Building a Health Information Infrastructure to Support HIPAA (157522956)

8/22/2019 Building a Health Information Infrastructure to Support HIPAA (157522956)

http://slidepdf.com/reader/full/building-a-health-information-infrastructure-to-support-hipaa-157522956 1/20

Contents

Worksheet name What is covered

Contents This sheet.

Overview * The model of a unit of the HCC.

* What are: technical assets, physical sites, and administrative subunits.

* How to identify a HCC unit's physical sites and administrative subunits.

Process * The process of filling out the HIPAA Risk Assessment Inventory.

* The suggested grading scale.

* Desciptive narrative.

* Some criteria for prioritizing risks.

* Delivery instructions.

Instructions * A description of the four sheets which form the actual Risk Assessment Inventory.

* Descriptions of the fields found on each of those four sheets.

* How to score risks on each sheet, which are mitigated by different types of Safeguards.


I. HCC Unit Names of the HCC Unit, Physical Site(s) and Admin Subunit(s)

II. Tech Assets Inventory of technical assets, and assessment of risks mitigated by applicable:

Administrative, Physical and Technical Safeguards.

III. Phys Site(s) Inventory of physical sites, and assessment of risks mitigated by applicable:

Physical Safeguards and Technical Safeguards.

IV. Admin Subunit(s) Inventory of administrative subunits, and assessment of risks mitigated by applicable:

Administrative Safeguards


HIPAA Security Regs * Administrative, Physical and Technical Safeguards,

with language taken directly from the regulation itself.

* Suggested grading scales for the required Safeguards.

* Summary of the process for addressing the "addressable" safeguards.

Contents of the HIPAA Risk Assessment Inventory Workbook

Explanations

The workbook is divided into three parts:

This workbook contains the HIPAA Risk Assessment Inventory instrument for use by the units of the Health Care Component (HCC) at the

University of Wisconsin - Madison. It was designed by the Risk Assessment Subcommittee of the UW-Madison HIPAA Security Committee.

Before learning about the details of the Risk Assessment Inventory, you may find it helpful to read the summary of language from the HIPAA Security

Regulation, which is included in this workbook as the last sheet named 'HIPAA Security Reg'.

The Risk Assessment Inventory

The HIPAA Regulation, and possible grading scalesC.

B.

This risk assessment inventory is intended to assist the units of the HCC in meeting the risk assessment requirement of the HIPAA security regulation

(45 CFR Part 164.308(a)(1)(ii)(A)), and the risk assessment inventory and migration planning process specified in the UW-Madison policy (#8.4 III(A)(i)).

Completing this risk assessment inventory is not by itself sufficient to meet the requirements of either the regulation or the policy, but is an early step in

an ongoing process leading to compliance.

A.

Printed: 8/1/2013

Security Professionals Workshop -- HIPAA Risk Assessment Inventory

Copyright (c) 2003, 2004 University of Wisconsin Board of RegentsPage 1 of 20

http://wiscinfo.doit.wisc.edu/policy/hipaa/inventory.html



Overview

UW-Madison HCC

The Unit of the HCC(has a Security Coordinator)

Other Units

of the HCC

Administrative

Subunits

Physical

Sites

Own and Operate Contain

* Technical assets. These include servers, workstations, network devices, peripherals, portables and applications. See the sheet named 'Instructions' for a more

detailed description of each class of technical assets.

Overview of HIPAA Risk Assessment Inventory

Technical Assets

The HIPAA Risk Assessment Inventory includes three elements:

* Administrative Subunits. The unit of the HCC will consist of one or more administrative subunits that own and operate technical assets. A subunit could be a

distinct department, a sizable research group, a separate service organization, etc. Distinct subunits should have a significant degree of operational autonomy.

Subunits that share the same information technology, human resource, and administrative staff might be treated as one, because most of the relevant policies and

procedures are defined and implemented by those staff members.

* Physical Sites. The unit of the HCC will have one or more physical sites at which technical assets are located. Most technical assets are located at one such

physical site, but a few such as network devices and applications may be distributed among multiple sites. A physical site could be a building complex, a building

wing or floor, a number of rooms scattered around a building or complex, or in some cases an isolated room with distinct security requirements. Distinct sites will

typically be physically isolated from each other, and should have differing security issues. For example: scattered rooms in the same building may share many of

the same security issues and might be treated as a single physical site, while a server room in the same building might be treated as separate physical site because of

its unique security requirements.

