AMC/HIPAA Workgroup 9 AMC HIPAA Security Guidelines Section One: Requirements for Security Administration

AMC/HIPAA Workgroup

AMC HIPAA Security Guidelines

Section One: Requirements for Security Administration

Websuche.info die frische Suchmaschine alteredrealitycc derkach private Krankenversicherung Autoversicherung KFZ Versicherung Lebensversicherung KFZ Versicherungsvergleich Autoversicherungen KFZ Versicherungen Lebensversicherungen Horoskop Horoskope Eintrag bbsnet Reisen Urlaub Baufinanzierung Hausfinanzierung Immobilienfinanzierung Erotik Hallenbau Vermieterrechtsschutz Last Minute Algarve Ferienhaus Portugal Werbemittel Werbeartikel Viking Buerobedarf Bueroartikel Bueromaterial Kalender Drucker Druckerpatronen Tintenpatronen HP Drucker Werbeartikel Werbemittel Bueromoebel Kopierer Krankenversicherungsvergleich Werbeartikel Werbemittel Kreditvergleich

tableofcontents.htm start.htm securitysectiontwo.htm securitysectionthree.htm securitysectionone.htm securitycategories.htm references.htm privacysectiontwo.htm privacysectionthree.htm privacysectionone.htm privacysectionfour.htm privacysectionfive.htm privacycategories.htm jobdescriptions.htm introduction.htm index.htm hipaatrifold.htm hipaasuppliment.htm hipaaresources.htm hipaaexecsummary.htm guidelinesorganization.htm generalpolicyguidelines.htm generalcategories.htm definitions.htm contractsandpolicies.htm contact.htm amchipaasecurityandprivacyguidelines.htm acronyms.htm acknowledgements.htm

Page 2

AMC/HIPAA Workgroup

SEC.01

Certification § .308(a)(1)

HIPAA Requirement

...(The technical evaluation performed as part of, and in support of, the

accreditation process that establishes the extent to which a particular computer

system or network design and implementation meet a pre-specified set of security

requirements. This evaluation may be performed internally or by an external

accrediting agency.)

AMC Explanation of HIPAA Regulation

Certification is the process of determining whether technical security controls are implemented

and comply with specified criteria. Each covered entity is required to establish a certification

process that demonstrates and documents that its computer systems and networks meet these

criteria. Either internal staff or external persons may perform certifications. The process should

consider risks identified in the risk assessment process.

Key Issues

What systems and services require certification?

How often should certification occur?

Who or what organization is the certifying authority? Is it internal or external? How will

the certifying authority be selected?

Do reference documents exist to describe the covered entity's secure configuration of

network components, servers, databases, and applications?

Is there a periodic comparison of the actual configuration against the reference

documents to confirm compliance or reveal non-compliance? If there are differences, is

there a process for correction?

Do routine testing, auditing, and change management procedures support the certification

process?

What is the relationship between auditors and certifiers?

With what frequency or upon what event(s) should certification be done?

Category I Guidelines-Actions must be taken to address these

Implement a certification process to determine the extent to which systems and networks

meet established security criteria.

Category II Guidelines-Actions should be taken to address these

Document the network configuration.

Ensure that individuals performing certifications are knowledgeable about security

requirements and best practices.

Ensure that conflicts of interest do not exist in the certification process-specifically that

certifiers are not responsible for the system or network's administration or maintenance.

Perform certification a minimum of once every three years due to the changing nature of

computer systems and accelerating rate of change of IT-related security risks.

Page 3

AMC/HIPAA Workgroup

Prepare a formal "Certification and Accreditation Report" upon the completion of

certification and forward it, along with any recommendations on accreditation, to the

accrediting official.

Maintain records and reports of certification and accreditation activities for the last two

certification efforts to provide for an adequate history of certification information and an

audit trail of certification.

Establish routine testing, auditing, and change management procedures to support the

certification process.

Consider certification for system changes prior to placing such systems into production.

Consider a phased approach to certification in order to encourage continuity of the

process.

Consider linking the certification process to JCAHO Information Management

requirements.

Consider requiring formal security credentials for those conducting the certification

process.

Roadblocks

In complex institutions, it may be difficult to establish the necessary credibility and authority for

the certifier.

Comments

Although the evaluation of the program or one of its parts may be done by outside entities, the

certification is a statement by senior management of the institution. State law on record-keeping

may mandate additional retention requirements. Covered entities should be prepared to budget

for remedial action as necessary if deficiencies are discovered during the certification process.

Page 4

AMC/HIPAA Workgroup

SEC.02

Chain of Trust Partner Agreement § .308(a)(2)

HIPAA Requirement

A chain of trust partner agreement (a contract entered into by two business

partners in which the partners agree to electronically exchange data and protect

the integrity and confidentiality of the data exchanged).

AMC Explanation of HIPAA Regulation

A Chain of Trust Agreement is required between two business partners whenever data is

electronically exchanged. The Agreement requires that the sender and the receiver of the

protected health information work with each other to maintain the information's integrity and

confidentiality. Such contracts provide a legal basis for maintaining consistent levels of data

integrity and confidentiality.

