Security Rule Implementation - The VGM Group by shitingting


A summary of the final Security Rule standards and implementation specifications


R—Required: Facilities must implement this specification.

A—Addressable: Facilities must assess their individual needs and
risks to determine whether to implement this specification. If they
decide not to, they must either choose a comparable alternative, or
document the reason for not doing so.

I. Administrative safeguards
A). Security management: Create a set of policies and procedures to protect, detect,
contain, and correct any security violations.

Implementation specifications:

R - Risk analysis: Thoroughly assess any potential risks to the confidentiality, integrity,
and availability of protected health information (PHI) at your facility.
R - Risk management: Create reasonable and appropriate security measures that reduce
those risks and vulnerabilities.
R - Sanction policy: Sanction workers who don't follow your organization's security-related
policies and procedures.
R - Information system activity review: Implement procedures to regularly review audit
logs, system activity, access reports, and security incident tracking reports.

B). Assigned security responsibility: Choose someone within your organization to act
as the security official. This person is responsible for developing and implementing your
security policies and procedures.
C). Workforce security: Create policies and procedures that allow the necessary
members of your workforce to gain access to your patients’ PHI. Include provisions for
keeping PHI away from workers who don’t need to see it.

Implementation specifications

A- Authorization and/or supervision: Create procedures that mandate supervision or
special authorization controls for workers who have access to PHI, and the locations
where they’ll work with it.
A- Workforce clearance procedure: Determine the appropriateness of the amount of PHI
each staff member may access.
A- Termination process: Terminate a worker's access to PHI when they leave your
organization. Create a termination procedure when a worker is deemed to have too much
access to PHI, per the above specification.

D). Information access management: Create policies and procedures to authorize
access to PHI.

Implementation specifications

R- Isolating health care clearinghouse functions: Clearinghouses that are part of larger
organizations must create policies and procedures to prevent the larger organization from
gaining unauthorized access to PHI within the clearinghouse.
A - Access authorization: Create policies and procedures that contain specifics about
allowing workers to access PHI, including details about particular workstations, software
programs, necessary transactions, and other mechanisms for accessing PHI.
A- Access establishment and modification: Create policies and procedures that allow
your organization to change or review workers' access rights to PHI.

E). Security awareness and training: Develop and implement a security awareness and
training program for all members of your work force including management.

Implementation specifications

A-Security reminders: Remind your workers about security measures periodically.
A-Protection from malicious software: Protect your electronic systems from viruses or
other programs that could damage PHI. Create procedures for detecting and reporting
these programs.
A-Password management: Create procedures to establish, change, and safeguard

F). Security incident procedures: Create policies and procedures that address possible
security problems or incidents at your facility.
Implementation specifications

R- Response and reporting: Find and respond to any security problems in your
organization. Predict any harm that could be done to protected health information by
existing security problems. Document security incidents, including the outcomes.

G). Contingency plan: Create policies and procedures for responding to emergency
situations, including fire, vandalism, a system failure, or natural disaster, that could
compromise the security of PHI.

Implementation specifications

R- Data backup plan: Implement procedures to create and maintain back-up copies of all
of your organization's PHI.
R- Disaster recovery plan: Create procedures to find and restore PHI that’s damaged or
R- Emergency mode operation plan: Guarantee that PHI remains secure, even when your
systems are operating in emergency mode after a security incident.
A- Testing and revision procedures: Periodically test and revise your organization’s
contingency plan.
A- Applications and data criticality analysis: Assess the elements of your contingency
plan, including specific data and applications, to determine how each contributes to the
plan’s overall effectiveness.

H). Evaluation: Evaluate security processes and procedures periodically to determine
whether your organization remains compliant with the Security Rule. Do this especially
after you make any operational or environmental changes at your facility.

I). Business associate contracts and other arrangements: Ensure that your business
associates agree to protect PHI appropriately. This standard does not apply if the
information being exchanged is
- related to a patient's treatment
- between a group health plan, HMO or health insurer on behalf of a group health plan
  to a plan sponsor
- between a provider and a covered entity that is a government program providing
  public benefits
A business associate that violates its assurances to protect the information is
noncompliant with this standard.

Implementation specifications

R- Written contract or other arrangement: Document the assurances mentioned above in a
written contract or other arrangement with business associates.

II. Physical safeguards
A). Facility access controls: Create and implement policies and procedures that limit
physical access to information systems and the buildings where they’re housed while
allowing access to these systems to employees who need it.

Implementation specifications

A- Contingency operations: Allow the necessary workers access to pertinent parts of your
facility to retrieve lost data.
A- Facility security plan: Protect your facility and the equipment containing PHI from
theft, tampering, and unauthorized physical access.
A- Access control and validation procedures: Create access and validation controls for
workers handling PHI based on their role in your facility. This includes visitors and
others who need access to software programs for testing or upgrading purposes.
A- Maintenance records: Document repairs and changes to the physical environment that
affect security, including hardware, doors, walls, and locks.

B). Workstation use: Create and implement policies and procedures that describe the
types of appropriate functions that will be performed on computer workstations that use
PHI, and the ways those functions should be performed. Include a detailed description of
the physical environment around a workstation or a class of workstations.

C). Workstation security: Create physical safeguards around workstations that contain
PHI. The safeguards should prevent unauthorized users from gaining access to the

D). Device and media controls: Create policies and procedures that detail how
computers and other hardware containing PHI will enter and exit your facility if it's
necessary to move them. Also indicate how these items should be transported within the

Implementation specifications

R- Disposal: Determine how your facility will permanently dispose of PHI and the
hardware that stores it, and create policies and procedures accordingly.
R- Media re-use: Remove PHI from hardware and other electronic media before reusing
the media.
A- Accountability: Document the movement of hardware and other electronic media, and
take note of the people who are responsible for it after it leaves your department or
A- Data backup and storage: Create back-up copies of all electronic PHI before moving
the equipment.

III. Technical safeguards
A). Access control: Create policies and procedures that allow access to PHI only to
those employees who have proper access rights.

Implementation specifications

R- Unique user identification: Assign unique user names and numbers to identify and
track users.
R- Emergency access procedure: Obtain necessary health information in an emergency.
A- Automatic logoff: Terminate electronic sessions after a predetermined period of
A- Encryption and decryption: Encrypt and decrypt electronic PHI.

B). Audit controls: Install software or hardware, or implement an equivalent procedure
that records and analyzes the activity in your organization’s information systems that use

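The information system activity review (Administrative safeguards, A) and the audit controls standard above both come down to the same operational task: record access activity and actually look at it. The following is an added example, not part of the VGM summary, of a small review pass over constructed audit-log lines. The log layout, the role-to-action table, the terminated-account list and the business-hours window are all assumptions chosen for illustration; a real facility would take them from its own workforce clearance and termination records.

```python
"""Added example: a minimal information-system activity review over
constructed audit-log lines. The log format, role table, terminated-user
list and thresholds are assumptions, not VGM or HHS material."""
from __future__ import annotations

from datetime import datetime, time
from typing import NamedTuple

# Constructed sample: one access event per line, tab-separated fields
# timestamp, user id, role claimed, action, patient record id, result.
SAMPLE_LOG = """\
2005-03-01T09:12:00\tu1042\tnurse\tREAD\tpt-7781\tOK
2005-03-01T09:13:30\tu1042\tnurse\tREAD\tpt-7782\tOK
2005-03-01T23:41:10\tu2090\tbilling\tEXPORT\tpt-7781\tOK
2005-03-01T10:02:00\tu3001\tclerk\tREAD\tpt-0001\tDENIED
2005-03-01T10:02:05\tu3001\tclerk\tREAD\tpt-0002\tDENIED
2005-03-01T10:02:09\tu3001\tclerk\tREAD\tpt-0003\tDENIED
2005-03-02T11:00:00\tu0007\tnurse\tREAD\tpt-7790\tOK
"""

# Assumed workforce clearance table: which actions each role may perform.
ROLE_ACTIONS = {
    "nurse": {"READ", "UPDATE"},
    "billing": {"READ"},
    "clerk": {"READ"},
}
# Assumed: accounts that the termination process should already have removed.
TERMINATED_USERS = {"u0007"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DENIED_THRESHOLD = 3  # repeated denials for one account are worth a look


class Event(NamedTuple):
    ts: datetime
    user: str
    role: str
    action: str
    record: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Turn the tab-separated log text into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record, result = line.split("\t")
        events.append(Event(datetime.fromisoformat(ts), user, role, action, record, result))
    return events


def review(events: list[Event]) -> list[str]:
    """Return one human-readable finding per issue the reviewer should follow up."""
    findings = []
    denied_by_user: dict[str, int] = {}
    for e in events:
        if e.user in TERMINATED_USERS:
            findings.append(f"{e.ts.isoformat()} terminated account {e.user} still active")
        if e.result == "OK" and e.action not in ROLE_ACTIONS.get(e.role, set()):
            findings.append(f"{e.ts.isoformat()} {e.user} ({e.role}) performed {e.action} outside role")
        if e.result == "OK" and not (BUSINESS_HOURS[0] <= e.ts.time() <= BUSINESS_HOURS[1]):
            findings.append(f"{e.ts.isoformat()} {e.user} accessed {e.record} outside business hours")
        if e.result == "DENIED":
            denied_by_user[e.user] = denied_by_user.get(e.user, 0) + 1
    for user, n in denied_by_user.items():
        if n >= DENIED_THRESHOLD:
            findings.append(f"{user} had {n} denied access attempts")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the review raises four findings: an export by a billing account whose role only permits reads, the same event falling outside business hours, a terminated account still reading records, and a clerk with three consecutive denials. The point of the standard is that findings like these are produced and reviewed on a schedule and the outcomes documented, which is also what the security incident procedures standard (Administrative safeguards, F) expects as input.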
C). Integrity: Create policies and procedures to ensure that PHI will not be improperly
altered or destroyed.

Implementation specifications

A- Mechanism to authenticate electronic PHI: Create an electronic mechanism that will
corroborate that PHI has not been improperly altered or destroyed.
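One common electronic mechanism for corroborating that a stored PHI record has not been altered is a keyed integrity tag (an HMAC) computed when the record is written and checked when it is read. The following is an added example, not VGM's or any vendor's code; the record layout and the way the key is obtained are assumptions. A keyed tag is used rather than a plain hash because anyone who can edit the record could also recompute an unkeyed hash, whereas recomputing the tag requires the key held separately from the data.

```python
"""Added example: an HMAC-SHA256 integrity tag over an ePHI record so a
later reader can corroborate that the stored copy was not altered. The
record layout and key handling are assumptions for illustration."""
import hashlib
import hmac
import json

# Assumed: in practice the key comes from a key store kept apart from the
# data, so that whoever can edit records cannot also re-tag them.
INTEGRITY_KEY = b"example-key-from-key-store-not-a-real-key"


def canonical(record: dict) -> bytes:
    """Stable serialization so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record together with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the tag matches the record exactly as it is stored now."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much of the tag matched.
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample record.
SAMPLE = {"patient_id": "pt-7781", "allergy": "penicillin", "dose_mg": 250}


def demo() -> tuple:
    """Seal a record, then show that an edit to the stored copy is detected."""
    stored = seal(SAMPLE)
    ok_untouched = verify(stored)
    # Simulate an improper alteration of the stored record (dose changed, tag kept).
    tampered = {"record": dict(stored["record"], dose_mg=2500), "tag": stored["tag"]}
    ok_tampered = verify(tampered)
    return ok_untouched, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same tag also supports the Transmission security integrity controls specification below: a receiver holding the key can run `verify` on what arrived and refuse records whose tag does not match. Detecting destruction (a record missing entirely) needs a separate inventory or count that the tag alone does not provide.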

D). Person or entity authentication: Create policies and procedures that verify the
identity of employees who need access to PHI.

E). Transmission security: Institute appropriate technical security measures that keep
PHI away from unauthorized workers.

Implementation specifications

A- Integrity controls: Create security measures that guarantee electronic PHI is not
improperly modified until you permanently dispose of it.
A- Encryption: Create a mechanism to encrypt PHI when appropriate.

Common FAQs

Q: I see the terms “addressable” and “required”. What’s that mean?

A: As an HME or Rehab provider (i.e., a HIPAA covered entity), you must meet all of the
“required” implementation specifications in the Security Rule. For “addressable” standards, you
must assess them and determine whether the implementation specification is reasonable and
appropriate for your organization. This assessment should take into account the size and
capabilities of your organization, as well as any unique risk factors. If you determine that the
specification is reasonable and appropriate, you must implement it. If you determine that it’s
not, you must do one of two things. You can either implement a different measure that
accomplishes the same goal as the original implementation specification, or, you can choose not
to implement it at all. If you choose this option, you must document your reasons for doing so.

Q: What is the compliance date?

A: All covered entities (that’s you!) must be in compliance with the HIPAA Security Rule by
April 21, 2005. There is a one year extension for some small health plans.

Q: How do I know whether I’m covered by the Security Rule?

A: You are covered by the Security Rule if you are a health care provider who transmits any
health information in electronic form. Thus, almost all VGM Group members will be covered.
Also, all health plans and clearinghouses are covered.

Q: Will VGM make available another "HIPAA Guide" with more detail and examples as to how
HME and Rehab providers should comply with the final Security Rule and provide sample
policies and procedures?

A: Yes! And, we'll again post the most important information, tutorials, forms, policies and
procedures, etc. on the web site. HHS will most likely release guidance materials (as the
Department did for Privacy Rule compliance) sometime later this year.
