Policy and Procedure Standards

Table of Contents

SECURITY MANAGEMENT PROCESS P1-P4

ASSIGNED SECURITY RESPONSIBILITY P5-P7

WORKFORCE SECURITY P8-P9

INFORMATION ACCESS MANAGEMENT P10-P11

SECURITY AWARENESS AND TRAINING P13-P15

SECURITY INCIDENT PROCEDURES P17

CONTINGENCY PLAN P18-P20

EVALUATION P22

BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS P23-P24

FACILITY ACCESS CONTROLS P29-P30

WORKSTATION USE P31-P34

WORKSTATION SECURITY P35

DEVICE AND MEDIA CONTROLS P36-P37

ACCESS CONTROL P38

AUDIT CONTROLS P39

INTEGRITY P40

PERSON OR ENTITY AUTHENTICATION P41

TRANSMISSION SECURITY P42

Security Management Process Policy and Procedures

Implementation Specifications covered under this standard:

·  Risk Analysis

·  Risk Management

·  Sanction Policy

·  Information System Activity Review

Purpose

The purpose of this policy is to establish a process to identify the risks to the organization and to manage those risks. The Practice is committed to ensuring the confidentiality, integrity, and availability of its information systems containing EPHI by implementing policies and procedures to prevent, detect, contain, and correct security violations.

Policy

1.  The Practice will ensure the confidentiality, integrity, and availability of its information systems containing EPHI by implementing appropriate and reasonable policies, procedures and controls to prevent, detect, contain, and correct security violations.

2.  All Practice workforce members are responsible for appropriately protecting EPHI from unauthorized access, modification, destruction and disclosure.

Risk Analysis

The organization will conduct a survey of all computer and information systems in order to determine where electronic protected health information is stored, how it is transmitted, and which employees currently have access. The organization will also identify the type of information contained on each system and the impact to daily activities that would be caused by a loss of this information. (See Risk Analysis, Worksheet 1). This process will be repeated for all new equipment, information systems or computer systems that are installed.

The identification, definition and prioritization of risks to the Practice information systems containing EPHI is based on a formal, documented risk analysis process. At a minimum, the Practice’s risk analysis process will include the following:

·  Identification and prioritization of the threats to the Practice information systems containing EPHI.

·  Identification and prioritization of the vulnerabilities of the Practice information systems containing EPHI.

·  Identification and definition of security measures used to protect the confidentiality, integrity, and availability of the Practice information systems containing EPHI.

·  Identification of the likelihood that a given threat will exploit a specific vulnerability on a Practice information system containing EPHI.

P1


·  Identification of the potential impacts to the confidentiality, integrity, and availability of the Practice information systems containing EPHI if a given threat exploits a specific vulnerability.

·  The organization will use good faith efforts to identify all known and/or anticipated threats to electronic protected health information and any vulnerability that would cause a program or system to be impacted by threats.

Risk Management

The Practice will implement security measures that reduce the risks to its information systems containing EPHI to reasonable and appropriate levels.

It will be the responsibility of the Security Officer to gather information and present this information to the appropriate decision-making authorities within the organization so that determinations can be made based upon the risks to the organization and the costs associated with mitigating these risks.

Employee Sanctions

Employees will be sanctioned appropriately for breaching security policies and procedures. All sanctions will be in accordance with the organization’s disciplinary policies, and, at a minimum, will take into account the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information.

The Practice will have a formal, documented process for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures.

Sanctions may include, but will not be limited to: (1) a verbal warning; (2) a written reprimand; (3) re-education; (4) suspension; and/or (5) termination. The sanction policy, however, does not alter the at-will status of employees.

Information System Activity Review

The Practice is committed to conducting periodic internal system reviews of records to minimize security violations to electronic protected health information. As such, the Practice will continually assess potential risks and vulnerabilities to protected health information in its possession, and develop, implement, and maintain appropriate administrative, physical, and technical security measures.

The organization will determine which reports the organization’s information systems and software programs are capable of generating, including, but not limited to audit logs, access reports, and security incident tracking reports.

