
University of Colorado Denver
Facility for Advanced Spatial Technology

Subject: HIPAA Security Policies & Procedures
Policy # AS-20.1
Title: Sanction Policy


Effective Date of This Revision: February 7, 2013

HIPAA Security Officer: Sue Hawkins
Responsible Department: Facility for Advanced Spatial Technology
Contact: 1200 Larimer Street NC 5032, 303-556-4172

HIPAA REGULATORY INFORMATION: Security Management Process Standard

Category: Administrative Safeguard
Type: Implementation Specification (Required)
Applies to: Officers / Staff/Faculty / Student clinicians / Volunteers / Other agents / Visitors / Contractors




BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that access to
Protected Health Information (PHI) be managed so as to guard the confidentiality, integrity, and
availability of electronic PHI (ePHI). Under the law, all FAST officers, employees, and agents of units
within the FAST health care component must preserve the integrity and confidentiality of individually
identifiable health information (IIHI) pertaining to each patient or client.

The Sanction Policy implementation specification of the Security Rule requires formal, documented
policies and procedures that address how a covered entity responds to security violations involving ePHI
by its workforce, including misuse of workstations, breaches of security, and disregard for the security
environment.

SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Apply appropriate sanctions against workforce members who fail to comply with the security policies and
procedures of the covered entity."




HIPAA Requirement: Security Management Process Standard
HIPAA Reference: 45 C.F.R. § 164.308(a)(1)(ii)(C)
Reviewed by: Sue Hawkins
Approved by: Sue Hawkins
Effective Date: February 7, 2013
Supersedes Policy: N/A
PURPOSE:

The sanction policy specification requires FAST to apply appropriate sanctions against workforce members
who do not comply with organizational security policies and procedures. To meet this requirement, FAST
must know who makes up its workforce, who its authorized users are (as defined in Access Authorization,
AS-1.1), and what its security policies and procedures are.

POLICY:
FAST is committed to applying appropriate sanctions against FAST's workforce members who fail to
comply with the security policies and procedures of FAST and of the relevant health care covered component.


Each Unit of the FAST health care component (HCC) will require workforce members to attend training
covering how to protect and secure portable and fixed workstations that store ePHI, in accordance with
FAST's Security Awareness & Training policy (AS-16.1).


Each Unit of FAST (HCC) that handles ePHI shall have facility security policies and procedures in
place to ensure the confidentiality, integrity, and availability of ePHI, while limiting the privileges of
each person or software application to the minimum necessary to perform its duties.


Each Unit of FAST (HCC) will take reasonable steps to ensure that applicable security policies and
procedures are adhered to by FAST's workforce members. Reasonable compliance with these security
policies and procedures is necessary to safeguard the confidentiality, integrity, and availability of ePHI.


Each Unit of FAST (HCC) shall impose appropriate sanctions against workforce members who do not
comply with applicable FAST and covered component security policies and procedures. The imposition
of those sanctions shall follow a documented process.


Sanctions shall be proportionate to the severity of the non-compliance with the applicable security policies
and procedures and may reflect, among other things, the extent to which the non-compliance affects the
confidentiality, integrity, and availability of ePHI, and the workforce member's awareness or knowledge of
the non-compliance.




The FAST Security Compliance Officer, the ePHI security officer at the covered component, the Human
Resources and Legal departments, and other departments or personnel, all as applicable and
appropriate, shall be involved in identifying and defining appropriate sanctions. Sanctions may include,
but are not limited to:
- Verbal warnings
- Suspension or limitation of access to FAST's and/or the covered component's information
  systems, repositories, and conduits that contain ePHI
- Required re-training
- Letter of warning
- Suspension from work
- Termination




DEFINITIONS:
HIPAA: Health Insurance Portability and Accountability Act of 1996.
Electronic Protected Health Information (ePHI): Electronic health information or health care payment
information, including demographic information collected from an individual, which identifies the individual
or can be used to identify the individual. ePHI does not include student records held by educational
institutions or employment records held by employers.

