2.7 ADMINISTRATIVE SAFEGUARDS

Risk Analysis (Required)

This is a comprehensive look at the vulnerabilities and threats to your organization that would compromise the confidentiality, integrity, or availability of ePHI. Your assessment is based on the complexity of services offered and probability of the risk occurring. A small rural doctor's practice that does not use cardiac telemetry to monitor and treat angina will have a different risk assessment than a large teaching hospital where Fortune 100 CXOs are patients even though both may assess fire as a risk.

Risk Management (Required)

Once you have assessed all risks you have to decide how to manage your risk. Will you do nothing and accept the risk? Will you change how you operate or purchase additional equipment to remove the risk? How you deal with the risk depends on the covered entity's expertise and resources. The risk management plan must meet the guiding principals of the security rule;

• Ensure the confidentiality, integrity, and availability of all ePHI

• Protect against any reasonable threats or hazards to the security or integrity of such information

• Protect against any reasonably anticipated uses or disclosures not permitted

• Ensure workforce compliance

Sanction Policy (Required)

Develop a policy that clearly states to all employees policies and procedures to secure ePHI. This policy identifies the actions implemented by the covered entity when an employee fails to follow established procedures

Information System Activity Review (Required)

Covered entities are required to regularly review their information systems. This means looking at

• Audit logs to see if someone tried to log in without success and why. Did they lose their password or were they trying to access a resource they did have authorization to use?

• Access records to determine who entered information in to an individual's record

• Security incident reports to assess if security controls are appropriate or need to be improved for organizational effectiveness

Workforce Authorization and Supervision (Addressable)

How does an employee obtain access to ePHI and who monitors their performance to ensure the quality of the information? Hospitals where Dictaphone machine tapes are transcribed by at home workers will have different policies and procedures than hospitals that perform this function by on-site employees.

Workforce clearance procedures (Addressable)

Health care workers need ePHI to perform their jobs appropriately. Does this mean all nurses have access to all clinical records, or just ePHI records for individuals assigned to them? What audit mechanisms are in place to show who accessed ePHI?

Termination procedures (Addressable)

How are employees who leave your workforce prevented from accessing ePHI? Are user accounts deleted or just inactivated? Are smart cards and keys returned or are access codes and locks changed?

Isolating Health Care Clearinghouse Functions (Required)

Large organizations that perform healthcare clearinghouse functions as well as health services must ensure ePHI are separated and protected from one part of the organization to the other.

Access Authorization (Addressable)

Policies and procedures developed to address how workstations, transactions, programs, etc. that have ePHI are accessed and by who

Access Establishment and Modification (Addressable)

Periodic review and documentation of a user's rights and modification of rights to secure ePHI

Security Reminders (Addressable)

Covered entities must decide the type and level of security updates to provide to employees. Do you need a screen saver to pop-up when everyone logs in for the day? Does the help desk need a poster near their monitor reminding them not to reset passwords without proper authorization? Do staff need periodic in-services and if so what is the frequency?

Protection from Malicious Software (Addressable)

What are the policies and procedures for evaluating and using new software? Do end users have access to bootable drives? What is the penalty for using USB drives at work?

Log-In Monitoring (Addressable)

How are log-ins monitored ? Do you monitor log-ins?

Password Management (Addressable)

Do employees keep the same passwords for life? Do they understand the difference between strong and weak passwords? Does the network system prevent reuse of passwords?

Response and Reporting (Required)

Your policy and procedures must identify the actions to take when a security incident is discovered , the outcome of your actions, and the impact on the information you are protecting. This means if you an unauthorized person gained access to ePHI, what actions did you take to revoke the access, assess that the information is still valid, and controls you put in place so the event could not occur again?

Data Back Up Plan (Required)

All covered entities must have a data back up plan. A small doctor's office may have all files backed up nightly to a CD/RW disc. A large hospital may have a dedicated back-up server that back's up all data in real time.

Disaster Recovery Plan (Required)

All covered entities must have procedures established to restore any loss of data. A covered entity may have back-ups of all data. What do you do if your computer fails or the software you use to read the information becomes unusable?

Emergency Mode Operation Plan (Required)

What procedures do you have in place to ensure all ePHI is protected when continuing your business under emergency conditions? What new risks do you have to look at and address to secure ePHI?

Testing and Revision Procedures (Addressable)

Covered entities should look at how they will test their contingency plans. What type of testing do you perform and how often?

Applications and Data Criticality Analysis (Addressable)

When looking at contingency plans have you looked at all applications where ePHI is stored or transmitted and will you be able to get to critical information in the event of an emergency?