Key Issues

With which persons or organizations is the health care provider, health plan, or health

care clearinghouse required to execute a Chain of Trust Agreement (COT)?

Is there a documented process for identifying all partners with which a COT is required?

Does the COT identify a process or processes to ensure the integrity and confidentiality

of the data transmitted?

How will security responsibilities and accountabilities be determined, drafted, and

monitored?

Does more than one unit have the authority to contract with a business partner?

Is there a process in place to assure that all AMC contracts have the required and

appropriate language?

Is there a process that will identify the data rights of the trading partners and incorporate

such rights in the COT language?

Does the agreement identify appropriate sanctions for failure to abide by its terms?

Is the duration of the agreement appropriate?

Is there a process in place to assure that all AMC contracting officers are aware of the

need for, and know the requisites of, an effective COT?

What organizational unit will be responsible for managing the COT policy

implementation?

Does the COT propagate with any further transfers of information between partners and

their other partners?

Does the COT survive other agreements with the partner?

How do COTs relate to the business associate contractual terms in the Privacy rule?

Category I Guidelines-Actions must be taken to address these

Develop a Chain of Trust Agreement with each party with which protected health

information is shared, including language that states that:

The parties agree to electronically exchange data and protect the transmitted data; and

Each party will maintain the integrity and confidentiality of the transmitted

information.

Page 5

AMC/HIPAA Workgroup

Develop a plan to update all current agreements to ensure that the terms and conditions

do not contain any provisions, including data content and format definitions, that conflict

with the standards outlined in the security regulations

Develop a plan to ensure that all future agreements have appropriate provisions.

Category II Guidelines-Actions should be taken to address these

Engage legal counsel to develop and review contract language for the COT.

Establish monitors to ensure compliance by all parties subject to the agreement.

Train all contracting officials about the nature and intent of the COT.

Devise and promulgate a COT template for all Contracting Officers to use.

Establish a process to determine when/how to activate the sanctions for nonperformance

with regard to COT.

Periodically review all current partnerships for COT need.

Develop process to review partners' COTs for adequacy and fairness.

Roadblocks

It will likely be difficult to get approval for COTs which are inconsistent between partners, or

which are perceived as unbalanced in responsibility. Contracts are frequently negotiated and

approved by various departments within the University or AMC. Each area within the

University and AMC must be trained as to when and with whom this required language should

be used.

Comments

Since the originator of information bears the responsibility for improper disclosure or other

security failures regarding that information, a COT is the only protection most providers will

have once information is turned over to their partners in healthcare provision.

As part of a compliance program, business associates should warrant, and the AMC department

responsible for negotiating and signing the Agreement should verify, that the trading partner is

not excluded from participation in any government program. Contracts should also include a

statement that the trading partner warrants that any subcontractors or agents are not excluded

from participation in any government program.

The Chain of Trust Agreement in the Supplement contains language that can be used to satisfy

both the proposed security regulation (discussed in this point) and the final privacy regulation

(discussed in PRIV.03).

Page 6

AMC/HIPAA Workgroup

SEC.03

Contingency Planning § .380 (a)(3)

HIPAA Requirement

...a routinely updated plan for responding to a system emergency, that includes

performing backups, preparing critical facilities that can be used to facilitate

continuity of operations in the event of an emergency, and recovering from a

disaster. The plan must include all of the following implementation features:

(i) An applications and data criticality analysis [an entity's formal assessment of

the sensitivity, vulnerabilities, and security of its programs and information it

receives, manipulates, stores, and/or transmits).

(ii) Data backup plan (a documented and routinely updated plan to create and

maintain, for a specific period of time, retrievable exact copies of information).

(iii) A disaster recovery plan (the part of an overall contingency plan that

contains a process enabling an enterprise to restore any loss of data in the event

of fire, vandalism, natural disaster, or system failure).

(iv) Emergency mode operation plan (the part of an overall contingency plan that

contains a process enabling an enterprise to continue to operate in the event of

fire, vandalism, natural disaster, or system failure).

(v) Testing and revision procedures (the documented process of periodic testing

of written contingency plans to discover weaknesses and the subsequent process

of revising the documentation, if necessary).

AMC Explanation of HIPAA Regulation

Each covered entity is required to maintain a contingency plan for responding to system

emergencies involving systems that contain protected health information. The covered entity is

required to perform periodic backups of data, have critical facilities for continuing operations in

the event of an emergency, and have disaster recovery procedures in place for such systems.

Systems that do not involve protected health information are not required to have contingency

plans.

Key Issues

What will be needed to recreate each data element in the event of an emergency? Has an

assessment been performed?

What is the appropriate frequency and depth of backups?

Where should backup data be located?

How easy is restoration of backup data?

How timely would such a restoration be?

How is security of data assured at the backup location?

What is the mechanism for testing the plans and procedures?

How long will backups be retained?

How is overall integrity of data assured?

How often will various levels or types of tests be performed?