Printed: 8/1/2013






Process

2

3

4

5

b. Physical Site(s)

Establish a team to Assess risks

When intervening to mitigate significant risks, not all D's and F's are equally important. Take into

account the cost of intervention and the business impact of loss of confidentiality, integrity, or

availability of data. Scores may be grouped whenever that seems appropriate. Add the prioritization to

the descriptive narrative.

Deliver to the Security Coordinator

See sheet 'III. Phys Site(s)'.

Suggestion: have IT, HR, and management representative(s).

Deliver the inventory and descriptive narrative your Security Coordinator by October 1st 2003 (or

other date as directed by the Security Coordinator.)

If you are the Security Coordinator, deliver a migration plan and the accompanying risk assessment

inventory to the Security Officer by October 14th.

Process

Score the risk associated with each applicable safeguard.

Write a descriptive narrative.

Prioritize significant risks (high to low) and add that to the

descriptive narrative.

See sheet 'I. HCC Unit'.

Score risk on a five point scale. For example: a scale of A, B, C, D, & F where A (excellent) is low

risk, and F is high risk, and . Risk associated with all applicable safeguards should be assessed, but

spend the most time and attention on the required safeguards. The 'HIPAA Security Regs' sheet in this

workbook includes a possible grading scale for each required safeguard.

The Risk Assessment Inventory is not by itself a complete risk assessment. A descriptive narrative

should accompany the inventory. The narrative should explain "why". Why were those physical sites

and those administrative subunits were selected. Why were various technical assets grouped together.

Why were particular scores given, especially when the score was a "A", "D" or "F". It is important to

explain cases where there is minimal risk as well as cases where there is significant risk. To shorten

the narrative, comments may be added to the cells of sheets II. through IV. When the inventory is

printed the comments will follow each sheet.

See sheet 'II. Tech Assets'.

Process for HIPAA Risk Assessment Survey

Conduct an inventory of the unit of the HCC

a. Technical Assets

1

c. Administrative Subunit(s) See sheet 'IV. Admin Subunit(s)'.

Printed: 8/1/2013






Instructions

Server A computer running the "server" side of client/server applications or services.

Often managed by an assigned system administrator who routinely gives attention to the system.

Network A computer or non-trivial specialized device forming or managing a network, such as a router, switch, wireless network hub or access point, or network monitor. Often managed

by one or more network administrators and/or technicians as a component of the entire network.

Workstation A single-user or shared computer running the "client" side of client/server applications or services; or

A computer attached to instrumentation for the purpose of data acquistion and control. Managed by a single user, administrator, or technician (i.e. "the owner") or managed en

mass by one or more workstation administrators and/or technicians.

Peripheral A printer, plotter, scanner, or other stand-alone I/O device, whether connected to the network or connected directly to a server, workstation, or portable. Managed by a single user

or administrator (i.e. "the owner") or enmass by the workstation administrators and/or technicians.Portable A laptop, PDA or portable computing device, and similarly portable peripherals. Managed by a single user (i.e. "the owner".) Presents unique security challenges because it can

leave the physically secure environment, or might be connected via a public or wireless network.

Application A software application, other than the operating system or embedded applications. It is not necessary to include in this category any applications that are embedded in a device

such as a peripheral, PDA, network router, etc., because such applications an integral part of the device.

Other Critical or Sensitive

Data?

Y/N: Does the technical asset or physical site either store or process critical or sensitive business data other than PHI?

Score the risk as: A B, C, D, & F, where A (excellent) is low risk and F is high risk. Depending upon Asset Category, n/a may be the appropriate value.

The risk factors correspond to specific provisions of the HIPAA security regulation. See the sheet named 'HIPAA Security Regs' for more detail on each provision.

There is some overlap of risk factors. On the sheet 'II. Tech Assets', each technical asset can be assessed as to the extent it is included in the

policies and procedures of selected Administrative or Physical Safeguards. On the sheet 'III. Phys Site(s)', a few Technical Safeguards are

applicable to technological systems used to enhance the physical security of the site. Of particular note: Physical security of a particular technical

asset is assessed on 'II. Tech Assets', but overall physical security of a physical site is assessed on the 'III. Phys Site(s)'.

Similarly, inclusion of a particular technical asset in the policy or procedure of an Administrative Safeguard is assessed on 'II. Tech Assets',

Asset Category

Use these categories. Within the

same category, it is OK to

group multiple assets together if

they are similar, for example:

all office productivity

workstations.

I/E: Is the technical asset Internal or External to the firewall(s) or the physical security permiter. Treat all portable devices as external

because they may leave the physical perimeter and/or might be connected beyond the firewalls. A firewall itself is external.

Operating system (with major version)Major subsystems that have significant security implications, (e.g. IIS or Apache for a webserver, etc., with major version.)

Make/model for peripherals, PDA's and other devices where the operating system and subsystems are integrated.

IP address (numeric or alphanumeric) or IP address pool, if applicable.

Example: Win2000 Server, IIS, www.dept.wisc.edu

Internal or External

to the Firewall?

Name of the asset, an inventory tag, or a descriptive tag, (e.g. server name, "Router #7", "Jane Doe's laptop", "3rd floor printer", etc.)Asset name should be unique among all assets of the HCC entity.

For technical assets ('II. Tech Assets'): the room and building, also the "site" at which it is located (if there are multiple "sites")

and the "subunits" of the which have personnel using or managing the asset ( if there are multiple "subunits".)

For portable assets, the location of the asset's owner. For applications, the location of the server(s). Otherwise whatever seems reasonable.

For physical sites ('III. Phys Site(s)'): the rooms and buildings or other description of what makes up the site.

For administrative subunits ('IV. Admin Subunit(s)'): the list of sites at which the subunit has personnel or equipment.

Description

Stores or Processes PHI? Y/N: Does the technical asset or physical site either store or process PHI?

An asset or site that does not store and process PHI may still create a threat to other assets which do have PHI.

The sheet named 'I. HCC Unit', is a summary of the physical sites and administrative subunits of the unit of the HCC. Enter the name of the HCC unit, and the names of the administrative subunits and physical sites. These are

carried forward on the other sheets for consistency.

The sheets numbered II., III. and IV. are for scoring the risk associated with each technical asset, physical site and administrative subunit respectively. A descriptive narrative should accompany the scores. To shorten the narrative,

comments can be added to the sheets, and when printed will follow each sheet.

There are four sheets in the template, numbered I. through IV.

Filling out sheets I. through IV.

Instructions for the HIPAA Risk Assessment Inventory

Estimate of Risk

(The Risk Factors)

The Fields (Columns) of Sheets II. through IV.

Asset

Location

Printed: 8/1/2013Security Professionals Workshop -- HIPAA Risk Assessment Inventory





HCC Unit

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

A B C

Updated: 2/9/05

Unit Name

Example Unit Name

Site Name

Example site name 1

Example site name 2

Example site name 3

Add more sites here

Unit Name

Example subunit name 1


Add more subunits here

In determining what administrative subunits exist in the unit of the HCC,

consider the degree of autonomy of the subunit. The distribution of

information technology, human resource, and administrative staff is a

possible guide. Units sharing the same IT, HR, and administrative staff

may not be sufficiently autonomous to be considered separate units for

purposes of HIPAA compliance, because most provisions of the HIPAA

security rule have strong IT, HR, or administrative components.

Enter the name of the unit of the HCC, typically a

division or department name. This name will

appear on each inventory sheet.

Enter the names of each physical site at which the

unit of the HCC has personnel or equipment. These

become line items on the sheet named

'III. Phys Site(s)'.

Enter the names of each administrative subunit

within the unit of the HCC which has significantly

different administrative, personnel or technical

policies or policies and procedures. These become

line items on the sheet named

'IV. Admin Subunit(s)'.

Administrative Units of the HCC Entity

Unit of the HCC

Physical Sites of the Unit of the HCC

I. HIPAA Risk Assessment Inventory, The Unit of the HCCThis is the first of four worksheets, numbered I. through IV.

Fill in names below to populate those sheets.

In determining what physical sites exist in the unit of the HCC, consider

not only the degree of physical separation, but also the extent to which

their security needs differ. Scattered rooms in the same building may

have very similar security needs. Facilities in two or three different

buildings may also have similar needs. On the other hand, a single room

(such as a "server room") could have significantly different security

needs, even when located in the same building with other facilities.

Printed: 8/1/2013






Technical Assets

1

2

3

4

5

6

7

8

9

10

11

12

13

14

1516

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA AB AC AD AE AF AG AH AI AJ AK AL A

(6) (8) (b) (c) (b) (c

A u t h

o r i z a t i o n a n d / o r S u p e r v i s i o n ( A )

W o r k f o r c e C l e a r a n c e P r o c e d u r e ( A

)

T e r m

i n a t i o n P r o c e d u r e ( A )

I s o l a

t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )

A c c e

s s A u t h o r i z a t i o n ( A )

A c c e

s s E s t a b l i s h m e n t & M o d . ( A )

M a l i

c i o u s S o f t w a r e ( A )

L o g i n M o n i t o r i n g ( A )

P a s s w o r d M a n a g e m e n t ( A )

I n c i d

e n t R e s p o n s e & R e p o r t i n g ( R )

D a t a

B a c k u p P l a n ( R )

D i s a s t e r R e c o v e r y P l a n ( R )

E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )

T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )

A p p

a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )

P e r i o d i c E v a l u a t i o n ( R )

C o n t i n g e n c y O p e r a t i o n s ( A )

I n c l u

s i o n i n S e c u r i t y P l a n ( A )

A c c e

s s s C o n t r o l & V a l i d a t i o n ( A )

M a i n

t e n a n c e R e c o r d s ( A )

W o r k s t a t i o n U s e ( R )

W o r k s t a t i o n S e c u r i t y ( R )

M e d i a D i s p o s a l ( R )

M e d i a R e - u s e ( R )

M e d i a A c c o u n t a b i l i t y ( A )

D a t a

B a c k u p a n d S t o r a g e ( A )

U n i q

u i e U s e r I d e n t i f i e r ( R )

E m e r g e n c y A c c e s s P r o c e d u r e ( R )

A u t o

m a t i c L o g o f f ( A )

E n c y

r p t i o n ( S t o r e d D a t a ) ( A )

A u d i t C o n t r o l s ( R )

I n t e g r i t y ( S t o r e d D a t a ) ( A )

Examples: DeleteDefault Server Server n/a n/a n/a

Default Network Network n/a n/a n/a n/a n/a n/a n/a n/a n/a n

Default WS Workstation n/a

Default Peripheral Peripheral n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a

Default Portable Portable E n/a

Default Application Application n/a

Risk Factor Key

Risk Factor (A) D, F Failure -- High

Risk Factor (R) Excellent -- LoThose marked (R) must be filled out.

Descriptive Information

(a)

Phys 164.310

(a)

I n t e r n a l o r E x t e r n a l t o F i r e w a l l ? ( I

/ E )

(d)

Asset

Category (One of:

Server,

Network,

Workstation,

Peripheral,

Portable,

Application)

Location

(Rm, Bldg, also:

Phys Site

(if multiple), &

Admin Subunit(s)

(if multiple))

(7)

Description

(As Appropriate:

Make/Model,

Operating System,

Major Subsystem(s),

IP number or name)

S t o r

e s o r P r o c e s s e s P H I ? ( Y / N )

O t h e r c r i t i c a l o r s e n s i t i v e d a t a ? ( Y ? N )

A

Tech 164.312

Those marked (A) need to be filled out as time permits.

Intermediate RB, C

n/a Not Applicable

Estimate of Risk:A B, C, D, & F, where A is low risk and F is high Risk

Updated

Color Key Interpretation

Example Unit Name

II. HIPAA Technical Assets Risk Assessment

If desired when adding rows, copy formulas from an existing empy row in order to apply the default values.

Instructions

(3) (4) (5)

Admin 164.308(a)

Expand to multiple sheets as needed. Insert new rows between any two rows above.

Technical Asset

(Name or

other tag)



Physical Sites

1

2

3

4

5

6

7

89

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

A B C D E F G H I J K L M N O P Q R

Tech 164.312

(b) (c) (a) (b) (d)

C o n t i n g e n c y O p e r a t i o n s ( A )

F a c i l i t y S e c u r i t y P l a n ( A )

A c c e s s s C o n t r o l & V a l i d a t i o n ( A )

M a i n t e n a n c e R e c o r d s ( A )

W o r k s t a t i o n U s e ( R )

W o r k s t a t i o n S e c u r i t y ( R )

M e d i a D i s p o s a l ( R )

M e d i a R e - u s e ( R )

M e d i a A c c o u n t a b i l i t y ( A )

D a t a B a c k u p a n d S t o r a g e

( A )

E m e r g e n c y A c c e s s P r o c e d

u r e ( R )

A u d i t C o n t r o l s ( R )

P e r s o n o r E n t i t y A u t h e n t i c a t i o n ( R )

Example site name 1

Example site name 2Example site name 3

Add more sites here

Risk Factor Key

Poor or Nothing -- High Risk

n/a Not Applicable

Color Key Interpretation

A

Risk Factor (A)

Risk Factor (R)

Instructions

Excellent -- Low Risk

D, F

O t h e r c r i t i c a l o r s e n s t i v e d a t a ? ( Y ? N )

Physical Site

(Name)

2/9/2005

Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.

Location

(Rm(s) / Bldg(s) or

other description)

Good or Moderate

Updated:

Admin Subunits

(Admin Subunits

with Personnel or

Equipment at the

Physical Site)

S t o r e s o r P r o c e s s e s P H I ? ( Y / N )

Physical 164.310

(a)

Those marked (R) must be filled out.


B, C

III. HIPAA Physical Site Risk Assessment

Example Unit Name

Descriptive Information

(d)

Printed: 8/1/2013






Administrative Subunits

1

2

3

4

5

6

7

8

910

11

12

13

14

15

16

17

18

1920

21

A B C D E F G H I J K L M N O P Q R S T U V W X Y

(2) (6) (8)

R i s k A n a l y s i s ( R )

R i s k M a n a g e m e n t ( R )

S a n c t i o n P o l i c y ( R )

I n f o r m a t i o n S y s t e m A c t i v i t y R e v i e w ( R )

A s s i g n e d S e c u r i t y R e s p o

n s i b i l i t y ( R )

A u t h o r i z a t i o n a n d / o r S u

p e r v i s i o n ( A )

W o r k f o r c e C l e a r a n c e P r

o c e d u r e ( A )

T e r m i n a t i o n P r o c e d u r e ( A )

I s o l a t i n g t h e C l e a r i n g h o u s e F u n c t . ( R )

A c c e s s A u t h o r i z a t i o n ( A )

A c c e s s E s t a b l i s h m e n t &

M o d . ( A )

S e c u r i t y R e m i n d e r s ( A )

M a l i c i o u s S o f t w a r e ( A )

L o g i n M o n i t o r i n g ( A )

P a s s w o r d M a n a g e m e n t ( A )

I n c i d e n t R e s p o n s e & R e p o r t i n g ( R )

D a t a B a c k u p P l a n ( R )

D i s a s t e r R e c o v e r y P l a n ( R )

E m e r g e n c y M o d e O p e r a t i o n P l a n ( R )

T e s t i n g a n d R e v i s i o n P r o c e d u r e ( A )

A p p a n d D a t a C r i t i c a l l i t y A n a l y s i s ( A )

P e r i o d i c E v a l u a t i o n ( R )

B u s i n e s s A s s o c i a t e s ( R )



Add more subunits here

Risk Factor Key

Not Applicable

Instructions

Those marked (R) must be filled out.


Interpretation

Excellent -- Low Risk

Good or Moderate

Poor or Nothing -- High Risk

IV. HIPAA Administrative Subunit Risk Assessment

Descriptive Information Estimate of Risk:A B, C, D, & F, where A is low risk and F is high risk.

2/9/2005Updated:Example Unit Name

Administrative

Subunit

(Name)

Location(s)

(Phys Site(s) at which

the Admin Subunit

has Personnel or

Equipment)

(4)

Risk Factor (A)

Risk Factor (R)

Color Key

n/a

B, C

D, F

A

(7)

(b)Admin 164.308(a)

(5)(1) (3)

Printed: 8/1/2013






HIPAA Security Regulation, and Some Possible Grading Scales for Risk

Standards Sec. Definition

Risk Analysis (R) Conduct an accurate and thorough assessment of the potential risks and

vulnerabilities to the confidentiality, integrity, and availability of

electronic PHI held by the covered entity.

Risk Management (R) Implement security measures sufficient to reduce risks and

vulnerabilities to a reasonable and appropriate level to comply with Sec.

164.306(a).

Sanction Policy (R) Apply appropriate sanctions against workforce members who fail to

comply with the security policies and procedures of the covered entity.

Information

System Activity

Review

(R) Implement procedures to regularly review records of information system

activity, such as audit logs, access reports, and security incident tracking

reports.

