPHI will be authorized only for workforce members having a need for specific information in order to accomplish a legitimate task.
      5. If a person's duties, role, function, or responsibilities change, the access permissions of that person will be re-evaluated.
3. Access Establishment and Modification
   a. The Practice will review and modify access authorization for its workforce members when changes occur and as otherwise deemed necessary.
   b. Only properly authorized and trained workforce members may access information systems containing EPHI.
   c. Access to the Practice's information systems containing EPHI is limited to workforce members who have a need for specific EPHI in order to perform their job responsibilities.

HIPAA SECURITY ACCESS AUTHORIZATION (worksheet)

[Worksheet grid: only the labels survived extraction; the per-employee access marks could not be recovered.]
User roles (columns): Providers; Nursing staff; Medical assistants; Front office; Billing department; Collections department; Medical records; Billing/Office mgr.
Access categories (rows): Complete Access; Patients Records; Billing; Accounts Receivable; Scheduling; Transcript; Ltrs and documents; n/a.
Employees listed: Karri L. Krendl, Tracy L. Sharp, Elise D. Clark, Diana Wurst, Brenda Alt, Robbin Clark, Trina Miller, Sharon Kleman, Angela Hefner, Kelly Ward, Rene Matthiu, Bonnie Rondot, Megan Anspach, Megan Berelsman, Hannah Hobbler.

SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management.

Purpose

This policy reflects the Practice's commitment to provide regular security awareness and training to its workforce members.

Policy

1. All Practice workforce members will be provided with sufficient regular training and supporting reference materials to enable them to appropriately protect Practice information systems.
2. System users shall receive training regarding:
   a. Protection from malicious software (including virus protection);
   b. Periodic security updates;
   c. Log-in; and
   d. Password management.
3. The Practice's Security Official is responsible for the development and delivery of security training.
4. The Practice's Security Official will periodically send out security reminders to make workforce members, as well as agents and contractors if necessary, aware of security concerns and initiatives on an ongoing basis.
5. Security training policies and procedures may be amended from time to time as necessary to comply with all applicable laws and regulations as well as business associate agreements.
6. At a minimum, the Practice's malicious software prevention, detection and reporting process will include:
   a. Installation and regular updating of anti-virus software on all internet information systems.
   b. Examination of data on electronic media and data received over networks to ensure that it does not contain malicious software.
   c. The examination of all electronic mail attachments and data downloads for malicious software before use on facility information systems.
   d. Procedures for members of the workforce to report suspected or known malicious software.
   e. An appropriate disaster recovery plan for recovering from malicious software attacks.
   f. Procedures to verify that all information relating to malicious software is accurate and informative.
   g. Procedures to ensure that the Practice's workforce members do not modify web browser security settings without appropriate authorization.
   h. Procedures to ensure that unauthorized software is not installed on the Practice's information systems.
7. Access to all the Practice's information systems must be via a secure log-in process.

Procedures

1. Security training will be based on workforce members' job responsibilities and be applicable to members' daily tasks.
2. On a regular basis, the Practice will provide all of its workforce members information and reminders on topics including, but not limited to:
   a. Information security policies.
   b. Significant information security controls and processes.
   c. Significant risks to the Practice's information systems and data.
   d. Security legal and business responsibilities (e.g. HIPAA, business associate contracts).
   e. Overall discussion of threats and vulnerabilities specific to electronic protected health information.
   f. Information access control.
   g. Personnel clearance levels.
   h. Incident reporting.
   i. Viruses and other forms of malicious software.
   j. User log-in.
   k. HIPAA and organizational privacy and security rules, policies and procedures, and the sanctions, and civil and criminal penalties prescribed for wrongful actions.
3. The Practice's Security Officer is responsible for ensuring that workforce members receive regular security information and awareness.
4. The Practice's information system log-in process includes the following:
   a. Record unsuccessful log-in attempts.
   b. After a specific number of failed log-in attempts, enforce a time delay before further log-in attempts are allowed, or reject any further attempts without authorization from an appropriate Practice employee.
   c. Limit the maximum time allowed for the log-in procedure.
5. The Practice's password management system:
   a. Requires the use of individual passwords to maintain accountability.
   b. Where appropriate, allows workforce members to select and change their own passwords.
   c. Requires unique passwords that meet the standards defined by the Practice.
   d. Requires regular password changes.
   e. Does not display passwords in clear text when they are being input into an application.
   f. Requires the changing of default vendor passwords following installation of software.
6. The Practice's password creation standards require the following:
   a. Passwords must have a minimum length of six characters.
   b. Passwords must not be based on something that can be easily guessed or obtained using personal information (e.g. names, favorite sports team, etc.).
   c. Passwords must be composed of a mix of numeric and alphabetical characters.
7. The Practice's password management training and awareness includes the following information:
   a. The importance of keeping passwords confidential and not sharing them with those who ask.
   b. The need to avoid maintaining a paper record of passwords, unless the record can be stored securely.
   c. Changing passwords whenever there is any indication of possible information system or password compromise.
   d. The importance of not using the same password for personal and business accounts.
   e. The importance of changing passwords at regular intervals and avoiding re-using old passwords.
   f. Changing temporary passwords at the first log-in.
   g. Not including passwords in any automated log-on process.
   h. Ensuring that all employees understand that all activities involving their user identification and password will be attributed to them.

See Practice Password Policy.

PASSWORD POLICY

The following procedure has been adopted by the Practice concerning passwords:

1. All computer systems will require each user to have a unique user ID and password.
2. Inactive accounts will be deleted immediately upon an employee's termination or when their job function no longer requires that system access.
3. Passwords will be stored securely.
4. Employees may not disclose their password to anyone else or permit anyone else to access information through their password.

All user-defined passwords must adhere to the following company password procedures:

1. Changed at minimum every 180 days.
2. Not be one of the last four passwords previously used.
3. Be between 6 and 9 characters long, of which at least one must be a numeric character.
4. Not be commonly used words, names, initials, birthdays, or phone numbers.
5. All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed.
6. Passwords must not be displayed on system entry or recorded in audit trails.

Passwords should not be any of the following:

1. Dictionary words (including foreign and technical dictionaries).
2. Anyone's or anything's name.
3. A place.
4. A proper noun.
5. A phone number.
6. Passwords of the same character.
7. Simple patterns of letters on keyboards.
8. Any of the above reversed or concatenated.
9. Any of the above with digits pre-pended or appended.

SECURITY INCIDENT PROCEDURES POLICY AND PROCEDURES

Purpose

This policy reflects the Practice's commitment to implementing policies and procedures for detecting and responding to security incidents.
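As an added illustration of the password creation standards in the Password Policy above (example code, not part of the Practice's document), the checker below applies the length, composition, password-history and "should not be any of the following" rules to a candidate password. The word list and keyboard rows are constructed stand-ins for the dictionaries and name lists the policy refers to; birthdays and initials would need HR data and are not modelled.

```python
"""Checker for the Practice's password creation standards (added example)."""
import re
from typing import List, Optional, Sequence

# Constructed stand-in for the dictionary, name and place lists the policy
# refers to (items 1-4 of "Passwords should not be any of the following").
FORBIDDEN_WORDS = {"password", "welcome", "summer", "clinic", "doctor",
                   "lima", "ohio", "bonnie", "karri"}
# Keyboard rows, used to detect "simple patterns of letters on keyboards" (item 7).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
HISTORY_DEPTH = 4        # "not be one of the last four passwords previously used"
MIN_LEN, MAX_LEN = 6, 9  # "between 6 and 9 characters long"


def _strip_digits(pw: str) -> str:
    """Drop digits pre-pended or appended (item 9), so 'summer1' is checked as 'summer'."""
    return re.sub(r"^\d+|\d+$", "", pw)


def _is_keyboard_pattern(s: str) -> bool:
    """True if s runs along one keyboard row in either direction (3 or more keys)."""
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _base_reason(core: str) -> Optional[str]:
    """Items 1-4, 6 and 7 applied to a single element; None means the element is allowed."""
    if core in FORBIDDEN_WORDS:
        return "dictionary word, name, place or proper noun"
    if len(core) >= 3 and len(set(core)) == 1:
        return "same character repeated"
    if _is_keyboard_pattern(core):
        return "keyboard pattern"
    return None


def _guessable_reason(core: str) -> Optional[str]:
    """Items 1-7 directly, then item 8: the same elements reversed or concatenated."""
    reason = _base_reason(core)
    if reason:
        return reason
    reason = _base_reason(core[::-1])
    if reason:
        return f"reversed {reason}"
    # Concatenation: try every split point and reject if both halves are forbidden.
    for i in range(1, len(core)):
        if _base_reason(core[:i]) and _base_reason(core[i:]):
            return "concatenation of forbidden elements"
    return None


def check_password(candidate: str, history: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations for candidate; an empty list means it is acceptable.

    history holds previously used passwords, oldest first; only the last four count.
    """
    problems: List[str] = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("must contain at least one numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("must contain alphabetical characters")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append("matches one of the last four passwords")
    if re.search(r"\d{7,}", candidate):  # item 5: a phone number
        problems.append("looks like a phone number")
    reason = _guessable_reason(_strip_digits(candidate.lower()))
    if reason:
        problems.append(f"easily guessed: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real passwords.
    for pw in ("tr4ck3rz", "password1", "drowssap9", "limaohio1", "qwerty12", "aaaaa1"):
        print(pw, "->", check_password(pw) or "OK")
```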
Policy The Practice has and will apply appropriate sanctions against members of it workforce who fail to comply with privacy policies and procedures of the Practice. Procedures 1. The Security Officers in conjunction with the office manager will investigate any allegations of wrongful actions and determine and apply the appropriate sanction(s) in conjunction with the established disciplinary policies of the practice. 2. All investigations and sanctioning actions will be documented by the Security Officers or office manager. 3. All sanctioning of workforce members will be documented and retained for a period of at least 6 years from the date of it creation or the date when it was last in effect, whichever is later. P17 CONTINGENCY PLAN POLICY AND PROCEDURES Implementation Specification Covered Under this Standard: Data Back up Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedures Applications and Data Criticality Analysis Purpose The Practice is committed to maintaining formal practices for responding to an emergency or other occurrence that damages systems that contain electronic protected health information. As such, the Practice is committed to effectively prepare for and respond to emergencies or disasters in order to protect the confidentiality, integrity and availability of its information systems. Policy 1. The Contingency Plan serves as the master plan for responding to system emergencies, ensuring continuity of operation during an emergency, and recovering from a disaster. The Process will include: a. Regular analysis of the critically of Practice information systems. b. Development and documentation of a disaster and emergency recovery strategy consistent with the Practice’s business objectives and priorities. c. Development and documentation of an emergency mode operations plan that is in accordance with the above strategy. d. Regular testing and updating of the disaster recovery and emergency mode operations plans. 2. 
The Contingency plan will be reviewed, tested and updated as necessary. 3. The Security Officer is responsible for reviewing and updating the Contingency Plan and all related policies and procedures. 4. All employees shall be trained regarding the Contingency Plan. 5. Contingency plan policies and procedures may be amended from time to time as necessary to comply with all applicable regulations. P18 CONTINGENCY PLAN POLICY AND PROCEDURES Procedures 1. See the Practice’s Contingency Plan located on page 21 2. The Practice’s backup, disaster recovery and emergency made operations plan includes: a. All Critical information systems and electronic media will be backed up. b. The order in which information systems will be recovered is as follows: Power and utilities All communication devices and software EMR systems Scheduling Billing and Collections All other Systems c. The procedure(s) for allowing appropriate employee’s physical access to Practice facilities so that they can implement recovery procedures in the event of a disaster have been directly communicated to those affected employees. Any questions or concerns during such events should be directed toward the office manager. d. Based on the risk analysis, the responsible person(s) will manually backup the data sets as determined. The backups will be inspected to ensure that their contents are exact copies of the information archived, and that they are functioning properly (the back up report indicates if the back up was done successfully). e. The responsible person(s), as identified by the Security Officer or Office Manager will store and secure the backups in a suitable container and location for such purpose. f. In the event of data loss, the authorized person(s) will retrieve the latest copy of the Practice’s backed up data from the secure location. In the event that the necessary data set(s) have not been archived; efforts will be made through formal channels to collect the data. g. 
In the order of pre-determined criticality, these person(s) will call our tech support, who will assist us in the retrieval of backed-up information.

P19

CONTINGENCY PLAN POLICY AND PROCEDURES

Procedures (continued)

3. The Practice will conduct regular testing of its contingency plan to ensure that it is current and operative.
   a. The Contingency Plan will be revised to address any deficiencies discovered during testing, focusing on improvements to role and responsibility definitions, processes, practices and strategies.
   b. Testing and revisions will be performed as needed or when there are significant changes to the environment.

P20

Task/Systems Criticality Rating List (criticality rating 1-10, with 1 the highest criticality)

Data Backup

Note: all backup tapes are to be kept in the locked box by the main server.

Task/System                 | Rating | Individual to Notify | Person Responsible for Follow-up | Restoration/Emergency Procedures to Follow
----------------------------|--------|----------------------|----------------------------------|-------------------------------------------
Performance of daily backup | 1      | Check out            | Check out                        |
Tape rotation               | 1      | Check out            | Check out                        |
Off-site storage            | 1      | Check out            | Check out                        |

Disaster Recovery Restoration Strategy

Task/System         | Rating | Individual to Notify | Person Responsible for Follow-up | Procedures to Follow
--------------------|--------|----------------------|----------------------------------|---------------------
Scheduling          | 3      | Check out            | Office mgr.                      | Call support
Medical records     | 1      | Clerical             | Office mgr.                      | Call support
Telephone system    | 1      | Clerical             | Office mgr.                      | Call support
Internet connection | 10     | Billing mgr.         | Office mgr.                      | Call support
Lab results         | 5      | Clinical             | Office mgr.                      | Call lab
Billing             | 1      | Billing mgr.         | Office mgr.                      | Call support
Word processing     | 10     | Clerical             | Office mgr.                      | Call support

Emergency Procedures to Follow When System(s) Is Down (Emergency Mode Operations)

Event                             | Rating | Individual to Notify | Person Responsible for Follow-up | Procedures to Follow
----------------------------------|--------|----------------------|----------------------------------|---------------------
Computer system down              | 3      | Clerical             | Office mgr.                      | Call support
Scheduling system down            | 3      | Clerical             | Office mgr.                      | Call support
Power outage                      | 3      | Clerical             | Office mgr.                      | Call power company
Individual desktop computers down | n/a    |                      |                                  |
Printer malfunctions              | 2      | Clerical             | Office mgr.                      | Call support
Internet connection fails         | 10     | Billing mgr.         | Office mgr.                      | Call support
Theft of computer                 | 1      | Office mgr.          | Dr. Krendl                       | Call police

Data Criticality: see the Practice's policies and procedures.

P21

EVALUATION POLICY AND PROCEDURE

Purpose

The Practice will conduct regular evaluations of its security controls and processes to document compliance with its security policies and the HIPAA Security Rule.

Policy

1. The Practice will have a technical and non-technical evaluation performed to establish the extent to which its computer systems and networks meet security requirements. The initial basis for the security requirements will be the HIPAA Final Security Rule.
2. The evaluation will be carried out by Practice employees who have the appropriate skills and experience.

Procedures

1. A system evaluation will be performed on an as-needed basis. The decision to conduct an evaluation will be made by the Security Officer, the office manager or the Practice physician(s) in response to environmental or operational changes.
2. The evaluation will include:
   a. A detailed review of the Practice's security policies, procedures and standards to determine whether they are effective and appropriate.
   b. Identification of the risks to Practice information systems.
   c. Assessment of the appropriateness of Practice security controls to the risks to Practice information systems and EPHI.
   d. Testing of all significant Practice security controls to ensure that hardware and software controls have been correctly implemented. Such testing must be carried out only by authorized and appropriately trained persons.

P22

BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Written Contract or Other Arrangement

Purpose

The purpose of this policy is to outline the requirements for all business associates of the Practice.
The Privacy and Security Rules permit a covered entity to disclose protected health information to a business associate that performs a function or activity on behalf of, or provides a service to, the covered entity involving the creation, use or disclosure of protected health information, provided that the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. This policy outlines the safeguards that will be taken.

Policy

1. All business associate agreements must be documented and must follow the standard business associate agreement of the Practice.
2. Business associate agreements will contain assurances from the business associate that it will:
   a. Not use or disclose protected health information other than as permitted by the agreement or required by law;
   b. Use appropriate safeguards to protect the confidentiality of the information;
   c. Report to the Practice any use or disclosure not permitted by the agreement;
   d. Ensure that any of its agents or subcontractors agree to the same restrictions and conditions as the business associate;
   e. Make available to the Practice any information necessary for the Practice to comply with patients' rights to access, amend and receive an accounting of disclosures of their protected health information;
   f. Make available to the Secretary of DHHS the business associate's internal practices, books and records relating to the use and disclosure of the protected health information; and

P23

BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS POLICY AND PROCEDURES

Policy (continued)

   g. Return or destroy the information once the contract is terminated, if feasible.
If it is not possible to return or destroy the information because of other obligations or legal requirements, the protections of the agreement must continue to apply until the information is returned or destroyed, and no other uses or disclosures may be made except for the purposes that prevented the return or destruction of the information.
3. Satisfactory assurances will be obtained from the business associate in the form of a written contract.
4. Where the Practice knows of a material breach or violation of the contract or agreement by the business associate, the Practice will take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, will terminate the contract or arrangement. If termination of the contract or arrangement is not feasible, the Practice will report the problem to the Secretary of the US Department of Health and Human Services.
   Additionally, the agreement will require the business associate to:
5. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI that it creates, receives, maintains or transmits on behalf of the Practice.
6. Ensure that any agent or subcontractor to whom it provides such information agrees to implement reasonable and appropriate safeguards.
7. Report to the Practice any security incidents of which it becomes aware.

Procedures

1. The Practice will identify all business associates using the forms located under the Forms tab.
2. The Practice will obtain a signed document from all business associates as outlined on pages 25 to 28.

P24

April 10, 2005

VENDOR:
OFFICE ADDRESS:

Dear VENDOR:

In an effort to comply with the business associate contract requirements of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we have enclosed a supplement to our agreement as outlined by the Department of Health and Human Services in the final HIPAA privacy and security standards.
This supplement serves as an addendum to agreements currently in place or any agreements that may be signed in the future. During the term of our agreements, VENDOR may receive from Family Physicians of Lima, or may create on behalf of the Practice, certain confidential health information (PHI) that is protected under state or federal law, including the Health Insurance Portability and Accountability Act. Through this addendum, VENDOR represents that you have policies and procedures in place that will adequately safeguard any PHI you receive or create, consistent with applicable laws and regulations, specifically HIPAA. If you have any questions, please feel free to contact us at (419) 991-7805.

Sincerely,

Bonnie Spiers, HIPAA Security Officer

P25

Obligations and Activities of VENDOR Related to Electronic Protected Health Information (PHI)

1. VENDOR agrees not to use or disclose Protected Health Information (PHI) other than as permitted or required under our Agreement(s) or as required by law.
2. VENDOR agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by our Agreement(s).
3. VENDOR agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of the covered entity.
4. VENDOR agrees to mitigate, to the extent practicable, any harmful effect that is known to VENDOR of a use or disclosure of PHI by VENDOR in violation of the requirements of our Agreement(s), and to report any security incidents of which it becomes aware.
5. VENDOR agrees to report to the Practice any use or disclosure of the PHI not provided for by our Agreement(s).
6.
VENDOR agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by VENDOR on behalf of, the Practice agrees to the same restrictions and conditions that apply to VENDOR through our Agreement(s), including implementing reasonable and appropriate safeguards with respect to such information.
7. VENDOR agrees to provide the Practice with access to PHI in a Designated Record Set, at the request of the Practice and in the time and manner designated by the Practice.
8. VENDOR agrees to make any amendment(s) to PHI in a Designated Record Set that the Practice directs or agrees to at the request of the Practice or an Individual, in the time and manner designated by the Practice.
9. VENDOR agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by VENDOR on behalf of, the Practice available to the Practice or, at the request of the Practice, to the Secretary of the Department of Health and Human Services, in a time and manner designated by the Practice or the Secretary, for purposes of the Secretary determining the Practice's compliance with the Privacy Rule.
10. VENDOR agrees to document such disclosures of PHI, and information related to such disclosures, as would be required for the Practice to respond to a request by an Individual for an accounting of disclosures of PHI.
11. VENDOR agrees to provide to the Practice, in the time and manner designated by the Practice, the information collected under item 10, to permit the Practice to respond to a request by an Individual for an accounting of disclosures of PHI.
12. To the extent possible, upon termination of this agreement, VENDOR shall return or destroy all PHI received from the Practice, or created or received by VENDOR on behalf of the Practice. This provision shall also apply to PHI that is in the possession of subcontractors or agents of VENDOR.
P26

Obligations and Activities of VENDOR Related to Electronic Protected Health Information (PHI) (continued)

However, VENDOR may determine that returning or destroying the PHI is infeasible due to professional requirements. In that case, VENDOR extends the protections of our Agreement(s) to such PHI and limits further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as VENDOR maintains such PHI.

The Practice may terminate the contract if it determines that VENDOR has violated a material term of the contract.

Permitted Uses and Disclosures by VENDOR

1. Except as otherwise limited in this Agreement, VENDOR may use PHI for the proper management and administration of VENDOR or to carry out the legal responsibilities of VENDOR.
2. Except as otherwise limited in our Agreement(s), VENDOR may use or disclose PHI to perform functions, activities or services for, or on behalf of, the Covered Entity as specified in our Agreement(s), provided that such use or disclosure would not violate the Privacy Rule if done by the Practice.
3. Except as otherwise limited in our Agreement(s), VENDOR may disclose PHI for the proper management and administration of VENDOR, provided that the disclosures are required by law, or that VENDOR obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and that the person notifies VENDOR of any instance of which it is aware in which the confidentiality of the information has been breached.

Signed: ___________________________________________________ Date: _________________________

P27

Business Associate Worksheet

Business Associate | Contract: Y/N? | Contact Name       | Contact Phone | Service Provided  | Do they receive PHI? | Contract Addendum mailed? | Contract Addendum signed?
-------------------|----------------|--------------------|---------------|-------------------|----------------------|---------------------------|--------------------------
Lima Pathology     | Y              | Lola Youngpeter    | 419-226-9595  | Lab pick up       | Yes                  | Yes                       |
Xerox              | Y              | Jill James         | 877-292-3051  | Copier/printer    | No                   | Yes                       |
Perry Corp.        | Y              | John Zerante       | 419-234-4963  | Copier            | No                   | Yes                       |
Office World       | Y              | n/a (John Freund)  | 419-991-4694  | Copier            | No                   | Yes                       |
DR Management      | N              | Ton Nelson         | 877-490-8187  | Hardware support  | No                   | Yes                       |
DR Management      | N              | Chloe Jeffers      | 260-437-0045  | Practice auditor  | Yes                  | Yes                       |
Clayton Scroggins  | Y              | Paula Badovick     | 800-488-5742  | Financial advisor | No                   | Yes                       |
Midwest Phys GPO   | N              | Byron Selden       | 614-863-0989  | Brace supplier    | No                   | Yes                       |
Lighthouse Digital | N              | Mike Mitchell      | 419-339-0022  | Phone system      | No                   | Yes                       |
USPS               | N              |                    | 419-224-5801  | Postal delivery   | No                   | Yes                       |
Fed Ex             | N              |                    | 800-463-3339  | Delivery          | No                   | Yes                       |
UPS                | N              |                    | 419-227-3600  | Delivery          | No                   | Yes                       |
Washam             | N              |                    | 419-549-0882  | Utilities         | No                   | Yes                       |

P28

FACILITY ACCESS CONTROLS POLICY AND PROCEDURES

Implementation Specifications covered under this standard: Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records

Purpose

The Practice is committed to maintaining formal procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Policy

1. The Practice will protect the confidentiality, integrity and availability of its information systems by preventing unauthorized physical access to, tampering with, and theft of the systems and the facilities in which they are located, while ensuring that properly authorized access is allowed.
2. Facility information systems containing EPHI will be physically located in areas where unauthorized access is minimized.
3. The Practice Security Officer is responsible for reviewing and updating the Facility Security Plan and all related policies and procedures.

Procedures

1.
The Practice will ensure that, in the event of a disaster or emergency, appropriate persons can enter its facility to take the actions defined in its Disaster Recovery and Emergency Mode Operations Plans.
2. All access rights to the Practice processes and controls that protect EPHI are clearly defined. Such rights are provided only to Practice employees having a need for specific access in order to accomplish a legitimate task related to contingency operations.
3. The Practice security plan is based on the Practice's risk assessment, which assesses the risks to the Practice facilities and the information systems contained within them.
4. As part of that risk assessment, the Practice has evaluated and addressed:
   - Unauthorized access to information systems
   - Tampering with or theft of information systems
   - Exterior premises of the facility site (doors, windows, locks and alarms)
   - Reception area/waiting room access
   - Interior premises of the Practice

P29

FACILITY ACCESS CONTROLS POLICY AND PROCEDURES

Procedures (continued)

   - Access controls
   - Equipment security, including workstations, servers and PDAs
   - Smoke detectors and fire alarms
   - Power surge protectors
5. The Practice will determine and document all areas considered sensitive due to the nature of the EPHI that is stored or available within them, for example Medical Records.
6. After documenting sensitive areas, access rights to such areas will be given only to workforce members who have a need for specific physical access in order to accomplish a legitimate task.
7. Receiving visitors: The Practice will ensure that each visitor is appropriately greeted and identified. If appropriate, the Practice will notify the applicable personnel that a visitor has arrived. If an escort is required for the visitor, the appropriate personnel will accompany the visitor to the desired destination.
8.
Escorting visitors: The appropriate personnel will escort the visitor to the appropriate destination, ensuring that personnel are alerted to the visitor's presence as appropriate. During the escort, the escorting personnel will make sure that protected health information (e.g., documents, workstation screens) is not in view of visitors who are not authorized to read it. The escorting personnel will remain with the visitor throughout the visit until departure, or escort the visitor from point to point within the facility as required until departure.
9. The Practice will document all repairs and modifications to the physical components of its facilities that are related to the security of EPHI.
10. The Practice will conduct a periodic inventory of all the physical components of its facilities that are related to the protection of EPHI. Inventory results must be documented and stored in a secure manner.

P30

WORKSTATION USE POLICY AND PROCEDURES

Purpose

This policy reflects the Practice's commitment to appropriately use and protect its workstations.

Policy

1. Workforce members shall use workstations in a manner appropriate to the sensitivity of the information contained on them, so as to minimize the possibility of unauthorized access to such information.
2. Workstations will only be used for authorized purposes.
3. All workforce members who use Practice workstations must take all reasonable precautions to protect the confidentiality, integrity and availability of EPHI contained on the workstations.
4. Workforce members must not use the Practice's workstations to engage in any activity that is either illegal under local, state, federal or international law or in violation of Practice policy.
5. Activities that workforce members must not perform while using Practice workstations include, but are not limited to:
   a. Violations of the rights to privacy of protected health information of the Practice's patients.
   b.
Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property or similar laws or regulations. This includes, but is not limited to, inappropriately licensed software products.
   c. Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, and copyrighted music.
   d. Purposeful introduction of malicious software onto a workstation or network (e.g., viruses, worms, Trojan horses).
   e. Actively engaging in procuring or transmitting material that is in violation of the Practice's sexual harassment or hostile workplace policies.
   f. Making fraudulent offers of products, items or services.
   g. Purposefully causing security breaches. Security breaches include, but are not limited to, accessing electronic data that the workforce member is not authorized to access or logging into an account that he or she is not authorized to use.

P31

WORKSTATION USE POLICY AND PROCEDURES

Policy (continued)

   h. Performing any form of network monitoring that will intercept electronic data not intended for the workforce member.
   i. Circumventing or attempting to avoid the user authentication or security of any Practice workstation or account.
6. Access to all Practice workstations containing EPHI must be controlled with a username and password.
7. Practice workforce members must not share passwords with others. If a Practice workforce member believes that someone else is inappropriately using a user ID or password, they must immediately notify the office manager.
8. Where possible, the initial password(s) issued to a new Practice workforce member are to be valid only for the new user's first logon to a workstation; at initial logon, the user should be required to choose another password. Where possible, this same process must be used when a workforce member's workstation password is reset.
9.
Practice workstations containing EPHI must be physically located in such a manner as to minimize the risk that unauthorized individuals can gain access to them.
10. The display screens of all Practice workstations containing EPHI must be positioned such that information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception, public or other related areas.
11. Security Officer-approved anti-virus software must be installed on workstations to prevent transmission of malicious software. Such software must be regularly updated.
12. Workstations removed from Practice premises must be protected with security controls equivalent to those for on-site workstations.

Procedures

1. All employees are to be trained regarding workstation use.
2. All employees are to sign the workstation use policy.

P32

EMPLOYEE WORKSTATION USE POLICY

1. All workforce members who use the Practice's workstations must take all reasonable precautions to protect the confidentiality, integrity and availability of EPHI contained on the workstations.
2. Workforce members must not use the Practice's workstations to engage in any activity that is either illegal under local, state, federal or international law or in violation of Practice policy.
3. Activities that workforce members must not perform while using the Practice's workstations include, but are not limited to:
   a. Violations of the rights to privacy of protected health information of the Practice's patients.
   b. Violations of the rights of any person or company protected by any copyright, trade secret, patent or other intellectual property or similar laws or regulations. This includes, but is not limited to, the installation or distribution of "pirated" or other inappropriately licensed software products.
   c.
Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books or other copyrighted sources, and copyrighted music.
   d. Purposeful introduction of malicious software onto a workstation or network (e.g., viruses, worms, Trojan horses).
   e. Actively engaging in procuring or transmitting material that is in violation of the Practice's sexual harassment or hostile workplace policies.
   f. Making fraudulent offers of products, items or services.
   g. Purposefully causing security breaches. Security breaches include, but are not limited to, accessing electronic data that the workforce member is not authorized to access.
   h. Performing any form of network monitoring that will intercept electronic data not intended for the workforce member.
   i. Circumventing or attempting to avoid the user authentication or security of any Practice workstation or account.
4. Access to all Practice workstations containing EPHI must be controlled with a username and password or an access device such as a token.
5. Practice workforce members must not share passwords with others. If a Practice workforce member believes that someone else is inappropriately using a user ID or password, they must immediately notify their manager.
6. Where possible, the initial password(s) issued to a new Practice workforce member must be valid only for the new user's first logon to a workstation; at initial logon, the user must be required to choose another password. Where possible, this same process must be used when a workforce member's workstation password is reset.
7. Practice workstations containing EPHI must be physically located in such a manner as to minimize the risk that unauthorized individuals can gain access to them.

P33

EMPLOYEE WORKSTATION USE POLICY

8.
The display screens of all Practice workstations containing EPHI must be positioned such that information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception, public or other related areas.
9. Security Officer-approved anti-virus software must be installed on workstations to prevent transmission of malicious software. Such software must be regularly updated.
10. Workstations removed from the Practice's premises must be protected with security controls equivalent to those for on-site workstations.

Signed ________________________________________________ Date _____________________

P34

WORKSTATION SECURITY POLICY AND PROCEDURE

Purpose

This policy reflects the Practice's commitment to prevent unauthorized physical access to workstations that can access EPHI.

Policy

1. Physical safeguards will be implemented for all workstations that access electronic protected health information, to restrict access to authorized users.
2. All persons who use workstations shall be trained on the proper functions to be performed and the manner in which those functions are to be performed, in accordance with Practice policies and procedures.

Procedures

1. Practice workstations containing EPHI are to be placed in locations that minimize the risk of unauthorized access to them.
2. Practice workforce members must take reasonable measures to prevent the viewing of EPHI on workstations by unauthorized persons. Such measures include, but are not limited to:
   a. Locating workstations and peripheral devices (printer, modem, scanner, etc.) in secured areas not accessible to unauthorized persons.
   b. Positioning monitors or shielding workstations so that data shown on the screen is not visible to unauthorized persons.
3.
Practice workforce members must immediately report the loss or theft of any access device (such as a pass card or ID number) that allows them physical access to Practice areas containing workstations that can access EPHI.
4. All Practice portable workstations (laptops) must be securely maintained when in the possession of employees.

P35

DEVICE AND MEDIA CONTROLS POLICY AND PROCEDURE

Implementation Specifications covered under this standard: Disposal; Media Re-use; Accountability; Data Backup and Storage

Purpose

The Practice will maintain formal practices to monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of the Practice, and the movement of these items within the Practice.

Policy

1. Information systems to which this policy applies include: computers (both desktop and laptop), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard drives and PDAs.
2. Access to information systems containing EPHI must be provided only to authorized Practice workforce members who have a need for specific access in order to accomplish a legitimate task.
3. All hardware and other media containing EPHI will be properly cleansed prior to disposal or reuse.
4. Practice workforce members must not attempt to access, duplicate or transmit electronic media containing EPHI for which they have not been given appropriate authorization.
5. All Practice information systems containing EPHI must be located and stored in secure environments that are protected by appropriate security barriers and entry controls. The levels of these controls are commensurate with the identified risks as outlined in the Risk Assessment.

Procedures

1. An inventory record will be maintained by the Security Officer documenting all hardware and software received into the facility that contains electronic protected health information. (See Risk Analysis, Worksheet 1.)
2.
All Practice information systems and electronic media containing EPHI will be disposed of properly when no longer needed for legitimate use.

P36

DEVICE AND MEDIA CONTROLS POLICY AND PROCEDURE

Procedures (continued)

3. Prior to disposal, the Practice will securely overwrite and/or physically destroy components on which sensitive data is stored. The office manager, Security Officer or their designee will verify and document that such sanitization steps have been completed.
4. An information system or electronic medium containing EPHI that is to be disposed of permanently must be physically destroyed.
5. All EPHI on Practice electronic media must be removed before such media can be re-used. Failure to remove EPHI could result in its disclosure to unauthorized persons. This includes both EPHI received by the Practice and EPHI created within the Practice.
6. Practice employees and affiliates who move electronic media or information systems containing EPHI are responsible for the subsequent use of such items and must take all appropriate and reasonable actions to protect them against damage, theft and unauthorized access.
7. Backup copies of all EPHI on Practice electronic media and information systems must be made regularly.
8. Backups of EPHI on Practice information systems and electronic media, together with accurate and complete records of the backup copies and documented restoration procedures, will be stored in a secure remote location, at a sufficient distance from the Practice facilities to escape damage from a disaster at the Practice.

P37

ACCESS CONTROL POLICY AND PROCEDURE

Implementation Specifications covered under this standard: Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption

Purpose

The Practice will maintain electronic protected health information so as to allow access only to those persons or software programs that have been granted access rights.

Policy

1.
Access for employees, agents and contractors will be given only to those who have been granted access rights as specified by the Security Officer.
2. Only authorized personnel shall access electronic data, including the hardware and/or software on which the electronic PHI is stored.
3. Emergency access procedures, if necessary, will be coordinated by the office manager.
4. Practice workforce members must end electronic sessions on information systems that contain or can access EPHI when such sessions are completed, unless the information system is secured by an appropriate locking method.
5. Based on the risk assessment, encryption of stored electronic protected health information is not warranted.

Procedures

1. All individuals who have access to electronic protected health information will be given a unique name and/or number.
2. The procedure(s) for allowing appropriate employees physical access to Practice facilities so that they can implement recovery procedures in the event of a disaster have been communicated directly to those employees. Any questions or concerns during such events should be directed to the office manager.
3. All Practice computers will have automatic logoff that terminates computer sessions after a specified length of time.

P38

AUDIT CONTROLS POLICY AND PROCEDURES

Purpose

To maintain hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Policy

The Practice will record and examine significant activity on its information systems that contain or use EPHI. The appropriate level and type of auditing to be implemented has been determined by the Practice's risk analysis process.

Procedures

1. The Practice has implemented measures to assist in the monitoring and examination process and to reduce the risk of misuse of EPHI.
These measures include, among others, the use of passwords, automatic logoff, access controls, end-of-day reports and backup of media devices.

P39

INTEGRITY POLICY AND PROCEDURES

Implementation Specification covered under this standard: Mechanism to Authenticate Electronic Protected Health Information

Purpose

The Practice will maintain formal policies and procedures to protect electronic protected health information from improper alteration or destruction. This includes mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Policy

1. The Practice has systems, including hardware, software, documentation and people, that are designed to maintain data integrity. The Practice will examine the workflow, reliability and correctness of system components on an as-needed basis to guard against unauthorized modification or destruction of data. The Practice will also protect against environmental threats that would harm data, including air temperature and humidity, fire (through fire suppression systems) and weather-related events.
2. The Practice will provide a means for employees to report suspected unauthorized data modification or destruction.

Procedures

1. Based on the Practice's risk assessment and the other security measures taken by the Practice, including the use of passwords, logins and outside IT technical assistance, the information systems and the data within them are assessed as being at low risk of alteration or destruction.
2. Based on the risk assessment, the Practice will continue to monitor the performance of the information systems, continue to utilize other security controls including passwords, firewalls and access controls, and continue to utilize outside vendors as necessary to maintain a secure environment.
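The Contingency Plan procedures (page 19, item 2d) require backups to be inspected to confirm that they are exact copies of the archived data, and the Integrity standard above calls for a mechanism to corroborate that EPHI has not been altered or destroyed. The following Python script is an added example of one such mechanism and is not part of the Practice's policy document: a SHA-256 manifest of the source files is recorded at backup time and stored with the backup set, and a restored copy is later checked against it, reporting files that are missing, unexpected, or altered. The directory layout, file names and file contents are constructed sample data, not real records, and a directory copy stands in for the tape restore.

```python
"""Added example: SHA-256 manifest check for verifying a backup/restore.

Not part of the Practice's policy document. File names and contents
below are constructed sample data, not real patient records.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns the files missing from the restore, present but not in the manifest,
    and present with a different digest, plus an overall "ok" flag. A backup
    job's own "completed successfully" report establishes none of this.
    """
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    altered = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"missing": missing, "extra": extra, "altered": altered,
            "ok": not (missing or extra or altered)}


def demo() -> dict:
    """Record a manifest, restore a copy, then damage the copy and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (source / "billing").mkdir(parents=True)
        # Constructed sample data (hypothetical file names and contents).
        (source / "schedule.csv").write_text("2005-04-11,09:00,patient-0001\n")
        (source / "billing" / "claims.csv").write_text("claim-0001,125.00\n")

        # At backup time: record the manifest and keep it with the backup set.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
        manifest = json.loads(manifest_path.read_text())

        # A faithful restore (copytree stands in for the tape restore) verifies clean.
        shutil.copytree(source, restored)
        clean = verify_restore(manifest, restored)

        # A damaged restore: one file altered, one file lost.
        (restored / "billing" / "claims.csv").write_text("claim-0001,1250.00\n")
        (restored / "schedule.csv").unlink()
        damaged = verify_restore(manifest, restored)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored with the backup set but written before the backup medium leaves the Practice, so that the check at restore time compares against what was archived rather than against whatever is on the returned medium. Recording the digests in the backup log also gives the office manager or Security Officer something concrete to sign off on when documenting that a backup was inspected.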
P40 PERSON OR ENTITY AUTHENTICATION POLICY AND PROCEDURE Purpose The Practice will ensure that all persons or entities seeking access to Practice EPHI are appropriately approved before access is granted. Policy The Practice will maintain a documented process for verifying the identity of a person or entity before granting them access to EPHI. Procedures 1. The practice will utilize the following authentication mechanism for individuals to corroborate that an individual is whom they claim: a. Use of Individual Passwords P41 TRANSMISSION SECURITY POLICY AND PROCEDURE Implementation Specifications covered under this standard: Integrity Controls Encryption Purpose The Practice will appropriately protect the confidentiality, integrity, and availability of all data that it transmits over electronic communications networks. Policy 1. The Practice will maintain Integrity Controls to ensure the validity of information transmitted or stored electronically over a communications network. 2. The Practice will utilize adequate access controls to protect sensitive communications transmissions over open and private networks to ensure that such transmissions cannot be easily intercepted and interpreted by parties other than the intended recipient. 3. The Practice’s risk analysis has indicated that it is not necessary to utilize encryption software to protect the confidentiality, integrity and availability of Practice data transmitted over electronic communications networks. Procedures When data that contains EPHI is transmitted, several precautions will be taken to ensure its integrity, including: a. Password protect Word files b. Confirm receipt by telephone P42 DOCUMENTATION POLICY AND PROCEDURES Policy The Practice will maintain security policies and procedures it implements to comply with the HIPAA Security Rule in written or electronic form. Procedures 1. 
The Practice will retain the documentation required by the security regulation for 6 years from the date of its creation or the date when it last was in effect, whichever is later. 2. The Practice will make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. 3. The Practice will review the documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. P43