Individually Identifiable Health Information (IIHI): Information that is a subset of health information,
including demographic information collected from an individual, and:

- Is created or received by a health care provider, health plan, employer, or health care
  clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the
  provision of health care to an individual; or the past, present, or future payment for the provision
  of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to
  identify the individual.

FAST Health Care Component (HCC): Those units of FAST that FAST has designated as part of its
health care component under HIPAA.
FAST Security Compliance Officer: The individual appointed by FAST to be the HIPAA Security Officer
under 45 CFR 164.308(a)(2) of the HIPAA Security Rule.
Addressable: When a standard adopted under 45 CFR 164.308, 164.310, or 164.312 includes addressable
implementation specifications, a unit within the FAST HCC must (i) assess whether each implementation
specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference
to its likely contribution to protecting the unit's ePHI, and (ii) as applicable to the unit: (A)
implement the implementation specification if reasonable and appropriate; or (B) if implementing the
implementation specification is not reasonable and appropriate: (1) document why it would not be
reasonable and appropriate to implement the implementation specification; and (2) implement an
equivalent alternative measure if reasonable and appropriate.
Access: The ability or the means necessary to read, write, modify, or communicate data/information or
otherwise use any system resource.

Physical safeguards: Physical measures, policies, and procedures to protect a covered entity's
electronic information systems and related buildings and equipment from natural and environmental
hazards and unauthorized intrusion.

Security or Security measures: All of the administrative, physical, and technical safeguards in an
information system.

Workstation: An electronic computing device, for example a laptop or desktop computer, or any other
device that performs similar functions, together with electronic media stored in its immediate environment.
The latter clause extends the definition of workstation to a wider range of computer input and output
devices: unintelligent and intelligent computer terminals, personal digital assistants, other wireless
devices, diagnostic equipment, and so on.
Workforce Members: Employees and other persons whose conduct, in the performance of work for a
covered entity, is under the direct control of that entity, whether or not they are paid by the covered
entity. Workforce members may also include students, trainees, or volunteers.




Related Policies:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Overview: Policies, Procedures, and Documentation (OR-1.1)
Risk Analysis (AS-6.1)
Access Establishment and Modification (AS-2.1)
Contingency Plan (AS-10.1)
Disaster Recovery Plan (AS-11.1)
Emergency Mode Operation Plan (AS-12.1)
Workstation Use (PS-2.1)
HIPAA Privacy Regulations covered component’s Minimum Necessary Policy (PP-1.1)
Workforce Security (AS-15.1)
Facility Access Controls (PS-3.1)
Device and Media Controls (PS-4.1)
Access Controls (TS-5.1)
Person or Entity Authentication (TS-6.1)
Security Awareness Training (AS-16.1)


Reference:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Overview: Policies, Procedures, and Documentation (OR-1.1)
Workstation Use (PS-2.1)
HIPAA Privacy Regulations covered component's Minimum Necessary Policy (PP-1.1)
Workforce Security (AS-15.1)
Facility Access Controls (PS-3.1)
Risk Analysis (AS-6.1)
Access Establishment and Modification (AS-2.1)
Contingency Plan (AS-10.1)
Security Management Process (AS-14.1)
Disaster Recovery Plan (AS-11.1)
Emergency Mode Operation Plan (AS-12.1)
Evaluation (AS-13.1)
Workstation Security (PS-1.1)
Access to Electronic Health Information Flow Sheet
HIPAA Final Security Rule, 45 CFR Parts 160, 162, and 164, Department of Health and Human Services,
February 20, 2003, http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
CMS, "CMS Information Systems Security Policy, Standards and Guidelines Handbook", CMS, February 2002.
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, Chapters 10 and 14, October 1995.
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology
Systems, September 1996.
NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, DRAFT, May 2004.
ISO/IEC 17799:2000(E), Information technology - Code of practice for information security management.