Page 7

AMC/HIPAA Workgroup

Category I Guidelines-Actions must be taken to address these

Assess all systems with protected health information for reasonably anticipated risks,

focusing on the potential impact of the lack of availability of specific applications and

data on the secure operation of the covered entity.

Prepare a data backup plan that details how data will be maintained and duplicated in

order to prevent its loss during a natural or man-made disaster.

Prepare a disaster recovery plan that details how data and operations would be restored in

a timely fashion following a catastrophic event or unanticipated interruption of

operations.

Prepare a plan to use for emergency operations following a catastrophic event until

normal operations can be restored.

Test these procedures periodically and revise them accordingly to address any

weaknesses discovered during testing.

Category II Guidelines-Actions should be considered to address these

Develop a data storage plan that ensures that the medium and location of backup storage

are secure from physical damage and that backup storage is separated in some way from

the main site.

Dispose of information in a manner that maintains its security. Shred paper and wipe

magnetic or optical media.

Make backups at regular intervals.

Develop a procedure covering the scope (full, incremental, and differential) of backups.

Provide adequate facilities to support recovery operations.

Test contingency and disaster recovery plans regularly, specifically including restoration

of data.

Protect backup information at the same level as the original data.

Roadblocks

Identifying and testing critical components may be more realistic and cost effective than testing

plans sufficiently often to ensure that they are viable.

Formal disaster recovery/contingency plans usually occur at the level of central IT within an

AMC. The distributed nature of support and systems within an AMC may serve as a roadblock

to ensuring consistent planning.

Comments

The security regulations (unlike the privacy regulations) supersede conflicting state laws. Non-

conflicting state laws, however, still apply and may affect various aspects of this plan.

Also see: AMC.09 Stricter State Law, SEC.14 Media Controls

Page 8

AMC/HIPAA Workgroup

SEC.04

Formal Mechanism for Processing Records § .308(a)(4)

HIPAA Requirement

Formal mechanism for processing record (documented policies and procedures

for the routine and non-routine receipt, manipulation, storage, dissemination,

transmission, and/or disposal of health information).

AMC Explanation of HIPAA Regulation

Covered entities are required to maintain documented policies and procedures for the routine and

non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of

protected health information.

Key Issues

Do clear lines of authority and responsibilities exist that fit the structure and function of

entities (Hospital, Departments, Sections)?

Are there provisions for evaluating and improving policies and procedures at all levels?

Category I Guidelines-Actions must be taken to address these

Develop and document processes to govern the creation of protected health information.

Establish policies and procedures on storage of data, including administrative policies

governing the length of time to various types of data are to be stored and policies for the

archiving and destruction of data.

Establish policies for data dissemination within and external to the covered entity. (See

Comments.)

Develop policies for secure disposal of protected health information, including

information contained on media and systems that are replaced.

Category II Guidelines-Actions should be taken to address these

Protect records to a degree commensurate with the risk associated with them.

Consider standardizing record management policies across the enterprise.

Roadblocks

The presence of already existing unofficial systems may act as a barrier to change, as these will

need to be brought under the umbrella of protection. If staff do not accept needed changes, then

implementation may be delayed.

Redundancy of records in multiple systems presents a challenge, with updates in one system not

always filing or updating correctly in other systems downstream.

Comments

Policies external to the covered entity may be problematic in terms of generality or specificity.

Standards, such as message types (HL7, XML, etc.) may help in this regard.

Page 9

AMC/HIPAA Workgroup

SEC.05

Information Access and Control § .308(a)(5)

HIPAA Requirement

...(formal, documented policies and procedures for granting different levels of

access to health care information) that includes all of the following

implementation features:

(i) Access authorization (information-use policies and procedures that establish

the rules for granting access, for example, to a terminal, transaction, program,

process, or some other user.)

(ii) Access establishment (security policies and rules that determine an entity's

initial right of access to a terminal, transaction, program, process or some other

user).

(iii) Access modification (security policies and rules that determine the types of,

and reasons for, modification to an entity's established right of access, to a

terminal, transaction, program, process, or some other user.)

AMC Explanation of HIPAA Regulation

Each covered entity is required to establish and maintain formal, documented policies and

procedures for granting different levels of access to protected health information. These policies

and procedures must, at a minimum, include:

Access authorization policies and procedures;

Access establishment policies and procedures; and

Access modification policies and procedures.

Key Issues

Does the covered entity currently have a documented access control policy?

Is there a process to establish an individual right-to-know and/or need-to-know?

Does the access control policy consider all means of access?

Do procedures define the authorization requirements for various forms of protected

health information, and is special authorization required for more sensitive information

(e.g., psychiatry, infectious diseases, genetic disorders)?

Is access authorization documented and maintained?

Is there a documented process for revoking access?

How does the covered entity authorize, implement, and revoke emergency access?

Category I Guidelines-Actions must be taken to address these

Establish documented policies and procedures to assign, implement, revoke, and modify

access to protected health information.

Category II Guidelines-Actions should be taken to address these

Create a process for determining access needs for individuals and other entities such as

law enforcement and public health.

Grant access on the basis of need-to-know and/or right-to-know.

Page 10

AMC/HIPAA Workgroup

Provide a means to review the effectiveness of access management and control.

Assign responsibility for implementing the policy to specific individuals or organizations

within the covered entity.

Enact a process to modify access, taking into account the types of, and reasons for,

previously established access.

Require implementation of technical means to control information access.

Require execution of a grantor-grantee agreement to honor information security

requirements before access is granted.

Establish a process to ensure that system access is available at appropriate times for

repair and other maintenance purposes.

Establish a documented plan to ensure that all workforce members can demonstrate

knowledge of access control responsibilities and how to obtain access authorization.

Establish a process whereby termination of a workforce member or other entity's need

for data access will trigger timely revocation of access.

Require data owners or stewards to list functions that will require access to data for

which they are responsible.

Roadblocks

Any part of the access control process can be rendered ineffective if those with access do not

respect the process - if the users do not understand their responsibilities and buy in to the

program, it will not work.

Comments

Also see: SEC.19 Access Control

Access control requirements appear throughout the security regulations in a number of different

contexts relating to personnel security requirements, physical safeguards, technical security

services, and technical security mechanisms. Access control is an integral part of almost every

element of information security. Vulnerabilities in this area include

ad hoc

practices and/or

incomplete policies and procedures for authorizing and establishing access to organizational

systems, failure to include smaller departmental systems in access control policies and practices,

and broken processes to address the modification and revocation of user access following job

changes or termination.

Page 11

AMC/HIPAA Workgroup

SEC.06

Internal Audit § .308(a)(6)

HIPAA Requirement

...in-house review of the records of system activity (such as logins, file accesses,

and security incidents) maintained by an organization.

AMC Explanation of HIPAA Regulation

This requirement calls for periodic reviews of a covered entity's internal security controls,

including records of logins, file accesses, and security incidents.

Key Issues

At what level in data structures should audits be maintained? Table? Record? Field?

How will this degrade system performance?

For what data will logs be maintained, and for how long?

Who will review the records? (The log itself may have protected health information in it.)

How much of the review can be done by software?

How often will audits occur?

What logged activity will be considered suspicious?

What actions will be taken in response to suspicious audit information?

Category I Guidelines-Actions must be taken to address these

Maintain, and periodically review, audit trails or activity logs for critical application

systems, including user-written applications.

Category II Guidelines-Actions should be taken to address these

Follow up on suspicious entries such as unauthorized accesses and access attempts.

Identify and resolve inappropriate activity.

Ensure that audit procedures validate the necessity for data input, processing, and output.

Ensure that audit requirements and activities do not disrupt important business processes.

Agree to and control the scope of the checks.

Explicitly identify resources for performing the checks and ensure that they are available.

Identify and agree to requirements for special or additional processing, such as

prospective audits of user activity.

Document all procedures, requirements, and responsibilities.

Consider making logs of access to individuals' health information available to the

subjects of the records via a "patient portal."

Develop an audit process to ensure that users comply with access control procedures.

Roadblocks

Users, in carrying out their respective duties, should never feel threatened by an audit. In most

cases, information systems personnel are checking a system for problem-solving purposes and it

remains transparent to the user. If the user is made aware, it is usually for the purpose of

problem solving or procedure correction.

Page 12

AMC/HIPAA Workgroup

Comments

The logs themselves may contain protected health information and should be appropriately

secure. Additional controls may be required for systems that process or have an impact on

sensitive, valuable, or critical organizational assets. Such controls should be determined on the

basis of security requirements and a formal risk assessment. Audit trails may become evidence

in legal proceedings, so care should be taken to protect their integrity in order to preserve their

usefulness for such purposes. Take the possibility of using audit trails as evidence into account

when deciding how long they should be retained. Prospective audits are onerous and usually

require clinician input to resolve need-to-know issues; they should be performed sparingly and

only with good cause as determined through the risk analysis process.

Audits can be a significant cost consideration and logging records could have an unreasonable

cost impact. A cost/benefit and risk analysis would be in order to determine what systems

should employ logging and how long the records should be stored.

Formal audit log retention standards are prudent. Destruction of log data should not appear to be

an attempt to destroy evidence in the case of legal action.

Also see: SEC.20 Audit Controls.

Page 13

AMC/HIPAA Workgroup

SEC.07

Personnel Security § .308(a)(7)

HIPAA Requirement

...(all personnel who have access to any sensitive information have the required

authorities as well as all appropriate clearances) that includes all of the following

implementation features:

Assuring supervision of maintenance personnel by an authorized, knowledgeable

person. These procedures are documented formal procedures and instructions for

the oversight of maintenance personnel when the personnel are near health

information pertaining to an individual.

Maintaining a record of access authorizations (ongoing documentation and

review of the levels of access granted to a user, program, or procedure accessing

health information).

Assuring that operating and maintenance personnel have proper access

authorization (formal documented policies and procedures for determining the

access level to be granted to individuals working on, or near, health information).

Establishing personnel clearance procedures (a protective measure applied to

determine that an unclassified automated information is admissible).

