InfoSec Acceptable Use Policy

RIVER HILLS COMMUNITY HEALTH CENTER
POLICY
ON
HIPAA INFORMATION TECHNOLOGY SECURITY:
DATA AUTHENTICATION, PHYSICAL SAFEGUARDS PRIVACY
Submitted by: Curt Meeks, CO
Policy #
Approved By:
Policy Supersedes:
Date:
Revised/Reviewed:
______________________________________________________________________________
Policy
It shall be the policy of River Hills CHC that all workforce members must immediately report
any suspected or known unauthorized data modification or data destruction to the Privacy
Officer.
Purpose
The purpose of this policy is to comply with the HIPAA Privacy Rule and HIPAA Security
Rule’s requirements pertaining to the acceptable use of River Hills CHC IT resources regarding
protected health information (PHI) and electronic protected health information (EPHI).
River Hills CHC policies regarding privacy and security of PHI/EPHI reflect its commitment to
protecting the confidentiality of patients’ medical records, patient accounts, clinical information
from management information systems, confidential conversations, and any other sensitive
material generated in the course of doing business. While a commitment to privacy and security of PHI/EPHI
is the expectation, there remains a possibility that an inappropriate or unintended disclosure of
PHI/EPHI may result in a privacy breach. This policy outlines the procedure to mitigate
breaches, both willful violations and unintended actions, consistent with guidance described by
the HIPAA and HITECH laws.
Overview
River Hills CHC’s intention for publishing this HIPAA Information Technology Security: Data
Authentication, Physical Safeguards Policy is not to impose restrictions that are contrary to River
Hills CHC’s established culture of openness, trust and integrity. River Hills CHC is committed
to protecting employees, patients, partners and itself from illegal or damaging actions by
individuals, either knowingly or unknowingly.
Effective HIPAA security is a team effort involving the participation and support of every River
Hills CHC employee and affiliate that interacts with information and/or information systems. It
is the responsibility of every computer user to know these guidelines, and to conduct their
activities accordingly.
Any time that protected health information (PHI) is referenced in this policy, it is referencing the
HIPAA Privacy Rule; when electronic protected health information (EPHI) is referenced in this
policy, it is referencing the HIPAA Security Rule.
Scope
This policy applies organization-wide.
Procedure
1. Data Authentication
1.1 EPHI shall be protected by authentication controls on all information technology
(IT) resources.
1.2 Authentication controls shall minimally include a unique user logon and password
combination.
1.3 EPHI shall be encrypted while stored on IT resources whenever available and
feasible or whenever deemed necessary by the risk analysis or evaluation in
accordance with the HIPAA Security Risk Management, Evaluation and Audit
Policy.
1.4 EPHI shall be encrypted while in transit across an open communications network;
files containing EPHI intended to be transmitted outside the River Hills CHC
Intranet shall be encrypted and transmitted using approved secure messaging
products.
1.5 Mail messages containing EPHI intended to be transmitted outside the River Hills
CHC Intranet shall be encrypted and transmitted using approved secure
messaging product(s).
1.6 All other EPHI transmissions (e.g. client/server connections) shall be encrypted
using approved mechanisms (e.g. virtual private networks) whenever available
and feasible, or whenever deemed necessary by the risk analysis or evaluation in
accordance with HIPAA Security Risk Management, Evaluation and Audit
Policy.
1.7 EPHI integrity shall be sustained using approved mechanisms (e.g. hashing
algorithms, electronic signatures and digital signatures) whenever available and
feasible or whenever deemed necessary by the risk analysis or evaluation in
accordance with HIPAA Security Risk Management, Evaluation and Audit
Policy.
Page 2 of 3
2. Data Physical Safeguards
2.1 IT resources shall be secured using physical safeguards for protection from
unauthorized access; e.g. door locks or locking cabinets.
2.2 Screen locks (e.g. session timeouts, auto logoff) with password controls shall be
activated on all IT resources (e.g. laptops, desktops, consoles).
2.3 Portable IT resources (e.g. laptops, smart phones, personal digital assistants
(PDAs)) shall be physically secured when not in use.
3. Virus protection
3.1 Virus protection shall be installed and activated on all IT resources containing
EPHI.
3.2 Additional mechanisms shall be implemented to further protect IT resources from
malicious software whenever deemed necessary by the risk analysis or evaluation
in accordance with HIPAA Security Risk Management, Evaluation and Audit
Policy.
4. Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
5. Reference(s)
5.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA) at 45
C.F.R. § 164.308; § 164.530
5.2 The American Recovery and Reinvestment Act of 2009 (ARRA) Division A,
Title XIII, Part 2, Subtitle D-Privacy Sec. 13400; Sec. 13402 of the HITECH Act
5.3 HIPAA Security Risk Management, Evaluation and Audit Policy
5.4 Mobile Computing Device Policy
5.5 HIPAA Security Virus Protection Policy
5.6 Data Classification, Sensitivity, Use, and Retention Policy