HIPAA Security Manual <Insert your organization/practice name>


Page 1: HIPAA Security Manual · Web viewIntroduction This Manual reflects the policies, IT infrastructure, and documentation for  protection of electronic protected


Table of Contents

1 MANUAL INTRODUCTION ... 5
2 ADMINISTRATIVE POLICIES AND PROCEDURES ... 7
2.1 Security Officer Job Responsibilities ... 7
2.2 Audit Trails Policy and Procedures ... 9
2.3 Protection from Malicious Software Policy and Procedures ... 11
2.4 Security Incident Policy and Procedures ... 14
2.5 Training Policy ... 17
2.6 Sanction Policy and Procedures ... 18
2.7 Workforce Termination Policy and Procedures ... 20
2.8 Mobile Device Management Policy ... 21
2.9 Patient Requests for Electronic Copy of ePHI Policy ... 25
2.10 Fax and Copy Machine Usage Policy and Procedures ... 28
3 PHYSICAL SAFEGUARDS POLICIES AND PROCEDURES ... 31
3.1 Policy for User Identification and Authentication and Access ... 31
3.2 Workforce Clearance Procedures ... 34
3.3 Contingency Policy and Procedures ... 35
3.4 Computer Backup Policy and Procedures ... 42
3.5 Contingency Plan Steps, Emergency Mode Operation Plan ... 44
3.6 Facilities Policy and Procedures ... 47
3.7 Computer Workstation Use Policy and Procedures ... 49
3.8 Mobile Device Management Procedure ... 55
4 TECHNICAL – INFORMATION TECHNOLOGY (IT) ... 59
4.1 IT Tasks Policy and Procedures ... 59
4.2 IT Inventory Locations Device and Media Controls ... 60
4.3 IT Tasks ... 62
4.4 IT Inventory ... 63
4.5 Network Map (Sample) ... 64
5 LOGS AND EVENT RECORDS ... 66
5.1 Audit Trail Event Record ... 66
5.2 Security Incident Report – Anti-Virus ... 67
5.3 Security Incident Log ... 68
5.4 Facilities Maintenance Log ... 69
5.5 Backup Testing and Recovery Log ... 70
5.6 Training Checklist ... 71
5.7 Termination Checklist ... 72
5.8 Data Breach Log ... 73
5.9 Sanction Log ... 74
5.10 Contingency Planning ... 75
5.10.1 Contingency Plan/Restoration Checklist ... 75
5.10.2 Emergency Mode Operations Roles ... 76
5.10.3 Emergency Mode Workforce Contact List ... 77
5.10.4 Emergency Mode – Emergency Assembly Point ... 78
5.10.5 Emergency Mode Alternate Location/Command Center ... 79
5.10.6 Emergency Mode – Necessary Materials ... 80
5.10.7 Contingency Testing and Revision ... 81
5.11 Log and Record Review ... 82
6 JOB DESCRIPTIONS ... 84
7 REFERENCE ... 86
7.1 Security Risk Analysis ... 86
7.2 Audit Results ... 89
7.3 Addressable Specifications ... 90
7.4 Security Categorization ... 91
7.5 Contingency Planning Threats, Preventive Measures and Responses ... 95
7.5.1 Threats Affecting Contingency Planning ... 95
7.5.2 Potential Disaster Threats, Preventive Measures and Responses ... 96
7.6 References ... 97
7.7 Glossary ... 99
7.8 Abbreviations or Acronyms ... 111
8 VENDOR SPECIFIC PROCEDURES ... 113
8.1 User and Role Assignment ... 113
8.2 Emergency Access ... 113
8.3 Password Setting ... 113
8.4 Logoff Setting ... 113
8.5 Audit Policy ... 113
8.6 Patient Requests for Disclosures of EPHI through an Electronic Health Record ... 113
8.7 Backup Model ... 113
8.8 Integrity of EPHI ... 113
8.9 Standard Architecture of Network Mapping ... 113
8.10 Remote Online Backup ... 113
9 INDEX ... 114

Page 5: HIPAA Security Manual · Web viewIntroduction This Manual reflects the policies, IT infrastructure, and documentation for  protection of electronic protected

5

1 MANUAL INTRODUCTION

Introduction

This Manual reflects the policies, IT infrastructure, and documentation for <Organization Name’s> protection of electronic protected health information (EPHI) as required by the HIPAA Security Rule. <Organization Name> is herein referred to as “the Organization” or “Organization.” This manual reflects the Organization’s REQUIRED Security Risk Assessment and Management as mandated by the HIPAA Security Rule to reflect the implementation of security measures to reduce risk and vulnerabilities to a reasonable and appropriate level to comply with the Rule. Policies and procedures are applicable to all the organization’s members such as owners, management, employees, volunteers and/or contractors. Membership includes, but is not limited to, employment, contractual or volunteer relationships.

This Manual complies with the Security Rule’s documentation standard that requires covered entities to: (i) “Maintain the policies and procedures implemented to comply with [the Security Rule] in written (which may be electronic) form”; and (ii) “if an action, activity or assessment is required for HIPAA security compliance the organization will maintain a written (which may be electronic) record of the action, activity, or assessment.”

This Manual also complies with the Security Rule’s documentation standard specifications as follows:

1. Time Limit (Required) – The Organization will “retain the documentation required by (HIPAA Security Rule) for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

2. Availability (Required) – The Organization will make the documentation available in paper or electronic format at the Organization such that it is “available to those persons responsible for implementing the procedures to which the documentation pertains.”

3. Updates/Reviews (Required) – As noted by the dates on each page, the Organization will “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” The Organization will maintain revisions to the documents, the dates of each revision, the individual who revised the document, the date of the most recent approval of the document, and the individual who approved it.


Policy requirement sources are outlined at the beginning of each policy. See the Reference section for a full listing of references. The nomenclature for documents found in the Code of Federal Regulations (CFR) includes the title number, which precedes the CFR designation, followed by the chapter, part, and section numbers (Example: 45 C.F.R. §164.308(a)(2)).

All material contained herein is only valid once reviewed by the Organization’s HIPAA Security Officer, as evidenced by the initials of said officer on each policy with the date of the review and/or approval, and approved by the Organization’s Board of Directors or Managing Principal. Dates of reviews are also noted at the bottom of each policy, IT evaluation or log. All material is subject to review and modification in response to any environmental or operational change related to the protection of EPHI, as required by the Rule. This includes, but is not limited to: an identified security incident, an organizational change in ownership or key personnel, and/or the incorporation of new technology. The initials confirm that these procedures, policies and logs are followed by this Organization and its employees.

Reference pages reflect the sources of appropriate implementation standards for the Organization.

See Glossary in Reference Section for definitions.

See Acronyms in Reference Section for acronyms and/or abbreviations used.


IT Practice Consulting Corp., Pittsford, NY
www.ITPC-Corp.com

COPYRIGHT NOTICE

For the Manual, generally:

Copyright © 2013 ITPC and Kern, Augustine, Conroy & Schoppmann, P.C.

ITPC will permit limited copying of this Manual, or portions thereof, for the internal use of the purchaser or authorized user of the Manual.  This Manual, however, may not be further copied or otherwise reproduced, redistributed or resold without the prior written consent of ITPC.  All other rights are reserved.  To request permission or obtain additional information, please contact ITPC at 866-985-7884 or [email protected].  

This Manual has been prepared to provide the reader with accurate information on the topics covered in the Manual.  The Manual is being provided with the understanding that ITPC is not engaged in rendering any legal or accounting advice through this manual. ITPC has made recommendations regarding referenced CMS or NIST standards for implementation.

The security officer must sign off on all policies and procedures after verifying they are consistent with the size and scope of their Organization and respond to all audit results.

This manual template does not constitute legal advice. The Organization will seek legal counsel for all state laws and situations unique to the organization.

STATE LAW DISCLAIMER: This manual includes security protections in accordance with the national HIPAA Security Rule. The HIPAA Security rule establishes a national minimum standard. If a state law provides greater security protections, the state law must be observed. 


Tabbed Section Administrative Policies


2 ADMINISTRATIVE POLICIES AND PROCEDURES

2.1 Security Officer Job Responsibilities

§164.308(a)(2): Assigned Security Responsibility - the responsibility for security should be assigned to a specific individual or organization to provide an organizational focus and importance to security, and that the assignment be documented.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Security Officer Designate: <security officer name>
Appointed on: <appointment date>
Security Officer Initials: <initials>
Security Officer Contact Information: <insert>

The Security Officer for this organization oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to, the organization’s policies and procedures related to the security of patients’ electronic protected health information (EPHI) in compliance with federal and state laws and the organization’s security policies and procedures (the “Security Policy”).

Responsibilities:

• Maintain the confidentiality, integrity, and availability of patients’ EPHI which the Organization creates, receives, maintains or transmits.
• Maintain current knowledge of applicable federal and state security laws.
• Develop, oversee, and monitor implementation of the organization’s Security Policies and ensure that the integrity of the Security Policies is maintained at all times so that persons may not make unauthorized edits to Security Policies.
• Report regularly to the organization’s governing body and officers and/or owners (as applicable) regarding the status of the Security Policies.
• Work with legal counsel, consultants, management, and committees to ensure that the organization maintains appropriate administrative materials in accordance with organization management and legal requirements.
• Document the references for materials.
• Establish and administer a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions, and, when necessary, with legal counsel.
• Oversee, direct, deliver, or ensure the delivery of security training and orientation to all employees, volunteers, medical and professional staff, and other appropriate personnel (organization workforce).
• Monitor attendance at all Security Policies training sessions and evaluate participants’ comprehension of the information provided at training sessions, as well as maintain appropriate documentation of security training.


• Monitor the organization’s compliance with Security Policies, including periodic security risk assessments.
• Monitor and evaluate, on no less than an annual basis, the Security Policies’ success in meeting the organization’s goal for protection of EPHI.
• Coordinate and participate in disciplinary actions related to the failure of organization workforce members to comply with the organization’s Security Policies and/or applicable law.
• Monitor access controls to EPHI. Maintain access to EPHI only by authorized personnel.
• Monitor technological advancements related to electronic protected health information protection and security for consideration of adoption by the organization.
• Coordinate and facilitate the allocation of appropriate resources for the support of and the effective implementation of the Security Policies.
• Initiate, facilitate, and promote activities to foster security information awareness within the organization.
• Cooperate with CMS, other legal entities, and organization officers or owners in any compliance reviews or investigations.
• Perform periodic risk assessments and ongoing compliance monitoring activities at each organization location.
• Act as point of contact for the organization’s legal counsel in an ongoing manner and in the event of a reported violation.
• Maintain all Business Associate Agreements and respond appropriately if problems arise.
• Act as the organization-based point of contact for receiving, documenting, and tracking all complaints concerning security policies and procedures of the organization.
• Maintain documentation of the organization’s Security Policies and Procedures for a minimum of six years from the date the organization created the policies and procedures or last updated the policies and procedures.
• Responsible for overseeing the maintenance of the organization’s hardware and software.
• Responsible for overseeing and maintaining all logs and records included or referenced in this manual.
• Responsible for overseeing the installation and connectivity of computer equipment.
• Responsible for monitoring backup procedures.
• Responsible for disposal and media re-use.
• Other responsibilities as outlined in the policies below.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.2 Audit Trails Policy and Procedures

§164.308(a)(1)(ii)(D): Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

It is the organization’s policy to conduct audit trails to regularly track the identification and authentication of those accessing the computer system, and the software contained therein, that contain electronic protected health information (ePHI). The organization will also maintain records of the activity performed within those systems for no less than three years. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure

Software and/or networks requiring audit are identified as:

• EHR: <organization intake>
• PMS: <organization intake>
• Other Specified Software: <organization intake; note if applicable or specify none>
• Fax Machines: <organization intake; note if applicable or specify that fax machines do not retain ePHI>
• Copiers: <note if applicable or specify that copy machines do not retain ePHI>
• Network or workgroup: <IT intake>
• Remote Access Networks: <IT intake>
• Wireless Network(s): <IT intake>

Events to be audited:

• User activity and/or access.
• Password activity, including when passwords are changed and who changed them.
• Changes to access privileges, including when access privileges to software were changed and who changed them.

Documentation:  


Any abnormalities will be documented in the log section of this manual including immediate follow up. Abnormalities include:

o Suspicious login attempts,
o Unusually frequent password changes,
o Computer file changes and/or deletions.

Audit Trails:

Designated Person to Conduct Audit Trail: <Org Intake>
Frequency of Audit Trails: <IT intake>
Audit Trail Location: <IT intake>
Persons with Authorized Access to Trail: Security Officer, <others as specified by organization>
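As an added illustration of the review step above (example code written for this edit, not part of the manual or of any vendor's product): a small Python script that reads audit records, flags the three abnormality classes named in this policy, and also lists access-privilege changes together with who made them, so each finding can be copied into the Audit Trail Event Record. The record format, the thresholds, the ePHI directories and the sample records are all assumptions to be replaced from the organization's IT intake.

```python
"""Audit-trail review helper (added example, not part of the manual).

Record format (assumed): "<ISO timestamp> <actor> <event> [<target>]"
where <target> is a file path or the account the event applies to.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Tuple

# Thresholds and ePHI locations are assumptions; fill them in from the IT intake.
LOGIN_FAIL_THRESHOLD = 5                   # failed logins against one account ...
LOGIN_WINDOW = timedelta(minutes=10)       # ... within this window
PW_CHANGE_THRESHOLD = 3                    # password changes for one account ...
PW_WINDOW = timedelta(days=1)              # ... within this window
EPHI_PATHS = ("/srv/ehr/", "/srv/pms/")    # directories holding EHR/PMS data (assumed)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    event: str   # LOGIN_OK, LOGIN_FAIL, PASSWORD_CHANGE, PRIV_CHANGE, FILE_MODIFY, FILE_DELETE
    target: str  # account or path the event applies to ("" if none)


def parse_line(line: str) -> AuditEvent:
    """Parse one audit record; raises ValueError on a malformed line."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        raise ValueError(f"malformed audit record: {line!r}")
    target = parts[3] if len(parts) > 3 else ""
    return AuditEvent(datetime.fromisoformat(parts[0]), parts[1], parts[2], target)


def _bursts(events: Iterable[AuditEvent], event_name: str,
            key: Callable[[AuditEvent], str], threshold: int,
            window: timedelta) -> Dict[str, Tuple[datetime, datetime, int]]:
    """Keys (accounts) with >= threshold events of event_name inside one sliding window."""
    per_key: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.event == event_name:
            per_key[key(e)].append(e.ts)
    flagged: Dict[str, Tuple[datetime, datetime, int]] = {}
    for k, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[k] = (times[start], times[end], end - start + 1)
                break
    return flagged


def review_audit_trail(lines: Iterable[str]) -> List[dict]:
    """Return one entry per finding, ready to copy into the Audit Trail Event Record."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings: List[dict] = []
    # Suspicious login attempts: repeated failures against one account.
    for acct, (first, last, n) in _bursts(events, "LOGIN_FAIL", lambda e: e.actor,
                                          LOGIN_FAIL_THRESHOLD, LOGIN_WINDOW).items():
        findings.append({"category": "suspicious login attempts", "account": acct,
                         "count": n, "first": first.isoformat(), "last": last.isoformat()})
    # Unusually frequent password changes, counted against the account that was changed.
    for acct, (first, last, n) in _bursts(events, "PASSWORD_CHANGE", lambda e: e.target,
                                          PW_CHANGE_THRESHOLD, PW_WINDOW).items():
        findings.append({"category": "unusually frequent password changes", "account": acct,
                         "count": n, "first": first.isoformat(), "last": last.isoformat()})
    for e in events:
        # File changes and deletions are recorded only where ePHI lives.
        if e.event in ("FILE_MODIFY", "FILE_DELETE") and e.target.startswith(EPHI_PATHS):
            findings.append({"category": "ePHI file change or deletion", "account": e.actor,
                             "event": e.event, "path": e.target, "when": e.ts.isoformat()})
        # Privilege changes are not abnormal by themselves, but the policy requires
        # recording when they happened and who made them.
        elif e.event == "PRIV_CHANGE":
            findings.append({"category": "access privilege change", "account": e.target,
                             "changed_by": e.actor, "when": e.ts.isoformat()})
    return findings


# Constructed sample records for the demonstration (not real log data).
SAMPLE_AUDIT_LOG = """\
2013-06-03T08:01:10 jdoe LOGIN_OK
2013-06-03T08:02:00 bsmith LOGIN_FAIL
2013-06-03T08:02:20 bsmith LOGIN_FAIL
2013-06-03T08:02:40 bsmith LOGIN_FAIL
2013-06-03T08:03:00 bsmith LOGIN_FAIL
2013-06-03T08:03:30 bsmith LOGIN_FAIL
2013-06-03T09:15:00 jdoe PASSWORD_CHANGE jdoe
2013-06-03T09:20:00 jdoe PASSWORD_CHANGE jdoe
2013-06-03T09:25:00 jdoe PASSWORD_CHANGE jdoe
2013-06-03T10:00:00 admin PRIV_CHANGE bsmith
2013-06-03T11:30:00 tlee FILE_DELETE /srv/ehr/exports/visit_2013-06-02.csv
2013-06-03T11:31:00 tlee FILE_MODIFY /home/tlee/notes.txt
2013-06-03T12:00:00 jdoe LOGIN_FAIL
"""

if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

On the sample records the script reports four findings: the burst of failed logins against bsmith, the three password changes for jdoe, the deletion under /srv/ehr/, and the privilege change admin made to bsmith; jdoe's single failed login and the edit under /home are not reported.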

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.3 Protection from Malicious Software Policy and Procedures

§164.308(a)(5)(ii)(B): Protection from Malicious Software - Procedures for guarding against, detecting, and reporting malicious software.

Implementation Specification: Addressable
Risk Level: moderate
Financial Impact: cost of license per workstation
Organization Anti-malware Software: <IT intake>

(i) the organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code via the organization’s specified anti-malware software. Information system entry and exit points include: electronic mail, electronic mail attachments, web accesses, removable media, or other common means.

(ii) the organization employs malicious code protection mechanisms at workstations, servers and, as applicable, mobile computing devices on the network to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities.

(iii) the organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with configuration management policy and procedures. These updates are set to occur automatically.

(iv) the organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms as <frequency of scans>.

(v) the organization defines one or more of the following actions to be taken in response to malicious code detection: block malicious code; quarantine malicious code; and/or send an alert to the administrator.

(vi) the organization configures malicious code protection mechanisms to: perform periodic scans of the information system in accordance with organization-defined frequency; perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and take organization-defined action(s) in response to malicious code detection.

(vii) the organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The organization is committed to taking the necessary steps to prevent computer viruses from infecting the organization’s computer system.  Organization members must adhere to the policies and procedures listed below:

Members should not open an email attachment unless they are expecting it from someone they know or trust.

Members should not access their personal email while at work.

Members are strictly prohibited from using illegal or "pirated" software on the organization’s computers.

Members are prohibited from installing and playing computer games on the organization’s computer system.

Members are prohibited from utilizing discs or external thumb drives or hard-drives on the organization’s computer system.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Antivirus Procedures:

The virus scanning software will automatically scan for viruses when files are being downloaded onto the organization’s computer system.

When the organization purchases new computer software, the System Administrator or Security Officer must make sure it is shrink-wrapped and must check the discs prior to installing the software on the computer system.

The System Administrator or Security Officer must make sure that discs used to store computer software programs are “write-protected”, i.e. protected against information being saved to the disc. This prevents viruses from being copied onto discs containing important information.

All software should be acquired from reputable dealers and must be new. No recycled computers.

The Security Officer must approve all software to be downloaded from the internet.


Vulnerability Scanning Plans:

Results from most recent vulnerability scan are found <IT Intake>

Network Penetration Testing:

Results from most recent network penetration test are found <IT Intake>

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.4 Security Incident Policy and Procedures

§164.308(a)(6): Security Incident Procedures - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Implementation Specification: Required
Risk Level: moderate
Financial Impact: N/A

Policy: It is the organization’s policy to identify, record and address attempts to, incidentally or intentionally, access the organization’s physical space and/or the computer system and its components unless such access is authorized by the System Administrator or Security Officer. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure: The organization will determine, through a variety of security mechanisms such as User IDs, password protection, anti-virus software, and audit trails, when security incidents have occurred.

The organization will periodically monitor user activity, including password activity, virus scans, and audit trails to determine if any security incidents have occurred.

Following the identification of a security incident, the organization’s first priority will be to communicate the details of the incident to the relevant technical staff, such as the organization’s information technology consultant, to expeditiously log and begin resolving the issue.

Once alerted to the incident, the appropriate staff will access the appropriate part of the computer system as quickly as possible.  If more than one incident occurs simultaneously, the most critical issue will be addressed first.

The incident(s) will be immediately logged on a security incident log. The organization will take necessary and reasonable steps to respond to and address all identified and confirmed security incidents. All responses will be logged into a security incident log. The log will be kept for 6 years.

If the incident cannot be resolved and could potentially cause disruptions among other organization employees such that it will inhibit them from performing their assigned job responsibilities, the System Administrator or Security Officer will notify the rest of the staff of the situation via email, telephone, verbally, or in writing. The organization will select the communication media that works best under the circumstances. Affected staff will be notified of the estimated time necessary to address the security incident.

Once the issue has been resolved, the System Administrator or Security Officer will notify organization staff of the resolution via email, telephone, verbally, or in writing.  If there are new procedures which must take place as a result of the reported incident, these will be distributed to organization employees as well.  The organization will select the communication media that works best under the circumstances.

The organization utilizes computer system alarms to identify critical computer system errors.

Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

Security Objectives

The Federal Information Security Management Act of 2002 (FISMA) defines three security objectives for information and information systems:

CONFIDENTIALITY: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information..." [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information.

INTEGRITY: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information.

AVAILABILITY: "Ensuring timely and reliable access to and use of information..." [44 U.S.C., Sec. 3542]. A loss of availability is the disruption of access to or use of information or an information system.

Potential Impact on Organizations and Individuals

Federal Information Processing Standards (FIPS) Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.

The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

See the HIPAA Privacy Manual for the Organization’s Data Breach Notification Policy.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.5 Training Policy

Training Policy and Procedures

§164.308(a)(5): Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).

§164.308(a)(5)(ii)(A): Security Awareness and Training - Periodic security updates.

§164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

§164.308(a)(5)(ii)(C): Security Awareness and Training - Procedures for monitoring log-in attempts and reporting discrepancies.

§164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.

Implementation Specification: Addressable
Risk Level: medium
Financial Impact: minimum of 1 day's salary per employee

Training is conducted within one week of the date the member joins the organization and is repeated annually.  Any changes or updates to the security policy that occur between annual trainings are distributed to the members as security updates via written notice.

Training conducted by: The Security Officer

Training will cover all of the Organization's Security Policies. See the Training Checklist for training topics and training per workforce role. Attendees include those persons listed on the Training Documentation Form.

Members who do not maintain security awareness are subject to sanctions pursuant to Policy 2.6 of this Manual. (CMS 2009 HIPAA Compliance Review Analysis and Summary of Results)

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.6 Sanction Policy and Procedures

Sanction Policy and Procedures

§164.308(a)(1): Security Management Process; §164.308(a)(1)(ii)(C) - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

The Organization has adopted this Sanction Policy to comply with HIPAA, as well as to fulfill our duty to protect the confidentiality and integrity of confidential electronic medical information as required by law.

The Organization has adopted a Security Policy requiring the Organization and its members to protect the integrity and confidentiality of electronic medical and other sensitive information pertaining to our patients.  In addition, the Organization has adopted policies and standards to carry out the objectives of the Security Policy. All members of the Organization’s workforce, including management, must adhere to these policies and standards. The Organization will not tolerate violations of these policies and standards, and such violations constitute grounds for disciplinary action up to and including termination, professional discipline, and criminal prosecution.

Any member of the Organization who believes another member of the Organization has breached the facility’s Security Policy or the policies and standards promulgated to carry out the objectives of the Security Policy or otherwise breached the integrity or confidentiality of patient or other sensitive information should immediately report such breach to his or her supervisor or to the Security Officer for the Organization.

The Security Officer for the Organization will conduct a thorough and confidential investigation into the allegations. The Security Officer will inform the complainant of the results of the investigation and any corrective action taken. The Organization will not retaliate against or permit reprisals against a complainant.  Allegations not made in good faith, however, may result in discharge or other discipline.

The Organization has a progressive discipline policy under which sanctions become more severe for repeated infractions. This policy, however, does not mandate the use of a lesser sanction before the Organization terminates a member.  In the discretion of management, the Organization may terminate a member for the first breach of the facility's Security Policy or individual policies and standards if the seriousness of the offense warrants such action. A member could expect to lose his or her job for a willful or grossly negligent breach of confidentiality, willful or grossly negligent destruction of computer equipment or data, or knowing or grossly negligent violation of HIPAA or any other federal or state law protecting the integrity and confidentiality of patient information.  A member may lose his or her job for a negligent breach of the Organization's standards for protecting the integrity and confidentiality of patient information.  For less serious breaches, management may impose a lesser sanction, such as a verbal or written warning, verbal or written reprimand, loss of access, suspension without pay, demotion, or other sanction.  In addition, the Organization will seek to include such violations by contractors as a ground for termination of the contract and/or imposition of contract penalties.

NOTE: ORGANIZATION MUST CONFORM PERSONNEL MANUAL WITH THE ABOVE PROVISION.

Violation of the Organization’s Security Policy or individual policies and standards may constitute a criminal or civil offense under HIPAA, other federal laws, such as the Federal Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, or state laws.  Any member or contractor who violates such laws may expect that the Organization will provide information concerning the violation to appropriate law enforcement personnel or authorities and will cooperate with any subsequent investigation or prosecution.

Further, violations of the facility’s Security Policy or individual policies and standards may constitute violations of professional ethics and be grounds for professional discipline.  Any individual subject to professional ethics guidelines and/or professional discipline should expect the Organization to report such violations to appropriate licensure/accreditation agencies and to cooperate with any professional investigation or disciplinary proceedings.

This Sanction Policy is intended as a guide for the efficient and professional performance of members’ duties to protect the integrity and confidentiality of medical and other sensitive information.  Nothing herein shall be construed to create a contract between the member and the Organization.  Additionally, nothing in this Sanction Policy is to be construed by any member as containing binding terms and conditions of any form of membership of, or continued employment by, the Organization.  Nothing in this Sanction Policy should be construed as conferring any employment rights on members.  Management retains the right to change the contents of this Sanction Policy as it deems necessary with or without notice, provided however, that members will be notified of any such changes.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.7 Workforce Termination Policy and Procedures

Workforce Security and Termination Policy and Procedures

§164.308(a)(3): Workforce Security; §164.308(a)(3)(ii)(C) Termination Procedures - Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

Implementation Specification: Addressable
Risk Level: medium
Financial Impact: n/a

Policy:  The Security Officer will be responsible for ensuring the following procedures take place immediately upon an individual’s termination from the organization.  Doing so will revoke an individual’s access to the physical office as well as access to the computer system.

Prior to the individual's departure, the System Administrator or Security Officer will:

- Contact a locksmith to change the organization's locks, if necessary.
- Secure a full computer backup.
- Instruct the individual whether or not to clean out his/her computer hard drive, if appropriate.
- Retrieve the following from the individual prior to departure:
  o Computer system passwords
  o Network passwords
  o Email passwords
  o Additional passwords
- Retrieve and secure organization property, including laptops, other hardware and cell phones.
- Circulate new security keypad code numbers and office keys to pertinent organization members, if necessary.
- Change or delete (as applicable) passwords to the computer workstation, network, and all email/internet accounts.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.8 Mobile Device Management Policy

Mobile Device Management Policy

Implementation Specification: Addressable
Risk Level: medium
Security Category ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)}. See Security Categorization in the Reference Section.

Policy:   The organization acknowledges that members may bring personally owned mobile devices into the organizational setting such as a smart-phone or tablet.

NIST SP 800-164 (Draft) observes that current mobile devices generally lack hardware-based roots of trust.  Personally owned mobile devices (Bring Your Own Device, BYOD) <are/are not> permitted to be used for access to ePHI in our organization.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

<IF NOT PERMITTED – DELETE the rest of this policy from the manual>

Mobile Device Use

The following devices are approved for use at our organization: <LIST: device and operating system – example: smartphone/iPhone and/or tablet/iPad>

Mobile Devices permitted in the organization shall be inspected and approved by the security officer.  

All mobile devices shall have the latest patches and updated to the latest operating systems.   

“Jailbroken or rooted phones” shall not be used in the organization. The devices will be recorded in the hardware inventory log.

Mobile Device Security Capabilities

Mobile devices will have the following three security capabilities:

1)  Device Integrity: Device integrity is the absence of corruption in the hardware, firmware and software of a device. A device has integrity if its software, firmware, and hardware configurations are in a state that is trusted by a relying party, and it can provide evidence of that integrity if its state can be shown to be such a trusted state. The mechanism for communicating this trusted state is through one or more assertions that the Device Owner allows a device to make to the Information Owner.


2)  Isolation: Isolation prevents unintended interaction between Information Owners on the same device.

3)  Protected Storage: Protected storage preserves the confidentiality and integrity of sensitive data on the device while at rest, while in use (in the event an unauthorized application attempts to access an item in protected storage), and upon revocation of access.

Camera Use  

Members shall not use BYOD cameras on the premises of the organization.

Data communication and storage:

BYOD must support strongly encrypted data communications and data storage that may be remotely wiped from the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.

User and device authentication:

Authentication is required before accessing organization resources. Device management capabilities include resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.

Applications:

Application controls include restricting which applications may be installed (through whitelisting or blacklisting), installing and updating applications, restricting the use of synchronization services, digitally signing applications, distributing the organization's applications from a dedicated mobile application store, and limiting or preventing access to the enterprise based on the mobile device's operating system version or mobile device management software client version.

The following resources may be accessed through mobile devices: <___>

The following resources shall not be accessed through BYOD: <___>

Threat Model for BYOD or Enterprise-Owned Mobile Devices:

Our organization has gone through the following threat modeling, which involves identifying feasible BYOD threats, vulnerabilities and security controls (or mitigations) related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added.

Mobile Threats:

Lack of physical security controls:

o Vulnerability - Lack of physical security controls. These devices may be transported outside of the physical organization.

o Feasible Threat - Theft with attempt to recover data from the device or remote resources.

o Mitigation - Encrypt data on the device, or store no data on the device; require authentication before granting access.

Use of untrusted networks:

o Vulnerability - Use of untrusted networks (Wi-Fi, cellular, etc.).

o Threat - Eavesdropping.

o Mitigation - Encryption of data and mutual authentication mechanisms to verify the identities of both endpoints before transmitting data.

Third-party applications:

o Vulnerability - Third-party applications.

o Threat - Exposure to unrestricted third-party application publishing.

o Mitigation - Prohibit third-party applications, or whitelist approved applications and blacklist all others.

Interaction with other systems:

o Vulnerability - Interaction with other systems: a BYOD mobile device connected to organization computers, or an organization-owned mobile device connected to personal computers.

o Threat - Data stored in an unsecure location; transmission of malware.

o Mitigation - Prohibition of these combinations.

Use of untrusted content:

o Vulnerability - Use of untrusted content, such as QR codes.

o Threat - May direct the user to a malicious web site.

o Mitigation - Education regarding QR codes.


References:

NIST Special Publication 800-164 (Draft), Guidelines on Hardware-Rooted Security in Mobile Devices, National Institute of Standards and Technology, 33 pages (October 2012). CODEN: NSPUE2.

NIST Special Publication 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise [SP800-124].

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.9 Patient Requests for Electronic Copy of ePHI Policy

Patient Request for Electronic Copy of ePHI

Section 13405(e) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to § 164.522, the covered entity must agree to the requested restriction unless the disclosure is otherwise required by law, if the request for restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.

§ 164.524(c)(2): Requires covered entities to provide electronic information to an individual in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

The Privacy Rule at § 164.524(c)(2)(ii) requires that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

§ 164.524(c)(3): If requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.

§ 164.524(c)(4) of the Privacy Rule permits a covered entity to impose a reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information). Such a fee may only include the cost of: (1) the supplies for, and labor of, copying the protected health information; (2) the postage associated with mailing the protected health information, if applicable; and (3) the preparation of an explanation or summary of the protected health information, if agreed to by the individual.

§ 164.524(c)(4)(i) includes the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee.

Section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to the request for the copy.

§ 164.524(b)(2)(iii) permits a covered entity a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for delay and the expected date by which the entity will complete action on the request).

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a


Requests for Restrictions on a Restricted Health Care Item or Service:

- The organization will employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted, to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
- The organization will apply minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.
- If the organization is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate.

Providing Electronic Information to an Individual in Electronic Form:

- The organization will provide readable electronic copies of protected health information in a format currently available on its various systems (example: PDF).
- If the individual declines to accept any of the electronic formats that are readily producible by the organization, the organization will provide a hard copy as an option to fulfill the access request.

Transmitting a Copy of Protected Health Information to Another Designated Person:

- If requested by an individual, the organization will transmit the copy of protected health information directly to another person designated by the individual.
- The individual may direct the organization to transmit such copy directly to the individual's designee, provided that any such choice is clear, conspicuous, and specific.
- When an individual directs the organization to send the copy of protected health information to another designated person, the request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the protected health information.
- If the organization has decided to require all access requests in writing, the third-party recipient information and signature by the individual can be included in the same written request; no additional or separate written request is required.

Cost-Based Fee:

- A reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information) may include:
  o supplies for, and the labor of, copying protected health information, whether in paper or electronic form;
  o the postage associated with mailing the protected health information, if applicable;
  o the preparation of an explanation or summary of the protected health information, if agreed to by the individual.
- Fee: ________________

Timeframe to Honor Requests for Electronic Copies of ePHI:

- The organization has 30 days to provide access.
- The organization is to provide the access requested by the individual in a timely manner, which includes arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information.
- The organization has a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for delay and the expected date by which the entity will complete action on the request).

Procedures: See Vendor Specific Section

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


2.10 Fax and Copy Machine Usage Policy and Procedures

Fax and Copy Machine Usage Policy and Procedures

Section 160.103 - Electronic media means:

1. Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;

2. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

Policy: Photocopiers, facsimile (fax) machines, and other office machines may retain electronic data and may therefore store protected health information when used by covered entities or business associates. Protected health information stored, whether intentionally or not, in photocopiers, fax machines, and other such devices is subject to the Privacy and Security Rules. It is the organization's policy to safeguard patient health information from any kind of disclosure or exposure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals. The use of fax machines and/or photocopiers is not prohibited. However, the organization will follow strict procedures that protect the security and privacy of the information at the point of dispatch, during transmission, and at the point of delivery.

Fax Machines: <type – traditional or email? – note if email facsimile ONLY and eliminate the following>

Storage of EPHI: <note if fax machine retains electronic copies of EPHI or specify that fax machines do not retain EPHI>

Location: <must be placed in a secure area and not generally accessible>

Access: <only authorized personnel are to have access to fax machines>

Procedures: The fax machine(s) is stored in a secured area and only accessible to authorized personnel. When transmitting ePHI, the following procedures must be followed:

- Destination numbers must be verified before transmission.
- Notify recipients that they have been sent a fax.
- Include a cover sheet with the HIPAA disclaimer.
- Fax only to secure destinations.
- Maintain a copy of the confirmation sheet of the fax transmission.
- Confirm fax delivery with a follow-up phone call.
- Remove incoming faxes immediately from the output tray.
- Store received faxes in a secure location.

Copier: <type – traditional or digital? – note if traditional and eliminate the following>

Storage of EPHI: <note if copier uses a hard disk drive to manage copy jobs and therefore retains electronic copies of EPHI>

Location: <must be placed in a secure area and not generally accessible>

Access: <only authorized personnel are to have access to digital copier>

Data Security: <note if copier has data security features such as encryption, overwriting – overwriting that occurs periodically should be documented in _______ log, or if data is deleted, or if the hard drive is locked with a passcode>

Data Disposal: <indicate how organization will dispose of data that has accumulated on the copier over time – review lease or purchase agreements and make sure that your organization will retain ownership of all hard drives at end of usage ---- note how organization will dispose of data at end of copier usage>

Procedures:

Copier(s) is stored in a secure area with restricted physical access. The hard drive will be physically destroyed before turn-in or disposal.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


Tabbed Section – Physical Safeguards and Policies


3 PHYSICAL SAFEGUARDS POLICIES AND PROCEDURES

3.1 Policy for User Identification and Authentication and Access

Policy for User Identification and Authentication and Access

§164.308(a)(4): Information Access Management §164.308(a)(4)(ii)(B) - Implement policies and procedures for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism.

§164.308(a)(4): Information Access Management §164.308(a)(4)(ii)(C) - Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

§164.312(a)(1): Access Control - §164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.

§164.312(a)(1) Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

§164.312(a)(2)(ii): Access Control - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. Identify a method of supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems.

§164.312(a)(2)(iii): Access Control - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

§ 164.312(c)(2):  Identify methods available for authentication. Under the HIPAA Security Rule, authentication is the corroboration that a person is the one claimed (45 CFR § 164.304).  Authentication requires establishing the validity of a transmission source and/or verifying an individual’s claim that he or she has been authorized for specific access privileges to information and information systems.


§164.312(d): Person or Organization Authentication - Weigh the relative advantages and disadvantages of commonly used authentication approaches.

Implementation Specification: Required
Risk Level: moderate
Financial Impact: n/a

The organization utilizes user IDs and unique passwords to control access to the organization's computer system.  The organization expects organization information to be available when it is needed, to be accurate, and to be safeguarded from access by unauthorized individuals.  Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Security Procedures

The organization requires all of its members to have effective and secure user IDs and passwords for access to the organization’s computer system. The Security Officer or System Administrator provides oversight of the process for administering and maintaining user IDs and passwords for the organization as follows:

Unique User Authentication and Identification:  Required

All organization members’ passwords, even temporary passwords established for new and temporary organization members, meet the following characteristics:

o Are easy for the organization members to remember, but difficult for an unauthorized user to guess

o Are at least six characters in length
o Consist of a mix of alpha and at least one numeric or special character
o Are easy to type quickly
o Are not portions of associated account names (e.g., user ID, log-in name)
o Are not the organization member's spouse's, children's, or pet's name in any form
o Are not information easily obtained about the employee (e.g., license plate numbers, telephone numbers, social security numbers, the brand of his/her automobile, the name of the street he/she lives on, date of birth, email name, etc.)
o Are not character strings (e.g., abc or 123)

• Each organization member, including new and temporary organization members, is assigned a unique user identification (user ID)
• Each organization member, including new and temporary organization members, is assigned a unique temporary password
• Furthermore, organization members are required to select a new password immediately after their initial log on to the computer system using the temporary user ID and password
• Authentication approaches include:
o Something a person knows, such as a password;
o Something a person has or is in possession of, such as a token (smart card, ATM card, etc.);
o Some type of biometric identification a person provides, such as a fingerprint;
o A combination of two or more of the above approaches.
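The password characteristics listed above can be enforced at the point where a member chooses a new password. The following check is an added example written for this manual, not code supplied with it or by any vendor: the rules are the manual's, while the function names, the "portion of an account name" threshold (4 characters), the "character string" threshold (3 consecutive characters) and the personal-information list are assumptions made for illustration.

```python
import re

MIN_LENGTH = 6        # "at least six characters in length"
NAME_PORTION = 4      # assumption: a 4+ character slice of an account name is a "portion"
SEQ_RUN = 3           # assumption: 3 consecutive characters (abc, 123, cba) are a "character string"


def _has_sequential_run(password: str, run: int = SEQ_RUN) -> bool:
    """True if the password contains `run` characters that step by exactly +1 or -1
    in code-point order, e.g. 'abc', '123', 'cba' or '321'."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _forms(term: str) -> set[str]:
    """The manual forbids personal information 'in any form'; this example checks the
    term itself, the term reversed, and both with punctuation and spaces removed."""
    t = term.lower()
    bare = re.sub(r"[^a-z0-9]", "", t)
    return {f for f in (t, t[::-1], bare, bare[::-1]) if len(f) >= 2}


def check_password(password: str, account_names: list[str], personal_terms: list[str]) -> list[str]:
    """Return the rules the password violates; an empty list means it is acceptable.

    account_names: the member's user ID, log-in name, e-mail name, etc.
    personal_terms: spouse/children/pet names, phone and licence-plate numbers,
    date of birth, street name and similar facts collected at intake (constructed
    input for this example). The manual's 'easy to remember' and 'easy to type'
    rules are judgement calls and are not checked here.
    """
    problems: list[str] = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)   # numeric or special
    if not (has_alpha and has_other):
        problems.append("must mix letters with at least one numeric or special character")

    for name in account_names:
        n = name.lower()
        slices = {n[i:i + NAME_PORTION] for i in range(len(n) - NAME_PORTION + 1)}
        if n and (n in low or low in n or any(s in low for s in slices)):
            problems.append(f"contains a portion of account name '{name}'")
            break

    for term in personal_terms:
        if any(f in low for f in _forms(term)):
            problems.append(f"contains personal information '{term}'")
            break

    if _has_sequential_run(password):
        problems.append("contains a character string such as abc or 123")

    return problems


if __name__ == "__main__":
    # Constructed sample: user ID 'jsmith', pet named 'Rex', home phone 555-1234.
    for candidate in ("abc123", "Rex2015!", "smith1", "Tulip#47"):
        print(candidate, "->", check_password(candidate, ["jsmith"], ["Rex", "555-1234"]) or "accepted")
```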


User Access Controls and Management

The Security Officer will:

Disable user IDs and password accounts not used for 180 days and review such accounts for possible deletion. Review and delete accounts that have been disabled for 60 days. Review and delete password accounts for the organization’s contractors on the expiration date of their contract.

Instruct organization members to keep passwords confidential. Organization members will be instructed to not share his/her password with anyone, including other organization members, temporary organization members, and contractors.

Remove vendor or service passwords from computer systems and assign new passwords to all computer systems immediately upon installation at the organization.  

Instruct organization members that passwords will not be visible on a data entry screen or display or documented in writing in any form (e.g., on a post-it note, on a message pad, on a calendar, or smartphone).

Change passwords and disable user accounts promptly upon organization member’s termination, including temporary organization members, regardless of whether the termination was mandatory or voluntary. Users should immediately change their password if they suspect it has been compromised and should immediately notify the Security Officer.

Limit organization members’ log-on attempts to five (5) to prevent unauthorized access to the computer system, by configuring computer system accounts to lock and provide no further access to the organization member until the member has discussed the lockout with the System Administrator or Security Officer.

Document in each individual’s job description the level of access consistent with their described role within the organization. See the Organization’s HIPAA Manual, Minimum Necessary Policy.

Ensure that there is a mechanism in place to encrypt and decrypt electronic protected health information. Encryption Level <______>

Emergency Access Procedure:  As outlined in the Vendor Specific Section
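The account-management actions above (disable after 180 days unused, delete after 60 days disabled, delete contractor accounts on contract expiry, lock after five failed log-on attempts) can be run as a periodic review. The following is an added example written for this manual, not the manual's or any vendor's own code; the Account record, the sample accounts and the review date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DISABLE_DAYS = 180   # "not used for 180 days"
DISABLED_DELETE_DAYS = 60       # "disabled for 60 days"
MAX_LOGON_ATTEMPTS = 5          # "limit ... log-on attempts to five (5)"


@dataclass
class Account:
    """Minimal account record (constructed for this example)."""
    user_id: str
    created: date
    last_login: Optional[date] = None      # None = never logged on since creation
    disabled_on: Optional[date] = None
    contract_end: Optional[date] = None    # set only for contractor accounts
    failed_attempts: int = 0
    locked: bool = False


def record_failed_logon(acct: Account) -> bool:
    """Count one failed log-on attempt and lock the account on the fifth.
    Returns True when the account is (now) locked. No unlock is offered here:
    the manual requires a discussion with the System Administrator or Security
    Officer before further access is granted."""
    if not acct.locked:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_LOGON_ATTEMPTS:
            acct.locked = True
    return acct.locked


def record_successful_logon(acct: Account, when: date) -> None:
    """A successful log-on resets the failure counter and refreshes last use."""
    acct.failed_attempts = 0
    acct.last_login = when


def review_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Sort accounts into the actions the Security Officer must take on `today`."""
    actions: dict[str, list[str]] = {"disable": [], "review_for_deletion": [], "delete": []}
    for a in accounts:
        # Contractor accounts are deleted on the contract expiration date.
        if a.contract_end is not None and a.contract_end <= today:
            actions["delete"].append(a.user_id)
            continue
        # Already-disabled accounts are reviewed and deleted after 60 days.
        if a.disabled_on is not None:
            if (today - a.disabled_on).days >= DISABLED_DELETE_DAYS:
                actions["delete"].append(a.user_id)
            continue
        # Active accounts: disable after 180 days without use and queue for review.
        last_used = a.last_login or a.created
        if (today - last_used).days >= INACTIVITY_DISABLE_DAYS:
            actions["disable"].append(a.user_id)
            actions["review_for_deletion"].append(a.user_id)
    return actions


def sample_review() -> dict[str, list[str]]:
    """Run the review over constructed sample accounts as of 2024-06-30."""
    today = date(2024, 6, 30)
    accounts = [
        Account("active.user", date(2022, 1, 10), last_login=date(2024, 6, 1)),
        Account("stale.user", date(2022, 1, 10), last_login=date(2023, 12, 1)),
        Account("never.used", date(2023, 11, 1)),
        Account("old.disabled", date(2021, 5, 5), last_login=date(2023, 9, 1),
                disabled_on=date(2024, 4, 1)),
        Account("new.disabled", date(2021, 5, 5), last_login=date(2023, 9, 1),
                disabled_on=date(2024, 6, 1)),
        Account("contractor", date(2024, 1, 2), last_login=date(2024, 6, 28),
                contract_end=date(2024, 6, 30)),
    ]
    return review_accounts(accounts, today)


if __name__ == "__main__":
    for action, ids in sample_review().items():
        print(f"{action}: {ids}")
```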

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.2 Workforce Clearance Procedures

Workforce Clearance Procedures

Workforce Security § 164.308(a)(3)(ii)(B) Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Implementation Specification: Addressable
Risk Level: low
Financial Impact: n/a

The organization’s policy is to ensure that all members of its workforce have appropriate access to PHI (including EPHI) and prevent those who do not need access from obtaining access.

Workforce authorization - Authorization is done at the time of joining the organization. Roles are specified in an organization member’s job description, which correlates with the member’s role within the EHR system, ensuring appropriate access. Organization members must provide proof of license as required by state law in order to access certain areas of the EHR. Certain areas of the EHR can only be accessed by clinical personnel holding an applicable professional license. Such members will provide proof of such licensure at the time of joining the organization and receiving workforce clearance.

Roles and permissions within the EHR are assigned by the Security Officer at the time of joining the organization.

Job descriptions are in place and developed for each of the organization members. These documents describe the responsibilities of each staff position and the level of access that each needs to PHI (including EPHI).  Job descriptions are routinely reviewed, but no less than annually, for accuracy and appropriateness.  Consistent with the Privacy Rule, job descriptions address the minimum necessary access required by a person or job title in the organization that must have access to EPHI to carry out their duties.  Each organization member has a copy or access to their written job description. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.3 Contingency Policy and Procedures

Contingency Policy & Procedures

§164.308(a)(7)(i) Contingency Plan - Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (See Policy 3.6 of this Manual for additional emergency contingency plan policies and procedures.)

§164.308(a)(7)(ii)(C) Emergency Mode Operation Plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

§164.308(a)(7)(ii)(A) Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

§164.308(a)(7)(ii)(B) Disaster Recovery Plan: Establish (and implement as needed) procedures to restore any loss of data.

§164.308(a)(7)(ii)(D) Testing and Revision Procedures: Implement procedures for periodic testing and revision of contingency plans. (Addressable)

§164.308(a)(7) Preventive Measures must be identified.

§164.308(a)(7)(E) Applications and Data Criticality Analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. (Addressable)

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy: It is the policy of the Organization to establish Contingency Plans in order to protect the confidentiality, integrity, and accessibility of our electronic protected health information from vulnerability in the event of an emergency. It is the purpose of the Organization to enable sustained operation of the information systems in the event of an extraordinary event that causes these systems to fail minimum production requirements. The Organization will assess the needs and requirements so that the Organization may be prepared to respond to the event in order to regain efficient operation of the systems that are damaged. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure:

Every member of the Organization's workforce is responsible for the integrity of the Organization’s electronic protected health information.

The Security Officer (or other designated person) will inspect the facilities per the Facilities Policy and Procedures and maintain a log of all repairs and enhancements to security.

The Security Officer will respond to the Contingency Plan steps for the Organization.

The Organization will establish procedures in order to reduce the risk of vulnerability determined by the Facility Security Analysis.

The Contingency Plan of the Organization is an ongoing responsibility and will be reviewed by the Security Officer of the Organization as necessary, including quarterly and annual reviews.

The Security Officer will train the members of the Organization on the procedures of the Contingency Plan.

Key applications are identified in the backup policy and procedure section 3.5.

Steps to Activate Contingency Plan:

Response Phase
The Security Officer will:

• Establish an immediate and controlled presence at the incident site.
• Conduct a preliminary assessment of incident impact, extent of damage, and disruption to the information system and/or business operations.
o Scale of damage
- Total: Physical facilities, hardware and/or data is destroyed, requiring the replacement of equipment and data to recover
- Major: There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover
- Partial: There is minor damage to hardware and/or data, requiring some replacement of equipment but mostly restoring data
- Minor: Only data is damaged and only restoration is required to recover
• Find and disseminate information if or when access to the information system and/or facility will be allowed.
• Provide all members with the facts necessary to make informed decisions regarding subsequent resumption and recovery activity.


Response Phase Checklist

Purpose: To detect and assess damage and to activate the plan. Includes immediate actions, personnel safety, damage mitigation, and reporting.

The first responder is to notify Security Officer. All known information must be relayed to the Security Officer.

The Security Officer will inform necessary personnel of the event. The Security Officer will begin or delegate the commencement of the assessment procedures.

Begin the assessment procedures to determine the extent of damage and estimated recovery time. (Use alternate procedures if damage assessment cannot be performed locally because of unsafe conditions).

o Damage Assessment Procedures: Determine:
- The cause of the disruption
- Potential for additional disruption or damage
- How the physical area has been affected
- The status of the physical infrastructure
- Status of IT equipment functionality and inventory
- IT equipment that will need to be replaced
- Estimated time to repair services to normal operations

o Alternate Assessment Procedures:
- Determine when damage assessment can be completed
- Notify the Security Officer of the results
- The Security Officer will evaluate the results and determine whether the contingency plan is to be activated and if relocation is required

Based on assessment results, the Security Officer is to report the assessment to emergency personnel (e.g. police or fire department) as appropriate.

Determine what resources are required to support critical functions.
o Consider the following:

- Human Resources: Can people get to work? Are the critical skills and knowledge possessed by the appropriate people? Can people easily get to an alternative site?

- Process Capabilities: Are the computers or other hardware harmed? What happens if some of the equipment is inoperable, but not all?

- Automated Applications and Data: Has data integrity been affected? Has an application been sabotaged? Can an application run on a different processing platform?

- Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?


- Infrastructure: Do people have a place to work? Do they have the equipment to do their jobs? Can they occupy the department/building?

- Documents/Paper: Can needed records be found? Are they readable?

Activate the Contingency Plan if one or more of the following criteria are met:
o (EHR system) will be unavailable for more than 48 hours
o Facility is damaged and will be unavailable for more than 24 hours
o Other criteria, as appropriate
o If plan is activated,
- Security Official is to notify all team leaders and inform them of the details of the event and if relocation is required
- Upon notification, the team leaders will notify their respective teams.
- The Security Official will notify the (off-site storage facility) that a contingency event has been declared and to ship the necessary materials to the alternate site
- The Security Official will notify the alternate site that a contingency event has been declared and to prepare the facility for the organization’s arrival

Response Phase – EHR Response Phase Checklist

The availability of EPHI is critical to ensure safe and effective communication among patient healthcare providers. Utilize established procedures to ensure that EPHI is backed up and information is retrievable. In the event of a downtime disruption and inability to access the EHR, the organization shall:

• Identify operations or services that will be impacted
• Make necessary notification of the unavailability of EPHI
• Implement existing backup systems to access historical patient health information
• Identify and make available resources for retrieval, delivery, return, etc.
• Make temporary paper documentation tools available for healthcare providers
• Identify processes to carry out (ADT transmissions, order placement and communication, diagnostic study results reporting)
• Identify processes, procedures, and responsible personnel to ensure processing of paper documentation following EHR resumption

Response Phase Personnel Safety Procedures

In an emergency, the Organization’s top priority is to preserve the health and safety of its staff before proceeding to the Response procedures.


Hazardous Material

• Staff should remain inside the building
• Doors and windows should be secured
• Curtains or mini-blinds should be closed if possible to shield from flying glass
• Staff should take shelter in the hallway if necessary
• Evacuation of the building is a last resort and should be done only under the direction of the Security Official or notification by local authorities.

Fire

• If possible, determine where the fire is located
• If the area is filled with smoke, leave the area for a safer location
o Call authorities
o Stay out of the area until the smoke is cleared and the area is secured
• If the fire is not out of control and you are not in danger
o Trained staff should use fire extinguishers if it is safe
o Sound the alarm (if applicable)
o Call authorities
• If the fire is out of control, all personnel should evacuate
o Call authorities
o Stay at least 300 feet from the area
• Once outside, proceed to the Emergency Assembly Point
• Do not leave the premises

Explosion or Similar Incident

• Immediately take cover under tables, desks, and other such objects for protection against falling glass and debris
• After immediate effects of the explosion or incident subside, notify authorities
• When advised, evacuate the building
• Once outside, proceed to the Emergency Assembly Point
• Do not leave the premises

Earthquake, Fire or Explosion, Structural Damage

• May be necessary to evacuate the building immediately until it can be declared safe for occupancy
• Follow building evacuation procedures
o Evacuate upon notification by local authorities, Security Official, or if there is a life threatening incident or disaster
o Pay attention to all marked exits from the building
o Walk quickly to the nearest exit and leave the building
o Once outside, proceed to the Emergency Assembly Point. Do not leave the area (roll call may be taken)
o Do not return to the building until directed to by either local authorities or the Security Official

Telephone Bomb Threats

• Keep the caller on the line for as long as possible
• Record every statement spoken by the person on the call
• Be sure the caller provides information regarding the location and time of detonation
• If possible, place the caller on speakerphone so that other staff may assist in verifying information
• After hanging up (or simultaneously by another staff member) call authorities
• Evacuate

Resumption Phase
The Security Officer will:

• Establish and organize a management control center and headquarters for the resumption of operations.


• Activate the support teams necessary to facilitate and support the resumption process.
• Notify and apprise time-sensitive business operation resumption team leaders of the situation.
• Alert employees, vendors, and other internal and external individuals and organizations.

Recovery Phase
The Security Officer will:

• Prepare and implement procedures necessary to facilitate and support the recovery of time-sensitive business operations.
• Coordinate with the members responsible for business operations and recovery.
• Coordinate with members, vendors, and other internal and external individuals and organizations.

Purpose: To restore temporary IT operations and recover damage done to the original system. The Recovery Phase begins after the contingency plan has been activated, damage assessment has been completed (if possible), personnel have been notified, and appropriate personnel mobilized. The Recovery Phase includes procedures to recover hardware, software, data, telecommunications, and reporting.

Focus: Contingency measures to execute temporary IT processing capabilities, repair damage to an original system, and restore operation capabilities at the original or new facility.

Overall Goal: At the completion of the Recovery Phase, the IT system will be operational and performing the functions designated in the plan

Recovery Goal: Restore Data

Procedures: Utilize existing policy and procedures for data backup and restoration. The Security Official will oversee and/or initiate the organizational data backup and recovery processes for those applications, systems, and networks under its control.

Recovery Goal: Communication Infrastructure

Procedures: Recover critical telecom networks and equipment first. Because IT infrastructure can depend on the telecommunications network, recovery of telecommunications is important. Set up workspace and stage equipment for recovery of systems. Set up internet connectivity. Recover data server. Begin recovery of secondary applications. Set up additional phones for staff.

Restorations Phase
The Security Officer will:

• Prepare and implement procedures necessary to facilitate the relocation and migration of business operations and technology to the new or repaired facility.


• Manage the relocation/migration effort as well as perform employee, vendor, and customer notification before, during, and after relocation or migration.

Purpose: To restore IT system processing capabilities to normal operations. The Restorations phase may include refurbishing, replacing, constructing, or returning.

Terminate recovery activities

Transfer normal operations back to the organization’s facility (if applicable)

Prepare a new facility to support system processing requirements (if applicable)

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.4 Computer Backup Policy and Procedures

Computer Backup Policy §164.308(a)(7)(ii)(A) - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Contingency Plan §164.308(a)(7)(ii)(B) - Establish (and implement as needed) procedures to restore any loss of data.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy: It is the policy of the Organization to implement backup procedures in order to protect the confidentiality, integrity, and availability of the electronic protected health information (EPHI) of our patients.  Members are responsible for notifying the Security Officer immediately if his/her attempt to save EPHI fails or if EPHI is compromised in any way. All media belonging to the Organization is assumed to contain sensitive information and should be treated as such.   Media control procedures provide for:

Receipt and removal of hardware/software; Backup, storage and expiration of Information; Disposal of out-of-date or incorrect Information; Encryption of Nominative Information during transit; and Reuse and Disposal of Media.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure:

Our Organization identified key applications that support electronic protected health information and identified a backup schedule as well as the approximate recovery time as follows:

Organization Management and Electronic Health Record:  

Backup Method – < >
Frequency – < >
Encryption – < >
Test of Data Backup Frequency – < >
Date of Last Data Backup Test – See Backup Log
Recovery Time – < >
Reuse and Disposal of Media – < >
Procedure: See vendor specific section

Accounting Software: (REMOVE if the organization does not have EPHI in the accounting software)

Backup Method – < >
Frequency – < >
Encryption – < >
Test of Data Backup Frequency – < >
Date of Last Data Backup Test – See Backup Log
Recovery Time – < >
Reuse and Disposal of Media – < >

                     

Any other software with EPHI: <name of software> (REMOVE if the organization does not have EPHI in any other software)

Backup Method – < >
Frequency – < >
Encryption – < >
Test of Data Backup Frequency – < >
Date of Last Data Backup Test – See Backup Log
Recovery Time – < >
Reuse and Disposal of Media – < >

Server Configuration and Set-up (if applicable)

Method – < >
Frequency – < >

Identified persons who are authorized to access the backed up data include: The Security Officer <organization intake>

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.5 Contingency Plan Steps, Emergency Mode Operation Plan

Contingency Plan Steps, Emergency Mode Operation Plan

§164.308(a)(7)(i) Contingency Plan - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Identified Organization Threats/Risks

• Natural - <organization intake (fire, flood, ice storm, tornadoes, wind storms)>
• Human - network or computer based attacks, malicious software upload, data entry deletion (low probability); theft or vandalism
• Environmental - power failure (low probability)
• Scale of damage:
o Total: Physical facilities, hardware and/or data is destroyed, requiring the replacement of equipment and data to recover
o Major: There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover
o Partial: There is minor damage to hardware and/or data, requiring some replacement of equipment but mostly restoring data
o Minor: Only data is damaged and only restoration is required to recover
o None: No physical damage to hardware and/or no data destroyed; disruption is due to a recoverable event.

Disaster Recovery Plan: Scenario #1 - Server Dies

Scale of Damage: Major

There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover

The Security Officer will activate the Plan and the Plan’s activation will be communicated to the rest of the Organization via <Org Intake>


• New server or switch to redundant server
• Obtain data restoration from <Org Intake>
• A senior level manager and/or owner will confirm the restored data.
• List of all member names and addresses can be found: <Org Intake>
• Vendor contact list can be found: <Org Intake>
• Vital records for the Organization, such as server and workstation warranties, can be found: <Org Intake>

Disaster Recovery Plan:   Scenario #2   -   Destruction of Office Due to Natural Threat

Scale of Damage: Total

Physical facilities, hardware and/or data is destroyed, requiring the replacement of equipment and data to recover

The Security Officer will activate the Plan and the Plan’s activation will be communicated to the rest of the Organization via phone or in person

• Communication outreach to patients will be done via: < >
• Follow directions for procurement of needed hardware.
• Follow directions for backup restoration to new hardware.
• The doctors and office manager will confirm the restored data.
• Utilize checklist to aid in the transition and restoration of your normal business operations: facilities, members, computers, restore databases.

Identified Range of Events: Events that may cause the total or partial relocation or suspension of Organization’s operations: <Org Intake>  

Identified Relocation Facility: <organization intake> (Addressable - see addressable specifications)

Identified Contingency Staff: <organization intake> (Addressable - see addressable specifications)

Identified communication plan for members, business partners, and patients: <organization intake>

Contingency Plans Testing and Revision: Training for all personnel on the policies and procedures regarding the organization’s contingency plans will occur upon joining the organization and at annual review.

Testing of the plan will occur every other year and will include a determination and documentation of any weaknesses in the disaster and emergency operations plans and the addressing of any weaknesses discovered.

Last test or Reason for not testing the Contingency Plan: <Org Intake>  

Disaster Recovery Plan:   Scenario #3 - Loss of Electricity

Scale of Damage:  None

The Security Officer will evaluate the likely probability of extended loss of electricity. If the power disruption will last more than 4 hours, the Organization will identify an alternative power source or an alternative means of accessing patient da

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.6 Facilities Policy and Procedures

Facilities Policy and Procedures

§164.310(a)(2)(ii): Facility access controls - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

§164.310(a)(2)(iv): Facility access controls - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

The Organization recognizes the importance of physical security in preventing unauthorized access to PHI and has developed the following policies and procedures. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Inspections:  It is the Organization’s policy to conduct routine physical inspections of the facilities. Each outside access point has appropriate physical safeguards.  Inspections, repairs and maintenance records are maintained in the facilities log.

Doors: <Org Intake>  Keys are assigned and distributed by the Security Officer

Windows:  <Org Intake>  

Alarm System:   <Org Intake>  

Workstations (if applicable): <Org Intake>  

Physical locations of workstations are documented in the hardware log.

o Visible at all times: password protected, log off for inactivity or if stepping away from location.

o If NOT visible at all times: the area where the computer is located has physical access restrictions as specified. These restrictions may include observed entry points and/or locked entry points. The hardware is password protected, with an automatic log off procedure when not in use.

Server: specify if on-site or off-site: <security>

If off-site: <security>

Device and Media Controls:  


Disposal:  Required - documented in hardware inventory

Media Reuse:  Required - documented in hardware inventory

Location and accountability:  Addressable - documented in hardware inventory

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.7 Computer Workstation Use Policy and Procedures

Computer Workstation Use Policy and Procedures

§164.310(b) Workstation Use - Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

§164.310(b): Workstation Use - Covered entities must identify the expected performance of each type of workstation.

§164.310(b): Workstation Use - Covered entities should analyze physical surroundings for physical attributes.

§164.310(c): Workstation Security - Covered entities should implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(i) Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored.

§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(iii) Maintain a record of the movements of hardware and electronic media and any person responsible therefor.

§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(ii) Implement procedures for removal of ePHI from electronic media before the media are made available for reuse. Ensure that ePHI previously stored on electronic media cannot be accessed and reused. Identify removable media and their use. Ensure that ePHI is removed from reusable media before they are used to record new information.

§164.312(a)(1): Access Control - §164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.


§164.312(a)(1) Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

§164.312(a)(2)(iii): Access Control - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

§164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

§164.312(c): Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

§164.312(e)(1): Transmission Security - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Implementation Specification:  Required

Risk Level:  low

Financial Impact:  n/a

Policy and Procedures:

Operating Environment

1. All computers owned by the Organization will be connected to surge protectors purchased by the Organization.

2. Members will monitor the computer system and report potential threats to the security of the data contained in the system to the Security Officer of the Organization. All members will take appropriate measures to protect computers and data from disasters based on the policies and procedures of the Organization.

3. The members of the Organization should be cautious with food and drink near computer terminals, hard drives, keyboards, and screens.  

4. The network and workstations have been configured according to standards provided by the Organization. The programs that have been installed are for the sole use of the Organization.  All accessible data, personal or private, is for the sole use of the Organization. This includes data that members may put on their local hard drives.  The computer has been set up for your individual use solely for the business of the Organization. Members of the Organization are not authorized to change any settings unless instructed by the Security Officer. The Security Officer monitors which software and hardware is at each workstation.  Do not change anything without approval from the Security Officer.

5. Members will not subject the Organization’s system to malicious programs (e.g., viruses, worms, etc.)


6. All hardware and software owned by the Organization is documented in an inventory log. The log details:  

o The location and function of all hardware and software

o The data contained within; encryption methods, if applicable

o Backup procedure for all devices

o Audit methodology for access of hardware or software

o Destruction methods for reuse or retirement of all devices

Passwords

Members are expected to maintain the confidentiality of their password(s). The Organization expects authorized users to be responsible for the security of their password.

Members will log on to the system with their own password(s). Under no circumstances will a member share their password(s) with another member or unauthorized person in order to allow them access to the system. The Organization monitors system access by authorized users.

Content

A Member of the Organization will be held responsible for the content of any data that Member entered into the system. This includes any information transmitted within the Organization or outside the Organization. A member will not hide his/her identity as the author of any entry or represent that someone else entered the data or sent the message.

The Security Officer of the Organization will issue access authorization to each member.  No member may access any confidential patient or other information that they do not need to know. No member may disclose confidential patient or other information, unless properly authorized.

Log-off (Addressable)

When members leave their computer terminal for any length of time, the system will automatically log off after two minutes of idle screen time unless the computer is in a physical space where someone is present at all times.

Screen savers will be programmed for each computer to activate after five minutes of idle screen time and will require a password to sign back in.

Backup Procedures (Required)

Members are required to adhere to the backup policies and procedures of the Organization with regard to all utilized applications. See Policy 3.5 of this Manual.

Device and Media Controls

Members will use backup media that are provided by the Organization. Members will assume that all electronic media belonging to the Organization contains confidential information.

Destruction Procedures


Members are required to adhere to the destruction procedures of the Organization with regard to devices and media that contain EPHI.

Hard drives will be cleaned of all EPHI prior to resell, donation, or disposal by use of appropriate “cleaning” software.

Electronic media (e.g., tapes, CDs, disks, etc.) will be destroyed via shredding or incineration prior to disposal.

Sanctions

Any member found to have violated this policy would be subject to disciplinary action, up to and including termination of membership.

Electronic Mail

The Email system should generally be used for work related purposes. The Organization reserves the right to monitor Email and Internet usage.

Only open attachments from trusted sources. Forgery (or attempted forgery) of electronic mail messages is prohibited. Attempts to read, delete, copy, or modify the electronic mail of other users are prohibited. Attempts at sending harassing, obscene, or threatening email to another user are prohibited. Attempts at sending junk mail, “for-profit” mail, or chain email are prohibited.

Internet Access

The Organization authorizes the availability of the Internet/World Wide Web to provide access to Internet resources that will enhance and support business activities. It is expected that members will use the Internet to improve their job knowledge and to access information on topics which have relevance to the Organization.

Members should be aware that access is accomplished using Internet protocol addresses and domain names registered to the Organization. They may be perceived by others to represent the Organization. Users are advised not to use the Internet for any purpose that would reflect negatively on the Organization or its members.

Members will follow existing security policies and procedures in their use of Internet services and will refrain from any access to Internet sites that might jeopardize the computer systems and data files. This includes, but is not limited to, exposure to virus attacks when downloading files from the Internet.

Members using equipment owned by the Organization to access the Internet are subject to having activities monitored by the Security Officer. Use of this system constitutes consent to security monitoring and members should remember that no session or transmission should be considered private.

EPHI is not to be transmitted over the Internet without encryption. The computer system of the Organization is not for personal use. When certain criteria are met, users are permitted to engage in the following activities:

o During working hours, access job-related information, as needed, to meet the requirements of their jobs.

o During working hours, participate in email discussion groups (list servers), provided these sessions have a direct relationship to the user's job with the Organization and the user’s participation has been pre-approved by their supervisor.


The following uses of the Internet, either during working hours or personal time, using  the Organization’s equipment or facilities, are not allowed:

o Access, retrieve, or print text and graphics information that is unrelated to the user’s job duties or assignments.

o Access, retrieve, or print text and graphics information that exceeds the bounds of generally accepted standards of good taste and ethics .

o Engage in any unlawful activities or any other activities that would in any way bring discredit on the Organization.

o Engage in personal commercial activities on the Internet, including offering services or merchandise for sale or ordering services or merchandise from online vendors.

o Engage in any activity that would compromise the security of the Organization.

o Obtaining personal files via the Internet on individual PC hard drives or on local area network (LAN) file servers.

o Game playing of any kind.

o Propagating any computer virus or maintaining a secret pass code.

Remote Access

This policy applies to the Organization’s members, contractors, vendors, and agents and applies to both Organization-owned and personally-owned computers or workstations used to connect to the Organization’s network. This policy applies to remote access connections used to do work on behalf of the Organization, including reading or sending email and viewing Internet web resources. Remote access means any access to the Organization’s network through a non-Organization controlled network device or medium.

Members, contractors, vendors, and agents with remote access privileges to the Organization’s network are required to ensure that their remote access connection is given the same consideration as the user’s on-site connection to the Organization.

Please review the encryption policy for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of the Organization’s network.

Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication.

At no time should any Organization member provide his/her login or email password to anyone, not even family members.

Members with remote access privileges must ensure that their Organization owned or personal computer or workstation, which is remotely connected to the Organization’s network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

All hosts that are connected to the Organization’s internal networks via remote access technologies must use the most up-to-date anti-virus software, which includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.

Personal equipment that is used to connect to the Organization’s networks must meet the requirements of the Organization's owned equipment for remote access.

Encryption and Decryption of Media:  Addressable


All EPHI that electronically goes outside the Organization firewall is encrypted with a minimum standard of <128> bit.

All EPHI that is on media that is physically taken out of the facility or may easily be taken out of the facility is encrypted with a minimum standard of <128> bit.

Decryption keys are maintained separate from the media or electronic transmission of the EPHI.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


3.8 Mobile Device Management Procedure

Mobile Device Procedure

Implementation Specification:  Addressable

Risk Level:  medium

Security Category ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)} - See Security Categorization in Reference Section.

Procedure:   The Security Officer will inspect each Bring Your Own Device (BYOD) and confirm user device:

o integrity, by confirming the latest OS is present with automatic updates

o authentication is present, by having a unique single user name and password

o a protected storage program to wipe out sensitive data if the phone is lost or stolen.

The Security Officer will screen all programs or resources which may be used by BYOD brought into the organization and list them on allowed software on the software inventory.

References:

NIST Special Publication 800-164 (Draft), Guidelines on Hardware-Rooted Security in Mobile Devices, National Institute of Standards and Technology, Natl. Inst. Stand. Technol. Spec. Publ. 800-164, 33 pages (October 2012), CODEN: NSPUE2

See NIST SP 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise [SP800-124],

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


Tabbed Section – Technical

Information Technology (IT)


4 TECHNICAL – INFORMATION TECHNOLOGY (IT)

4.1 IT Tasks Policy and Procedures

IT Tasks Policy and Procedures

IT Support for the Organization is provided by:

Company Name: <IT intake>

Primary Contact: <IT intake>

Address: <IT intake>

Contact email, phone: <IT intake>

Website: <intake or remove>

The Organization’s Security Officer will work with IT support to ensure complete documentation of the Organization’s IT infrastructure.   The officer will also work with IT support to ensure size appropriate technologies for:

o Anti-virus software

o Network Integrity Assurance

o Firewalls

o Encryption of backup data

o Encryption of online data

o Audit Trails for each system and software that may have EPHI

o Data Backup and Testing of Data Backups

o Design and Implementation of User Identification and Authentication

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


4.2 IT Inventory Locations Device and Media Controls

IT Inventory Locations Device and Media Controls

The Organization maintains IT inventories electronically.  The Organization recognizes that as part of its risk analysis process, it has identified all systems which store, process, or transmit EPHI. This includes components of the Organization which handle EPHI and the physical location of IT assets that contain EPHI.  Each system and its information is categorized according to Federal Standards with the following nomenclature:

The generalized format for expressing the security category, SC, of an information type is: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE (see glossary for definitions of all terms).
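The SC notation above is what the intake forms in this manual are filled in with (section 3.8 writes "SC ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)}"), so a small checker that parses it and rejects values outside the allowed set is useful when reviewing an inventory. The code below is an added example, not the manual's own; two things are assumptions beyond the page: "medium" is accepted as a synonym for MODERATE, and the overall category is derived as the FIPS 199 high-water mark (the highest impact assigned to any of the three objectives).

```python
"""Added example (not the manual's own code): parse and validate a security
categorization written in the SC notation, e.g. the line used in section 3.8:
    SC ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)}
Allowed impact values (LOW, MODERATE, HIGH, NOT APPLICABLE) come from the manual.
Assumptions beyond the page: "medium" is a synonym for MODERATE, and the overall
category is the FIPS 199 high-water mark across the three objectives.
"""
import re

OBJECTIVES = ("confidentiality", "integrity", "availability")
IMPACT_RANK = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
# Spellings seen on intake forms, mapped onto the four allowed values (assumption).
SYNONYMS = {"N/A": "NOT APPLICABLE", "NA": "NOT APPLICABLE",
            "MEDIUM": "MODERATE", "MED": "MODERATE"}

# "SC <information type> = {(objective, impact), (objective, impact), ...}"
SC_PATTERN = re.compile(r"^\s*SC\s+(?P<type>.+?)\s*=\s*\{(?P<body>.*)\}\s*$")
PAIR_PATTERN = re.compile(r"\(\s*([A-Za-z]+)\s*,\s*([^)]+?)\s*\)")


def normalize_impact(value):
    """Map an impact spelling onto one of the allowed values, or raise ValueError."""
    v = " ".join(value.strip().upper().split())
    v = SYNONYMS.get(v, v)
    if v not in IMPACT_RANK:
        raise ValueError(f"impact value not allowed: {value!r}")
    return v


def parse_security_category(text):
    """Return (information_type, {objective: impact}) for one SC line.

    Rejects unknown objectives, duplicated or missing objectives, impact values
    outside the allowed set, and NOT APPLICABLE on integrity or availability
    (FIPS 199 permits that value only for confidentiality; assumption beyond the page).
    """
    m = SC_PATTERN.match(text)
    if not m:
        raise ValueError("not in the form 'SC <information type> = {...}'")
    category = {}
    for objective, impact in PAIR_PATTERN.findall(m["body"]):
        obj = objective.lower()
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective!r}")
        if obj in category:
            raise ValueError(f"objective listed twice: {objective!r}")
        category[obj] = normalize_impact(impact)
    missing = [o for o in OBJECTIVES if o not in category]
    if missing:
        raise ValueError("missing objectives: " + ", ".join(missing))
    for obj in ("integrity", "availability"):
        if category[obj] == "NOT APPLICABLE":
            raise ValueError(f"NOT APPLICABLE is only allowed for confidentiality, not {obj}")
    return m["type"].strip(), category


def high_water_mark(category):
    """Overall impact level: the highest impact among the three objectives."""
    return max(category.values(), key=lambda v: IMPACT_RANK[v])


if __name__ == "__main__":
    line = "SC ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)}"
    name, cat = parse_security_category(line)
    print(name, cat, "overall:", high_water_mark(cat))
```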

IT Inventories can be found at: <IT Intake>

Hardware: Hardware inventory details the physical location, including:

o Is it fixed or mobile?

o If it is fixed, how is physical access to the device restricted to assure only authorized personnel can access it?

o If mobile, how is any EPHI encrypted on the device and how are users instructed to physically protect the device?

o The encryption standard for any EPHI on the hardware.

o If the hardware is reused or retired, the hardware inventory also contains the method for removal of EPHI or the destruction of the hardware as required.

o The inventory addresses the backup method for any EPHI on the said device.

Software: Software inventories include:

o All software that contains EPHI

o The location of such information

o The encryption level

Network: The Network inventory contains a detailed mapping of all access points to EPHI including:

o Internet

o Local area networks

o Switches

o Routers

o Firewalls

o Protection method for data being transmitted over any network

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


4.3 IT Tasks

IT Tasks

Columns: Task | Name of Individual Completing Task | Date Task Completed | Notes and Follow Up | Security Official Initials

Tasks:

Hardware Inventory - Location:

Software Inventory - Location:

Network Mapping - Location:

Protection from malicious software – anti-virus install and update

Network Scanning for Vulnerability - Type:

Firewall installed - Type:

Encryption of backup data - Level:

Encryption of online data - Level:

Automatic log off - Type:

Software in use is capable of providing electronic/audit trails; if so, audit trail creation - Create one for each system and/or software with EPHI. Location of log:

Audit trail on computer systems - Create one for each system and/or software with EPHI. Location of log:

Design and Implement User ID and Authentication Procedures - Written passwords, biometrics, RFID, etc.

Data backup and testing - Create one for each system and/or software with EPHI. Location of log:


4.4 IT Inventory

HARDWARE

Hardware

Is the hardware fixed or mobile?

If it is fixed, how is physical access to the device restricted?

If it is mobile, how are users instructed to physically protect the device?

Encryption standard for any EPHI on the hardware

If hardware is reused or retired, what is the method for removal of EPHI or the destruction of the hardware?

Backup method for any EPHI on the device

SOFTWARE

Software

Location of software

Encryption level of software

NETWORK

The Network inventory contains a detailed mapping of all access points to EPHI including:

o Internet

o Local area networks

o Switches

o Routers

o Firewalls

o Protection method for data being transmitted over any network


4.5 Network Map (Sample)


Tabbed Section – Logs and Event Records


5 LOGS AND EVENT RECORDS

5.1 Audit Trail Event Record

Audit Trail Event Record

Columns: Event Type | Time and Date of Event | User ID Associated with Event | Computer System Component Involved | Follow Up | Security Official Initials

SAMPLE row:

Event Type: Employee who was not authorized accessed billing system
Time and Date of Event: 4:00pm 4/4/2012
User ID Associated with Event: Sjones
Computer System Component Involved: Billing software
Follow Up:
- Meeting with sjones regarding unauthorized access
- Verbal warning
- Employee understands that she will receive written warning for repeat offence
Security Official Initials:
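The sample row above is the kind of record the Security Officer is expected to produce from the audit trails required under sections 2.2 and 3.7. As an added example (not the manual's own text or code), the script below derives such records from raw application access-log lines by checking each access against the access authorizations the Security Officer issued; the log line format, the user ids, the system names and the authorization list are all constructed for illustration.

```python
"""Added example (not the manual's own code): derive Audit Trail Event Records in
the column layout of section 5.1 from raw application access-log lines, by
checking each access against the access authorizations issued under section 3.7.
The log line format, user ids, system names and authorization list are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed log line format: "<YYYY-MM-DD> <HH:MM> user=<id> system=<name> action=<verb>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) user=(?P<user>\S+) "
    r"system=(?P<system>.+?) action=(?P<action>\S+)$"
)

# Constructed authorization list: lower-case user id -> systems that user may access.
AUTHORIZATIONS = {
    "sjones": {"Scheduling software", "EHR"},
    "mlee": {"Billing software", "EHR"},
}

# Constructed sample log; the 16:00 sjones line mirrors the manual's sample row.
SAMPLE_LOG = """\
2012-04-04 15:55 user=mlee system=Billing software action=open_invoice
2012-04-04 16:00 user=sjones system=Billing software action=open_invoice
2012-04-04 16:02 user=sjones system=EHR action=view_chart
2012-04-04 16:10 user=guest7 system=EHR action=view_chart
""".splitlines()


@dataclass
class AuditTrailEventRecord:
    event_type: str
    time_and_date: str
    user_id: str
    component: str
    follow_up: str = ""   # completed by the Security Officer after review
    initials: str = ""

    def as_row(self):
        """Render the record as one row in the section 5.1 column order."""
        return " | ".join([self.event_type, self.time_and_date, self.user_id,
                           self.component, self.follow_up, self.initials])


def manual_timestamp(ts):
    """Format a datetime the way the manual's sample writes it: 4:00pm 4/4/2012."""
    hour12 = ts.hour % 12 or 12
    suffix = "am" if ts.hour < 12 else "pm"
    return f"{hour12}:{ts.minute:02d}{suffix} {ts.month}/{ts.day}/{ts.year}"


def parse_line(line):
    """Split one constructed log line into (timestamp, user, system, action)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
    return ts, m["user"], m["system"], m["action"]


def review_access_log(lines, authorizations):
    """Return one AuditTrailEventRecord per access the authorization list does not permit.

    Two event types are produced: a user id that is not on the authorization
    list at all, and a known user reaching a system they were not granted.
    Permitted accesses produce no record.
    """
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, system, action = parse_line(line)
        key = user.lower()
        if key not in authorizations:
            event_type = f"Unknown user ID accessed {system}"
        elif system not in authorizations[key]:
            event_type = f"Employee who was not authorized accessed {system} ({action})"
        else:
            continue
        records.append(AuditTrailEventRecord(
            event_type=event_type,
            time_and_date=manual_timestamp(ts),
            user_id=user,
            component=system,
        ))
    return records


if __name__ == "__main__":
    for record in review_access_log(SAMPLE_LOG, AUTHORIZATIONS):
        print(record.as_row())
```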


5.2 Security Incident Report – Anti-Virus

Security Incident Report – Anti-Virus

Columns: Incident | Time & Date of Event | User ID Associated with Event | Computer System Component Involved | Anti-virus Log Text | Resolution/Response | Security Official Initials

SAMPLE row:

Incident: SAMPLE
Time & Date of Event: 4:00pm 4/4/2012
User ID Associated with Event: Sjones
Computer System Component Involved: Lab Computer
Anti-virus Log Text:
Resolution/Response: Removal of virus
Security Official Initials:


5.3 Security Incident Log

Security Incident Log Record

Columns: Incident | Time & Date of Event | User ID Associated with Event | Computer System Component Involved | Anti-virus Log Text | Resolution/Response | Security Official Initials


5.4 Facilities Maintenance Log

Facilities Maintenance Log

Columns: Date | Maintenance Issue | How Addressed | Date Resolved | Notes / Security Officer Initials | Security Official Initials


5.5 Backup Testing and Recovery Log

Backup Testing and Recovery Log

Columns: Database Tested | Data Backup Location / Encryption | Restore Successful | Date | Modifications if Unsuccessful | Next Due | Security Official Initials

SAMPLE row:

Database Tested: EHR
Data Backup Location / Encryption: On site external drive, 256 bit
Restore Successful:
Date: 3/6/2012
Modifications if Unsuccessful:
Next Due: 3/5/2013
Security Official Initials:


5.6 Training Checklist

Training Checklist

Date of Training:                 Date of Review:

Columns: Item | Policy Reviewed | Notes | Security Official Initials

Introduction to HIPAA and Security Rule

Security Official and Overview of Security Official Job Responsibilities

Explanation of Workforce Confidentiality Agreement

Workstation Use

Workstation Security

Virus Protection

Logging On and Off

Password Management

Data Backup

Contingency Plans

Who can access EPHI

Sanctions

Employees Present


5.7 Termination Checklist

Termination Checklist

Columns: Task | Name of Individual Completing Task | Date Task Completed | Notes | Security Officer Initials

Tasks:

Contact a locksmith to change the locks, if necessary

Secure a full computer backup

Recover external hard drives

Keys – outside doors

Keys – inside doors

Secure books

Secure written records

Change security keypad code numbers

Circulate new keypad code numbers and keys to office

Change applicable passwords to the computer workstation, network, and all email/internet accounts to prevent access through outside means

Prepare pre-termination and post-termination audit trails documenting the employee’s workstation/password activity pre and post termination

Conduct limited audit of patient information and financial information. (Contingent upon employee’s degree of access.)


5.8 Data Breach Log

Data Breach Log

Event Type

Time and Date Event Occurred

What type of protected health information was impermissibly used or disclosed?

Who impermissibly used the information or to whom was the information impermissibly disclosed?

Was the protected health information actually accessed?

What actions have been taken to mitigate or eliminate the risk of harm?

Number of Persons Affected

Communication To:

Communication Method:

Date of Communication:

Security Officer Initials


5.9 Sanction Log

Sanction Log

Columns: Date | Employee | Description of Violation | Sanction | Notes | Security Official Initials


5.10 Contingency Planning

5.10.1 Contingency Plan/Restoration Checklist

Contingency Plan / Restoration Checklist

Columns: Item | Equipment Needed | Person Responsible For | Notes

Items:

Establish an immediate and controlled presence at the organization

Meet at relocation address

Prepare room for patients

Prepare office area for server and workstations - Equipment Needed: Desktop, laptop

Confirm data restoration - Equipment Needed: Desktop, laptop

iPad for billing - Equipment Needed: iPad

Phone forwarding to cell phone - Equipment Needed: Cell phones

Notify patients via website and Constant Contact - Equipment Needed: Desktop, laptop


5.10.2 Emergency Mode Operations Roles

Role / Primary Responsibilities / Personnel / Signature

By signing below, I understand my role as defined under “Primary Responsibilities”.

Security Official

Determine the type, extent, and impact of the disaster

Initiate the emergency mode operations plan

Notify vendors of disaster occurrence

Begin operations at determined site (on-site or an alternate site)

Attempt to bring computer systems back to operational level

Ensure that periodic backup is being done

Continue attempts for restoration of regular services

Train workforce for emergency mode operations

Document

Team Leaders

Notify team members of disaster occurrence

Direct team members per direction from Security Official

Physicians:

Nursing:

Front Desk:

All Employees

Be familiar with and adhere to policies, plans, and procedures

Meet at relocation facility (if necessary)

Support Security Official in completion of tasks as necessary, which may include:

o Preparing a room for patients in relocation facility

o Preparing an office area for computer(s) and server(s) at relocation facility

o Confirming data restoration

o Maintaining billing

o Notifying patients

* If person is unavailable, authority will pass to the next person on the list.


5.10.3 Emergency Mode Workforce Contact List

Name Home Phone Cell Phone Email Team


5.10.4 Emergency Mode – Emergency Assembly Point

The Emergency Assembly point is a large, open area, away from power lines, falling debris and other hazards where people can assemble to be accounted for, receive minor first aid, receive instructions and obtain information. Consider assigning a designated person to be in charge at the Emergency Assembly Point.

Designated Person in charge at Emergency Assembly Point:

Emergency Assembly Point

LOCATION:


5.10.5 Emergency Mode Alternate Location/Command Center

The alternate location must be able to accommodate the necessary critical resources and equipment required for disaster recovery: hardware, software, electrical support, telecommunications support, desks, chairs, tables, lights.

Alternate Location

Facility Name:

Address: Floor/Room:

Phone Number: Fax Number:

Contact Person:

Alternate Contact:

Directions from Organization address:

Security Considerations:


5.10.6 Emergency Mode – Necessary Materials

Recovery Resources Supply Checklist

Workspace

Desk, Chairs, Table, Lights

Electrical Support

Telecommunication Support

Documentation

HIPAA Security Manual

o Hardware Inventory List

o Software Inventory List

o Network Map

Business Associate Agreements

Hardware

PC’s/Laptops

Printers

Scanners

Other Supplies

Office Supplies (pens, paper, folders, paper clips, scissors, tape, etc.)

Office Equipment

Backup Media

Flashlights and spare batteries

Telephone log

Software

Backup Copies of Data Files

Other

Communication

Telephones

Cell Phones with Chargers

Fax

Dedicated Phone Lines

Radios (walkie-talkie) as required

Organizational Contact Information/Directories

Telephone Directories

Telephone Log


5.10.7 Contingency Testing and Revision

• Organizations must implement periodic testing and revision of contingency plans

• Testing the contingency and disaster plans will validate your ability to respond to a crisis in a coordinated, timely, and effective manner

Date of Test

Objectives of Test

Description of Test

Results

Recommendations


5.11 Log and Record Review

The Security Officer’s initials at the bottom of this page indicate that the Security Officer has read and reviewed the following logs and event records:

Audit Trail and Event Record

Security Incident Report – Anti-Virus

Security Incident Log Record

Facilities Maintenance Log

Backup Testing and Recovery Log

Contingency Plan / Restoration Checklist

Business Associate Listing

Training Checklist

Termination Checklist

Data Breach Record

Sanction Log

The Security Officer’s initials at the bottom of this page indicate that the Security Officer has read, reviewed, and/or completed the records associated with Contingency Planning:

Emergency Mode Operation Roles

Workforce Member Contact List

Emergency Assembly Point

Alternate Location/Command Center

Necessary Materials Checklist

Training Report

Testing and Revision

****   Manual is not complete until all documents in the log section are filled out completely or electronic versions of such logs are updated.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


Tabbed Section – Job Descriptions


6 JOB DESCRIPTIONS

THIS PAGE INTENTIONALLY BLANK

Insert Job Descriptions


Tabbed Section – Reference


7 REFERENCE

7.1 Security Risk Analysis

Security Risk Analysis and References

§164.308(a)(1): Security Management Process

§164.308(a)(1)(ii)(A) – Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

§164.308(a)(8) – Evaluation: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an organization’s security policies and procedures meet the requirements of this subpart.

Implementation Specification: Required

Risk Level: Moderate

Financial Impact: n/a

The organization conducts a risk analysis annually or when there is a change to the organization’s environment or a significant advance in technology applicable to the organization. The resulting risk assessment should be approved by management, e.g., managing physician or Board of Directors.

This manual reflects the initial evaluation per the HIPAA Security Rule – “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”    

Each policy has a level of risk assigned to it based on the likelihood of a threat occurrence and resulting impact if the threat occurred.

The organization has evaluated:  Administrative, physical and technical safeguards, remote access, organizational policies and procedures as well as documentation requirements of the Security Rule.    

The organization uses the NIST Risk Management Framework:


Categorization of Information Systems

o See Inventories

Selection and Implementation of Security Controls

o See policies

Assessment of Security Controls

o See policies

Authorization of Information Systems

o See policies

Monitoring of Security States

o See Audit policies and logs

Organization Size: <Org Intake> (Solo / Small 2-4 FTE providers / Medium: 5-10 FTE providers / Large: More than 10 FTE providers)

Complexity:

Number of employees: <Org Intake>

Number of Information Systems: <Org Intake>

Number of Business Associates: <Org Intake>

Capabilities: <Org Intake – Outsource IT?>

Criticality of the system and its data: Patient Clinical Information – Critical

Identify Threats to the system: Minimal with IT infrastructure maintenance

Fire

Flood

Other Natural Disasters

Power Failures

Software Failures

Hardware Failure

Theft/Vandalism

Identify Vulnerabilities on the system:

Natural disasters unlikely

Personnel

Analyze the controls that have been implemented, or are planned for implementation:

Detailed in IT section.

The probability that a vulnerability may be exploited:

Malicious attack unlikely

Office personnel exploitation (specify per organizational size – unlikely in a small organization (1 provider)) – CUSTOMIZE STATEMENTS PER ORG SIZE

The organization has performed a risk assessment and sought recommendations and suggested remediation from the appropriate consultants as detailed.   The organization maintains a copy of the organization, IT and Vendor intake information forms used in customizing this manual as well as documentation of any verbal interviews.

Included in this manual are audit results that were not corrected at the time of the manual creation.   The covered organization will address all areas of the audit results.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


7.2 Audit Results

§164.308(a)(8): Evaluation – requires covered entities to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity's security policy and the requirements of this subpart. Covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation, for example, new technology adopted or responses to newly recognized risks to the security of their information.

CMS Audit Protocol Specification: Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI. Obtain and review the entity's formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations. Determine if formal or informal security policies and procedures are reviewed on a periodic basis.

At the date of the audit, the Organization’s HIPAA Security Manual was missing the following information, policies or procedures. As part of your periodic required Security Risk Analysis, these identified items must be addressed with documentation of remediation.

| Page | Document | Item Missing | Corrective Action Taken | Date |
|---|---|---|---|---|

The manual is not complete until all documents in the log section are filled out completely or electronic versions of such logs are updated.

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


7.3 Addressable Specifications


7.4 Security Categorization

Security Objective

The Federal Information Security Management Act of 2002 (FISMA) defines three security objectives for information and information systems:

o Confidentiality: A loss of confidentiality is the unauthorized disclosure of information.

o Integrity: A loss of integrity is the unauthorized modification or destruction of information.

o Availability: A loss of availability is the disruption of access to or use of information or an information system.

| Security Objective | The potential impact is LOW if… | The potential impact is MODERATE if… | The potential impact is HIGH if… |
|---|---|---|---|
| CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542] | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |


Levels of Potential Impact

If there is a security breach, the following outlines the levels of potential impact as defined by Federal Information Processing Standards (FIPS) Publication 199.

| POTENTIAL IMPACT | Ability to Perform Functions | Assets | Financial Loss | Harm to Individuals |
|---|---|---|---|---|
| LIMITED | Able to perform; effectiveness of functions is reduced | Minor damage | Minor loss | Minor harm |
| SERIOUS | Significant degradation in capability to perform; effectiveness is significantly reduced | Significant damage | Significant loss | Significant harm |
| SEVERE or CATASTROPHIC | Not able to perform one or more of its primary functions | Major damage | Major financial loss | Severe or catastrophic harm to individuals; loss of life or serious life-threatening illness |


Security Categorization

The security category of an information type:

Can be associated with both user information and system information

Is applicable to information in electronic or non-electronic form

Can be used as input in considering the appropriate category of an information system

Establishing an appropriate security category of an information type requires determining the potential impact for each security objective associated with the particular information type.

The generalized format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

The acceptable values for impact are LOW, MODERATE, or HIGH.

Determining the security category of an information system requires more analysis:

Must consider the security categories of all information types resident on the information system

After each security category has been determined, the potential impact values shall be the highest values

There is no “not applicable” value due to the fundamental requirement to protect the system-level processing functions and information critical to the operation of the information system

EXAMPLE:  An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security categories, SC, of these information types are expressed as:

SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},

and

SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The resulting security category of the information system is expressed as:

SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.
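The high water mark rule above, worked through as an added Python example (not part of this manual or of FIPS 199): it parses SC expressions in the format shown, rejects the “not applicable” value the text says does not exist, takes the per-objective maximum over all resident information types, and reproduces the acquisition system result.

```python
"""FIPS 199 security categorization: parse SC expressions and compute the
system-level high water mark. Added example, not part of the manual."""
import re

# FIPS 199 impact levels, lowest to highest. There is deliberately no
# "not applicable" entry: every objective must carry one of these values.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# One "(objective, IMPACT)" pair inside the braces of an SC expression.
_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(LOW|MODERATE|HIGH)\s*\)",
    re.IGNORECASE,
)
_NOT_APPLICABLE = re.compile(r"not\s*applicable|\bN/?A\b", re.IGNORECASE)


def parse_sc(expr: str) -> dict:
    """Parse 'SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}'
    into {'name': name, 'confidentiality': X, 'integrity': Y, 'availability': Z}.

    Raises ValueError when an objective is missing or duplicated, or when the
    expression tries to use a 'not applicable' impact value."""
    head, sep, body = expr.partition("=")
    if not sep:
        raise ValueError(f"no '=' in SC expression: {expr!r}")
    name = head.strip()
    if name.upper().startswith("SC"):
        name = name[2:].strip()          # drop the leading "SC" label
    if _NOT_APPLICABLE.search(body):
        raise ValueError(f"{name!r}: FIPS 199 has no 'not applicable' impact value")
    levels = {}
    for objective, impact in _PAIR.findall(body):
        objective = objective.lower()
        if objective in levels:
            raise ValueError(f"{name!r}: {objective} is listed twice")
        levels[objective] = impact.upper()
    missing = [o for o in OBJECTIVES if o not in levels]
    if missing:
        raise ValueError(f"{name!r} is missing: {', '.join(missing)}")
    levels["name"] = name
    return levels


def high_water_mark(categories) -> dict:
    """System category = per-objective maximum over all information types
    resident on the system (the FIPS 199 high water mark)."""
    cats = list(categories)
    if not cats:
        raise ValueError("an information system must host at least one information type")
    return {
        objective: max((c[objective] for c in cats), key=IMPACT_ORDER.__getitem__)
        for objective in OBJECTIVES
    }


def format_sc(name: str, levels: dict) -> str:
    """Render a category back into the manual's SC notation."""
    pairs = ", ".join(f"({objective}, {levels[objective]})" for objective in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


def system_category(system_name: str, sc_expressions) -> str:
    """Parse each information type's SC expression and return the system's SC."""
    return format_sc(system_name, high_water_mark(parse_sc(e) for e in sc_expressions))


# The two information types from the manual's worked example.
CONTRACT = ("SC contract information = {(confidentiality, MODERATE), "
            "(integrity, MODERATE), (availability, LOW)}")
ADMIN = ("SC administrative information = {(confidentiality, LOW), "
         "(integrity, LOW), (availability, LOW)}")

if __name__ == "__main__":
    print(system_category("acquisition system", [CONTRACT, ADMIN]))
```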

REFERENCES: FIPS Publication 199 – Standards for Security Categorization of Federal Information and Information Systems


7.5 Contingency Planning Threats, Preventive Measures and Responses

7.5.1 Threats Affecting Contingency Planning

Potential Threats

Natural Hazards:

Earthquake

Tornado

Flooding

Lightning

Smoke, dirt, dust

Windstorm

Snow/ice storm

Accidents:

Disclosure of confidential information

Electrical disturbance

Electrical interruption

Spill of toxic chemical

Environmental Failure:

Water damage

Structural failure

Fire

Hardware failure

Water leakage

Operator/user error

Software error

Telecommunications interruption

Intentional Acts:

Alteration of data

Alteration of software

Computer virus

Bomb threat

Disclosure of confidential information

Employee sabotage

External sabotage

Fraud

Theft

Unauthorized use

Vandalism


7.5.2 Potential Disaster Threats, Preventive Measures and Responses

Potential Disaster Threat: Power Failure (Power outage)

Preventive Measures:

Purchase a generator

Test generator periodically to ensure that the generator is functional

Response:

Use emergency back-up generators

UPS (uninterruptible power supply) unit – an electrical apparatus that provides power to the load when mains power fails, giving near-instantaneous protection by supplying energy stored in batteries or a flywheel

Potential Disaster Threat: Utility Failure (Heating, ventilation, and air conditioning)

Preventive Measures:

Have contact information for utility companies easily accessible

Response:

Contact maintenance and/or utility company to restore utility

If necessary, rent or purchase a backup temporary utility unit

Potential Disaster Threat: Water Damage/Flooding (Fire suppression, roof damage, plumbing failures, chemical spills, or natural disasters)

Preventive Measures:

Do not store anything on the floor (furniture and durable equipment excluded)

Stock emergency supplies for water damage

o Plastic tarps

o Absorbent towels/wipes

o Wet-vac

o Floor squeegees

Install fire and smoke detectors

Response:

Swiftly tarp computers, equipment, files, and other critical components

Determine emergency backup priorities and strive for resumption of operations to the fullest extent possible

Potential Disaster Threat: Fire/Smoke Damage

Preventive Measures:

Install fire suppression systems (sprinkler system)

Install fire and smoke detectors

Equip with fire extinguishers

Periodically test the fire prevention equipment

Train staff in fire safety

Response:

If possible, determine where the fire is located

If the area is filled with smoke, leave the area for a safer location

o Call authorities

o Stay out of the area until the smoke is cleared and the area is secured

If the fire is not out of control and you are not in danger

o Trained staff should use fire extinguishers if it is safe

o Sound the alarm (if applicable)

o Call authorities

If the fire is out of control, all personnel should evacuate

o Call authorities

o Stay at least 300 feet from the area

Once outside, proceed to the Emergency Assembly Point

Do not leave the premises

Potential Disaster Threat: Snow Emergency

Preventive Measures:

Contract for snow removal

Have salt and shovels stored and available for use

Monitor news broadcasts

Response:

Call for snow removal

Monitor snow removal to ensure that walkways, parking lots, and driveways are clear


7.6 References

References

45 CFR HIPAA Security Rule

45 CFR Parts 160 and 164 – Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. Published in the Federal Register, Volume 78, Number 17, pages 5566 to 5702

NIST (National Institute of Standards and Technology) Web Site

CMS Web Site

ONC  Web site

Office of E Health Standards and Services (OESS) Web Site

"2009 HIPAA Compliance Review Analysis And Summary of Results"

"Guidance on Risk Analysis Requirements under the  HIPAA Security Rule "

Information request for on-site compliance CMS

NIST Guidance for mapping  information and IS to security levels

"The HIPAA Security Rule: Health Insurance Reform: Security Standards," February 20, 2003, 68 CFR 8334.

Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems

NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations


NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule

NIST Special Publication 800-77: Guide to IPsec VPNs

NIST Special Publication 800-88: Computer Security

NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices

NIST Special Publication 800-113: Guide to SSL VPNs

Federal Information Processing Standards Publication 140-2

CMS Security Series:  Security 101 for Covered Entities

CMS Security Series:  Administrative Safeguards

CMS Security Series:  Physical Safeguards

CMS Security Series:  Technical Safeguards

CMS Security Series:  Organizational, Policies and Procedures and Documentation Requirements

CMS Security Series:  Basics of Risk Analysis and Risk Management

CMS Security Series:  Security Standards: Implementation for the Small Provider

CMS Audit Protocol

NIST SP 800-66, Section #4 "Considerations When Applying the HIPAA Security Rule."

Approval:                               Date of Approval:

Reviewed:                             Date(s) of Review:


7.7 Glossary

Glossary

Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource that creates, maintains, or transmits EPHI.

Access Authorization: Process by which rules are established for granting and/or restricting access to a user, terminal, transaction, program, or process for the purpose of creating, maintaining, or transmitting EPHI.  For example, the billing staff usually only needs access to the current visit notes, not the entire clinical record.

Access Control:  A method of restricting access to resources; allowing only privileged entities access.  Types of access control include mandatory access control, discretionary access control, time-of-day, classification.  For example, passwords can provide a certain level of access control.

Addressable Specification: One of two types of implementation specifications addressed by the Security Rule.  An organization must implement IF it is reasonable and appropriate OR, if not, either document why it’s not reasonable and appropriate AND implement an “equivalent alternative measure if reasonable and appropriate.”  (See also Required Specification.) See also addressable specifications matrix.

Administrative Safeguards: Formal documented practices to protect EPHI.  This includes the selection and execution of security measures and the management of personnel as it relates to protecting EPHI.

Audit Trail: Data collected and potentially used to facilitate a security audit to include the who (login ID), what (read-only, modify, delete, add, etc.), and when (date/time stamp).

Audit Controls: Mechanisms employed to record and examine system activity.

Authentication: Corroboration that a person is the one he or she claims to be.

Authorization Form: A form that a healthcare provider must obtain from the individual patient or patient’s legal guardian in order to use or disclose the individual’s protected health information (PHI) for purposes other than for treatment, payment, or healthcare operations (TPO) or for specific purposes listed in the Privacy Rule, such as public health or health oversight

Automatic Logoffs: A process that a computer server uses to disconnect a connection to the computer server when no data has been transmitted for a given period of time.


Availability: The property that data or information is accessible and useable upon demand by an authorized person.

Biometric Identification:  Identification system that identifies a human with measurement of a physical feature of the individual.  (e.g., hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature) (§ 142.308(c)(1)(v) HHS HIPAA Security NRPM).

Business Associate: With certain exceptions, a person or entity that is not a member of your practice’s workforce who: (1) creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Covered Entity, or to or for an Organized Health Care Arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of protected individually identifiable health information from such Covered Entity or Arrangement, or from another Business Associate of such Covered Entity or Arrangement, to the person.

Centers for Medicare & Medicaid Services (CMS): The federal agency within DHHS responsible for the enforcement of the HIPAA Security Rule.

Confidentiality:  The property by which data or information is not made available or disclosed to unauthorized persons or processes.

Consent Form: A form that a healthcare provider having a direct treatment relationship with an individual may obtain from the individual in order to use or disclose the individual’s protected health information (PHI) for treatment, payment and healthcare operations (TPO). USE OF THIS FORM IS OPTIONAL AND NOT REQUIRED UNDER HIPAA.

Covered Entity:   Health plans, healthcare clearinghouses and any healthcare providers (physicians, hospitals, nursing homes, etc.) that transmit any health information in electronic form in connection with a HIPAA transaction.

Criticality:  Addresses those assets that are critical to the function of a practice and expresses the significance given to a functional failure of those important assets.

Critical:  These functions cannot be performed unless the same capabilities (i.e., computer systems) are found to replace the damaged system.  Critical applications cannot be replaced by manual methods under any circumstances.  Tolerance to interruption is very low and the recovery cost is very high.

Cryptographic Key: A special type of password created by a computer outfitted with encryption technology that, when used, will secure (encrypt) data being transmitted over a network or the Internet. The receiving computer must also know the password in order to display the secured data (decrypt). There are two types of cryptographic keys, private (symmetric) and public (asymmetric). Once the encryption software is loaded, the cryptographic key is part of the practice’s computer system. When e-mail is sent, the “key” performs its function without any extra effort on the part of the person sending the e-mail.

Cryptography: The study of encoding (putting message into a code) and decoding (converting a message from a code into plain text).

Data Resolution: The process by which data is restored.

Data Use Agreement: An agreement that sets forth the permitted uses and disclosures of limited data sets, including who may use or receive the data and limitations on the receiving party’s ability to re-identify or contact the individuals who are subjects of the limited data sets.

Decryption:  Decoding data that has been encrypted into a secret format.  Decrypting encrypted messages requires a secret key or password.  (See Encryption)

De-identified: Health information that meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified.

Department of Health and Human Services (DHHS): The department of the executive branch of the federal government that has overall responsibility for implementing HIPAA.

Device Owner: An organization that has purchased and maintains ownership of a mobile device.

Information Owner: An organization whose information is stored and/or processed on a device.

Direct Treatment Relationship:  A treatment relationship between the individual and a healthcare provider in which the provider delivers healthcare directly to an individual rather than through another healthcare provider.  (See “Indirect Treatment Relationship” definition.)

Disaster Recovery: Process whereby a practice would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

Disclosure:  The release, transfer, provision of, access to, or divulging in any other manner of information outside the organization holding the information.

Electronic Protected Health Information (EPHI): Protected health information (PHI) transmitted by electronic media or maintained by electronic media.


Electronic Media:

(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

Emergency Mode Operation: Procedures that enable an organization to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Facility Security Plan: Plan to safeguard the premises and building(s) (exterior and interior) of an organization from unauthorized physical access and to safeguard the equipment therein from unauthorized physical access, tampering, and theft.

First Responder: First organization member on site during an emergency.

Health Information: Any information, including genetic information, whether oral or recorded in any form or medium, created or received by a provider that relates to the past, present, or future physical or mental health condition of a patient; the provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to a patient.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships and which gives the U.S. Department of Health and Human Services (DHHS) the authority to: (1) mandate the use of standards for the electronic exchange of healthcare data; (2) specify what medical and administrative code sets should be used within those standards; (3) require the use of national identification systems for healthcare patients, providers, payers (or plans), and employers (or sponsors); and (4) specify the types of measures required to protect the security and privacy of personally identifiable healthcare information.

Health Plan: An individual or group plan that provides or pays the cost of medical care.


Healthcare Clearinghouse: An entity that processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into a nonstandard format or nonstandard data content for a receiving entity.

Healthcare Operations: Activities related to your practice’s business, clinical management and administrative duties.  Some examples of these activities are the use of PHI or EPHI to obtain a referral, quality assurance, quality improvement, case management, training programs, licensing, credentialing, certification, accreditation, compliance programs, business management, and general administrative activities of the practice.  Healthcare operations include the sale, transfer, merger, or consolidation of all or part of a Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and the due diligence related to such activity.

Healthcare Provider: A person or organization that provides medical or health services and any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business.

High Vulnerability: May result in highly costly loss of major tangible assets or resources; may significantly violate, harm or impede an organization’s mission, reputation or interests; may result in human death or serious injury.

Identification: The process that enables a computer system to recognize a computer user. The most common form of identification is a User ID.

Implementation Specification: Specific requirements or instructions for implementing a standard.  Specifications are designated as either Required or Addressable per the Security Rule (e.g., Covered entities are required to perform a security risk assessment.  Covered entities must address the necessity of implementing facility access controls.)

Incidental Use or Disclosure: A secondary use or disclosure of PHI that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure.

Indirect Treatment Relationship: A relationship between an individual and a healthcare provider in which:

(1)   The healthcare provider delivers healthcare to the individual based on the orders of another healthcare provider; and

(2)   The healthcare provider typically provides healthcare services or products, reports the diagnosis or results associated with the health care directly to another healthcare provider who uses this information to provide care to the individual.


Individually Identifiable Health Information (IIHI): Any health information (including demographic information) that is collected from the patient and

(1)   is created or received by a healthcare provider or other Covered Entity or employer; and

(2)   relates to the past, present or future physical or mental health or condition of an individual; OR the provision of healthcare to an individual; OR the past, present or future payment for the provision of healthcare at your practice; AND that identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

Institutional Review Board or IRB or Privacy Board: Within the provisions of the institutional review board (IRB) rules (21 CFR, Part 56) are requirements that the IRB ensure that there are adequate provisions to protect the privacy of research subjects and to maintain the confidentiality of research data.

Information system: A computer system including a desktop, laptop, or a PDA loaded with software that maintains data.

Information type:  An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.

Integrity:  The trait that data or information have not been altered or destroyed in an unauthorized manner.

Internal Audits: The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization.

IT:  Information technology or information technologist.

Jailbreak: The process of removing the limitations imposed by Apple on devices running the iOS operating system through the use of hardware/software exploits – such devices include the iPhone, iPod touch, iPad, and second generation Apple TV. Jailbreaking allows iOS users to gain root access to the operating system, allowing them to download additional applications, extensions, and themes that are unavailable through the official Apple App Store.

Law Enforcement Official: An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.

Malicious Software: Software designed to damage or disrupt a system (e.g., virus).


May:  This word, or the adjective "OPTIONAL", means that an item is truly optional.  One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product, while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein, an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides).

Minimum Necessary: The principle that a Covered Entity, to the extent practical, when using or disclosing PHI, or when requesting PHI from another Covered Entity, must limit such PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. HHS will issue guidance on what constitutes the “minimum necessary”.

Must:  This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

Must Not:  This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

Need-To-Know:  A “minimum necessary” principle stating that a user should have access only to the data he or she needs to perform a particular function, and which must be addressed within the workforce job description.

Non-Critical: These applications may be interrupted for an extended period, at little or no cost to the organization, and require little or no catching up when restored.  Software applications such as the Microsoft Office suite used to provide email communication, word processing, etc. are considered non-critical.

Not Recommended:  This phrase, or the phrase "SHOULD NOT" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

Office for Civil Rights (OCR): The federal agency within DHHS responsible for the enforcement of the HIPAA Privacy Rule and Data Breach Notification Rule.

Operations:  See Healthcare Operations

Optional:  This word, or the adjective "OPTIONAL", means that an item is truly optional.  One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product, while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein, an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides).

Organized Health Care Arrangement (OHCA): A clinically integrated healthcare setting in which individuals typically receive healthcare from more than one provider, or an organized system of healthcare in which more than one Covered Entity participates and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and participate in joint activities that include at least one of the following, as further defined in 45 CFR §160.103:

A.    Utilization review

B.    Quality assessment and improvement activities

C.    Payment activities.

Overwriting: The act of changing the value of the bits on the disk that make up a file by overwriting existing data with random characters.

Password:  A confidential numeric and/or character string used in conjunction with a user ID to verify the identity of the individual attempting to gain access to a computer system (see Authentication).

Payer:  In healthcare, an organization that assumes the risk of paying for medical treatments. This can be a self-pay patient, a self-insured employer, a health plan, or an HMO (also, “Payor”).

Payment:  The activities by the practice to obtain reimbursement for healthcare services.  This includes, among others, billing, claims management, collection activities, verification of insurance coverage, and precertification of services.

Personal Identification Number (PIN):  A number or code assigned to an individual used to provide verification of identity.

Physical Safeguards: Physical measures, policies and procedures to protect computer systems, written records, buildings, and equipment from fire and other natural and environmental hazards, as well as from unauthorized access.

Protected Health Information (PHI):  With few exceptions, includes individually identifiable health information (IIHI) held or disclosed by a practice regardless of how it is communicated (e.g., electronically, verbally, or written).

Recommended:  This word, or the adjective “SHOULD", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

Required :  This word, or the terms "MUST" or "SHALL", mean that the definition is an absolute requirement of the specification.

Required Specification: An implementation specification that a Covered Entity is required to implement based on the Security Rule (e.g., covered entities are required to perform a security risk assessment).

Required by Law: A mandate contained in law that compels a Covered Entity to make a use or disclosure of PHI and that is enforceable in a court of law, e.g., court orders, court-ordered warrants, subpoenas, and summons; a civil investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Risk:  "The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur ... [R]isks arise from legal liability or mission loss due to:

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information

2. Unintentional errors and omissions

3. IT disruptions due to natural or manmade disasters

4. Failure to exercise due care and diligence in the implementation and operation of the IT system."

Roots of Trust (RoTs):  Security primitives composed of hardware, firmware and/or software that provide a set of trusted, security-critical functions.

Sandbox:  A security mechanism for separating running programs. (example - Applications for Apple's mobile operating system iOS are sandboxed. They are only able to access files inside their own respective storage areas, and cannot change system settings.)

Scalable:  Capable of being scaled.  The HIPAA Security Rule is scalable to the needs of the individual practices (see Addressable Specification).

Screensaver: A screensaver is a computer file that was originally designed to protect a computer monitor from discoloring.  Screensavers have multiple uses today, one of which is security.  If an employee leaves his/her workstation for a period of time, the computer can be programmed to launch the screensaver program.  Screensavers can also be password-protected to prevent unauthorized individuals from accessing sensitive information.


Secure Electronic Environment: An environment that has administrative procedures, physical safeguards, and technical security services and mechanisms in place to prevent unauthorized access to EPHI.

Security or Security Measures: Encompasses all of the administrative, physical, and technical safeguards in an information system (e.g., passwords, firewalls, backups, etc.).

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Shall:  This word, or the terms "REQUIRED" or "MUST", mean that the definition is an absolute requirement of the specification.

Shall Not:  This phrase, or the phrase "MUST NOT", mean that the definition is an absolute prohibition of the specification.

Should:  This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

Should Not:  This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

Smart Card: A type of plastic card similar to a credit card, but embedded with a computer chip that stores data.  Users can be authenticated and authorized to have access to specific information based on preset privileges stored on the chip.  Only computers that have a reader as part of their system can read the data stored on the card.

Subcontractor: A person or entity that creates, receives, maintains or transmits protected health information on behalf of a Business Associate.

Superuser:  The superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, admin or supervisor. In some cases the actual name is not significant, rather an authorization flag in the user's profile determines if administrative functions can be performed.

System:  Normally includes hardware, software, data, applications, and means of communication.


System Administrator: A person or persons responsible for administering rights and privileges within an information system.

Technical Safeguards: Processes that are implemented to control and monitor access to EPHI, such as passwords, as well as to limit unauthorized access to data that is transmitted over a communications network (Internet, Intranet, fax, etc.).

Third Party Administrator (TPA): An organization that processes healthcare claims and performs related business functions for a health plan.

Threat:  An adapted definition of threat, from NIST SP 800-30, is "[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."

Threat Modeling:  Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added.

Time-Of-Day Access Control: Access to data is restricted to certain periods, e.g., Monday through Friday, 8:00 a.m. to 6:00 p.m.  This is a function of audit controls that allows the practice to determine exactly when the system was accessed.

Trading Partner:  (see Business Associate)

Treatment:  The provision, coordination, or management of healthcare and related services by one or more healthcare providers, or the referral of a patient for healthcare from one provider to another.

Use:  With respect to individually identifiable health information (IIHI), the sharing, employment, application, utilization, examination, or analysis of such information within an organization that maintains such information.

User:  A person or organization with authorized access.

User ID: A unique identifier given to an individual allowing that individual access to a computer system.  A User ID is usually accompanied by a password.

Vendor: One that sells or vends to the organization.

Vital: Functions which cannot be performed by manual means or can be performed manually for only a very brief period.  There is a somewhat higher tolerance for interruption, and a somewhat lower cost for recovery, provided that functions are restored within a certain time, usually only a few days.  For applications classified as “vital,” a brief suspension of processing can be tolerated, but a considerable amount of “catching up” will be needed to restore data to current or useable form.

Vulnerability:   A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. See NIST Special Publication (SP) 800-30.

Workforce:  Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.

Workstation:  A computer used for running software applications, storing, and transmitting data.  In networking, workstation refers to any computer connected to a local area network.


7.8 Abbreviations or Acronyms

CMS - Centers for Medicare and Medicaid Services

CEHR - Certified Electronic Health Record Technology

EHR - Electronic Health Record

EPHI - Electronic Protected Health Information

EMR - Electronic Medical Record

FIPS - Federal Information Processing Standards Publication

HIPAA - Health Insurance Portability and Accountability Act

HITECH - Health Information Technology for Economic and Clinical Health Act

MU - Meaningful Use

NPRM - Notice of Proposed Rule Making

OS - Operating System

PMS - Practice Management System


Tabbed Section – Vendor Specific


8 VENDOR SPECIFIC PROCEDURES

Insert Vendor Specific Policies and Procedures HERE.  Include all encryption levels where applicable for data at rest or in transit.

8.1 User and Role Assignment

8.2 Emergency Access

8.3 Password Setting

8.4 Logoff Setting

8.5 Audit Policy

8.6 Patient Requests for Disclosures of EPHI through an Electronic Health Record

8.7 Backup Model

8.8 Integrity of EPHI

8.9 Standard Architecture of Network Mapping

8.10 Remote Online Backup


9 INDEX

A

Addressable Specifications ... Reference

Anti-Virus ... Administrative Policies

Audit / Risk Analysis Results ... Reference

Audit Policy ... Vendor Specific Procedures

Audit Trail Event Record ... Logs & Event Records

Audit Trails ... Administrative Policies

B

Back Up Model ... Vendor Specific Procedures

Backup Testing and Recovery Log ... Logs & Event Records

Business Associates Agreement Template ... Administrative Policies

Business Associates Decision Tree ... Reference

Business Associates Listings ... Vendor Specific Procedures

Business Associates Policy ... Administrative Policies

C

Computer Backup ... Physical Safeguards & Policies

Computer Workstation Use ... Physical Safeguards & Policies

Contingency Plan Checklist ... Logs & Event Records

Contingency & Emergency Mode Plan ... Physical Safeguards & Policies

Contingency Policy & Procedures ... Physical Safeguards & Policies

D

Data Breach ... Administrative Policies

Data Breach Record ... Logs & Event Records

F

Facilities ... Physical Safeguards & Policies

Facility Maintenance Log ... Logs & Event Records

G

Glossary ... Reference

I

Integrity of EPHI ... Vendor Specific Procedures

IT Locations - Device and Media Controls ... IT (Information Technology)

IT Tasks HIPAA Spreadsheet ... IT (Information Technology)

IT Tasks Policy & Procedures ... IT (Information Technology)

J

Job Descriptions ... Job Descriptions

L

Log Off Setting ... Vendor Specific Procedures

N

Network Mapping ... IT (Information Technology)

O

Organizational IT Tasks ... IT (Information Technology)

P

Password Setting ... Vendor Specific Procedures

Patient Requests for Disclosures of ePHI through an Electronic Health Record ... Vendor Specific Procedures

R

References ... Reference

Role Assignment ... Vendor Specific Procedures

S

Sanctions ... Administrative Policies

Security Anti-Virus Event Record ... Logs & Event Records

Security Incident ... Administrative Policies

Security Incident Log ... Logs & Event Records

Security Officer Job Description ... Administrative Policies

Security Risk Analysis & References ... Reference

T

Training ... Administrative Policies

Training Checklist and Documentation Form ... Logs and Event Records

U

User Identification, Authentication, & Access ... Physical Safeguards & Policies

W

Workforce Clearance Procedures ... Physical Safeguards & Policies

Workforce Confidentiality Agreement Template ... Administrative Policies

Workforce Termination ... Administrative Policies

Workforce Termination Record ... Logs & Event Records