HIPAA/HITECH Privacy & Security Checklist Assessment

HIPAA PRIVACY RULE


164.502 / 164.514 - Develop "minimum necessary" policies for:
- Uses (page 15): Exempts disclosure for the purpose of treatment from the minimum necessary standard.
- Routine disclosures (page 17): Exempts information that is required to comply with the electronic transaction standards from the minimum necessary standard.
- Non-routine disclosures (page 19): Generally, covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual's authorization, or for disclosures that are required by other law. See 45 CFR 164.502(b). For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority in requesting the protected health information. See 45 CFR 164.514(d)(3)(iii)(A). For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of protected health information that may be disclosed for such purposes. See 45 CFR 164.514(d)(3)(i).
- Limit request to minimum necessary (page 16): Staff must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, to the extent possible by limiting use/disclosure to a limited data set. For all other requests, staff must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made. Staff may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
- Ability to rely on request for minimum necessary (page 65): Form PF-4000 Tracking of Request for Access, Amend or Disclosure of PHI

Page references for the above: 164.502: 15, 17, 19, 27, 30, 37, 38, 39, 40; 164.514: 2, 3, 15, 16, 19, 24, 25

Version Date: 10/24/2013 1/18

164.504 (pages 9, 10, 11) - Develop policies for business associate (BA) relationships and amend business associate contracts or agreements.
Page 9: Written contracts or agreements must be negotiated between a medical practice and any business associate that will handle protected health information it receives from or creates for the practice. A business associate that creates, receives, maintains, or transmits PHI or electronic PHI for the medical practice must provide satisfactory assurances that it will appropriately safeguard the information. These assurances must be included in a written contract or other arrangement with the business associate. This contract or agreement must include provisions that:
- Obtain satisfactory assurances in contract (page 9): Satisfactory Assurances (see above); 164.502 (see above); 164.504 (see above)
- Limit disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations and state law
- Document sanctions for non-compliance (page 11): The business associate should be notified by the practice's legal counsel that action will be taken to terminate the contract if the violation of contract provisions is not immediately corrected. Includes "The information to be maintained includes: ... Records of actions taken to enforce compliance with contract provisions by business associates."

164.506 (14, 16, 18), 164.508 (27, 30), 164.510 (27, 40), 164.512 (18, 19) - Obtaining authorization, when required, for use and disclosure of protected information (see Forms PF-1000 Notice of Privacy Practices and PF-3000 Authorization For Use and/or Disclosure of Protected Health Information).
Page 4: The policies in this section address the disclosure of protected health information to various government entities. In general, disclosure to government entities is mandated by law and does not require the consent or advance authorization of the patient.

164.520 (15, 17, 27, 49, 41, 53) - Develop and disseminate notice of privacy practices.
Page 27: P-3000 Notice and Authorization. The policies in this section establish procedures for developing the Notice of Privacy Practices form and obtaining patient authorization for use and disclosure of protected health information.
Page 4: Providing the Notice of Privacy Practices to all patients and obtaining a written acknowledgment of receipt.
Pages 58-61: Form PF-1000 NOTICE OF PRIVACY PRACTICES

164.522 (34, 35, 36, 37) - Develop policies for alternative means of communication requests.
Page 36: The patient should be informed that his or her request will be accommodated if he or she provides an alternative means of making confidential communications.
Page 66: See Form PF-5000 Authorization To Communicate Patient's Medical Information

164.524 (40, 41, 42, 43, 44) - Develop policies for access to designated record sets:
- Providing access
- Denying access
Page 40: A patient or a patient's representative may, subject to approval under policy P-5120, inspect and obtain a copy of his or her information maintained in medical records or other information systems of ProHealth Partners.

164.526 (40, 45, 46, 47, 48, 49) - Develop policies for amendment requests:
- Accepting an amendment
- Denying an amendment
- Actions on notice of an amendment
- Documentation
Pages 44, 45: The designated record sets for which a patient may request amendment include:
- The patient's medical records
- The patient's billing records
- Other records that contain protected health information that is used to direct treatment
Page 45: See pages 45 through 49 for policies for amendment requests.

164.528 (pages 49, 50, 51) - Develop policies for accounting of disclosures.
Any disclosure, other than a disclosure covered by the patient's consent to the use and disclosure for purposes of treatment, payment, or health care operations, will be documented by completing a disclosure accounting form. See pages 49, 50, 51, 52.
Page 65: See Form PF-4000 Tracking of Request for Access, Amend or Disclosure of PHI

164.530 (pages 2, 4, 5, 6, 7, 8, 13, 54, 55, 56) - Implementation of Privacy Rule administrative requirements, including:
Page 2: Establishes requirements for administrative measures to implement the policy standards.
- Appointment of a HIPAA privacy officer (page 2): The Privacy Officer is responsible for the development and implementation of policies and procedures to safeguard the privacy of patients' health information consistent with federal and state laws and regulations.
- Training of workforce (page 3): This section establishes the responsibility for the development and updating of staff training programs and materials on privacy policies and procedures. It also establishes the responsibility of all staff members to complete privacy training.
- Sanctions for non-compliance (page 5): P-1300 Staff Compliance and Sanctions. The policies in this section of the privacy manual establish disciplinary procedures for employees whose actions are out of compliance with ProHealth Partners privacy policies and procedures.
- Develop compliance policies (page 2): The policies in this section establish the organizational responsibility for compliance with the privacy standards and for overseeing the efforts of ProHealth Partners to safeguard the privacy of patient information.
- Develop anti-retaliation policies (page 8): No action shall be taken against a staff member who reports violation of privacy standards to the secretary of HHS or to law enforcement agencies.
- Policies and Procedures (page 2): The policies in this section (P-1000) of the ProHealth Partners policy and procedure manual establish the medical practice's administrative policies and procedures for safeguarding the privacy of protected health information.

HIPAA SECURITY RULE - Administrative Safeguards (R = Required, A = Addressable)

164.308(a)(1)(i) Security Management Process (see page 80): Implement policies and procedures to prevent, detect, contain, and correct security violations.

164.308(a)(1)(ii)(A) Has a Risk Analysis been completed in accordance with NIST Guidelines? (R) - Page 102
The Privacy Officer will act as the security official who will implement policies and procedures to assess, analyze, prevent, detect, contain, and correct security violations. Conduct an accurate and thorough risk analysis assessment in accordance with NIST Guidelines of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).

164.308(a)(1)(ii)(B) Has the Risk Management process been completed in accordance with NIST Guidelines? (R) - Page 103
The Privacy Officer implements a comprehensive risk-management program based on the results of the risk analysis. The risk-management program includes the security measures identified by the risk analysis. Risk analysis will be done every three years or as necessary. The purpose of these security measures is to reduce risks and vulnerabilities to a reasonable and appropriate level.

164.308(a)(1)(ii)(C) Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R) - Pages 103, 104
Employees and other members of the medical practice's workforce are subject to sanctions for violating the medical practice's security policies and procedures. Violations of security measures and the penalties associated with them include the following: S-1470 Minor Security Breaches, S-1480 Significant Security Breaches, S-1490 Severe Security Breaches. See sanctions and examples on page 95 for each type of violation.

164.308(a)(1)(ii)(D) Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? (R) - Page 98
The security official regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports, and ensures that any breaches in security have been corrected.

164.308(a)(2) Assigned Security Responsibility (R) - Page 87: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
The Privacy Officer will serve as the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. The Privacy Officer will oversee a team of security officials including but not limited to officers assigned from the following departments: Information Technology (IT), Systems Management, Systems Support, EMR Specialists.

164.308(a)(3)(i) Workforce Security - Page 80: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI).

164.308(a)(3)(ii)(A) Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A) - Page 80
The security official will implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

164.308(a)(3)(ii)(B) Have you implemented procedures to determine that the access of an employee to EPHI is appropriate? (A) - Page 80
The security official will implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

164.308(a)(3)(ii)(C) Have you implemented procedures for terminating access to EPHI when an employee leaves your organization? (A) - Pages 80, 107
(80) The security official will implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
(107) The security official should be notified of the effective date of any employee termination or of the date on which a staff member's authorization to use the medical practice's information resources will terminate. The staff member's user account on the medical practice's information system will be disabled or deleted upon termination of the relationship with the medical practice.

164.308(a)(4)(i) Information Access Management - Page 80: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A) - Not Applicable

164.308(a)(4)(ii)(B) Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A) - Page 81
The Security Official will implement policies and procedures that, based upon the medical practice's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

164.308(a)(4)(ii)(C) Have you implemented policies and procedures that are based upon your access authorization policies to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A) - Page 81
The Security Official will implement and manage the creation and modification of access privileges to workstations, transactions, programs or processes and be responsible for terminating access privileges for workforce members. All additions and changes will be documented and reviewed for validity.

164.308(a)(5)(i) Security Awareness and Training - Page 106: Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) Do you provide periodic information security reminders? (A) - Pages 106, 107
The medical practice publishes periodic notices and security updates to maintain awareness of security procedures and sound security practices. Notices are prepared whenever significant new security threats are identified, whenever security features of computer hardware and software are revised or updated, and whenever the security official believes that a security incident warrants calling the attention of staff members to security policies and procedures.

164.308(a)(5)(ii)(B) Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A) - Page 101
Anti-virus software is installed on all computer workstations and servers to protect the medical practice and its information from attack by malicious software such as computer viruses, worms, and Trojan horses.
Procedure: The security official is responsible for ensuring that anti-virus software has been installed on all workstations and on network servers. The security official also ensures that anti-virus software is regularly updated.

164.308(a)(5)(ii)(C) Do you have procedures for monitoring login attempts and reporting discrepancies? (A) - Page 99
The security official reviews log-in monitoring records and investigates patterns that suggest the possibility of security breaches or attempted penetration of security measures by unauthorized users.

164.308(a)(5)(ii)(D) Do you have procedures for creating, changing, and safeguarding passwords? (A) - Page 100
All users must select a password conforming to the following guidelines:
* Passwords should be between six and 10 characters.
* Passwords should not be the name of a pet, spouse, child, or parent.
* Passwords should be a word or sequence of letters and numbers that the user can remember but could not be easily guessed by even a close friend of the user.
* Passwords should never be written down.
* Passwords should never be given to other staff members.
* A new password should be selected every six months, and current or previous passwords should not be re-used.

164.308(a)(6)(i) Security Incident Procedures - Page 105: Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) Do you have procedures to identify and respond to suspected or known security incidents; mitigate to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R) - Page 105
The Security Official will develop, implement and update as needed, procedures to identify and respond to suspected or known security incidents; mitigate to the extent practicable, harmful effects of known security incidents; and document incidents and their outcome. Security incidents are to be reported promptly to the security official. Incidents should be reported by the staff members responsible for the incident or staff members who identify the incident.

164.308(a)(7)(i) Contingency Plan - Page 90: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

164.308(a)(7)(ii)(A) Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? - Pages 90, 91
(91) The security official will develop and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

164.308(a)(7)(ii)(B) Have you established (and implemented as needed) procedures to restore any loss of EPHI data that is stored electronically? - Pages 90, 92
(92) Detailed back-up procedures are documented in the medical practice's contingency plan. These procedures create an exact copy of PHI at a given point in time. Technical staff members responsible for preparing back-up data sets test the back-up copies to ensure that they:
* Contain an exact copy of the information they back up
* Can be restored when needed
The security official determines when a back-up data set should be used to re-create or restore lost data.

164.308(a)(7)(ii)(C) Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of EPHI while operating in the emergency mode? - Pages 93, 95
The security official develops detailed emergency-mode operating procedures as part of the comprehensive contingency plan. These procedures safeguard the medical practice's information resources and PHI during emergencies that disrupt normal security measures.

164.308(a)(7)(ii)(D) Have you implemented procedures for periodic testing and revision of contingency plans? (A) - Page 107
Contingency plans are to be reviewed with staff members, tested, evaluated, and revised as necessary at least once every 12 months.

164.308(a)(7)(ii)(E) Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A) - Page 86
As part of the development of a comprehensive contingency plan, the security official assesses the relative criticality of specific applications and data. Arrangements are made to ensure that critical applications and equipment are replaced within one work day in the event of failure. Critical data are backed up as provided in the back-up plan.

164.308(a)(8) Have you established a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of EPHI? (R) - Page 91
Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of EPHI. The on-going evaluation should also be performed on a scheduled basis annually. The evaluation must include reviews of the technical and non-technical aspects of the security program.

164.308(b)(1) Business Associate Contracts and Other Arrangements - Page 89: A covered entity (CE), in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the CE obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information.
Have you established written contracts or other arrangements with your trading partners that document satisfactory assurances that the BA will appropriately safeguard the information? (R) - Page 89
Business associate agreements must include the following provisions or provisions with an equivalent effect. The business associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of the covered entity. These safeguards shall be equivalent or identical to the administrative, physical, and technical safeguards that the covered entity is required to implement under the federal security and privacy regulations.

HIPAA SECURITY RULE - Physical Safeguards (R = Required, A = Addressable)

164.310(a)(1) Facility Access Controls - Page 97: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i) Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A) - Page 94

164.310(a)(2)(ii) Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A) - Page 97

164.310(a)(2)(iii) Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A) - Page 79

Pages 94, 97, 79: The medical practice's computer equipment is configured to allow only staff members with appropriate authorization to access information stored on the computer and to configure software installed on the equipment. Staff members responsible for implementing contingency plans must have authorization that enables them to repair equipment and implement emergency procedures. All computer equipment and devices that are used to access, transmit, or store PHI are protected from unauthorized physical access, tampering, and theft. All components of the medical practice's information system are housed in secure locations. Visitors to the medical practice are accompanied by a staff member when in a position to access the practice's information resources. Consultants and contractors whose access has been validated as responsible for installing, maintaining, or testing computer equipment and software are authorized to access the medical practice's information systems in the same manner as though they were staff members authorized to perform similar tasks or functions.

164.310(a)(2)(iv) Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks)? (A) - Page 100
All repairs and modifications to the physical components of the medical practice's facilities that are related to security (hardware, walls, doors, and locks, for example) are documented in the practice's risk-assessment and risk-management plan.

164.310(b) Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R) - Page 109
The security official will implement policies and procedures that specify the proper functions to be performed by electronic computing devices to prevent inappropriate use of computer workstations which could compromise information systems, and risk breaches of confidentiality. Users must observe the guidelines on use of workstations: S-1591 Guidelines (pages 109 and 110).

164.310(c) Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R) - Page 110
Physical safeguards will be implemented for all workstations that access EPHI, to restrict access to authorized users.

164.310(d)(1) (page 84): Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) (page 93): Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored?
  Policy (page 93): All storage devices and media are to be given to the authorized IT staff for disposal. Storage devices and media may be disposed of only by an authorized IT staff member. Prior to disposal, the storage media are sanitized either by means of degaussing, triple overwriting, or physically dismantling and destroying the storage media.

164.310(d)(2)(ii) (page 93): Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse? (R)
  Policy (page 94): Prior to reuse, the storage devices and electronic media are sanitized either by means of degaussing, triple overwriting, or physically dismantling and destroying the storage media. All software and data are removed from all computer equipment prior to reuse of the equipment. Disk drives are sanitized by degaussing or triple overwriting. Logs are maintained of all computer equipment and storage media that have been prepared for reuse. These logs include the date on which storage media were sanitized and a description of the sanitizing method used.

164.310(d)(2)(iii) (page 85): Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A)
  Policy (page 85): Log entries are made in the inventory of computer hardware for all equipment that is moved within or from the medical practice's facilities. The log entry includes:
  * The date on which the equipment was moved
  * The destination of the equipment
  * The reason for moving, such as relocation, repair, reuse or disposal
  * The person responsible for preparing the equipment for movement, including any sanitizing of storage devices

164.310(d)(2)(iv) (page 92): Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment? (A)
  Policy (page 92): Before computer equipment is relocated within or removed from the medical practice's facilities, a retrievable, exact back-up copy is created of any EPHI contained on storage devices that are integral parts of the equipment.

HIPAA SECURITY RULE - TECHNICAL SAFEGUARDS ((R) = Required, (A) = Addressable)

164.312(a)(1) (page 80): Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

164.312(a)(2)(i) (page 108): Unique User Identification. Have you assigned a unique name and/or number for identifying and tracking user identity? (R)
  Policy (page 108): Every staff member authorized to use the medical practice's information systems is given a unique user name and selects a password known only to the staff member. The unique user identifier can be used to track user activity within information systems that contain EPHI. Staff members must use their user name and password when using the information system and accessing PHI.

164.312(a)(2)(ii) (page 95): Emergency Access Procedure. Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)
  Policy (page 95): In the event of loss of power, or damage to equipment due to fire, water, earthquake, or any other natural or man-made disaster, battery-powered portable devices with wireless access may be used to access the web-based system which contains the necessary EPHI.

164.312(a)(2)(iii) (page 88): Automatic Log Off. Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)
  Policy (page 88): All workstations are configured to log users off after 10 minutes of inactivity. After being automatically logged off, a user must re-enter his or her user name and password to resume the interrupted activity. Users may not disable this automatic log-off feature.

164.312(a)(2)(iv) (page 96): Encryption and Decryption. Have you implemented a mechanism to encrypt and decrypt EPHI? (A)
  Policy (page 96): Data should be encrypted when it is transmitted over a network that might be accessible by unauthorized individuals. Information that can be used to alter or defeat the medical practice's security measures also should be encrypted. The technical methods used to implement encryption and decryption are determined by the security official.

164.312(b) (page 87): Audit Controls. Have you implemented audit controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)
  Policy (page 87): The security official implements technical measures to create a record of information system activity, including user log-on/log-off and start-up/shut-down of technical security measures. The security official will regularly review records of system activity such as audit logs, access reports, and security incident tracking. This policy and procedure will adhere to the policy and procedures developed to comply with the required implementation specification at 164.308(a)(1)(ii)(D) for Information System Activity Review.
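As an added illustration of the audit-log review the security official is expected to perform (this is not part of the original checklist or the practice's policy manual): a small Python review over constructed logon/logoff records that flags sessions left idle past the 10-minute auto-logoff limit from page 88, and a user ID logged on at two workstations at once, which the unique-user-identification policy on page 108 rules out. The record format, user IDs and workstation names are assumptions.

```python
from datetime import datetime, timedelta

AUTO_LOGOFF = timedelta(minutes=10)  # page 88 policy: log users off after 10 min idle

# Constructed sample audit records (format, user ids and workstation names are assumptions):
# "<ISO timestamp> <user id> <workstation> <logon|activity|logoff>"
SAMPLE_LOG = """\
2013-10-24T08:00:00 jdoe WS-01 logon
2013-10-24T08:05:00 jdoe WS-01 activity
2013-10-24T08:30:00 jdoe WS-01 activity
2013-10-24T08:31:00 jdoe WS-01 logoff
2013-10-24T09:00:00 asmith WS-02 logon
2013-10-24T09:02:00 asmith WS-03 logon
2013-10-24T09:10:00 asmith WS-02 logoff
2013-10-24T09:12:00 asmith WS-03 logoff
"""

def parse_log(text):
    """Parse the sample format into (timestamp, user, workstation, kind) tuples ordered by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ws, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, kind))
    return sorted(events, key=lambda e: e[0])

def review_sessions(events):
    """Return findings for the security official's review of system activity.
    Any event arriving more than AUTO_LOGOFF after the session's previous event means the
    automatic log-off did not fire (the log-off itself shows up as a logoff at the limit);
    a logon for a user id that is still logged on elsewhere suggests shared credentials."""
    findings = []
    last_seen = {}  # (user, workstation) of each open session -> time of its last event
    for ts, user, ws, kind in events:
        key = (user, ws)
        if kind == "logon":
            elsewhere = [w for (u, w) in last_seen if u == user and w != ws]
            if elsewhere:
                findings.append(f"{user}: logon at {ws} while still logged on at {', '.join(elsewhere)}")
            last_seen[key] = ts
        elif key in last_seen:
            idle = ts - last_seen[key]
            if idle > AUTO_LOGOFF:
                findings.append(f"{user}@{ws}: {int(idle.total_seconds() // 60)} min idle without auto-logoff")
            if kind == "logoff":
                del last_seen[key]
            else:
                last_seen[key] = ts
    return findings
```

Running `review_sessions(parse_log(SAMPLE_LOG))` on the constructed records yields one idle-session finding for jdoe and one concurrent-logon finding for asmith.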

164.312(c)(1) (page 98): Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction.

164.312(c)(2) (page 98): Mechanism to Authenticate Electronic Protected Health Information. Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)
  Policy (page 99): The security official implements procedures and technical measures to guard electronic health information from improper alteration or destruction. Staff members must follow these procedures and may not take any action to evade the technical measures.

164.312(d) (page 101): Person or Entity Authentication. Have you implemented person or entity authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R)
  Policy (page 101): All users must use their passwords when logging on to the medical practice's information system. Passwords should not be written down or disclosed to other members of the staff, friends, family, or anyone else. A staff member may not use another staff member's user name and password to access the medical practice's information system. Staff members may not give their passwords to other staff members. Passwords should comply with the following guidelines.

164.312(e)(1) (page 108): Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

164.312(e)(2)(i) (page 108): Integrity Controls. Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)
  Policy (page 108): The security official will implement security measures to monitor and ensure that electronically transmitted EPHI is not modified in transmission.

164.312(e)(2)(ii) (page 96): Encryption. Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)
  Policy (page 96): The security official identifies any circumstances under which information transmitted by the practice must be encrypted to prevent its use by unauthorized recipients. The security official ensures that staff members responsible for transmitting information are familiar with encryption requirements and the use of encryption software. Staff responsible for transmitting information must encrypt it when directed to do so by the security official.

HITECH ACT

13401 (page 89): Application of security provisions and penalties to Business Associates of Covered Entities; annual guidance on security provisions. Are Business Associate Agreements updated appropriately? The HITECH Act changes applicable to covered entities also apply to business associates for both privacy and security, and need to be incorporated into the BA agreements.
  Policy (page 89): Instruction: Medical practices must use the current contract/agreement for Business Associates. Business Associate Agreements must be updated appropriately to incorporate changes in order to meet federal guidelines.

13402 (page 110): Notification in the case of breach. Process for notification to the following in the event of a breach of unsecured PHI: individuals, media, Secretary of HHS.
  Policy (pages 110, 111): See pages 110-111 for notification requirements for individuals, media, the Secretary of HHS, and by a Business Associate.

(page 96): Use of encryption in accordance with HHS guidance; for example, the use of FIPS 140-2 whole disk encryption as specified in NIST guidance.
  Policy (page 96): Staff responsible for storing and/or transmitting information must encrypt it when directed to do so by the security official. Use of encryption in accordance with FIPS (Federal Information Processing Standard) 140-2 whole disk encryption as specified in NIST (National Institute of Standards and Technology) guidance will be considered if determined necessary based on a risk analysis as specified in NIST 800-111.

13405 (pages 16, 24, 25, 28, 30, 32, 33, 34, 35, 36, 49, 50, 51, 59, 60; NPP pages 3 & 4): Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.

(page 34): Process for Handling Individual's Request to Restrict Disclosure.
  Policy (page 34): A patient may request restrictions on the use and disclosure of protected health information for treatment, payment, and health care operations as provided for in the standard consent form. A patient also may request restrictions on the use and disclosure of protected health information covered by an authorization form.

(page 16): Limit disclosure or use of PHI to the minimum necessary to accomplish the purpose by, to the extent possible, limiting use/disclosure to a "limited data set".
  Policy (page 16): Staff must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, limiting use/disclosure to a limited data set to the extent possible. For all other requests, staff must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made. Staff may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

13405(c) (page 49): Accounting of certain protected health information disclosures required if the CE uses an electronic health record. If Covered Entities use electronic health records, Covered Entities must include disclosures made through an EHR for payment/treatment/health care operations on the accounting, and the individual can get an accounting of payment/treatment/health care operations disclosures made during the past 3 years.
  Policy (page 49, P-7000 Accounting for Disclosures): The policies in this section of the privacy manual establish procedures for developing the Notice of Privacy Practices form and obtaining patient consent to, or authorization of, use and disclosure of protected health information. If there is an electronic health record (EHR) or electronic medical record (EMR), there must be an accounting of disclosures made through the EHR or EMR for payment, treatment, and health care operations, and an accounting of disclosures made during the past 3 years must be made available to the patient.

(page 49): Process to allow an individual to obtain an accounting of disclosures made by the Covered Entity and Business Associates, or an accounting of disclosures by the Covered Entity and a list of Business Associates with contact information. Business Associates must give individuals an accounting of PHI disclosures.
  Policy (page 49): Staff will provide the patient with a list of Business Associates with contact information. Business Associates must give individuals an accounting of PHI disclosures.