Assigned Security Responsibility (R) Identify the security official who is responsible for the development and

implementation of the policies and procedures required by this subpart

for the entity.

Authorization

and/or

Supervision

(A) Implement procedures for the authorization and/or supervision of

workforce members who work with electronic protected health

information or in locations where it might be accessed.

Workforce

Clearance

Procedure

(A) Implement procedures to determine that the access of a workforce

member to electronic protected health information is appropriate.

Termination

Procedures

(A) Implement procedures for terminating access to electronic protected

health information when the employment of a workforce member ends

or as required by determinations made as specified in paragraph

(a)(3)(ii)(B) of this section.

Isolating Health

care

ClearinghouseFunction

(R) If a health care clearinghouse is part of a larger organization, the

clearinghouse must implement policies and procedures that protect the

electronic protected health information of the clearinghouse fromunauthorized access by the larger organization.

Access

Authorization

(A) Implement policies and procedures for granting access to electronic

protected health information, for example, through access to a

workstation, transaction, program, process, or other mechanism.

Access

Establishment

and Modification

(A) Implement policies and procedures that, based upon the entity's access

authorization policies, establish, document, review, and modify a user's

right of access to a workstation, transaction, program, or process.

Implementation

164.308

(a)(2)

Security Management Process

Implement policies and procedures to

prevent, detect, contain, and correct

security violations.

164.308

(a)(1)

Workforce Security


ensure that all members of its workforce

have appropriate access to electronic PHI,

as provided under paragraph (a)(4) of thissection, and to prevent those workforce

members who do not have access under

paragraph (a)(4) of this section from

obtaining access to electronic PHI.

164.308

(a)(3)

Information Access Management

Implement procedures for terminating

access to electronic PHI when theemployment of a workforce member

ends or as required by determinations

made as specified in paragraph

(a)(3)(ii)(B) of this section.

Administrative Safeguards

164.308

(a)(4)

The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of securit

of the covered entity's workforce in relation to the protection of that information.








Security (A) Periodic security updates.

Protection from

Malicious

(A) Procedures for guarding against, detecting, and reporting malicious

software.

Log-in

Monitoring

(A) Procedures for monitoring log-in attempts and reporting discrepancies.

Password

Management

(A) Procedures for creating, changing, and safeguarding passwords.

Security Incident Procedures

Implement policies and procedures toaddress security incidents.

164.308

(a)(6)

Response and

Reporting

(R) Identify and respond to suspected or known security incidents; mitigate,

to the extent practicable, harmful effects of security incidents that areknown to the covered entity; and document security incidents and their

outcomes.

Data Backup Plan (R) Establish and implement procedures to create and maintain retrievable

exact copies of electronic protected health information.

Disaster Recovery

Plan

(R) Establish (and implement as needed) procedures to restore any loss of

data.

Emergency Mode

Operation Plan

(R) Establish (and implement as needed) procedures to enable continuation

of critical business processes for protection of the security of electronic

PHI while operating in emergency mode.

Testing and

Revision

(A) Implement procedures for periodic testing and revision of contingency

plans.

Applications and

Data Criticality

(A) Assess the relative criticality of specific applications and data in support

of other contingency plan components.

Evaluation (R) Perform a periodic technical and non-technical evaluation, basedinitially upon the standards implemented under this rule and

subsequently, in response to environmental or operational changes

affecting the security of electronic PHI, that establishes the extent to

which an entity's security policies and procedures meet the requirements

of this subpart.

Business Associate Contracts and

Other Arrangement

164.308

(b)

Written Contract or

Other

Arrangements

(R) A covered entity, in accordance with Sec. 164.306, may permit a

business associate to create, receive, maintain, or transmit electronic

protected health information on the covered entity's behalf only if the

covered entity obtains satisfactory assurances, in accordance with Sec.164.314(a) that the business associate will appropriately safeguard the

information.

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

Security Awareness and Training

Implement a security awareness and

training program for all members of

its workforce (including

management).

164.308

(a)(5)

Administrative Safeguards (continued)

Implementation

Contingency Plan

Establish (and implement as needed)

policies and procedures for

responding to an emergency or other

occurrence (for example, fire,

vandalism, system failure, and natural

disaster) that damages systems that

contain electronic PHI.

164.308

(a)(7)

164.308(a)(8)

Required (R): When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.

