Policy and Procedure: SDM Guidance for HIPAA Business Associates

Similar documents
HIPAA Security Rule Policy Map

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

HIPAA Security Checklist

HIPAA Security Checklist

HIPAA Security and Privacy Policies & Procedures

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Compliance Checklist

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA Federal Security Rule H I P A A

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

HIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP

Healthcare Privacy and Security:

Summary Analysis: The Final HIPAA Security Rule

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

A Security Risk Analysis is More Than Meaningful Use

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Support for the HIPAA Security Rule

HIPAA Security Manual

HIPAA COMPLIANCE FOR VOYANCE

Meaningful Use & Security Protecting Electronic Health Information in Accordance with the HIPAA Security Rule

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Putting It All Together:

HIPAA Privacy, Security and Breach Notification 2018

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Security and Privacy Breach Notification

HIPAA Regulatory Compliance

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Integrating HIPAA into Your Managed Care Compliance Program

HIPAA Privacy, Security and Breach Notification 2017

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

SECURITY & PRIVACY DOCUMENTATION

How Managed File Transfer Addresses HIPAA Requirements for ephi

Employee Security Awareness Training Program

HIPAA Compliance and OBS Online Backup

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

The simplified guide to. HIPAA compliance

HIPAA Security Compliance for Konica Minolta bizhub MFPs

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Guide: HIPAA. GoToMeeting and HIPAA Compliance. Privacy, productivity and remote support. gotomeeting.com

Implementing an Audit Program for HIPAA Compliance

Privacy Breach Policy

Data Backup and Contingency Planning Procedure

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

HIPAA Privacy, Security and Breach Notification

Red Flags/Identity Theft Prevention Policy: Purpose

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

NMHC HIPAA Security Training Version

HIPAA FOR BROKERS. revised 10/17

HIPAA Controls. Powered by Auditor Mapping.

Checklist: Credit Union Information Security and Privacy Policies

HIPAA & Privacy Compliance Update

Virginia Commonwealth University School of Medicine Information Security Standard

Information Security Policy

HIPAA / HITECH Overview of Capabilities and Protected Health Information

HIPAA For Assisted Living WALA iii

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Vendor Security Questionnaire

The ABCs of HIPAA Security

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

What is a Breach? 8/28/2017

PRIVACY-SECURITY INCIDENT REPORT

HIPAA-HITECH: Privacy & Security Updates for 2015

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

What s New with HIPAA? Policy and Enforcement Update

HIPAA RISK ADVISOR SAMPLE REPORT

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Start the Security Walkthrough

HIPAA Enforcement Training for State Attorneys General

Ferrous Metal Transfer Privacy Policy

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA Cloud Computing Guidance

Subject: University Information Technology Resource Security Policy: OUTDATED

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

01.0 Policy Responsibilities and Oversight

Security Policies and Procedures Principles and Practices

Data Privacy Breach Policy and Procedure

A Panel Discussion. Nancy Davis

Security Audit What Why

University of Wisconsin-Madison Policy and Procedure

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

efolder White Paper: HIPAA Compliance

Department of Public Health O F S A N F R A N C I S C O

The Common Controls Framework BY ADOBE

Transcription:

Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective: 03/30/2012 Created: 03/21/2012 Last updated: 5/12/2012 SDM Guidance for HIPAA Business This SDM Guidance for HIPAA Business document is intended to overview the School of Dental Medicine (SDM) s expectations, as well as to provide additional resources and information, to SDM s HIPAA business associates. In general, as a business associate, it is expected that appropriate steps are taken in order to protect SDM PHI data from the risk of unauthorized disclosure. OVERVIEW As a business associate to SDM, SDM expects you to comply with SDM s business associate terms and conditions found at: http://www.dental.pitt.edu/hipaa/documents/prc_sdm%20hipaa%20terms%20and%20conditions%20 for%20business%20.pdf BREACH NOTIFICATION You shall report to SDM any breach of SDM s patient information immediately upon becoming aware of such breach. The report shall include the name of each individual whose protected health information was or is reasonably believed by your organization to have been inappropriately accessed, acquired or disclosed, as well as who SDM should contact from your organization. You shall also provide such assistance and further information as requested by SDM. You shall immediately report any situation where you believe that your organization may have violated the BAA Terms. The report should be to the SDM HIPAA Officer or the University Privacy Officer. 5/24/2012 1