Establishing and maintaining personnel security policies and procedures (formal,

documentation of procedures to ensure that all personnel who have access to

sensitive information have the required authority as well as appropriate

clearances).

Assuring that system users, including maintenance personnel, receive security

awareness training.

AMC Explanation of HIPAA Regulation

Each covered entity must establish a personnel security clearance process to administratively

determine that persons and computers are trustworthy before giving them access to protected

health information. This process must account for, and document, levels of access granted to

individuals, programs, and procedures. The process must also address persons who fill roles

where incidental access to protected health information may occur, such as system and network

support and maintenance personnel. Supervision of uncleared or unauthorized personnel, such as

support and maintenance personnel, is necessary unless their access to protected health

information can be precluded. Awareness training on these policies and procedures is required

both for those who are cleared for and given access and those who have incidental access.

Key Issues

How closely must maintenance personnel be supervised?

How often should procedures, instructions, and levels of access be reviewed?

How broad, or how specific, should security training be? What should it cover?

How often should security training be repeated for employees? For vendors and other

contracting personnel?

Page 14

AMC/HIPAA Workgroup

Category I Guidelines-Actions must be taken to address these

Establish written personnel clearance procedures for determining the appropriateness of

access to protected health information or systems.

Maintain documentation regarding the levels of access granted to each individual,

program, and procedure.

Review access levels periodically.

Review access levels when the status of the workforce member changes.

Ensure that system users and technical maintenance staff receive security awareness

training.

Ensure that maintenance and vendor personnel are supervised when working on or near

protected health information.

Category II Guidelines-Actions should be taken to address these

Conduct records checks on applicants for employment, including residence, employment,

criminal history, and education, when job requires access to protected health information.

(See Comments.)

Require staff and maintenance/vendor employees to sign non-disclosure statements

before being given access to protected health information.

Roadblocks

Workforce member status changes can be difficult to track in a large covered entity. Consistent

application of personnel access policies may be problematic when protected health information is

shared between institutions.

Comments

The personnel clearance process is an administrative determination of trustworthiness. Human

Resources normally performs this function in AMCs. A nominal records check should ascertain

that an individual is not falsifying identity, previous employment or education, or any

professional certifications. Additionally, any potentially disqualifying criminal activity should

be discovered. Federal criminal records are centralized in the FBI database, but state and local

records are largely unlinked. It is therefore necessary to determine where individuals have

resided in order to check state and local criminal records in disparate jurisdictions. Arrest and

conviction data is public information and available on request.

Page 15

AMC/HIPAA Workgroup

SEC.08

Security Configuration Management § .308(a)(8)

HIPAA Requirement

...(measures, practices, and procedures for the security of information systems

that must be coordinated and integrated with each other and other measures,

practices, and procedures of the organization established in order to create a

coherent system of security) that includes all of the following implementation

features:

(i) Documentation (written security plans, rules, procedures, and instructions

concerning all components of an entity's security).

(ii) Hardware and software installation and maintenance review and testing for

security features (formal, documented procedures for connecting and loading new

equipment and programs, periodic review of the maintenance occurring on that

equipment and programs, and periodic security testing of the security attributes of

that hardware/software).

(iii) Inventory (the formal, documented identification of hardware and software

assets).

(iv) Security testing (process used to determine that the security features of a

system are implemented as designed and that they are adequate for a proposed

applications environment; this process includes hands-on functional testing,

penetration testing, and verification).

(v) Virus checking. (The act of running a computer program that identifies and

disables:

(A) Another "virus" computer program, typically hidden, that attaches itself to

other programs and has the ability to replicate.

(B) A code fragment (not an independent program) that reproduces by attaching

to another program.

(C) A code embedded within a program that causes a copy of itself to be inserted

in one or more other programs.)

AMC Explanation of HIPAA Requirement

A covered entity is required to have written security plans and procedures guiding its security

efforts so as to create a comprehensive security program. The security program must include an

inventory of system assets, formal procedures for installing and testing new systems, a regular

security testing schedule, and virus checking.

Key Issues

How can a covered entity identify all components of its security features?

How should inventory be reviewed and updated-when assets are added and removed or

on a routine schedule?

At what levels should virus scans be run? Servers? Mail hubs?

How often should virus scans be run?

How often should virus detection programs be updated?

How frequently should security testing, such as penetration testing, occur?

Page 16

AMC/HIPAA Workgroup

Category I Guidelines-Actions must be taken to address these

Develop written security plans, procedures, and instructions to cover all areas of the

covered entity's information security needs.

Create and document procedures for installing and maintaining software and hardware

and periodic testing of that software and/or hardware's security attributes.

Develop a written inventory of hardware and software assets and keep the inventory

current.

Conduct security testing to ensure that the covered entity's security features are adequate;

security testing must include a manual or automated process of identifying

vulnerabilities, functional and penetration testing, and verification.

Ensure that virus scans are run on a regular schedule.

Category II Guidelines-Actions should be taken to address these

Establish a team representing diverse perspectives to plan security controls.

Have written procedures to report equipment malfunctions and any remedial actions

taken.

Require departmental systems not managed centrally to comply with the same security

configuration requirements as centrally managed systems.