The organization will run such reports at intervals as determined by the security officer based upon the usefulness of the report.


Procedure

1.  The Security Officer will be responsible for completing a Comprehensive Risk Analysis (either by personally completing the form or delegating the responsibility) and will be responsible for overseeing the updating of this analysis as new systems or software programs are added. See Risk Analysis Worksheets 1-4.

2.  The risk analysis shall demonstrate, at a minimum, the following information:

a.  The level of risk and the steps to be taken to reduce the risk of vulnerability;

b.  Processes for maintaining no more than the acceptable level of risk.

3.  The Security Officer will be responsible either personally or by delegation for the completion of a Threat Assessment (Risk Analysis Worksheet 2). This assessment will be updated as needed or any time that a new threat or vulnerability is identified or any time that a new system or software program is added.

4.  The Security Officer will be responsible for completing a Risk Management Analysis (Risk Analysis Worksheet 3-4). The Security Officer will be responsible for identifying and including administrative personnel who have authority to make decisions with respect to which security solutions may be implemented (based upon a cost/benefit analysis).

5.  The Practice’s risk management process will be based on the following steps:

a.  Inventory. The Practice will conduct an inventory of its information systems containing EPHI and the security measures protecting those systems. The Practice must be able to identify its information systems and the relative value and importance of those systems. (See Risk Analysis, Worksheet 1)

b.  Risk prioritization. Based on the risks defined by the Practice’s risk analysis, all risks will be prioritized on a scale from 1 to 9 based on the potential impact to information systems containing EPHI and the probability of occurrence. When deciding what Practice resources will be allocated to identified risks, highest priority must be given to those risks with unacceptably high risk rankings.

c.  Cost-benefit analysis. The Practice will identify and define the costs and benefits of implementing or not implementing specific security methods.

d.  Security method selection. Based on the cost-benefit of each solution, the Practice will determine the most appropriate, reasonable and cost-effective security method(s) for reducing identified risks to each system containing EPHI.


6.  The Security Officer will be responsible for bringing employee breaches of security policies and procedures to the attention of the employee’s supervisor who shall be responsible for disciplining the employee in accordance with this policy and with the organization’s general disciplinary policies.

7.  The Security Officer will be responsible for reviewing all informational reports and the frequency with which each report should be routinely run, as well as any events that will trigger the running of the report(s). Currently, such reports will be run as needed and monitored on an exception basis.

8.  If the Security Officer identifies suspicious activity based upon the reports, it will be investigated and the results of such investigation documented. If the investigation identifies an employee breach, the employee will be disciplined in accordance with the guidelines set forth in the organization’s disciplinary policies.

9.  The Security Officer will be responsible for reviewing reports and maintaining all reports for a period of six years (either personally or delegating the responsibility).


Assigned Security Responsibility Policy and Procedures

Purpose

The purpose of this policy is to assign a single employee overall final responsibility for the confidentiality, integrity, and availability of EPHI.

Policy

The Practice Security Officer will be responsible for the Security of PHI and EPHI at the Practice. The Security Officer is responsible for the development and implementation of all policies and procedures necessary to appropriately protect the confidentiality, integrity, and availability of the Practice’s information systems and EPHI.

Procedures

1.  The Security Officer will conduct himself/herself in a manner appropriate for this position and as outlined in his or her job description.

2.  The Practice’s Security Officer’s responsibilities include, but are not limited to:

a.  Ensure that Practice’s information systems comply with all applicable federal, state, and local laws and regulations.

b.  Develop, document, and ensure dissemination of appropriate security policies, procedures, and standards for the users and administrators of Practice’s information systems and the data contained within them.

c.  Ensure that newly acquired Practice information systems have features that support required and/or addressable security Implementation Specifications.

d.  Coordinate the selection, implementation, and administration of significant Practice security controls.

e.  Ensure Practice workforce members receive regular security awareness and training.

f.  Conduct periodic risk analysis of Practice information systems and security processes.

g.  Conduct regular evaluations of the Practice’s security controls and processes.

h.  Develop and implement an effective risk management program.

i.  Regularly monitor and evaluate threats and risks to Practice information systems’ activity to identify inappropriate activity.

j.  Create an effective security incident response policy and related procedures.

k.  Ensure adequate physical security controls exist to protect Practice’s EPHI.

l.  Coordinate with Practice’s Privacy Officer to ensure that security policies, procedures and controls support compliance with the HIPAA Privacy Rule.


