HIPAA SECURITY RULE: IMPLEMENTATION GUIDE

A summary of the final Security Rule standards and implementation specifications

Key:
R - Required: Facilities must implement this specification.
A - Addressable: Facilities must assess their individual needs and risks to determine whether to implement this specification. If they decide not to, they must either choose a comparable alternative, or document the reason for not doing so.

I. Administrative safeguards

A). Security management: Create a set of policies and procedures to protect against, detect, contain, and correct any security violations.
Implementation specifications:
R - Risk analysis: Thoroughly assess any potential risks to the confidentiality, integrity, and availability of protected health information (PHI) at your facility.
R - Risk management: Create reasonable and appropriate security measures that reduce those risks and vulnerabilities.
R - Sanction policy: Sanction workers who don’t follow your organization’s security-related policies and procedures.
R - Information system activity review: Implement procedures to regularly review audit logs, system activity, access reports, and security incident tracking reports.

B). Assigned security responsibility: Choose someone within your organization to act as the security official. This person is responsible for developing and implementing your security policies and procedures.

C). Workforce security: Create policies and procedures that allow the necessary members of your workforce to gain access to your patients’ PHI. Include provisions for keeping PHI away from workers who don’t need to see it.
Implementation specifications:
A - Authorization and/or supervision: Create procedures that mandate supervision or special authorization controls for workers who have access to PHI, and for the locations where they’ll work with it.
A - Workforce clearance procedure: Determine the appropriate amount of PHI each staff member may access.
A - Termination process: Terminate a worker’s access to PHI when they leave your organization. Also create a termination procedure for when a worker is deemed to have too much access to PHI, per the above specification.

D). Information access management: Create policies and procedures to authorize access to PHI.
Implementation specifications:
R - Isolating health care clearinghouse functions: Clearinghouses that are part of larger organizations must create policies and procedures to prevent the larger organization from gaining unauthorized access to PHI within the clearinghouse.
A - Access authorization: Create policies and procedures that contain specifics about allowing workers to access PHI, including details about particular workstations, software programs, necessary transactions, and other mechanisms for accessing PHI.
A - Access establishment and modification: Create policies and procedures that allow your organization to change or review workers’ access rights to PHI.

E). Security awareness and training: Develop and implement a security awareness and training program for all members of your workforce, including management.
Implementation specifications:
A - Security reminders: Remind your workers about security measures periodically.
A - Protection from malicious software: Protect your electronic systems from viruses or other programs that could damage PHI. Create procedures for detecting and reporting these programs.
A - Password management: Create procedures to establish, change, and safeguard passwords.

F). Security incident procedures: Create policies and procedures that address possible security problems or incidents at your facility.
Implementation specifications:
R - Response and reporting: Identify and respond to any security problems in your organization. Predict any harm that could be done to protected health information by existing security problems. Document security incidents, including their outcomes.

G). Contingency plan: Create policies and procedures for responding to emergency situations, including fire, vandalism, a system failure, or a natural disaster, that could compromise the security of PHI.
Implementation specifications:
R - Data backup plan: Implement procedures to create and maintain back-up copies of all of your organization’s PHI.
R - Disaster recovery plan: Create procedures to find and restore PHI that’s damaged or lost.
R - Emergency mode operation plan: Guarantee that PHI remains secure, even when your systems are operating in emergency mode after a security incident.
A - Testing and revision procedures: Periodically test and revise your organization’s contingency plan.
A - Applications and data criticality analysis: Assess the elements of your contingency plan, including specific data and applications, to determine how each contributes to the plan’s overall effectiveness.

H). Evaluation: Evaluate security processes and procedures periodically to determine whether your organization remains compliant with the Security Rule. Do this especially after you make any operational or environmental changes at your facility.

I). Business associate contracts and other arrangements: Ensure that your business associates agree to protect PHI appropriately. This standard does not apply if the information being exchanged is (1) related to a patient’s treatment; (2) passed between a group health plan, HMO, or health insurer on behalf of a group health plan to a plan sponsor; or (3) passed between a provider and a covered entity that is a government program providing public benefits. A business associate that violates its assurances to protect the information is noncompliant with this standard.
Implementation specifications:
R - Written contract or other arrangement: Document the assurances mentioned above in a written contract or other arrangement with business associates.

II. Physical safeguards

A). Facility access controls: Create and implement policies and procedures that limit physical access to information systems and the buildings where they’re housed, while still allowing access to these systems for the employees who need it.
Implementation specifications:
A - Contingency operations: Allow the necessary workers access to pertinent parts of your facility to retrieve lost data.
A - Facility security plan: Protect your facility and the equipment containing PHI from theft, tampering, and unauthorized physical access.
A - Access control and validation procedures: Create access and validation controls for workers handling PHI based on their role in your facility. This includes visitors and others who need access to software programs for testing or upgrading purposes.
A - Maintenance records: Document repairs and changes to the physical environment that affect security, including hardware, doors, walls, and locks.

B). Workstation use: Create and implement policies and procedures that describe the types of appropriate functions that will be performed on computer workstations that use PHI, and the ways those functions should be performed. Include a detailed description of the physical environment around a workstation or a class of workstations.

C). Workstation security: Create physical safeguards around workstations that contain PHI. The safeguards should prevent unauthorized users from gaining access to the information.

D). Device and media controls: Create policies and procedures that detail how computers and other hardware containing PHI will enter and exit your facility if it’s necessary to move them. Also indicate how these items should be transported within the facility.
Implementation specifications:
R - Disposal: Determine how your facility will permanently dispose of PHI and the hardware that stores it, and create policies and procedures accordingly.
R - Media re-use: Remove PHI from hardware and other electronic media before reusing the media.
A - Accountability: Document the movement of hardware and other electronic media, and take note of the people who are responsible for it after it leaves your department or facility.
A - Data backup and storage: Create back-up copies of all electronic PHI before moving the equipment.

III. Technical safeguards

A). Access control: Create policies and procedures that allow access to PHI only to those employees who have proper access rights.
Implementation specifications:
R - Unique user identification: Assign unique user names and numbers to identify and track users.
R - Emergency access procedure: Establish a procedure for obtaining necessary health information in an emergency.
A - Automatic logoff: Terminate electronic sessions after a predetermined period of inactivity.
A - Encryption and decryption: Encrypt and decrypt electronic PHI.

B). Audit controls: Install software or hardware, or implement an equivalent procedure, that records and analyzes the activity in your organization’s information systems that use PHI.

C). Integrity: Create policies and procedures to ensure that PHI will not be improperly altered or destroyed.
Implementation specifications:
A - Mechanism to authenticate electronic PHI: Create an electronic mechanism that will corroborate that PHI has not been improperly altered or destroyed.

D). Person or entity authentication: Create policies and procedures that verify the identity of employees who need access to PHI.

E). Transmission security: Institute appropriate technical security measures that keep PHI away from unauthorized workers.
Implementation specifications:
A - Integrity controls: Create security measures that guarantee electronic PHI is not improperly modified until you permanently dispose of it.
A - Encryption: Create a mechanism to encrypt PHI when appropriate.

Common FAQs

Q: I see the terms “addressable” and “required”. What do they mean?
A: As an HME or Rehab provider (i.e., a HIPAA covered entity), you must meet all of the “required” implementation specifications in the Security Rule. For “addressable” standards, you must assess them and determine whether the implementation specification is reasonable and appropriate for your organization. This assessment should take into account the size and capabilities of your organization, as well as any unique risk factors. If you determine that the specification is reasonable and appropriate, you must implement it. If you determine that it’s not, you must do one of two things. You can either implement a different measure that accomplishes the same goal as the original implementation specification, or you can choose not to implement it at all. If you choose this option, you must document your reasons for doing so.

Q: What is the compliance date?
A: All covered entities (that’s you!) must be in compliance with the HIPAA Security Rule by April 21, 2005. There is a one-year extension for some small health plans.

Q: How do I know whether I’m covered by the Security Rule?
A: You are covered by the Security Rule if you are a health care provider who transmits any health information in electronic form. Thus, almost all VGM Group members will be covered. Also, all health plans and clearinghouses are covered.

Q: Will VGM make available another “HIPAA Guide” with more detail and examples of how HME and Rehab providers should comply with the final Security Rule, and provide sample policies and procedures?
A: Yes! And we’ll again post the most important information, tutorials, forms, policies and procedures, etc. on the web site. HHS will most likely release guidance materials (as the Department did for Privacy Rule compliance) sometime later this year.