DRAFT Version 2: 4/19/05 Based on Final Privacy & Security Rules

HIPAA COW ADMINISTRATIVE WORKGROUP POLICY/PROCEDURE
FACILITY REPAIRS AND MAINTENANCE

Disclaimer

This document is Copyright 2005 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This document is provided “as is” without any express or implied warranty. This document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state preemption issues related to this document. Therefore, this may need to be modified in order to comply with Wisconsin law.

****

Table of Contents

Policy
Responsible for Implementation
Applicable To
Key Definitions
Procedures
   1. Identify ePHI Security Risk(s)
   2. Reduce or Eliminate the ePHI Security Risk(s)
   3. Monitor for Additional Risks
   4. Documentation of the Project
Authors
Reviewed By
Applicable Standards and Regulations
Sources

Policy:

In accordance with the standards set forth in the HIPAA Security Rule, <ORGANIZATION> is committed to ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) it creates, receives, maintains, and/or transmits. The purpose of this policy is to establish documentation guidelines for maintenance, repairs, and modifications to the physical components of its facilities when related to the security of ePHI [164.310(a)(2)(iv)], as well as to limit physical access to electronic information systems and the facility(s) in which they are housed, while ensuring that properly authorized access is allowed [164.310(a)(1)].

Copyright 2005 HIPAA COW

Responsible for Implementation: Security Officer

Applicable To: Security Officer, Facility Services Department, leadership, and workforce members

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including providers, providers' offices, business associates and partners, may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

Key Definitions:

Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Procedures:

1) Identify ePHI Security Risk(s).
Prior to approving plans to repair, modify, or schedule maintenance on any of <ORGANIZATION’s> owned or leased facilities, the Lead Project Coordinator works with the Security Officer, or other designated workforce member, to determine whether or not the scheduled maintenance, repairs, changes, or the construction process itself increases the security risk to ePHI. These security risks include, but are not limited to, the following, and include work completed on the internal and/or external perimeter of the facilities (entryways, external and internal doors, locks, controlled access systems, walls, removing windows, etc.):

   a) Has the potential to, or will, limit or remove an authorized user’s ability to access workstations and systems in which ePHI is created, received, stored, or transmitted during regularly scheduled hours and at regularly scheduled locations.
   b) Increases the potential for unauthorized access to ePHI.
   c) Otherwise has the potential to decrease the security, confidentiality, and/or integrity of the ePHI in any way.

2) Reduce or Eliminate the ePHI Security Risk(s).

If the changes indicate an increased security risk to ePHI, the Lead Project Coordinator amends the plans to contain the following conditions:

   a) All users that need access to ePHI have access to ePHI during their regularly scheduled hours and at their scheduled locations.
      i) If, however, any user will not have access to ePHI during their regularly scheduled hours, the Lead Project Coordinator notifies that user’s supervisor “X” days prior to the unavailability of the ePHI. The Lead Project Coordinator, supervisor, and Security Officer develop a plan to accommodate necessary changes. Document all decisions made and followed as required in this policy.
      ii) If any user will not have access to ePHI at their regularly scheduled location, the Lead Project Coordinator notifies that user’s supervisor “X” days prior to the unavailability of the ePHI. The Lead Project Coordinator, supervisor, and Security Officer develop a plan to accommodate necessary changes. Document all decisions made and followed as required in this policy.
      iii) If the plans increase the potential for unauthorized access to ePHI, the Lead Project Coordinator works with the Security Officer, or other designated information systems workforce member, to identify ways to secure ePHI from unauthorized access throughout the project. This may include requiring measures such as 24-hour monitoring of the area with security guards or cameras, changing locks and distributing keys to individuals on the project to limit the number of individuals with access, creating new entryways for workforce members and/or patients, etc. Document all decisions made and followed as required in this policy.
      iv) If the plans otherwise decrease the security, confidentiality, and/or integrity of the ePHI in any way, the Lead Project Coordinator works with the Security Officer, or other designated information systems workforce member, to identify ways to secure ePHI throughout the project. Document all decisions made and followed as required in this policy.

3) Monitor for Additional Risks.

The Lead Project Coordinator continuously monitors the project and immediately notifies the Security Officer of any increase or change in security risks to ePHI noted during the course of the project. Document all decisions made and followed as required in this policy. If a violation of <ORGANIZATION’s> security policies and procedures is identified, it is reported and investigated according to <ORGANIZATION’s> Security Incident Policy.

4) Documentation of the Project.
The Lead Project Coordinator facilitates documentation of all meetings and other efforts made to protect the confidentiality, integrity, and availability of ePHI throughout the project.

   a) Documentation includes, at a minimum, the following information:
      i) Description of the repair or modification, including a summary of the original plans, any changes made to the plans, and reasons for any changes made to the plans.
      ii) Reason for the repair or modification.
      iii) Repair or modification start and end dates.
      iv) Individual(s) that completed the repair or modification.
      v) Summary of all steps taken to eliminate or decrease the identified security risk(s) to ePHI (including those identified before, during, and after the work was completed). At a minimum, this summary includes:
         (1) Description of the identified security risk.
         (2) Date the security risk was identified.
         (3) Specifically what was done to eliminate or reduce the security risk(s).
         (4) Dates and times steps were taken to eliminate or reduce the security risk(s).
         (5) Individuals involved in eliminating or reducing the security risk(s).
   b) After completion of the project, the Lead Project Coordinator forwards all documentation to the Security Officer.
      i) The Security Officer maintains all documentation received from the Lead Project Coordinator for a minimum of six years.

Authors:
HIPAA COW Administrative Workgroup

Reviewed By:
HIPAA COW Physical Security Workgroup
HIPAA COW Privacy Policy & Procedure Workgroup

Applicable Standards/Regulations:
45 CFR §164.310(a)(1) – HIPAA Security Rule Facility Access Controls
45 CFR §164.310(a)(2)(iv) – HIPAA Security Rule Maintenance Records

Sources:
Phoenix Health Systems, Inc. Maintenance Records Policy