Employ anti-virus countermeasures at multiple levels, for example on servers, e-mail

hosts, and desktops.

Maintain a separate test environment and test system changes for security integrity there

before moving them to the production systems.

Roadblocks

A single, well-integrated security plan is difficult to establish in an institution with hundreds of

distributed, heterogeneous systems using a wide range of technologies. The plan should be

multi-tiered and well coordinated. Even identifying all departmental systems with patient

information may be difficult in a decentralized AMC.

Comments

AMCs may want to consider coordinating their inventory reviews with accreditation agency

standards and reviews.

Page 17

AMC/HIPAA Workgroup

SEC.09

Security Incident Procedures § .308(a)(9)

HIPAA Requirement

...(formal documented instructions for reporting security breaches) that include

all of the following implementation features:

(i) Report procedures (documented formal mechanism employed to document

security incidents).

(ii) Response procedures (documented formal rules or instructions for actions to

be taken as a result of the receipt of a security incident report).

AMC Explanation of HIPAA Regulation

The covered entity must have written procedures for reporting security breaches to ensure that

security violations are handled promptly and appropriately. These must include:

Procedures for reporting security incidents.

Procedures describing response, i.e. actions to take when a security incident is reported.

Key Issues

What constitutes a security incident?

How should the covered entity define levels of incidents and sanctions for each (e.g.,

accessing protected health information as opposed to sharing protected health

information)?

How can security awareness be kept "hot?"

How can a covered entity determine when access to protected health information is

inappropriate?

Category I Guidelines-Actions must be taken to address these

Implement an incident reporting and response procedure and document it.

Category II Guidelines-Actions should be taken to address these

Tell workforce members when, how, and to whom to report a security incident.

Require workforce members to acknowledge that they have received security incident

training.

Require workforce members to report the incident if they inadvertently access protected

health information they should not have accessed.

Ensure that workforce members know that they should report security violations to a

supervisor, system administrator, security, internal audit, or others as appropriate.

Require workforce members to report instances of noncompliance.

Ensure that the teams of people who are typically involved in responding to a security

incident have a well-understood working arrangement that ensures that the incident is

handled efficiently, expeditiously, and with respect for law and individual rights.

Roadblocks

Communications between different organizational units within an AMC can be poor. Covered

entities should make sure that their IT organizations share information about security incidents

Page 18

AMC/HIPAA Workgroup

with each other in a timely manner, and may need to set up mechanisms to ensure that this

happens.

Determining where potential security breaches may occur is challenging. For instance,

physicians may download medical data onto personal digital assistants. They often purchase

such devices themselves, and Security Management has no way of knowing about the purchase

or whether the physicians are adhering to security standards.

Comments

Also see: PRIV.53 Sanctions.

Page 19

AMC/HIPAA Workgroup

SEC.10

Security Management Process § .308(a)(10)

HIPAA Requirement

...(creation, administration, and oversight of policies to ensure the prevention,

detection, containment, and correction of security breaches involving risk

analysis and risk management). It includes the establishment of accountability,

management controls (policies and education), electronic controls, physical

security, and penalties for the abuse and misuse of its assets (both physical and

electronic) that includes all of the following implementation features:

(i) Risk analysis, a process whereby cost-effective security/control measures may

be selected by balancing the costs of various security/control measures against

the losses that would be expected if these measures were not in place.

(ii) Risk management (process of assessing risk, taking steps to reduce risk to an

acceptable level, and maintaining that level of risk).

(iii) Sanction policies and procedures (statements regarding disciplinary actions

that are communicated to all employees, agents, and contractors; for example,

verbal warning, notice of disciplinary action placed in personnel files, removal of

system privileges, termination of employment, and contract penalties). They must

include employee, agent, and contractor notice of civil or criminal penalties for

misuse or misappropriation of health information and must make employees,

agents, and contractors aware that violations may result in notification to law

enforcement officials and regulatory, accreditation, and licensure organizations.

(iv) Security policy (statement(s) of information values, protection

responsibilities, and organization commitment for a system). This is the

framework within which an entity establishes needed levels of information

security to achieve the desired confidentiality goals.

AMC Explanation of HIPAA Regulation Key Issues

An overall information security management process is necessary to establish policy, provide

oversight, and administer operational aspects of the program. The process must function in a

proactive, risk-appropriate manner and establish the framework for safeguarding protected health

information within the AMC. An over-arching information security policy that commits the

AMC to safeguard protected health information, to establish goals, and to assign responsibility is

necessary. Supporting policy statements and procedures are required to facilitate the prevention,

detection, containment, and correction of security breaches. Specific areas that the security

management process must cover are: risk analysis process, risk management process, sanction

process, and security policy.

Key Issues

What are the covered entity's values with regard to protecting information?

What are the covered entity's security goals?

How does the covered entity's security policy demonstrate commitment to these goals?

How will values, policy, and process be effectively communicated to those covered by

them?

Page 20

AMC/HIPAA Workgroup

What activities can not be managed in a secure way?