Addressable (A): When a standard includes addressable implementation specifications, a covered entity must--

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the like

(ii) As applicable to the entity--

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate--







(2) Implement an equivalent alternative measure if reasonable and appropriate.








Contingency

Operations

(A) Establish (and implement as needed) procedures that allow facility

access in support of restoration of lost data under the disaster recovery

plan and emergency mode operations plan in the event of an emergency.

Facility Security

Plan

(A) Implement policies and procedures to safeguard the facility and the

equipment therein from unauthorized physical access, tampering, and

theft.

Access Control

and Validation

Procedures

(A) Implement procedures to control and validate a person's access to

facilities based on their role or function, including visitor control, and

control of access to software programs for testing and revision.

Maintenance

Records

(A) Implement policies and procedures to document repairs and

modifications to the physical components of a facility which are related

to security (for example, hardware, walls, doors, and locks).

Workstation Use (R) Implement policies and procedures that specify the proper functions to

be performed, the manner in which those functions are to be performed,

and the physical attributes of the surroundings of a specific workstation

or class of workstation that can access electronic PHI.

Workstation Security (R) Implement physical safeguards for all workstations that access electronic

PHI, to restrict access to authorized users.

Disposal (R) Implement policies and procedures to address the final disposition of

electronic PHI, and/or the hardware or electronic media on which it is

stored.

Media Re-use (R) Implement procedures for removal of electronic PHI from electronic

media before the media are made available for re-use.

Accountability (A) Maintain a record of the movements of hardware and electronic media

and any person responsible therefore.

Data Backup and

Storage

(A) Create a retrievable, exact copy of electronic protected health

information, when needed, before movement of equipment.

The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equip

Physical Safeguards

Facility Access Controls


limit physical access to its electronic

information systems and the facility

or facilities in which they are housed,

while ensuring that properly

authorized access is allowed.

164.310

(a)

164.310

(b)

Implementation


164.310

(c)

Device and Media Controls

Implement physical safeguards for all

workstations that access electronic

PHI, to restrict access to authorized

users.

164.310

(d)















Unique User

Identification

(R) Assign a unique name and/or number for identifying and tracking user

identity.

Emergency

Access Procedure

(R) Establish (and implement as needed) procedures for obtaining necessary

electronic protected health information during an emergency.

Automatic Logoff (A) Implement electronic procedures that terminate an electronic session

after a predetermined time of inactivity.

Encryption and

Decryption

(A) Implement a method to encrypt and decrypt electronic protected health

information.

Audit Controls (R) Implement hardware, software, and/or procedural mechanisms that

record and examine activity in information systems that contain or use

electronic protected health information.

Integrity


protect electronic protected health

information from improper alteration or

destruction.

164.312

(c)

Mechanism to

Authenticate

Electronic PHI

(A) Implement electronic mechanisms to corroborate that electronic

protected health information has not been altered or destroyed in an

unauthorized manner.

Person or Entity Authentication (R) Implement procedures to verify that a person or entity seeking access to

electronic protected health information is the one claimed.

Integrity Controls (A) Implement security measures to ensure that electronically transmitted

electronic protected health information is not improperly modified

without detection until disposed of.

Encryption (A) Implement a mechanism to encrypt electronic protected health

information whenever deemed appropriate.


164.312

(a)

164.312

(b)

164.312

(d)

Transmission Security

Implement technical security measures to

guard against unauthorized access to

electronic protected health information

that is being transmitted over an electronic

communications network.




Access Control

Implement technical policies and

procedures for electronic information

systems that maintain electronic

protected health information to allow

access only to those persons or

software programs that have been

granted access rights as specified in

Sec. 164.308(a)(4).

164.312

(e)




Implementation

The technology and the policy and procedures for its use that protect electronic protected health information (PHI) and control access to it.


