ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation Features |
| --- | --- |
| Certification | · Varies by discipline and application. |
| Chain of Trust & Business Associate Agreements | · All legal requirements necessary to extend the HIPAA rules to health care associates, vendors, contractors and suppliers. |
| Contingency Plan | · Applications and data criticality analysis. · Data backup plan. · Disaster recovery plan. · Emergency mode operation plan. · Testing and revision. |
| Formal Mechanisms for Processing Records | · Policy and procedures manual. · Security safeguards. · Accountability. · Auditability. |
| Information Access Controls | · Access authorization. · Access establishment. · Access modification. |
| Internal Audit | · Absolute accountability. |
| Personnel Security | · Assure supervision of maintenance personnel by an authorized, knowledgeable person. · Maintenance of a record of access authorizations. · Operating, and in some cases maintenance, personnel have proper access authorization. · Personnel clearance procedure. · Personnel security policy/procedure. · System users, including maintenance personnel, trained in security. |
| Security Configuration Management | · Documentation. · Hardware/software installation and maintenance review and testing for security features. · Inventory. · Security testing. · Virus checking. |
| Security Incident Procedures | · Report procedures. · Response procedures. |
| Security Management Process | · Risk analysis. · Risk management. · Sanction policy. · Security policy. |
| Termination Procedures | · Combination locks changed. · Removal from access lists. · Removal of user account(s). · Turn in keys, tokens or cards that allow access. |
| Training | · Awareness training for all personnel, including management. · Periodic security reminders. · User education concerning virus protection. · User education in the importance of monitoring login success/failure, and how to report discrepancies. · User education in password management. |
Overview of Above Requirements
Certification
Each health
care provider and organization must evaluate its computer system(s) or network
design(s) to certify that the appropriate security has been implemented. This
evaluation could be performed internally or by an external accrediting agency.
Chain of Trust Agreements
If personal health information is exchanged between different parties or processed through a third party, the parties are required to enter into a chain of trust agreement. This is a contract in which the parties agree to exchange data and to protect it. The sender and receiver are each required to maintain the integrity and confidentiality of the transmitted information, and each depends on the other to do so. Multiple two-party contracts may be involved in moving information from the originating party to the ultimate receiving party. For example, a health care provider may contract with a clearinghouse to transmit claims to it. The clearinghouse, in turn, may contract with another clearinghouse or with a payer for further transmittal of those claims. These agreements are important so that the same level of security is maintained at every link in the chain as information moves from one individual or organization to another.
Additionally, to ensure the confidentiality of personal health information, business associate agreements are required between health care providers and outside contractors or vendors who may come into contact with personal health information. Examples, to name only a few, include a janitorial service, computer technicians and a telephone answering service.
Contingency Plan
A contingency plan is required for responding to system emergencies. Periodic backups of data are required, and facilities must be available for continuing operations in the event of an emergency. To satisfy the requirement, the plan must include the following:
· Applications and data criticality analysis. · A data backup plan. · A disaster recovery plan. · An emergency mode operation plan. · Testing and revision procedures.
Formal Mechanism for Processing Records
A formal mechanism is required for processing records, including documented policies and procedures for the routine and nonroutine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information. This is important to limit the inadvertent loss or disclosure of protected information because of process failures.
Information Access Control
Health care providers are required to establish and maintain formal, documented policies and procedures for granting different levels of access to health care information. To satisfy this requirement, the following features must be provided:
· Access authorization policies and procedures. · Access establishment policies and procedures. · Access modification policies and procedures.
Internal Audit
An ongoing internal audit process is required: a review of the records of system activity, for example logins, file accesses and security incidents. This is important because it enables the individual or organization to identify potential security violations.
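As an added illustration of the audit review described above (example code written for this page, not from the original or from any HIPAA guidance), the script below reads a constructed, pipe-delimited activity log and flags the three kinds of event the page says an internal audit looks for: repeated login failures, record access by a user who is not on the access-authorization record, and record access outside business hours. The log format, field names, user list, threshold and business-hours window are all assumptions chosen for the example.

```python
"""Audit-log review for the internal-audit requirement.

Added example, not code from the original page.  The log format, field
names, authorized-user list and thresholds are assumptions for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: "timestamp|user|event|object|outcome".
# One deliberately malformed line is included to show it is skipped, not crashed on.
SAMPLE_LOG = """\
2003-04-14T08:02:11|jdoe|login|-|success
2003-04-14T08:05:43|jdoe|read|patient/1042|success
2003-04-14T08:07:02|mroe|login|-|failure
2003-04-14T08:07:20|mroe|login|-|failure
2003-04-14T08:07:41|mroe|login|-|failure
2003-04-14T08:08:03|mroe|login|-|failure
2003-04-14T12:30:00|tsmith|login|-|success
2003-04-14T12:31:10|tsmith|read|patient/2210|success
2003-04-14T23:15:09|jdoe|login|-|success
2003-04-14T23:16:30|jdoe|read|patient/3391|success
this line is not an audit record
2003-04-15T09:00:00|ghost|read|patient/1042|success
"""

# Assumed access-authorization record: only these users may read patient records.
AUTHORIZED_READERS = {"jdoe", "tsmith"}

FAILED_LOGIN_THRESHOLD = 3      # assumption: 3 or more failures per user is a finding
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00 to 18:59 is normal working time


def parse_log(text):
    """Parse pipe-delimited lines into dicts; malformed lines are skipped and counted."""
    entries, bad = [], 0
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            bad += 1
            continue
        ts, user, event, obj, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            bad += 1
            continue
        entries.append({"when": when, "user": user, "event": event,
                        "object": obj, "outcome": outcome})
    return entries, bad


def review(entries):
    """Return a list of (rule, user, detail) findings in a fixed order."""
    findings = []
    # 1. Repeated failed logins per user.
    failures = Counter(e["user"] for e in entries
                       if e["event"] == "login" and e["outcome"] == "failure")
    for user, n in sorted(failures.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_login_failure", user, f"{n} failures"))
    # 2. Record access by a user absent from the authorization record.
    for e in entries:
        if e["event"] == "read" and e["user"] not in AUTHORIZED_READERS:
            findings.append(("unauthorized_record_access", e["user"], e["object"]))
    # 3. Record access outside business hours.
    for e in entries:
        if e["event"] == "read" and e["when"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_record_access", e["user"],
                             f"{e['object']} at {e['when'].isoformat()}"))
    return findings


def audit(text=SAMPLE_LOG):
    """Parse and review a log; returns (findings, number_of_malformed_lines)."""
    entries, bad = parse_log(text)
    return review(entries), bad


if __name__ == "__main__":
    results, skipped = audit()
    for rule, user, detail in results:
        print(f"{rule:28} {user:8} {detail}")
    print(f"{skipped} malformed line(s) skipped")
```

Each finding names the rule, the user and enough detail to follow up, which is what the reviewer needs to decide whether it is a potential violation or a benign event such as a scheduled night shift. Malformed lines are counted rather than silently dropped, since a gap in the audit trail is itself something the review should surface.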
Personnel Security
All health care providers, and all co-workers with access to health information, must be authorized for that access only after receiving appropriate clearances. This is important to prevent unnecessary or inadvertent access to protected information. The personnel security requirement requires covered entities to meet the following conditions:
· Assure supervision of personnel performing technical systems maintenance activities by authorized, knowledgeable persons. · Maintain access authorization records. · Employ co-worker/employee clearance procedures. · Employ co-worker/employee security policies/procedures. · Ensure that computer users, including technical maintenance personnel, are trained in system security.
Security Incident Procedures
It is a requirement to implement accurate and current security incident procedures. These are formal, documented instructions for reporting security breaches, so that security violations are reported and handled promptly. These instructions must include the following:
· Report procedures. · Response procedures. · Security testing.
Security Management Process
A process for security management is required even for the smallest of group practices. This involves creating, administering, and overseeing policies to ensure the prevention, detection, containment, and correction of security breaches. Organizations must have a formal security management process in place to address the full range of security issues. Security management includes the following mandatory implementation features:
· Risk analysis. · Risk management. · A sanction policy. · A security policy.
Termination Procedures
Termination implementation procedures are required. They must be formal, documented instructions, including appropriate security measures, for the ending of an employee's employment or of an internal or external user's access. These procedures are important to prevent unauthorized access to protected data by those who are no longer authorized to access it. Termination procedures must include the following mandatory implementation features:
· Changing combination locks. · Removal from access lists. · Removal of user account(s). · Turn-in of keys, tokens, or cards that allow access.
Training
Training is required for all staff regarding the security vulnerabilities of the health information in the possession of a health care provider and throughout the office. This is important because employees need to understand their security responsibilities and make security a part of their day-to-day activities. The following implementation features are required:
· Awareness training for all co-workers and personnel, including management. · Periodic security reminders. · User education concerning virus protection. · User education in the importance of monitoring login success and failure, and how to report discrepancies. · User education in password management and protection.
HIPAA Compliance Dates

| Standard | Compliance Date | Extension Date |
| --- | --- | --- |
| Transactions and Code Sets | 10/16/2002 | 10/16/2003, only if a compliance plan was filed before Oct 15, 2002. |
| National Provider Identifier | Pending | Not applicable |
| National Employer Identifier | Pending | Not applicable |
| Security Rule | 4/20/2005 | Not applicable |
| Privacy Rule | 4/14/2003 | Not applicable |
| National Health Plan Identifier | Pending | Not applicable |
| Claims Attachments | Pending | Not applicable |
| Enforcement | Pending | Not applicable |
| National Individual Identifier | Pending | Not applicable |
| Business Associates | 4/14/2003 | 4/14/2004. Extension applies ONLY to business associates with existing business associate contracts made prior to April 14, 2003. |