Category I Guidelines-Actions must be taken to address these

Establish a management structure that identifies roles and responsibilities for security

oversight and operational aspects.

Establish an overall information security policy that articulates the organization's

priorities and expectations with respect to safeguarding protected health information.

Identify and communicate security responsibilities of workforce member who access or

manage access to protected health information.

Employ risk analysis to identify information assets, threats, and the likelihood and costs

of adverse occurrences.

Manage risk by applying cost-effective security solutions to reduce likelihood and extent

of losses due to adverse occurrences.

Develop a sanctioning process for violators and communicate it to all workforce

members. In addition to institutional corrective action, the policy must include notices of

civil or criminal penalties and notices that violations may result in notification of law

enforcement, and/or regulatory, accreditation, and licensure organizations.

Category II Guidelines-Actions should be taken to address these

Develop and apply a data criticality/sensitivity classification scheme.

Make risk analysis and risk management ongoing.

Consider establishing progressive sanctions, such as verbal warning, written warning,

suspension, and employment termination.

Ensure that the sanction policy provides for swift and strong action when appropriate.

Establish a process to document and evaluate trends in breaches and sanctions in order to

identify potential improvements in security, e.g. changes to policy, procedures, training,

or technical measures.

Require all who have, or may have, access to protected health information to sign

security, confidentiality, and computer usage agreements.

Roadblocks

Developing and implementing consistent policies and procedures for sanctions and security

policy may be hindered by the typical AMC's decentralized structure and culture of autonomy

(academic freedom). At some AMCs, these policies may also have to be coordinated with the

associated university's central administration, especially its legal counsel's office and human

resources department.

Comments

The reader is referred to the following additional references:

Carnegie Mellon University

Software Engineering Institute

Computer Emergency Response Team Coordination Center (Cert/CC)

http://www.cert.org/octave/

Page 21

AMC/HIPAA Workgroup

Information Security Risk Evaluation

CPRI-Toolkit for Managing Information Security in Healthcare

http://www.3com.com/healthcare/securitynet/hipaa/toc.html

Health Information Risk Assessment and Management

Page 22

AMC/HIPAA Workgroup

SEC.11

Termination Procedures § .308(a)(11)

HIPAA Requirement

...(formal documented instructions, which include appropriate security measures,

for the ending of an employee's employment or an internal/external user's access)

that include procedures for all of the following implementation features:

(i) Changing locks (a documented procedure for changing combinations of

locking mechanisms, both on a recurring basis and when personnel

knowledgeable of combinations no longer have a need to know or require access

to the protected facility or system).

(ii) Removal from access lists (physical eradication of an entity's access

privileges).

(iii) Removal of user account(s) (termination or deletion of an individual's access

privileges to the information, services, and resources for which they currently

have clearance, authorization, and need-to-know when such clearance,

authorization and need-to-know no longer exists).

(iv) Turning in of keys, tokens, or cards that allow access (formal, documented

procedure to ensure all physical items that allow a terminated employee to access

a property, building, or equipment are retrieved from that employee, preferably

before termination).

AMC Explanation of HIPAA Regulation

Entities must revoke physical access to controlled areas and remove user accounts when

employees terminate employment or when others, such as contractors and vendors, no longer

require access. Academic medical centers can reduce risk by implementing procedures to ensure

prompt collection of the items that enable access: e.g., identification cards, keys, and physical

tokens, and by changing locks or lock combinations, and by revoking computer accounts.

Although this point is entitled "termination," the text includes provisions for other occasions in

which removal of access rights is called for.

Key Issues

Is access disabled in a timely and consistent manner for terminated users?

Is there timely notification to: human resources, central security administration,

decentralized security administrators, when an employee is terminated?

Is there a way to deal with terminations of individuals who are not employees, e.g.

physicians, contractors, vendors, volunteers? Are there provisions to modify/remove

access when workforce members change roles in ways that imply change in access

privileges?

Category I Guidelines-Actions must be taken to address these

When workforce members either terminate employment or lose clearance, or their

authorization or need-to-know no longer exists, take the following actions:

Recover keys, identification cards, physical tokens, and any other objects that

facilitate physical access to property, buildings, and equipment;

Page 23

AMC/HIPAA Workgroup

Change locks and/or combinations that control physical access to areas and

equipment (this must also be done on a recurring basis);

Revoke user accounts that provide access to information, services, and resources;

Remove them from lists that document authorized access to controlled areas and

information, services, and resources;

Document these processes as formal instructions.

Category II Guidelines-Actions should be taken to address these

Establish a policy and process to promptly report all terminations and ensure that the

revocation process works promptly.

Document explicit maximum time intervals that are permissible for:

Reporting terminations;

Communicating terminations to security administrators;

Disabling access.

Develop and document a process to ensure that, in instances of involuntary termination,

the action is immediately reported to security administrators and that items that enable

access are collected or inactivated immediately.

Consider revoking access prior to employment termination, particularly in instances of

involuntary termination.

Consider conditions in which people put on administrative leave (e.g. pending an

investigation of misuse of access) should have their access privileges altered.

Revise access when roles change.