Technical Safe uards







* These are simply suggestions that might be used as a starting point. Do not rely on these being representative of the regulation or the intent of the regulators







Possible Grading Scale for Required Safeguards *

A. RA completed. Risks fully prioritized and followup actions scheduled.

B. RA completed. Risks not yet prioritized and followup actions not scheduled.

C. RA started but not completed. Top risk areas identified.

D. RA planned and method being developed

F. RA not started

A. RM action plan developed and fully implemented

B. RM action plan developed and partially implemented

D. RM action plan developed and scheduled but not yet started.

E. RM action plan brief list developed but no implementation to date.

F. No RM action plan.

A. Policy is completed and full implemented. Staff trained to follow policy.

B. Policy is completed and full implemented. Still some gaps in training.

C. Policy is completed. Implementation and training not well developed.

D. Policy may be started but not completed or approved. Minor consequences if a failure.

F. Policy not written and/or implemented. Major consequences if a failure.

Same as Sanction Policy

A. Security Officer assigned and fully engaged.

B. Security Officer assigned and becoming familiar with responsibilities

C. Recruiting Security Officer

D. Trying to agree on requirements of Security Officer

F. No SO on the horizon

Not Applicable

measures to protect electronic protected health information (PHI) and to manage the conduct








A. Response team in place and effective. All incidents documented and followed up.

B. Response team in place and effective. Incidents documented and some followed up.C. Response team designated but less effective. Sporadic documentation and followup

D. No response team, documentation or followup – minor consequences of failure

F. No response team, documentation or followup – major consequences of failure

A. Plan is completed and full implemented. Staff well trained to follow plan.

B. Plan is completed and full implemented. Still some gaps in training.

C. Plan is completed. Implementation and training not well developed.

D. Plan may be started but not completed or approved. Minor consequences if a failure.

F. Plan not written and/or implemented. Major consequences if a failure.

Same as Data Backup Plan

Same as Data Backup Plan

A. Technical and non/tech evaluations conducted after all major environmental or operational changes.

B. Technical and non/tech evaluations conducted after some major environmental or operational changes.

C. Evaluations conducted sporadically.

D. Evaluations not conducted. Minor consequences of not conducting.

F. Evaluations not conducted. Major consequences of not conducting.

A. Business associate contracts exist for all entities. BA’s audited periodically.

B. Business associate contracts exist for all entities. BA’ s audited by exception only.

C. Business associate contracts exist for some entities. BA’ s not audited.D. Business associate contracts do not exist. Minor consequences likely.

F. Business associate contracts do not exist. Major consequences likely.

ly contribution to protecting the entity's electronic protected health information; and














A = Policy and procedure in place that address the following for workstations that access electronic PHI:

proper workstation functions, manner in which those functions are to be performed and physical

surroundings of workstation.

B = Draft policy and procedure being revised.

C = Determining proper workstation functions, end-user behavior and physical surroundings for

workstation. Evaluating resources to reach intended outcome.

D = Workgroup charged to develop Workstation Use Policy.

F = No efforts towards Workstation Use Policy.

Similar to Workstation Use

A = Policy and procedure in place to address the final disposition of electronic PHI

and/or the hardware or electronic media on which it is stored.

B = Draft policy and procedure being revised.

C = Determining scope of devices require disposition of PHI electronic data.

Evaluating methods to reach intended outcome.

D = Workgroup charged to develop Device and Media Control Disposal Policy.

F = No efforts towards Device and Media Control Disposal Policy.

Similar to Disposal.

ent, from natural and environmental hazards, and unauthorized intrusion.









A. All users identified uniquely within organization, ultimately linked to UW ID

B. Few users accessing PHI but all uniquely identified within unit. No linkage to UW ID

C. Many users accessing PHI, all uniquely identified within unit only

D. Several users accessing PHI, identified by group or shared access

F. No unique way of identifying users

A. Well documented step-by-step procedures in place to provide access to PHI in emergency such as loss

of power or environmental controls

B. Some procedures available for accessing PHI in emergency

C. No procedures in place for emergency access but no time-critical PHID. Contain some time-critical PHI with no procedure for emergency access

F. Contain large amounts of time-critical PHI with no procedure for emergency access

A. All PHI contained in database that supports full record-level logging of database access

B. File-level logging of all modifies and writes for any PHI

C. Small number of users or PHI and minimal logging of system activity such as log-ins

D. Large body of users and significant amounts of PHI with no mechanism in place to log account activity

such as log-ins

F. No mechanism in place to log access to any PHI

A. Two-level identification of individuals including some combination of passwords, ID cards, biometrics

and certificatesB. Widespread use of ID cards or specific policy in place to specify password use

C. Policies requiring password use by all staff

D. General use of password authentication of individuals but no policy addressing password use

F. No procedures in place to authenticate individual users








.




Documents

Building a Health Information Infrastructure to Support HIPAA (157522956)