Security is not a product or service but a process implemented by the entire workforce within a covered entity. The direction and consistency of the security controls within a covered entity are set by senior management. This administrative oversight is clearly defined in the security rule by the seven administrative safeguard standards and their 22 implementation specifications. This safeguard stipulates the policies and procedures covered entities must have in place to make certain the organization completes a comprehensive review of all ePHI it handles, how to secure that information, and how to secure the media on which it is located.
This standard has four required implementation specifications that all covered entities must implement. There are no addressable implementation specifications.
This is a comprehensive look at the vulnerabilities and threats to your organization that would compromise the confidentiality, integrity, or availability of ePHI. Your assessment is based on the complexity of services offered and probability of the risk occurring. A small rural doctor's practice that does not use cardiac telemetry to monitor and treat angina will have a different risk assessment than a large teaching hospital where Fortune 100 CXOs are patients even though both may assess fire as a risk.
Once you have assessed all risks you have to decide how to manage your risk. Will you do nothing and accept the risk? Will you change how you operate or purchase additional equipment to remove the risk? How you deal with the risk depends on the covered entity's expertise and resources. The risk management plan must meet the guiding principles of the security rule:
Ensure the confidentiality, integrity, and availability of all ePHI
Protect against any reasonable threats or hazards to the security or integrity of such information
Protect against any reasonably anticipated uses or disclosures not permitted
Ensure workforce compliance
Develop a policy that clearly states to all employees the policies and procedures to secure ePHI. This policy identifies the actions the covered entity takes when an employee fails to follow established procedures.
Covered entities are required to regularly review their information systems. This means looking at
Audit logs to see if someone tried to log in without success and why. Did they lose their password, or were they trying to access a resource they did not have authorization to use?
Access records to determine who entered information into an individual's record
Security incident reports to assess if security controls are appropriate or need to be improved for organizational effectiveness
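The activity review described in the list above, as an added example that is not part of the original article: a small Python script that parses constructed audit-log lines (the log format, field names and user names are assumptions for this illustration) and pulls out failed log-ins with their reason, users repeatedly denied access to ePHI, and the access record for one patient.

```python
import re
from collections import Counter

# Constructed sample audit log for this example; the line format
# "<time> <user> <event> <outcome> [key=value ...]" is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:01:02 jdoe LOGIN FAIL reason=bad_password
2024-03-01T08:01:20 jdoe LOGIN FAIL reason=bad_password
2024-03-01T08:02:05 jdoe LOGIN OK
2024-03-01T08:10:00 jdoe RECORD_READ OK patient=P-1001
2024-03-01T08:12:30 jdoe RECORD_WRITE OK patient=P-1001
2024-03-01T09:05:00 msmith RECORD_READ DENIED patient=P-2002
2024-03-01T09:05:10 msmith RECORD_READ DENIED patient=P-2003
2024-03-01T09:06:00 msmith RECORD_READ DENIED patient=P-2004
2024-03-01T10:00:00 rlee RECORD_WRITE OK patient=P-1001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log_text):
    """Turn each line into a dict; trailing key=value pairs become fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # malformed line: skip it, do not abort the review
            continue
        ts, user, event, outcome, tail = m.groups()
        ev = {"ts": ts, "user": user, "event": event, "outcome": outcome}
        for kv in (tail or "").split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def failed_logins(events):
    """Failed log-ins counted per (user, reason), e.g. a lost password."""
    return Counter((ev["user"], ev.get("reason", "unknown")) for ev in events
                   if ev["event"] == "LOGIN" and ev["outcome"] == "FAIL")

def denied_record_access(events, threshold=3):
    """Users denied ePHI access at least `threshold` times: review their role."""
    denials = Counter(ev["user"] for ev in events
                      if ev["event"].startswith("RECORD_") and ev["outcome"] == "DENIED")
    return {user: n for user, n in denials.items() if n >= threshold}

def record_access_trail(events, patient):
    """Access record for one patient: who read or entered information."""
    return [(ev["ts"], ev["user"], ev["event"]) for ev in events
            if ev.get("patient") == patient and ev["outcome"] == "OK"]
```

The same three queries work unchanged over a real export once `LINE_RE` is adjusted to the system's actual log layout.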
This standard has one required implementation specification. Each covered entity must have one person who is responsible for implementing the HIPAA security rule. Can this role be combined with others such as CIO? Yes. The decision on who to assign and what additional responsibilities the person has rests with the covered entity. Can there be more than one person responsible for this role? No. There is only one HIPAA security officer for each covered entity. If the covered entity has multiple locations, there can be a security liaison to the HIPAA security officer at each location.
This standard ensures employees have the right access to the right resources to perform their job while securing ePHI from unauthorized access and disclosure. There are three addressable implementation specifications in this standard. They are:
How does an employee obtain access to ePHI, and who monitors their performance to ensure the quality of the information? Hospitals where Dictaphone machine tapes are transcribed by at-home workers will have different policies and procedures than hospitals where on-site employees perform this function.
Health care workers need ePHI to perform their jobs appropriately. Does this mean all nurses have access to all clinical records, or just ePHI records for individuals assigned to them? What audit mechanisms are in place to show who accessed ePHI?
How are employees who leave your workforce prevented from accessing ePHI? Are user accounts deleted or just inactivated? Are smart cards and keys returned or are access codes and locks changed?
Health care providers should have access to the minimum necessary ePHI needed to effectively perform treatment, payment, or health care operations duties. This standard has one required implementation specification and two addressable implementation specifications.
Large organizations that perform health care clearinghouse functions as well as health services must ensure ePHI is separated and protected between the two parts of the organization.
Policies and procedures developed to address how workstations, transactions, programs, etc. that hold ePHI are accessed, and by whom
Periodic review and documentation of a user's rights and modification of rights to secure ePHI
Security is a habit. A security awareness and training program should guarantee that all employees, from management to support staff, understand their role in securing ePHI. There are four addressable implementation specifications in this standard.
Covered entities must decide the type and level of security updates to provide to employees. Do you need a screen saver reminder to pop up when everyone logs in for the day? Does the help desk need a poster near their monitor reminding them not to reset passwords without proper authorization? Do staff need periodic in-services, and if so, how often?
What are the policies and procedures for evaluating and using new software? Do end users have access to bootable drives? What is the penalty for using USB drives at work?
Do you monitor log-ins? How are log-ins monitored?
Do employees keep the same passwords for life? Do they understand the difference between strong and weak passwords? Does the network system prevent reuse of passwords?
All covered entities must have policies and procedures to handle events that compromise your organization's security plan.
Your policies and procedures must identify the actions to take when a security incident is discovered, the outcome of your actions, and the impact on the information you are protecting. This means that if an unauthorized person gained access to ePHI, what actions did you take to revoke the access, to verify that the information is still valid, and what controls did you put in place so the event could not occur again?
How do you respond to an emergency that damages systems that contain ePHI? You must have policies and procedures in place to address human error (intentional or unintentional), natural disasters, and system failures.
All covered entities must have a data backup plan. A small doctor's office may have all files backed up nightly to a CD-RW disc. A large hospital may have a dedicated backup server that backs up all data in real time.
All covered entities must have procedures established to restore any loss of data. A covered entity may have backups of all data, but what do you do if your computer fails or the software you use to read the information becomes unusable?
What procedures do you have in place to ensure all ePHI is protected when continuing your business under emergency conditions? What new risks do you have to look at and address to secure ePHI?
Covered entities should look at how they will test their contingency plans. What type of testing do you perform and how often?
When looking at contingency plans have you looked at all applications where ePHI is stored or transmitted and will you be able to get to critical information in the event of an emergency?
Covered entities are required to perform a periodic technical and non-technical evaluation. The initial evaluation is completed to implement the standards under this rule and is then updated as your environment and operational needs change.
Written contracts are required from business associates who maintain, create, receive, or transmit ePHI for covered entities. The business associate is required to safeguard this information according to the security rule.