Disable access privileges for any user account that shows no activity for a pre-determined

period of time (e.g. three months).

Review all suspended accounts for activity or attempted activity and report any such

activity for investigation as a potential breach.

Periodically audit the effectiveness of the process for disabling access in the event of a

termination to ensure that procedures and guidelines are being followed.

Record the completion of inactivation activities.

Perform exit interviews for any termination in which a potential security concern has

been identified.

Maintain a record of any changes made to an individual's access privileges, and retain it

long enough so it is possible to determine the extent of an individual's historic access in

case it is relevant to an investigation.

Roadblocks

AMCs often have a decentralized structure and culture, and thus have many computer systems

with decentralized management. Take into consideration that AMCs often have many sites with

controlled physical access.

Comments

Linkage of HR, Payroll, and IT systems is a major step in resolving this difficult issue.

Education, procedures, and checklists for managers on terminating staff are essential for a

successful termination process.

Page 24

AMC/HIPAA Workgroup

SEC.12

Security Training § .308(a)(12)

HIPAA Requirement

...(education concerning the vulnerabilities of the health information in an

entity's possession and ways to ensure the protection of that information) that

includes all of the following implementation features:

(i) Awareness training for all personnel, including management personnel (in

security awareness, including, but not limited to, password maintenance, incident

reporting, and viruses and other forms of malicious software).

(ii) Periodic security reminders (employees, agents, and contractors are made

aware of security concerns on an ongoing basis).

(iii) User education concerning virus protection (training relative to user

awareness of the potential harm that can be caused by a virus, how to prevent the

introduction of a virus to a computer system, and what to do if a virus is

detected).

(iv) User education in importance of monitoring log-in success or failure and how

to report discrepancies (training in the user's responsibility to ensure the security

of health care information).

(v) User education in password management (type of user training in the rules to

be followed in creating and changing passwords and the need to keep them

confidential).

AMC Explanation of HIPAA Regulation

Security training is necessary for all workforce members who access protected health

information. This training must include overall security awareness, periodic reminders, virus

awareness, password management, and user-specific topics necessary for individual workstation

security.

Key Issues

How will the security training program be updated to reflect changes in the security

environment and security responsibilities of workforce members?

How is the training program tailored to support the various classes of system users and

the level of information sensitivity to which each class of user has access?

Are all system users included in the training program, including those accessing

organizational systems from remote sites?

How is training documented?

How is training effectiveness evaluated?

Does the training content meet all of the HIPAA training requirements?

How often should reminders or refresher courses be provided?

Category I Guidelines-Actions must be taken to address these

Establish a formal, documented security awareness training program for all workforce

members that addresses, at a minimum, the following topics:

Protection against, and reporting of, viruses;

Page 25

AMC/HIPAA Workgroup

Reporting security incidents;

Managing individual passwords.

Establish a formal, documented security awareness program tailored to system users that

addresses, at a minimum:

Virus protection;

Potential harm viruses can cause;

How to prevent the introduction of viruses into a computer system;

What to do if a virus is detected;

The importance of monitoring log-in success or failure;

How to report discrepancies in the log-in process;

Rules for creating and changing passwords;

Safeguarding passwords.

Provide periodic security awareness reminders to all workforce members.

Category II Guidelines-Actions should be taken to address these

Make training role and/or job-specific.

Assign responsibility for security training.

Document the training that has been provided to each individual.

Develop a training program that demonstrates mastery of the material presented.

Evaluate the effectiveness of training.

Roadblocks

Security training is generally not given a high priority in orientation and training for new hires,

so the time available may be inadequate. It is also often difficult to arrange security training for

third-party agents and sub-contractors with access to health information. Without centralized

responsibility for the development of content for the security program, it will be difficult to

ensure consistent training across the AMC.

Comments

Using experts in this field will enhance the content of security training programs. Some AMCs

reduce the costs of security training by weaving training into ongoing training activities.

Consider including a security training curriculum for residents, as well as for medical and

nursing students.

Also see: SEC.18 Security Awareness Training.

The reader is referred to the following additional references:

American Health Information Management Society

https://secure.ahima.org/commerce/

Faxing Safeguards: Guidelines For Transmitting Patient Health Information

Security And Access: Guidelines For Managing Electronic Patient Information

Information Security: HIPAA Sets The Standard Program In A Box

Carnegie Mellon University

Page 26

AMC/HIPAA Workgroup

Software Engineering Institute

Computer Emergency Response Team Coordination Center (Cert/CC)

http://www.cert.org/nav/training.html

Computer Security Institute, Manager's Guide to Computer Security Awareness

http://www.gocsi.com/

CPRI-Toolkit for Managing Information Security in Healthcare

http://www.3com.com/healthcare/securitynet/hipaa/toc.html

CPRI Guide - Information Security Education

Instructor Guide

Slides for Training Program

MIS Training Institute

http://www.misti.com/

National Institutes of Health Web Security Links

http://www.alw.nih.gov/Security/security.html

National Institute of Standards and Technology (NIST)

Computer Security Resource Center

http://csrc.ncsl.nist.gov/