SECURITY: APPLICABILITY OF HIPAA SECURITY STANDARDS Generally, SDM expects that you will properly secure all SDM patient information. This includes such steps as: o Encrypting hard disks, removable media, remote access and information sent via the Internet. o Securing workstations and servers. o Employing effective passwords. o Maintaining effective antivirus software. o Patching your systems. o Performing backups of your systems and data. o Ensuring that your data center is physically secure, and that you have an effective contingency plan. o Limit staff access to systems and information on a need to know basis. o Destroying data when you no longer need to keep it. The following provisions from the HIPAA Security Standards (45 CFR Section 164) apply directly to you in your capacity as a business associate: Administrative Safeguards (164.308) Physical Safeguards (164.310) Technical Safeguards (164.312) Policies & Procedures and Documentation Requirements (164.316) More information on these requirements is included in Attachment A. BUSINESS ASSOCIATE SUBCONTRACTORS AND AGENTS Any agent or subcontractor that you utilize and whom you provide SDM s patient information to must agree to the BAA Terms as well as any other terms and conditions you and SDM agree to. ACCOUNTING OF DISCLOSURES Under the terms of the American Recovery & Reinvestment Act (ARRA), patients have a right to an accounting of who electronically accessed their information. This includes access by staff of business associates and their subcontractors and agents. Accordingly, you shall maintain logs of such access in order that SDM can comply with this provision. IDENTITY THEFT You may receive or have access to SDM information that could be used to commit identity theft, such as names, SSNs, account numbers and birth dates. Accordingly, you shall implemented appropriate precautions, as well as policies and procedures, to prevent, detect and mitigate identity theft. 5/24/2012 2

INAPPROPPRIATE ACCESS BY STAFF You shall only allow your staff to access SDM patient information as is necessary for them to do their job. You shall also implement appropriate procedures to detect if a staff member has inappropriately accessed SDM patient information. You will further investigate each case where you believe that inappropriate access has occurred. EDUCATION You shall train your staff and ensure that they understand their obligations under the BAA Terms. MITIGATION & DSICIPLINE You shall implement processes and procedures to properly address any breach of the BAA Terms that may occur, including disciplining employees, subcontractors and agents. ADDITIONAL INFORMATION Additional information regarding HIPAA and the privacy rule (including the HIPAA regulations and FAQs) can be found at http://www.hhs.gov/ocr/privacy. Guidance specific to business associates can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html. 5/24/2012 3

Attachment A 1. ADMINISTRATIVE SAFEGUARDS a. Security Management Process: i. Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. ii. Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. iii. Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. iv. Information System Activity Review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. b. Assigned Security Responsibility: i. Identify the security official who is responsible for the development and implementation of the facility's information security policies and procedures c. Workforce Security: i. Workforce Security: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. ii. Workforce Clearance Procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. iii. Termination procedure: Implement procedures for terminating access to electronic PHI when the employment of a workforce member. d. Information Access Management: Implement policies and procedures for authorizing access to electronic PHI i. Isolating Health Care Clearinghouse Functions: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. ii. Access Authorization: Implement policies and procedures for granting access to electronic PHI, for example, through access to a workstation, transaction, program, process, or other mechanism. iii. Access Establishment and Modification: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. e. Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management). 5/24/2012 4

i. Security reminders periodic security updates. ii. Protection from malicious software - Procedures for guarding against, detecting, and reporting malicious software. iii. iv. Log in monitoring - Procedures for monitoring log-in attempts and reporting discrepancies. Password Management - Procedures for creating, changing, and safeguarding passwords. f. Security Incident Procedures i. Response and Reporting - Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. g. Contingency Plan - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI. i. Data backup plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic PHI. ii. Disaster Recovery Plan - Establish (and implement as needed) procedures to restore any loss of data. iii. Emergency Mode Operation Plan - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode. iv. Testing and Revision Procedures - Implement procedures for periodic testing and revision of contingency plans. v. Applications and Data Criticality Analysis - Assess the relative criticality of specific applications and data in support of other contingency plan components. h. Evaluation - Perform a periodic self or external evaluation of the facility's compliance with the HIPAA security rule. i. Business Associate Contracts and Other Arrangements 2. PHYSICAL SAFEGUARDS a. Facility Access Controls - Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. i. Contingency Operations - Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. ii. Facility Security Plan - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. 5/24/2012 5

iii. iv. Access Control and Validation Procedures - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Maintenance Records - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks.) b. Workstation Use - Implement procedures that specify appropriate usage, including the physical attributes of workstations which can access ephi c. Workstation Security - Implement physical safeguards for all workstations that access ephi to restrict access to authorized users d. Device and Media Controls - Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within the facility. i. Disposal - Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. ii. Media Re-use - Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. iii. Accountability - Maintain a record of the movements of hardware and electronic media and any person responsible therefore. iv. Data Backup and Storage - Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment. 3. TECHNICAL SAFEGUARDS a. Access Control i. Unique User Identification - Assign a unique name and/or number for identifying and tracking user identity. ii. Emergency Access Procedure - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. iii. Automatic Logoff - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. iv. Encryption and Decryption - Implement a mechanism to encrypt and decrypt electronic PHI. b. Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. c. Integrity - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. d. Person or Entity Authentication- Implement procedures to verify that a person or entity seeking access to ephi is the one claimed. 5/24/2012 6

e. Transmission Security - Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network. i. Integrity Controls - Implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of. ii. Encryption - Implement a mechanism to encrypt electronic PHI whenever deemed appropriate. 5/24/2012 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback