Risk Assessment & Security Standards

A) Administrative Procedures to Guard Data Integrity, Confidentiality, and Availability

These are the processes which must be put in place to administer the required documented, formal practices of selecting, executing and managing security measures to protect health information, and to manage the conduct of personnel in relation to the protection of that information. These procedures include the following requirements:
(A1) Certification
The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency.
(A2) Chain of Trust & Business Associate Agreements
Contracts entered into with business partners, associates, colleagues, vendors, suppliers, contractors, laboratories, clearing houses, insurance companies and any other individual, companies or organizations with whom you share, provide or exchange personal patient health information. All parties must contractually agree to protect the integrity and confidentiality of all shared and/or exchanged data.
(A3) A Contingency Plan
A routinely updated plan for responding to a system emergency, that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. The plan must include all of the following implementation features:

(A3i) An Applications and Data Criticality Analysis
An entity's formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores, and/or transmits.

(A3ii) Data Backup Plan
A documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information.

(A3iii) A Disaster Recovery Plan
The part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

(A3iv) Emergency Mode Operation Plan
The part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

(A3v) Testing and Revision Procedures
The documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.

(A4) Formal Mechanism for Processing Records
Documented policies and procedures for the routine, and nonroutine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information.
(A5) Information Access Control
Formal, documented policies and procedures for granting different levels of access to health care information that includes all of the following implementation features:

(A5i) Access Authorization
Information-use policies and procedures that establish the rules for granting access, for example to a terminal, transaction, program, process, or some other user.

(A5ii) Access Establishment
Security policies and rules that determine an entity's initial right of access to a terminal, transaction, program, process or some other user.

(A5iii) Access Modification
Security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access, to a terminal, transaction, program, process, or some other user.

(A6) Internal Audit
In-house review of the records of system activity (such as logins, file accesses, and security incidents) maintained by an organization.
(A7) Personnel Security
All personnel who have access to any sensitive information have the required authorities as well as all appropriate clearances. This includes all of the following implementation features:

(A7i) Assuring Supervision of Maintenance Personnel by an Authorized, Knowledgeable Person
These procedures are documented formal procedures and instructions for the oversight of maintenance personnel when the personnel are near health information pertaining to an individual.

(A7ii) Maintaining a Record of Access Authorizations
Ongoing documentation and review of the levels of access granted to a user, program, or procedure accessing health information.

(A7iii) Assuring That Operating and Maintenance Personnel Have Proper Access Authorization
Formal documented policies and procedures for determining the access level to be granted to individuals working on, or near, health information.

(A7iv) Establishing Personnel Clearance Procedures
A protective measure applied to determine that an individual's access to sensitive unclassified automated information is admissible.

(A7v) Establishing and Maintaining Personnel Security Policies and Procedures
Formal documentation of procedures to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.

(A7vi) Assuring that System Users, Including Maintenance Personnel, Receive Security Awareness Training.
(A8) Security Configuration Management
Measures, practices, and procedures for the security of information systems that must be coordinated and integrated with each other and other measures, practices, and procedures of the organization established in order to create a coherent system of security that includes all of the following implementation features:

(A8i) Documentation
Written security plans, rules, procedures, and instructions concerning all components of an entity's security.

(A8ii) Hardware and Software Installation and Maintenance Review and Testing for Security Features
Formal, documented procedures for connecting and loading new equipment and programs, periodic review of the maintenance occurring on that equipment and programs, and periodic security testing of the security attributes of that hardware/software.

(A8iii) Inventory
The formal, documented identification of hardware and software assets.

(A8iv) Security Testing
Process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed application's environment; this process includes hands-on functional testing, penetration testing, and verification.

(A8v) Virus Checking
The act of running a computer program that identifies and disables:

(A8va) Another Virus
Computer program, typically hidden, that attaches itself to other programs and has the ability to replicate.

(A8vb) A Code Fragment
Not an independent program; it reproduces by attaching to another program.

(A8vc) A Code Embedded Within a Program
Code that causes a copy of itself to be inserted in one or more other programs.

(A9) Security Incident Procedures
Formal documented instructions for reporting security breaches that include all of the following implementation features:

(A9i) Report Procedures
Documented formal mechanism employed to document security incidents.

(A9ii) Response Procedures
Documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report.
(A10) Security Management Process
Creation, administration, and oversight of policies to ensure the prevention, detection, containment, and correction of security breaches involving risk analysis and risk management. It includes the establishment of accountability, management controls (policies and education), electronic controls, physical security, and penalties for the abuse and misuse of its assets (both physical and electronic) that includes all of the following implementation features:

(A10i) Risk Analysis
A process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.

(A10ii) Risk Management
Process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.

(A10iii) Sanction Policies and Procedures
Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors. For example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties. They must include employee, agent, and contractor notice of civil or criminal penalties for misuse or misappropriation of health information and must make employees, agents, and contractors aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.

(A10iv) Security Policy
Statement(s) of information values, protection responsibilities, and organization commitment for a system. This is the framework within which an entity establishes needed levels of information security to achieve the desired confidentiality goals.

(A11) Termination Procedures
Formal documented instructions, which include appropriate security measures, for the ending of an employee's employment or an internal/external user's access that include procedures for all of the following implementation features:

(A11i) Changing Locks
A documented procedure for changing combinations of locking mechanisms, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system.

(A11ii) Removal From Access Lists
Physical eradication of an entity's access privileges.

(A11iii) Removal of User Account(s)
Termination or deletion of an individual's access privileges to the information, services, and resources for which they currently have clearance, authorization, and need-to-know when such clearance, authorization and need-to-know no longer exists.

(A11iv) Turning in of Keys, Tokens, or Cards That Allow Access
Formal, documented procedure to ensure all physical items that allow a terminated employee to access a property, building, or equipment are retrieved from that employee, preferably before termination.

(A12) Training
Education concerning the vulnerabilities of the health information in an entity's possession and ways to ensure the protection of that information that includes all of the following implementation features:

(A12i) Awareness Training
For all personnel, including management personnel, in security awareness, including, but not limited to, password maintenance, incident reporting, and viruses and other forms of malicious software.

(A12ii) Periodic Security Reminders
Employees, agents, and contractors are made aware of security concerns on an ongoing basis.

(A12iii) User Education Concerning Virus Protection
Training relative to user awareness of the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected.

(A12iv) User Education in Importance of Monitoring Login Success or Failure and How to Report Discrepancies
Training in the user's responsibility to ensure the security of health care information.

(A12v) User Education in Password Management
Type of user training in the rules to be followed in creating and changing passwords and the need to keep them confidential.
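The internal audit described in (A6) and the login monitoring described in (A12iv) are written as policy requirements; the following is an added illustration, not part of the standard, of what a routine review of login records can look like in practice. The log format, the sample records, the three review rules and the thresholds (three failures within ten minutes, business hours of 07:00 to 19:00) are all constructed for this example.

```python
"""Added example: a review of login records of the kind (A6) Internal Audit and
(A12iv) login monitoring call for. Log format, records and rules are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <workstation>"
SAMPLE_LOG = """\
2003-04-14T08:01:10 jsmith LOGIN_OK ws-reception
2003-04-14T08:02:40 rjones LOGIN_FAIL ws-lab02
2003-04-14T08:03:05 rjones LOGIN_FAIL ws-lab02
2003-04-14T08:03:31 rjones LOGIN_FAIL ws-lab02
2003-04-14T08:03:58 rjones LOGIN_FAIL ws-lab02
2003-04-14T08:04:20 rjones LOGIN_OK ws-lab02
2003-04-14T09:15:00 mlee LOGIN_FAIL ws-billing
2003-04-14T12:30:00 mlee LOGIN_OK ws-billing
2003-04-14T23:45:12 jsmith LOGIN_OK ws-reception
"""


def parse_log(text):
    """Turn the constructed log text into (time, user, succeeded, workstation) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, host = line.split()
        records.append((datetime.fromisoformat(ts), user, result == "LOGIN_OK", host))
    return records


def review_logins(records, max_failures=3, window=timedelta(minutes=10),
                  business_hours=(7, 19)):
    """Return (rule, user, workstation, time) findings for an auditor to follow up.

    Example rules (this policy is constructed, not the standard's):
    - repeated_failures: at least max_failures failed logins by one user within window
    - success_after_failures: a successful login that follows such a run
    - after_hours: a successful login outside business_hours
    """
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window
    flagged = set()                       # users currently in a flagged failure run
    for ts, user, ok, host in sorted(records):
        if not ok:
            recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window] + [ts]
            if len(recent_failures[user]) >= max_failures and user not in flagged:
                findings.append(("repeated_failures", user, host, ts))
                flagged.add(user)
            continue
        if user in flagged:
            findings.append(("success_after_failures", user, host, ts))
            flagged.discard(user)
        recent_failures[user] = []        # a success closes the failure run
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(("after_hours", user, host, ts))
    return findings


if __name__ == "__main__":
    for rule, user, host, ts in review_logins(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:24s} {user:8s} {host}")
```

On the constructed records the review flags the run of failed logins for rjones, the success that immediately follows it, and the late-night login by jsmith; the single failure by mlee stays below the threshold and is not reported.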
B) Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability

These are the processes that must be put in place to protect your computer or computer system (network), and your office(s) and/or home(s) which maintain personal health information and equipment from fire and other natural and environmental hazards, as well as from intrusion. It covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities. Physical safeguards must include all of the following requirements and implementation features:
(B1) Assigned Security Responsibility
Practices established by individuals or management to manage and supervise the execution and use of security measures to protect data and to manage and supervise the conduct of individuals and other personnel in relation to the protection of data.

(B2) Media Controls
Formal, documented policies and procedures that govern the receipt and removal of hardware/software (such as diskettes and tapes) into and out of a facility that include all of the following implementation features:

(B2i) Access Control

(B2ii) Accountability
The property that ensures that the actions of an entity can be traced uniquely to that entity.

(B2iii) Data Backup
A retrievable, exact copy of information.

(B2iv) Data Storage
The retention of health care information pertaining to an individual in an electronic format.

(B2v) Disposal
Final disposition of electronic data, and/or the hardware on which electronic data is stored.

(B3) Physical Access Controls (Limited Access)
Formal, documented policies and procedures to be followed to limit physical access to an entity while ensuring that properly authorized access is allowed that include all of the following implementation features:
(B3i) Disaster Recovery
The process enabling an entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

(B3ii) Emergency Mode Operation
Access controls in place that enable an entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

(B3iii) Equipment Control (Into and Out-of Site)
Documented security procedures for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling, and disposal of hardware and storage media.

(B3iv) Facility Security Plan
A plan to safeguard the premises and building (exterior and interior) from unauthorized physical access and to safeguard the equipment therein from unauthorized physical access, tampering, and theft.

(B3v) Procedures for Verifying Access Authorizations Before Granting Physical Access
Formal, documented policies and instructions for validating the access privileges of an entity before granting those privileges.

(B3vi) Maintenance Records
Documentation of repairs and modifications to the physical components of a facility, such as hardware, software, walls, doors, and locks.

(B3vii) Need-To-Know Procedures for Personnel Access
A security principle stating that a user should have access only to the data he or she needs to perform a particular function.

(B3viii) Procedures To Sign In Visitors and Provide Escorts, If Appropriate
Formal documented procedure governing the reception and hosting of visitors.

(B3ix) Testing and Revision
The restriction of program testing and revision to formally authorized personnel.

(B4) Policy and Guidelines on Work Station Use
Documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site.

(B5) A Secure Work Station Location
Physical safeguards to eliminate or minimize the possibility of unauthorized access to information; for example, locating a terminal used to access sensitive information in a locked room and restricting access to that room to authorized personnel, and not placing a terminal used to access patient information in any area of a doctor's office where the screen contents can be viewed from the reception area.

(B6) Security Awareness Training
Information security awareness training programs in which all employees, agents, and contractors must participate, including, based on job responsibilities, customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security.
C) Technical Security Services To Guard Data Integrity, Confidentiality, and Availability

These are the processes that must be put in place to protect information and to control individual access to information. They include:
(C1) Technical Security Services
Must include all of the following requirements and the specified implementation features:

(C1i) Access Control
Must include:

(C1ia) A Procedure for Emergency Access
Documented instructions for obtaining necessary information during a crisis.

(C1ib) At Least One of the Following Implementation Features:

(C1ibi) Context-Based Access
An access control procedure based on the context of a transaction (as opposed to being based on attributes of the initiator or target).

(C1ibii) Role-Based Access

(C1ibiii) User-Based Access

(C1ii) Optional Use of Encryption

(C1iii) Audit Controls
Mechanisms employed to record and examine system activity.

(C2) Authorization Control
The mechanism for obtaining consent for the use and disclosure of health information that includes at least one of the following implementation features:

(C2i) Role-based Access

(C2ii) User-based Access

(C3) Data Authentication
The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a checksum, double keying, a message authentication code, or digital signature.

(C4) Entity Authentication
The corroboration that an entity is the one claimed that includes:

(C4i) Automatic Logoff
A security procedure that causes an electronic session to terminate after a predetermined time of inactivity, such as 15 minutes.

(C4ii) Unique User Identifier
A combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity.

(C4iii) Implementation Features
With at least one of the following:

(C4iii1) Biometric Identification
An identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual. For example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature.

(C4iii2) Password

(C4iii3) Personal Identification Number (PIN)
A number or code assigned to an individual and used to provide verification of identity.

(C4iv) A Telephone Callback Procedure
Method of authenticating the identity of the receiver and sender of information through a series of "questions" and "answers" sent back and forth establishing the identity of each. For example, when the communicating systems exchange a series of identification codes as part of the initiation of a session to exchange information, or when a host computer disconnects the initial session before the authentication is complete, and the host calls the user back to establish a session at a predetermined telephone number.
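The access-control requirement in (C1i) names several implementation features without saying how they fit together. The following is an added example, not part of the standard and not any product's code, of one decision routine that combines them: role-based access (C1ibii) qualified by a context check (C1ibi), an explicit per-user grant (C1ibiii), an emergency-access procedure (C1ia) that requires a justification and is flagged for review, and an audit record of every decision (C1iii). The users, roles, patient record identifiers, treatment-team relationships and rule order are all constructed for the example.

```python
"""Added example: an access-control decision combining the (C1i) features.
Every name, role, record and rule below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# --- constructed policy data -------------------------------------------------
ROLE_PERMISSIONS = {                     # role-based access (C1ibii)
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}
USER_ROLES = {"jsmith": "physician", "rjones": "nurse", "tkim": "nurse", "mlee": "billing"}
USER_GRANTS = {                          # user-based access (C1ibiii): explicit per-user grants
    "mlee": {("patient-1001", "read")},
}
TREATMENT_TEAM = {"patient-1001": {"jsmith", "rjones"}}   # context (C1ibi): who is treating whom
CLINICAL_ACTIONS = {"read", "write"}     # actions whose context is the treatment relationship


@dataclass
class Request:
    user: str
    record: str                  # patient record identifier
    action: str                  # one of the actions named in ROLE_PERMISSIONS
    emergency: bool = False      # invoking the emergency-access procedure (C1ia)
    justification: str = ""


@dataclass
class Decision:
    allowed: bool
    basis: str


AUDIT_TRAIL = []                 # audit controls (C1iii): every decision is recorded here


def decide(req: Request, now: Optional[datetime] = None) -> Decision:
    """Evaluate a request in the order: role (with context), user grant, emergency.
    The first matching rule decides; every decision is appended to AUDIT_TRAIL."""
    role = USER_ROLES.get(req.user)
    role_allows = role is not None and req.action in ROLE_PERMISSIONS[role]
    on_team = req.user in TREATMENT_TEAM.get(req.record, set())
    if role_allows and (req.action not in CLINICAL_ACTIONS or on_team):
        # role-based; for clinical actions the treatment relationship is the context check
        basis = f"role:{role}" if req.action not in CLINICAL_ACTIONS else f"role:{role},context:treatment_team"
        decision = Decision(True, basis)
    elif (req.record, req.action) in USER_GRANTS.get(req.user, set()):
        decision = Decision(True, "user_grant")
    elif req.emergency and role in ("physician", "nurse") and req.action == "read":
        # emergency access: clinical staff may read outside their normal context,
        # but only with a recorded justification, and the entry is flagged for review
        if req.justification:
            decision = Decision(True, "emergency_access")
        else:
            decision = Decision(False, "emergency_without_justification")
    else:
        decision = Decision(False, "no_matching_rule")
    AUDIT_TRAIL.append({
        "time": (now or datetime.now()).isoformat(timespec="seconds"),
        "user": req.user, "record": req.record, "action": req.action,
        "allowed": decision.allowed, "basis": decision.basis,
        "review_required": decision.basis == "emergency_access",
    })
    return decision


def entries_needing_review():
    """What an audit-controls review (C1iii) would pull out: every emergency access."""
    return [e for e in AUDIT_TRAIL if e["review_required"]]


if __name__ == "__main__":
    for r in (Request("jsmith", "patient-1001", "write"),
              Request("tkim", "patient-1001", "read"),
              Request("tkim", "patient-1001", "read", emergency=True, justification="ED admission")):
        print(r.user, r.action, decide(r))
    print("for review:", entries_needing_review())
```

The order of the rules is the design choice worth noting: the emergency path is tried last, so it never widens access for a user who already has a normal basis for the request, and its grants are the only entries an auditor has to read in full.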
D) Technical Safeguards Against Unauthorized Access to Data

These are the processes that must be put in place to guard against unauthorized access to all personal health information, with particular attention to data transmitted over a communications network. They include:
(D1) If an Entity Uses Communications or Network Controls
Its security standards for technical security mechanisms must include the following:

(D1i) Integrity Controls
A security mechanism employed to ensure the validity of the information being electronically transmitted or stored.

(D1ii) Message Authentication
Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent.

(D1iii) Access Controls
Protection of sensitive communications transmissions over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient.

(D1iv) Encryption

(D2) If an Entity Uses Network Controls to Protect a Sensitive Communication
Where a sensitive communication is transmitted electronically over open networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient, the entity's technical security mechanisms must include all of the following implementation features:

(D2i) Alarm
In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. The signal may be in any desired form ranging from a simple contact closure (or opening) to a time-phased automatic shutdown and restart cycle.

(D2ii) Audit Trail
The data collected and potentially used to facilitate a security audit.

(D2iii) Entity Authentication
A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs, and processes.

(D2iv) Event Reporting
A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information.
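(C3) lists a checksum and a message authentication code side by side as ways of corroborating data, and (D1ii) asks specifically for message authentication. The following is an added example, not part of the standard, of the difference that matters when choosing between them: a checksum detects accidental corruption but can be recomputed by anyone, so it says nothing about who produced the message, whereas a keyed MAC (HMAC-SHA256 here) can only be produced by a holder of the shared key. The key, the messages and the packet layout (tag appended to the message) are constructed for the example.

```python
"""Added example: checksum (CRC-32) versus keyed MAC (HMAC-SHA256) for the data
authentication of (C3) and the message authentication of (D1ii). Key, messages
and packet layout are constructed for the example."""
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-key-for-this-example"          # shared by sender and receiver only
MSG = b"patient=1001;order=amoxicillin;dose=500mg"
ALTERED = b"patient=1001;order=amoxicillin;dose=5000mg"   # changed by a party who does not hold KEY

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes for HMAC-SHA256


def checksum_protect(message: bytes) -> bytes:
    """Append a CRC-32: detects accidental corruption in transit or storage."""
    return message + zlib.crc32(message).to_bytes(4, "big")


def checksum_verify(packet: bytes) -> bool:
    body, tag = packet[:-4], packet[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == tag


def mac_protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: only a holder of the key can produce it."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, packet: bytes) -> bool:
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)     # constant-time comparison


def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate corruption of one byte in transit."""
    b = bytearray(packet)
    b[index] ^= 0xFF
    return bytes(b)


def evaluate(key: bytes, original: bytes, altered: bytes) -> dict:
    """What each mechanism reports for the original message, for in-transit
    corruption, and for a message altered by someone who does not hold the key."""
    return {
        "crc_original": checksum_verify(checksum_protect(original)),
        "crc_corrupted": checksum_verify(flip_byte(checksum_protect(original), 0)),
        # anyone can recompute a checksum over an altered body, so it still verifies
        "crc_altered": checksum_verify(checksum_protect(altered)),
        "mac_original": mac_verify(key, mac_protect(key, original)),
        "mac_corrupted": mac_verify(key, flip_byte(mac_protect(key, original), 0)),
        # the altered body carries the original's tag; without the key it cannot be updated
        "mac_altered": mac_verify(key, altered + mac_protect(key, original)[-TAG_LEN:]),
    }


if __name__ == "__main__":
    for name, ok in evaluate(KEY, MSG, ALTERED).items():
        print(f"{name:14s} {'verifies' if ok else 'REJECTED'}")
```

Both mechanisms reject the corrupted packet, which is the integrity control of (D1i); only the MAC rejects the altered message, which is the message authentication of (D1ii). The constant-time `hmac.compare_digest` is used on the receiving side so that verification time does not depend on how many leading bytes of the tag match.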
HIPAA Compliance Dates

Standard                          Compliance Date   Extension Date
Transactions and Code Sets        10/16/2003        10/16/2003, only if application filed before Oct 15, 2002
National Provider Identifier      Pending           Not Applicable
National Employer Identifier      Pending           Not Applicable
Security Rule                     4/20/2005         Not Applicable
Privacy Rule                      4/14/2003         Not Applicable
National Health Plan Identifier   Pending           Not Applicable
Claims Attachments                Pending           Not Applicable
Enforcement                       Pending           Not Applicable
National Individual Identifier    Pending           Not Applicable
Business Associates               4/14/2003         4/14/2004; extension applies ONLY to business associates with existing business associate contracts made prior to April 14, 2003