Security Reminders - UC Denver FAST GIS - University of Colorado
University of Colorado Denver
Facility for Advanced Spatial Technology




Subject: HIPAA Security Policies & Procedures        Policy #: AS-27.1
Title: Security Reminders                            Page 1 of 4



Effective Date of This Revision:  June 1, 2013

HIPAA Security Officer:   Sue Hawkins
Responsible Department:   Facility for Advanced Spatial Technology
Contact:                  12200 Larimer Street NC 5032
                          303-556-4172

HIPAA REGULATORY INFORMATION: Security Awareness and Training Standard

Category:     Administrative Safeguard
              Physical Safeguard
              Technical Safeguard
Type:         Standard
              Implementation Specification: Required / Addressable
Applies to:   Officers        Staff/Faculty     Student clinicians     Volunteers
              Other agents    Visitors          Contractors




BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that access to
Protected Health Information (PHI) shall be managed to guard the integrity, confidentiality, and availability
of electronic PHI (ePHI) data. According to the law, all FAST officers, employees and agents of units
within a FAST Entity must preserve the integrity and the confidentiality of individually identifiable health
information (IIHI) pertaining to each patient or client.




SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
“Implement: …Periodic security updates.”




HIPAA Requirement:    Security Awareness and Training Standard
HIPAA Reference:      45 CFR 164.308(a)(5)(i)
Reviewed by:          Sue Hawkins
Approved by:          Sue Hawkins
Effective Date:       6/1/2013
Supersedes Policy:    N/A




PURPOSE:

Each Unit of the FAST health care component (HCC) that handles ePHI will implement the ability to
effectively communicate the security processes used to protect confidentiality, availability and integrity.
Who is affected by this policy is documented in the Policies, Procedures, and Documentation policy (OP-1.1).
This policy provides guidance for FAST’s Security Office in adopting the Security Awareness and Training
standard [45 CFR §164.312(c)(1)].


Policy:

Each Unit of FAST’s Security Compliance Officer will be responsible for taking reasonable steps to ensure
that FAST’s workforce members, including those who work remotely, receive security information and
awareness reminders periodically and as needed, including:

  • Information security risks significant to systems containing ePHI

  • How to follow FAST’s security policies and procedures

  • How to use ePHI Systems in a manner that reduces security risks, and reminders on selected security
    topics, including when:

      • Legal and business responsibilities of FAST for protecting ePHI Systems change

      • Substantial revisions are made to FAST’s security policies, procedures and controls

      • Substantial changes are made to FAST’s legal or business responsibilities

      • Substantial threats or risks arise against ePHI Systems

Means of providing security information and awareness reminders and updates may include, but are not
limited to, e-mail reminders, posters, letters, workforce member meetings, security days, screen savers,
information system sign-on messages, newsletter articles, and information posted to a Web site.












DEFINITIONS:
HIPAA: Health Insurance Portability and Accountability Act of 1996
Electronic Protected Health Information (ePHI): Electronic health information or health care payment
information, including demographic information collected from an individual, which identifies the individual
or can be used to identify the individual. ePHI does not include student records held by educational
institutions or employment records held by employers.

Individually Identifiable Health Information (IIHI): Information that is a subset of health information,
including demographic information collected from an individual, and:

  • Is created or received by a health care provider, health plan, employer, or health care
    clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the
    provision of health care to an individual; or the past, present, or future payment for the provision
    of health care to an individual; and
  • That identifies the individual; or
  • With respect to which there is a reasonable basis to believe the information can be used to
    identify the individual.
FAST Health Care Component (HCC): Those units of the FAST that have been designated by the FAST
as part of its health care component under HIPAA.
FAST Security Compliance Officer: the individual appointed by FAST to be the HIPAA Security Officer
under s. 164.306(2) of the HIPAA Security Rule.
Addressable: When a standard adopted under 45 CFR Part 164.312 includes addressable
implementation specifications, a unit within the FAST HCC must (i) assess whether each implementation
specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference
to its likely contribution to protecting the unit’s ePHI, and (ii) as applicable to the unit: (A)
implement the implementation specification if reasonable and appropriate; or (B) if implementing the
implementation specification is not reasonable and appropriate: (1) document why it would not be
reasonable and appropriate to implement the implementation specification; and (2) implement an
equivalent alternative measure if reasonable and appropriate.












Related Policies:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Encryption and Decryption (TS-1.1)
Unique User Identification (TS-2.1)
Emergency Access Procedure (TS-3.1)
Automatic Logoff (TS-4.1)


Reference:
Access to Electronic Health Information Flow Sheet
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
HIPAA Final Security Rule, 45 CFR Parts 160, 162, and 164, Department of Health and Human Services,
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp, February 20, 2003.
CMS, “CMS Information Systems Security Policy, Standards and Guidelines Handbook”, CMS, February 2002.
International Organization for Standardization, ISO/IEC 17799:2000(E).