Security Officer – Job Description

The Practice is committed to ensuring the privacy and security of protected health information. In order to manage the facilitation and implementation of activities related to the privacy and security of protected health information, The Practice will appoint and maintain a Security Officer position.

The Security Officer will serve as the focal point for security compliance-related activities and responsibilities, as listed below. In general, the Security Officer is charged with developing, maintaining, and implementing organizational policies and procedures, conducting educational programs, reviewing conduct of those assigned security responsibilities, and administering reviews relating to the company’s security program.

The Security Officer must demonstrate familiarity with the legal requirements relating to privacy, security and health care operations, as well as the ability to communicate effectively with and coordinate the efforts of technology and non-technology personnel.

The current Security Officer is:

Bonnie Rondot

419-991-7805 (work) or 419-999-6344 (home)

2875 W. Elm St., Lima, OH 45805

e-mail address:

Responsibilities

The Security Officer has the following job responsibilities:

1.  Lead in the development and enforcement of information security policies and procedures, measures and mechanisms to ensure the prevention, detection, containment, and correction of security incidents. Ensure that security standards comply with statutory and regulatory requirements regarding health information.

2.  Maintain security policies that include:

a.  Administrative security: Formal mechanisms for risk analysis and management, information access controls, and appropriate sanctions for failure to comply.

b.  Physical safeguards: Ensure assigned security responsibilities, control access to media (e.g., diskettes, tapes, backups, disposal of data), protect against hazards and unauthorized access to computer systems, and secure workstation locations and use.

c.  Technical security: Establish access controls, emergency procedures, authorization controls, and data/entry access and authentication.


3.  Maintain security procedures that include:

a.  Evaluation of compliance with security measures.

b.  Contingency plans for emergencies and disaster recovery.

c.  Security incident response process and protocols.

d.  Testing of security procedures, measures and mechanisms, and continuous improvement.

e.  Security incident reporting mechanisms and sanction policy.

4.  Maintain appropriate security measures to guard against unauthorized access to electronically stored and transmitted patient data and protect against reasonably anticipated threats and hazards, including:

a.  Integrity controls.

b.  Authentication controls.

c.  Access controls.

5.  Oversee and/or perform on-going security monitoring of organization information systems.

a.  Perform periodic information security risk evaluations and assessments.

b.  Evaluate and recommend new information security technologies and counter-measures against threats to information or privacy.

6.  Ensure compliance through adequate training programs and periodic security audits.


Workforce Security Policy and Procedures

Implementation Specifications covered under this standard:

·  Authorization and/or Supervision

·  Workforce Clearance Procedures

·  Termination Procedures

Purpose

This policy reflects Practice’s commitment to allow access to information systems containing EPHI only to workforce members who have been appropriately authorized.

Policy

1.  Practice will protect the confidentiality, integrity, and availability of its information systems containing EPHI by preventing unauthorized access while ensuring that properly authorized workforce member access is allowed.

2.  Access to Practice information systems containing EPHI will be granted only to workforce members who have been properly authorized.

3.  Access to Practice information systems containing EPHI will be authorized only for properly trained Practice workforce members having a legitimate need for specific information in order to accomplish job responsibilities. Such access will be regularly reviewed and revised as necessary.

Procedures

1.  Authorization and/or Supervision

·  Practice will ensure that all workforce members who can access Practice information systems containing EPHI are appropriately authorized to access the system or supervised when they do so.

·  Practice workforce members will not be allowed access to information systems containing EPHI until properly authorized.