Page 1
AMC/HIPAA Workgroup
9
AMC HIPAA Security Guidelines
Section One: Requirements for Security Administration

SEC.01
Certification § .308(a)(1)
HIPAA Requirement
...(The technical evaluation performed as part of, and in support of, the
accreditation process that establishes the extent to which a particular computer
system or network design and implementation meet a pre-specified set of security
requirements. This evaluation may be performed internally or by an external
accrediting agency.)
AMC Explanation of HIPAA Regulation
Certification is the process of determining whether technical security controls are implemented
and comply with specified criteria. Each covered entity is required to establish a certification
process that demonstrates and documents that its computer systems and networks meet these
criteria. Either internal staff or external persons may perform certifications. The process should
consider risks identified in the risk assessment process.
Key Issues
What systems and services require certification?
How often should certification occur?
Who or what organization is the certifying authority? Is it internal or external? How will
the certifying authority be selected?
Do reference documents exist to describe the covered entity's secure configuration of
network components, servers, databases, and applications?
Is there a periodic comparison of the actual configuration against the reference
documents to confirm compliance or reveal non-compliance? If there are differences, is
there a process for correction?
Do routine testing, auditing, and change management procedures support the certification
process?
What is the relationship between auditors and certifiers?
With what frequency or upon what event(s) should certification be done?
Category I Guidelines-Actions must be taken to address these
Implement a certification process to determine the extent to which systems and networks
meet established security criteria.
Category II Guidelines-Actions should be taken to address these
Document the network configuration.
Ensure that individuals performing certifications are knowledgeable about security
requirements and best practices.
Ensure that conflicts of interest do not exist in the certification process, specifically that
certifiers are not responsible for the system or network's administration or maintenance.
Perform certification a minimum of once every three years due to the changing nature of
computer systems and accelerating rate of change of IT-related security risks.

Prepare a formal "Certification and Accreditation Report" upon the completion of
certification and forward it, along with any recommendations on accreditation, to the
accrediting official.
Maintain records and reports of certification and accreditation activities for the last two
certification efforts to provide for an adequate history of certification information and an
audit trail of certification.
Establish routine testing, auditing, and change management procedures to support the
certification process.
Consider certification for system changes prior to placing such systems into production.
Consider a phased approach to certification in order to encourage continuity of the
process.
Consider linking the certification process to JCAHO Information Management
requirements.
Consider requiring formal security credentials for those conducting the certification
process.
Roadblocks
In complex institutions, it may be difficult to establish the necessary credibility and authority for
the certifier.
Comments
Although the evaluation of the program or one of its parts may be done by outside entities, the
certification is a statement by senior management of the institution. State law on record-keeping
may mandate additional retention requirements. Covered entities should be prepared to budget
for remedial action as necessary if deficiencies are discovered during the certification process.

SEC.02
Chain of Trust Partner Agreement § .308(a)(2)
HIPAA Requirement
A chain of trust partner agreement (a contract entered into by two business
partners in which the partners agree to electronically exchange data and protect
the integrity and confidentiality of the data exchanged).
AMC Explanation of HIPAA Regulation
A Chain of Trust Agreement is required between two business partners whenever data is
electronically exchanged. The Agreement requires that the sender and the receiver of the
protected health information work with each other to maintain the information's integrity and
confidentiality. Such contracts provide a legal basis for maintaining consistent levels of data
integrity and confidentiality.
Key Issues
With which persons or organizations is the health care provider, health plan, or health
care clearinghouse required to execute a Chain of Trust Agreement (COT)?
Is there a documented process for identifying all partners with which a COT is required?
Does the COT identify a process or processes to ensure the integrity and confidentiality
of the data transmitted?
How will security responsibilities and accountabilities be determined, drafted, and
monitored?
Does more than one unit have the authority to contract with a business partner?
Is there a process in place to assure that all AMC contracts have the required and
appropriate language?
Is there a process that will identify the data rights of the trading partners and incorporate
such rights in the COT language?
Does the agreement identify appropriate sanctions for failure to abide by its terms?
Is the duration of the agreement appropriate?
Is there a process in place to assure that all AMC contracting officers are aware of the
need for, and know the requisites of, an effective COT?
What organizational unit will be responsible for managing the COT policy
implementation?
Does the COT propagate with any further transfers of information between partners and
their other partners?
Does the COT survive other agreements with the partner?
How do COTs relate to the business associate contractual terms in the Privacy rule?
Category I Guidelines-Actions must be taken to address these
Develop a Chain of Trust Agreement with each party with which protected health
information is shared, including language that states that:
The parties agree to electronically exchange data and protect the transmitted data; and
Each party will maintain the integrity and confidentiality of the transmitted
information.

Develop a plan to update all current agreements to ensure that the terms and conditions
do not contain any provisions, including data content and format definitions, that conflict
with the standards outlined in the security regulations.
Develop a plan to ensure that all future agreements have appropriate provisions.
Category II Guidelines-Actions should be taken to address these
Engage legal counsel to develop and review contract language for the COT.
Establish monitors to ensure compliance by all parties subject to the agreement.
Train all contracting officials about the nature and intent of the COT.
Devise and promulgate a COT template for all Contracting Officers to use.
Establish a process to determine when/how to activate the sanctions for nonperformance
with regard to COT.
Periodically review all current partnerships for COT need.
Develop process to review partners' COTs for adequacy and fairness.
Roadblocks
It will likely be difficult to get approval for COTs which are inconsistent between partners, or
which are perceived as unbalanced in responsibility. Contracts are frequently negotiated and
approved by various departments within the University or AMC. Each area within the
University and AMC must be trained as to when and with whom this required language should
be used.
Comments
Since the originator of information bears the responsibility for improper disclosure or other
security failures regarding that information, a COT is the only protection most providers will
have once information is turned over to their partners in healthcare provision.
As part of a compliance program, business associates should warrant, and the AMC department
responsible for negotiating and signing the Agreement should verify, that the trading partner is
not excluded from participation in any government program. Contracts should also include a
statement that the trading partner warrants that any subcontractors or agents are not excluded
from participation in any government program.
The Chain of Trust Agreement in the Supplement contains language that can be used to satisfy
both the proposed security regulation (discussed in this point) and the final privacy regulation
(discussed in PRIV.03).

SEC.03
Contingency Planning § .308(a)(3)
HIPAA Requirement
...a routinely updated plan for responding to a system emergency, that includes
performing backups, preparing critical facilities that can be used to facilitate
continuity of operations in the event of an emergency, and recovering from a
disaster. The plan must include all of the following implementation features:
(i) An applications and data criticality analysis (an entity's formal assessment of
the sensitivity, vulnerabilities, and security of its programs and information it
receives, manipulates, stores, and/or transmits).
(ii) Data backup plan (a documented and routinely updated plan to create and
maintain, for a specific period of time, retrievable exact copies of information).
(iii) A disaster recovery plan (the part of an overall contingency plan that
contains a process enabling an enterprise to restore any loss of data in the event
of fire, vandalism, natural disaster, or system failure).
(iv) Emergency mode operation plan (the part of an overall contingency plan that
contains a process enabling an enterprise to continue to operate in the event of
fire, vandalism, natural disaster, or system failure).
(v) Testing and revision procedures (the documented process of periodic testing
of written contingency plans to discover weaknesses and the subsequent process
of revising the documentation, if necessary).
AMC Explanation of HIPAA Regulation
Each covered entity is required to maintain a contingency plan for responding to system
emergencies involving systems that contain protected health information. The covered entity is
required to perform periodic backups of data, have critical facilities for continuing operations in
the event of an emergency, and have disaster recovery procedures in place for such systems.
Systems that do not involve protected health information are not required to have contingency
plans.
Key Issues
What will be needed to recreate each data element in the event of an emergency? Has an
assessment been performed?
What is the appropriate frequency and depth of backups?
Where should backup data be located?
How easy is restoration of backup data?
How timely would such a restoration be?
How is security of data assured at the backup location?
What is the mechanism for testing the plans and procedures?
How long will backups be retained?
How is overall integrity of data assured?
How often will various levels or types of tests be performed?

Category I Guidelines-Actions must be taken to address these
Assess all systems with protected health information for reasonably anticipated risks,
focusing on the potential impact of the lack of availability of specific applications and
data on the secure operation of the covered entity.
Prepare a data backup plan that details how data will be maintained and duplicated in
order to prevent its loss during a natural or man-made disaster.
Prepare a disaster recovery plan that details how data and operations would be restored in
a timely fashion following a catastrophic event or unanticipated interruption of
operations.
Prepare a plan to use for emergency operations following a catastrophic event until
normal operations can be restored.
Test these procedures periodically and revise them accordingly to address any
weaknesses discovered during testing.
Category II Guidelines-Actions should be considered to address these
Develop a data storage plan that ensures that the medium and location of backup storage
are secure from physical damage and that backup storage is separated in some way from
the main site.
Dispose of information in a manner that maintains its security. Shred paper and wipe
magnetic or optical media.
Make backups at regular intervals.
Develop a procedure covering the scope (full, incremental, and differential) of backups.
Provide adequate facilities to support recovery operations.
Test contingency and disaster recovery plans regularly, specifically including restoration
of data.
Protect backup information at the same level as the original data.
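The following is an added illustration of the SEC.03 guidelines above (a documented backup scope of full and incremental copies, a restore from the backup chain, and a test that the restored data is intact); it is not part of the AMC guidelines or of any AMC system. File names, contents and the damaged copy are constructed in-memory byte strings rather than a real file system, so it runs offline.

```python
"""Backup manifests with full and incremental scope, plus a restoration test.

Added illustration (not part of the AMC guidelines) of the SEC.03 points above:
a documented backup scope, a disaster-recovery restore from the backup chain,
and a test that the restore yields intact data. File contents are constructed
in-memory byte strings rather than a real file system, so it runs offline.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_full_backup(files: dict) -> dict:
    """Copy every file and record a SHA-256 digest per file in the manifest."""
    copies = {name: bytes(content) for name, content in files.items()}
    manifest = {name: sha256_hex(c) for name, c in copies.items()}
    return {"scope": "full", "copies": copies, "deleted": [], "manifest": manifest}


def make_incremental_backup(files: dict, previous_manifest: dict) -> dict:
    """Copy only files that are new or changed since the previous manifest and
    record deletions, so a restore reproduces the exact state at backup time."""
    copies = {name: bytes(content) for name, content in files.items()
              if previous_manifest.get(name) != sha256_hex(content)}
    deleted = sorted(set(previous_manifest) - set(files))
    manifest = {n: d for n, d in previous_manifest.items() if n not in deleted}
    manifest.update({n: sha256_hex(c) for n, c in copies.items()})
    return {"scope": "incremental", "copies": copies, "deleted": deleted,
            "manifest": manifest}


def restore(full_backup: dict, incrementals: list) -> dict:
    """Rebuild the file set from a full backup plus its chain of incrementals."""
    state = dict(full_backup["copies"])
    for inc in incrementals:
        state.update(inc["copies"])
        for name in inc["deleted"]:
            state.pop(name, None)
    return state


def verify_restore(restored: dict, expected_manifest: dict) -> list:
    """Restoration test: list every discrepancy between restored data and the
    manifest it should match. An empty list means the restore is intact."""
    problems = []
    for name, digest in expected_manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif sha256_hex(restored[name]) != digest:
            problems.append(f"corrupt: {name}")
    problems.extend(f"unexpected: {n}" for n in restored if n not in expected_manifest)
    return problems


def run_restoration_test() -> dict:
    """Worked scenario on constructed data: a full backup, two daily incrementals,
    a clean restore, then a restore from a backup copy damaged in storage."""
    day0 = {"patients.db": b"record-set-v1", "config.ini": b"retention=6y"}
    full = make_full_backup(day0)
    day1 = {"patients.db": b"record-set-v2", "config.ini": b"retention=6y",
            "audit.log": b"login ok"}
    inc1 = make_incremental_backup(day1, full["manifest"])
    day2 = {"patients.db": b"record-set-v3", "audit.log": b"login ok"}  # config.ini removed
    inc2 = make_incremental_backup(day2, inc1["manifest"])
    clean = verify_restore(restore(full, [inc1, inc2]), inc2["manifest"])
    # Simulate media damage: the day-1 copy of audit.log is altered in storage.
    damaged_inc1 = {**inc1, "copies": {**inc1["copies"], "audit.log": b"login XX"}}
    damaged = verify_restore(restore(full, [damaged_inc1, inc2]), inc2["manifest"])
    return {"incremental_1_files": sorted(inc1["copies"]),
            "incremental_2_deleted": inc2["deleted"],
            "clean_restore_problems": clean,
            "damaged_restore_problems": damaged}


if __name__ == "__main__":
    for key, value in run_restoration_test().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last result: a backup that was written correctly but later damaged on the storage medium is only discovered by actually restoring and checking against the manifest, which is why the guideline asks for tests that specifically include restoration of data rather than only a check that the backup job completed.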
Roadblocks
Identifying and testing critical components may be more realistic and cost effective than testing
plans sufficiently often to ensure that they are viable.
Formal disaster recovery/contingency plans usually occur at the level of central IT within an
AMC. The distributed nature of support and systems within an AMC may serve as a roadblock
to ensuring consistent planning.
Comments
The security regulations (unlike the privacy regulations) supersede conflicting state laws. Non-conflicting state laws, however, still apply and may affect various aspects of this plan.
Also see: AMC.09 Stricter State Law, SEC.14 Media Controls

SEC.04
Formal Mechanism for Processing Records § .308(a)(4)
HIPAA Requirement
Formal mechanism for processing record (documented policies and procedures
for the routine and non-routine receipt, manipulation, storage, dissemination,
transmission, and/or disposal of health information).
AMC Explanation of HIPAA Regulation
Covered entities are required to maintain documented policies and procedures for the routine and
non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of
protected health information.
Key Issues
Do clear lines of authority and responsibilities exist that fit the structure and function of
entities (Hospital, Departments, Sections)?
Are there provisions for evaluating and improving policies and procedures at all levels?
Category I Guidelines-Actions must be taken to address these
Develop and document processes to govern the creation of protected health information.
Establish policies and procedures on storage of data, including administrative policies
governing the length of time that various types of data are to be stored and policies for the
archiving and destruction of data.
Establish policies for data dissemination within and external to the covered entity. (See
Comments.)
Develop policies for secure disposal of protected health information, including
information contained on media and systems that are replaced.
Category II Guidelines-Actions should be taken to address these
Protect records to a degree commensurate with the risk associated with them.
Consider standardizing record management policies across the enterprise.
Roadblocks
The presence of already existing unofficial systems may act as a barrier to change, as these will
need to be brought under the umbrella of protection. If staff do not accept needed changes, then
implementation may be delayed.
Redundancy of records in multiple systems presents a challenge, with updates in one system not
always filing or updating correctly in other systems downstream.
Comments
Policies external to the covered entity may be problematic in terms of generality or specificity.
Standards, such as message types (HL7, XML, etc.) may help in this regard.

SEC.05
Information Access and Control § .308(a)(5)
HIPAA Requirement
...(formal, documented policies and procedures for granting different levels of
access to health care information) that includes all of the following
implementation features:
(i) Access authorization (information-use policies and procedures that establish
the rules for granting access, for example, to a terminal, transaction, program,
process, or some other user.)
(ii) Access establishment (security policies and rules that determine an entity's
initial right of access to a terminal, transaction, program, process or some other
user).
(iii) Access modification (security policies and rules that determine the types of,
and reasons for, modification to an entity's established right of access, to a
terminal, transaction, program, process, or some other user.)
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish and maintain formal, documented policies and
procedures for granting different levels of access to protected health information. These policies
and procedures must, at a minimum, include:
Access authorization policies and procedures;
Access establishment policies and procedures; and
Access modification policies and procedures.
Key Issues
Does the covered entity currently have a documented access control policy?
Is there a process to establish an individual right-to-know and/or need-to-know?
Does the access control policy consider all means of access?
Do procedures define the authorization requirements for various forms of protected
health information, and is special authorization required for more sensitive information
(e.g., psychiatry, infectious diseases, genetic disorders)?
Is access authorization documented and maintained?
Is there a documented process for revoking access?
How does the covered entity authorize, implement, and revoke emergency access?
Category I Guidelines-Actions must be taken to address these
Establish documented policies and procedures to assign, implement, revoke, and modify
access to protected health information.
Category II Guidelines-Actions should be taken to address these
Create a process for determining access needs for individuals and other entities such as
law enforcement and public health.
Grant access on the basis of need-to-know and/or right-to-know.

Provide a means to review the effectiveness of access management and control.
Assign responsibility for implementing the policy to specific individuals or organizations
within the covered entity.
Enact a process to modify access, taking into account the types of, and reasons for,
previously established access.
Require implementation of technical means to control information access.
Require execution of a grantor-grantee agreement to honor information security
requirements before access is granted.
Establish a process to ensure that system access is available at appropriate times for
repair and other maintenance purposes.
Establish a documented plan to ensure that all workforce members can demonstrate
knowledge of access control responsibilities and how to obtain access authorization.
Establish a process whereby termination of a workforce member or other entity's need
for data access will trigger timely revocation of access.
Require data owners or stewards to list functions that will require access to data for
which they are responsible.
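As an added illustration of the SEC.05 guidelines above (documented authorization, modification and revocation of access; a status change that triggers timely revocation; periodic review of standing access), the following model is not the AMC's or any vendor's system. Users, resources, roles and dates are constructed; the need-to-know check is reduced to a documented justification and a prohibition on self-authorization, which a real policy would elaborate.

```python
"""Access authorization, modification and revocation with a documented trail.

Added illustration of the SEC.05 guidelines (not part of the AMC guidelines):
every grant, change and revocation is recorded, termination revokes all access
the same day, and a review query lists grants older than the review interval.
All names, roles and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Grant:
    user: str
    resource: str
    level: str            # e.g. "read" or "read-write"
    justification: str    # the documented need-to-know / right-to-know basis
    grantor: str
    granted_on: date
    active: bool = True


class AccessRegistry:
    def __init__(self, today: date):
        self.today = today
        self.grants: dict = {}   # (user, resource) -> Grant
        self.trail: list = []    # append-only record of every access decision

    def _log(self, action, user, resource, actor, detail=""):
        self.trail.append((self.today.isoformat(), action, user, resource, actor, detail))

    def authorize(self, user, resource, level, justification, grantor) -> bool:
        """Access authorization: refuse a grant with no documented need-to-know,
        and refuse self-authorization (grantor must differ from grantee)."""
        if not justification.strip() or grantor == user:
            self._log("denied", user, resource, grantor, "missing justification or self-grant")
            return False
        self.grants[(user, resource)] = Grant(user, resource, level, justification,
                                              grantor, self.today)
        self._log("granted", user, resource, grantor, f"{level}: {justification}")
        return True

    def modify(self, user, resource, new_level, reason, actor) -> bool:
        """Access modification: change the level of an existing active grant only,
        recording the type of and reason for the change."""
        g = self.grants.get((user, resource))
        if g is None or not g.active:
            self._log("modify-refused", user, resource, actor, "no active grant")
            return False
        self._log("modified", user, resource, actor, f"{g.level} -> {new_level}: {reason}")
        g.level = new_level
        return True

    def revoke(self, user, resource, actor, reason) -> bool:
        g = self.grants.get((user, resource))
        if g is None or not g.active:
            return False
        g.active = False
        self._log("revoked", user, resource, actor, reason)
        return True

    def on_termination(self, user, actor) -> int:
        """Workforce status change: revoke every active grant held by the user."""
        return sum(1 for (u, r), g in self.grants.items()
                   if u == user and g.active and self.revoke(u, r, actor, "termination"))

    def active_access(self, user) -> list:
        return sorted(r for (u, r), g in self.grants.items() if u == user and g.active)

    def due_for_review(self, max_age_days: int) -> list:
        """Periodic review: active grants older than the review interval."""
        cutoff = self.today - timedelta(days=max_age_days)
        return sorted((g.user, g.resource) for g in self.grants.values()
                      if g.active and g.granted_on <= cutoff)


def demo() -> dict:
    reg = AccessRegistry(today=date(2003, 1, 6))  # constructed dates
    reg.authorize("nurse01", "ward-census", "read", "staff nurse, Ward 3", grantor="ward-mgr")
    self_grant = reg.authorize("nurse01", "psych-notes", "read", "curious", grantor="nurse01")
    reg.authorize("resident07", "psych-notes", "read", "approved psychiatry rotation",
                  grantor="psych-chief")
    reg.modify("nurse01", "ward-census", "read-write", "charge nurse duties", actor="ward-mgr")
    reg.today = date(2003, 7, 1)
    revoked = reg.on_termination("resident07", actor="hr")
    return {"self_grant_allowed": self_grant,
            "revoked_on_termination": revoked,
            "resident_access": reg.active_access("resident07"),
            "nurse_access": reg.active_access("nurse01"),
            "due_for_review": reg.due_for_review(90),
            "trail_actions": [t[1] for t in reg.trail]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trail is what the "record of access authorizations" in SEC.07 and the internal audit in SEC.06 would consult: every decision, including the refused self-grant, is written with date, actor and reason, so a reviewer can reconstruct who approved which access and why.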
Roadblocks
Any part of the access control process can be rendered ineffective if those with access do not
respect the process; if the users do not understand their responsibilities and buy into the
program, it will not work.
Comments
Also see: SEC.19 Access Control
Access control requirements appear throughout the security regulations in a number of different
contexts relating to personnel security requirements, physical safeguards, technical security
services, and technical security mechanisms. Access control is an integral part of almost every
element of information security. Vulnerabilities in this area include ad hoc practices and/or
incomplete policies and procedures for authorizing and establishing access to organizational
systems, failure to include smaller departmental systems in access control policies and practices,
and broken processes to address the modification and revocation of user access following job
changes or termination.

SEC.06
Internal Audit § .308(a)(6)
HIPAA Requirement
...in-house review of the records of system activity (such as logins, file accesses,
and security incidents) maintained by an organization.
AMC Explanation of HIPAA Regulation
This requirement calls for periodic reviews of a covered entity's internal security controls,
including records of logins, file accesses, and security incidents.
Key Issues
At what level in data structures should audits be maintained? Table? Record? Field?
How will this degrade system performance?
For what data will logs be maintained, and for how long?
Who will review the records? (The log itself may have protected health information in it.)
How much of the review can be done by software?
How often will audits occur?
What logged activity will be considered suspicious?
What actions will be taken in response to suspicious audit information?
Category I Guidelines-Actions must be taken to address these
Maintain, and periodically review, audit trails or activity logs for critical application
systems, including user-written applications.
Category II Guidelines-Actions should be taken to address these
Follow up on suspicious entries such as unauthorized accesses and access attempts.
Identify and resolve inappropriate activity.
Ensure that audit procedures validate the necessity for data input, processing, and output.
Ensure that audit requirements and activities do not disrupt important business processes.
Agree to and control the scope of the checks.
Explicitly identify resources for performing the checks and ensure that they are available.
Identify and agree to requirements for special or additional processing, such as
prospective audits of user activity.
Document all procedures, requirements, and responsibilities.
Consider making logs of access to individuals' health information available to the
subjects of the records via a "patient portal."
Develop an audit process to ensure that users comply with access control procedures.
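The following is an added illustration of the SEC.06 guidance above (periodic review of activity logs, follow-up on unauthorized accesses and access attempts, the point that the log itself may carry protected health information, and the need to protect the log's integrity for evidentiary use); it is not part of the AMC guidelines. The log line format, the departments and the medical record numbers are constructed for this example; a real system's log layout will differ and the parser would be adapted to it.

```python
"""Review of an access log for suspicious entries, with PHI redacted in the report.

Added illustration of the SEC.06 guidance (not part of the AMC guidelines):
flags repeated denied attempts, access to records of another department, and
after-hours access; replaces record numbers with a keyed digest in the findings;
and computes a chained digest so the reviewed lines can later be shown to be
the lines retained. Log lines and their key=value layout are constructed.
"""
import hashlib
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) action=(?P<action>\S+) "
    r"mrn=(?P<mrn>\S+) rec_dept=(?P<rec_dept>\S+) result=(?P<result>\S+)$")

# Constructed sample: one day's excerpt from a hypothetical record-access log.
SAMPLE_LOG = [
    "2003-03-04T09:12:00 user=nurse01 dept=ward3 action=view mrn=MRN1001 rec_dept=ward3 result=ok",
    "2003-03-04T09:15:00 user=nurse01 dept=ward3 action=view mrn=MRN1002 rec_dept=ward3 result=ok",
    "2003-03-04T22:40:00 user=clerk09 dept=billing action=view mrn=MRN1003 rec_dept=psych result=ok",
    "2003-03-04T10:01:00 user=temp22 dept=ward5 action=view mrn=MRN1004 rec_dept=ward3 result=denied",
    "2003-03-04T10:01:30 user=temp22 dept=ward5 action=view mrn=MRN1005 rec_dept=ward3 result=denied",
    "2003-03-04T10:02:00 user=temp22 dept=ward5 action=view mrn=MRN1006 rec_dept=ward3 result=denied",
    "malformed line that must be counted, not silently dropped",
]


def parse_line(line: str):
    """Return a dict of fields, or None for a line the parser does not recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def pseudonym(mrn: str, salt: bytes) -> str:
    """Replace the record number with a keyed digest: reviewers without a need to
    know see a stable token, and the record can still be looked up by those who do."""
    return hashlib.sha256(salt + mrn.encode()).hexdigest()[:12]


def review(lines, denied_threshold=3, work_hours=(7, 19), salt=b"constructed-salt") -> dict:
    """Apply the three review rules and return findings for follow-up."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    findings = []
    denied = Counter(e["user"] for e in events if e["result"] == "denied")
    for user, count in denied.items():
        if count >= denied_threshold:           # repeated access attempts
            findings.append(("repeated-denials", user, count))
    for e in events:
        if e["result"] != "ok":
            continue
        tag = pseudonym(e["mrn"], salt)
        if e["dept"] != e["rec_dept"]:          # outside the user's own department
            findings.append(("cross-department-access", e["user"], tag))
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append(("after-hours-access", e["user"], tag))
    return {"events_parsed": len(events), "unparsed": len(lines) - len(events),
            "findings": findings}


def chained_digest(lines) -> str:
    """Digest over the lines in order; recording it with the review lets a later
    comparison show whether the retained log is the one that was reviewed."""
    h = b""
    for ln in lines:
        h = hashlib.sha256(h + ln.encode()).digest()
    return h.hex()


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"parsed {report['events_parsed']}, unparsed {report['unparsed']}")
    for finding in report["findings"]:
        print(finding)
    print("log digest:", chained_digest(SAMPLE_LOG))
```

A finding is a prompt for follow-up, not a conclusion: the after-hours access by a billing clerk to a psychiatry record may have an explanation, which is exactly the kind of need-to-know question the Comments below say usually requires clinician input. The unparsed count matters as well, since a review that silently discards lines it cannot read would miss precisely the entries an attacker or a misconfigured system produces.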
Roadblocks
Users, in carrying out their respective duties, should never feel threatened by an audit. In most
cases, information systems personnel are checking a system for problem-solving purposes and it
remains transparent to the user. If the user is made aware, it is usually for the purpose of
problem solving or procedure correction.

Comments
The logs themselves may contain protected health information and should be appropriately
secure. Additional controls may be required for systems that process or have an impact on
sensitive, valuable, or critical organizational assets. Such controls should be determined on the
basis of security requirements and a formal risk assessment. Audit trails may become evidence
in legal proceedings, so care should be taken to protect their integrity in order to preserve their
usefulness for such purposes. Take the possibility of using audit trails as evidence into account
when deciding how long they should be retained. Prospective audits are onerous and usually
require clinician input to resolve need-to-know issues; they should be performed sparingly and
only with good cause as determined through the risk analysis process.
Audits can be a significant cost consideration and logging records could have an unreasonable
cost impact. A cost/benefit and risk analysis would be in order to determine what systems
should employ logging and how long the records should be stored.
Formal audit log retention standards are prudent. Destruction of log data should not appear to be
an attempt to destroy evidence in the case of legal action.
Also see: SEC.20 Audit Controls.

SEC.07
Personnel Security § .308(a)(7)
HIPAA Requirement
...(all personnel who have access to any sensitive information have the required
authorities as well as all appropriate clearances) that includes all of the following
implementation features:
Assuring supervision of maintenance personnel by an authorized, knowledgeable
person. These procedures are documented formal procedures and instructions for
the oversight of maintenance personnel when the personnel are near health
information pertaining to an individual.
Maintaining a record of access authorizations (ongoing documentation and
review of the levels of access granted to a user, program, or procedure accessing
health information).
Assuring that operating and maintenance personnel have proper access
authorization (formal documented policies and procedures for determining the
access level to be granted to individuals working on, or near, health information).
Establishing personnel clearance procedures (a protective measure applied to
determine that an unclassified automated information is admissible).
Establishing and maintaining personnel security policies and procedures (formal,
documentation of procedures to ensure that all personnel who have access to
sensitive information have the required authority as well as appropriate
clearances).
Assuring that system users, including maintenance personnel, receive security
awareness training.
AMC Explanation of HIPAA Regulation
Each covered entity must establish a personnel security clearance process to administratively
determine that persons and computers are trustworthy before giving them access to protected
health information. This process must account for, and document, levels of access granted to
individuals, programs, and procedures. The process must also address persons who fill roles
where incidental access to protected health information may occur, such as system and network
support and maintenance personnel. Supervision of uncleared or unauthorized personnel, such as
support and maintenance personnel, is necessary unless their access to protected health
information can be precluded. Awareness training on these policies and procedures is required
both for those who are cleared for and given access and those who have incidental access.
Key Issues
How closely must maintenance personnel be supervised?
How often should procedures, instructions, and levels of access be reviewed?
How broad, or how specific, should security training be? What should it cover?
How often should security training be repeated for employees? For vendors and other
contracting personnel?

Category I Guidelines-Actions must be taken to address these
Establish written personnel clearance procedures for determining the appropriateness of
access to protected health information or systems.
Maintain documentation regarding the levels of access granted to each individual,
program, and procedure.
Review access levels periodically.
Review access levels when the status of the workforce member changes.
Ensure that system users and technical maintenance staff receive security awareness
training.
Ensure that maintenance and vendor personnel are supervised when working on or near
protected health information.
Category II Guidelines-Actions should be taken to address these
Conduct records checks on applicants for employment, including residence, employment,
criminal history, and education, when job requires access to protected health information.
(See Comments.)
Require staff and maintenance/vendor employees to sign non-disclosure statements
before being given access to protected health information.
Roadblocks
Workforce member status changes can be difficult to track in a large covered entity. Consistent
application of personnel access policies may be problematic when protected health information is
shared between institutions.
Comments
The personnel clearance process is an administrative determination of trustworthiness. Human
Resources normally performs this function in AMCs. A nominal records check should ascertain
that an individual is not falsifying identity, previous employment or education, or any
professional certifications. Additionally, any potentially disqualifying criminal activity should
be discovered. Federal criminal records are centralized in the FBI database, but state and local
records are largely unlinked. It is therefore necessary to determine where individuals have
resided in order to check state and local criminal records in disparate jurisdictions. Arrest and
conviction data is public information and available on request.

SEC.08
Security Configuration Management § .308(a)(8)
HIPAA Requirement
...(measures, practices, and procedures for the security of information systems
that must be coordinated and integrated with each other and other measures,
practices, and procedures of the organization established in order to create a
coherent system of security) that includes all of the following implementation
features:
(i) Documentation (written security plans, rules, procedures, and instructions
concerning all components of an entity's security).
(ii) Hardware and software installation and maintenance review and testing for
security features (formal, documented procedures for connecting and loading new
equipment and programs, periodic review of the maintenance occurring on that
equipment and programs, and periodic security testing of the security attributes of
that hardware/software).
(iii) Inventory (the formal, documented identification of hardware and software
assets).
(iv) Security testing (process used to determine that the security features of a
system are implemented as designed and that they are adequate for a proposed
applications environment; this process includes hands-on functional testing,
penetration testing, and verification).
(v) Virus checking. (The act of running a computer program that identifies and
disables:
(A) Another "virus" computer program, typically hidden, that attaches itself to
other programs and has the ability to replicate.
(B) A code fragment (not an independent program) that reproduces by attaching
to another program.
(C) A code embedded within a program that causes a copy of itself to be inserted
in one or more other programs.)
AMC Explanation of HIPAA Regulation
A covered entity is required to have written security plans and procedures guiding its security
efforts so as to create a comprehensive security program. The security program must include an
inventory of system assets, formal procedures for installing and testing new systems, a regular
security testing schedule, and virus checking.
Key Issues
How can a covered entity identify all components of its security features?
How should inventory be reviewed and updated: when assets are added and removed, or
on a routine schedule?
At what levels should virus scans be run? Servers? Mail hubs?
How often should virus scans be run?
How often should virus detection programs be updated?
How frequently should security testing, such as penetration testing, occur?

Category I Guidelines-Actions must be taken to address these
Develop written security plans, procedures, and instructions to cover all areas of the
covered entity's information security needs.
Create and document procedures for installing and maintaining software and hardware
and periodic testing of that software and/or hardware's security attributes.
Develop a written inventory of hardware and software assets and keep the inventory
current.
Conduct security testing to ensure that the covered entity's security features are adequate;
security testing must include a manual or automated process of identifying
vulnerabilities, functional and penetration testing, and verification.
Ensure that virus scans are run on a regular schedule.
Category II Guidelines-Actions should be taken to address these
Establish a team representing diverse perspectives to plan security controls.
Have written procedures to report equipment malfunctions and any remedial actions
taken.
Require departmental systems not managed centrally to comply with the same security
configuration requirements as centrally managed systems.
Employ anti-virus countermeasures at multiple levels, for example on servers, e-mail
hosts, and desktops.
Maintain a separate test environment and test system changes for security integrity there
before moving them to the production systems.
Roadblocks
A single, well-integrated security plan is difficult to establish in an institution with hundreds of
distributed, heterogeneous systems using a wide range of technologies. The plan should be
multi-tiered and well coordinated. Even identifying all departmental systems with patient
information may be difficult in a decentralized AMC.
Comments
AMCs may want to consider coordinating their inventory reviews with accreditation agency
standards and reviews.

SEC.09
Security Incident Procedures § .308(a)(9)
HIPAA Requirement
...(formal documented instructions for reporting security breaches) that include
all of the following implementation features:
(i) Report procedures (documented formal mechanism employed to document
security incidents).
(ii) Response procedures (documented formal rules or instructions for actions to
be taken as a result of the receipt of a security incident report).
AMC Explanation of HIPAA Regulation
The covered entity must have written procedures for reporting security breaches to ensure that
security violations are handled promptly and appropriately. These must include:
Procedures for reporting security incidents.
Procedures describing response, i.e. actions to take when a security incident is reported.
Key Issues
What constitutes a security incident?
How should the covered entity define levels of incidents and sanctions for each (e.g.,
accessing protected health information as opposed to sharing protected health
information)?
How can security awareness be kept "hot"?
How can a covered entity determine when access to protected health information is
inappropriate?
Category I Guidelines-Actions must be taken to address these
Implement an incident reporting and response procedure and document it.
Category II Guidelines-Actions should be taken to address these
Tell workforce members when, how, and to whom to report a security incident.
Require workforce members to acknowledge that they have received security incident
training.
Require workforce members to report the incident if they inadvertently access protected
health information they should not have accessed.
Ensure that workforce members know that they should report security violations to a
supervisor, system administrator, security, internal audit, or others as appropriate.
Require workforce members to report instances of noncompliance.
Ensure that the teams of people who are typically involved in responding to a security
incident have a well-understood working arrangement that ensures that the incident is
handled efficiently, expeditiously, and with respect for law and individual rights.
Roadblocks
Communications between different organizational units within an AMC can be poor. Covered
entities should make sure that their IT organizations share information about security incidents

with each other in a timely manner, and may need to set up mechanisms to ensure that this
happens.
Determining where potential security breaches may occur is challenging. For instance,
physicians may download medical data onto personal digital assistants. They often purchase
such devices themselves, and Security Management has no way of knowing about the purchase
or whether the physicians are adhering to security standards.
Comments
Also see: PRIV.53 Sanctions.

SEC.10
Security Management Process § .308(a)(10)
HIPAA Requirement
...(creation, administration, and oversight of policies to ensure the prevention,
detection, containment, and correction of security breaches involving risk
analysis and risk management). It includes the establishment of accountability,
management controls (policies and education), electronic controls, physical
security, and penalties for the abuse and misuse of its assets (both physical and
electronic) that includes all of the following implementation features:
(i) Risk analysis, a process whereby cost-effective security/control measures may
be selected by balancing the costs of various security/control measures against
the losses that would be expected if these measures were not in place.
(ii) Risk management (process of assessing risk, taking steps to reduce risk to an
acceptable level, and maintaining that level of risk).
(iii) Sanction policies and procedures (statements regarding disciplinary actions
that are communicated to all employees, agents, and contractors; for example,
verbal warning, notice of disciplinary action placed in personnel files, removal of
system privileges, termination of employment, and contract penalties). They must
include employee, agent, and contractor notice of civil or criminal penalties for
misuse or misappropriation of health information and must make employees,
agents, and contractors aware that violations may result in notification to law
enforcement officials and regulatory, accreditation, and licensure organizations.
(iv) Security policy (statement(s) of information values, protection
responsibilities, and organization commitment for a system). This is the
framework within which an entity establishes needed levels of information
security to achieve the desired confidentiality goals.
AMC Explanation of HIPAA Regulation
An overall information security management process is necessary to establish policy, provide
oversight, and administer operational aspects of the program. The process must function in a
proactive, risk-appropriate manner and establish the framework for safeguarding protected health
information within the AMC. An over-arching information security policy that commits the
AMC to safeguard protected health information, to establish goals, and to assign responsibility is
necessary. Supporting policy statements and procedures are required to facilitate the prevention,
detection, containment, and correction of security breaches. Specific areas that the security
management process must cover are: risk analysis process, risk management process, sanction
process, and security policy.
Key Issues
What are the covered entity's values with regard to protecting information?
What are the covered entity's security goals?
How does the covered entity's security policy demonstrate commitment to these goals?
How will values, policy, and process be effectively communicated to those covered by
them?

What activities cannot be managed in a secure way?
Category I Guidelines-Actions must be taken to address these
Establish a management structure that identifies roles and responsibilities for security
oversight and operational aspects.
Establish an overall information security policy that articulates the organization's
priorities and expectations with respect to safeguarding protected health information.
Identify and communicate the security responsibilities of workforce members who access or
manage access to protected health information.
Employ risk analysis to identify information assets, threats, and the likelihood and costs
of adverse occurrences.
Manage risk by applying cost-effective security solutions to reduce likelihood and extent
of losses due to adverse occurrences.
Develop a sanctioning process for violators and communicate it to all workforce
members. In addition to institutional corrective action, the policy must include notices of
civil or criminal penalties and notices that violations may result in notification of law
enforcement, and/or regulatory, accreditation, and licensure organizations.
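A worked example of the cost/benefit balancing that the risk analysis and risk management guidelines above call for, added here and not part of the AMC guidelines. It uses the common annualized-loss-expectancy model (single-loss expectancy times annual rate of occurrence), which the guidelines do not prescribe, and every asset, threat, control and dollar figure below is constructed for illustration:

```python
"""Annualized-loss risk analysis for selecting cost-effective controls.

Added example, not from the AMC guidelines. A candidate control is kept
only if the expected annual loss it prevents exceeds its own annual cost,
which is the balance the risk-analysis requirement describes. The
ALE = SLE x ARO model and all figures are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # cost of the asset at risk (constructed figure)
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    annual_rate: float      # expected occurrences per year (ARO)

    def ale(self) -> float:
        """Annualized loss expectancy: single-loss expectancy x annual rate."""
        return self.asset_value * self.exposure_factor * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    threat: str                      # name of the threat this control mitigates
    rate_reduction: float = 0.0      # fraction by which the annual rate falls
    exposure_reduction: float = 0.0  # fraction by which the exposure factor falls


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE of a threat after one control is applied to it."""
    reduced = Threat(
        threat.name,
        threat.asset_value,
        threat.exposure_factor * (1 - control.exposure_reduction),
        threat.annual_rate * (1 - control.rate_reduction),
    )
    return reduced.ale()


def net_benefit(threat: Threat, control: Control) -> float:
    """Annual loss avoided by the control minus its annual cost."""
    return threat.ale() - residual_ale(threat, control) - control.annual_cost


def select_controls(threats, controls):
    """Return (chosen, rejected) control names; a control is chosen only
    when its net benefit is positive, i.e. it is cost-effective."""
    by_name = {t.name: t for t in threats}
    chosen, rejected = [], []
    for c in controls:
        if net_benefit(by_name[c.threat], c) > 0:
            chosen.append(c.name)
        else:
            rejected.append(c.name)
    return chosen, rejected


# Constructed sample figures (hypothetical, not from the guidelines).
THREATS = [
    Threat("laptop_with_phi_stolen", asset_value=250_000, exposure_factor=1.0, annual_rate=2.0),
    Threat("malware_outbreak", asset_value=400_000, exposure_factor=0.25, annual_rate=1.5),
]
CONTROLS = [
    Control("full_disk_encryption", annual_cost=40_000,
            threat="laptop_with_phi_stolen", exposure_reduction=0.95),
    Control("armed_guard_per_clinic", annual_cost=600_000,
            threat="laptop_with_phi_stolen", rate_reduction=0.5),
    Control("multi_tier_antivirus", annual_cost=30_000,
            threat="malware_outbreak", rate_reduction=0.6),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: ALE ${t.ale():,.0f}")
    chosen, rejected = select_controls(THREATS, CONTROLS)
    print("cost-effective:", chosen)
    print("not cost-effective:", rejected)
```

The guard option is rejected not because it is ineffective but because it costs more per year than the loss it avoids; that is the trade-off the requirement asks the entity to make explicitly. The asset values come from the inventory required under SEC.08, and the annual rates are the contestable inputs, so record how each estimate was reached.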
Category II Guidelines-Actions should be taken to address these
Develop and apply a data criticality/sensitivity classification scheme.
Make risk analysis and risk management ongoing.
Consider establishing progressive sanctions, such as verbal warning, written warning,
suspension, and employment termination.
Ensure that the sanction policy provides for swift and strong action when appropriate.
Establish a process to document and evaluate trends in breaches and sanctions in order to
identify potential improvements in security, e.g. changes to policy, procedures, training,
or technical measures.
Require all who have, or may have, access to protected health information to sign
security, confidentiality, and computer usage agreements.
Roadblocks
Developing and implementing consistent policies and procedures for sanctions and security
policy may be hindered by the typical AMC's decentralized structure and culture of autonomy
(academic freedom). At some AMCs, these policies may also have to be coordinated with the
associated university's central administration, especially its legal counsel's office and human
resources department.
Comments
The reader is referred to the following additional references:
Carnegie Mellon University, Software Engineering Institute, CERT Coordination Center (CERT/CC), Information Security Risk Evaluation (OCTAVE)
http://www.cert.org/octave/
CPRI Toolkit for Managing Information Security in Healthcare, Health Information Risk Assessment and Management
http://www.3com.com/healthcare/securitynet/hipaa/toc.html

SEC.11
Termination Procedures § .308(a)(11)
HIPAA Requirement
...(formal documented instructions, which include appropriate security measures,
for the ending of an employee's employment or an internal/external user's access)
that include procedures for all of the following implementation features:
(i) Changing locks (a documented procedure for changing combinations of
locking mechanisms, both on a recurring basis and when personnel
knowledgeable of combinations no longer have a need to know or require access
to the protected facility or system).
(ii) Removal from access lists (physical eradication of an entity's access
privileges).
(iii) Removal of user account(s) (termination or deletion of an individual's access
privileges to the information, services, and resources for which they currently
have clearance, authorization, and need-to-know when such clearance,
authorization and need-to-know no longer exists).
(iv) Turning in of keys, tokens, or cards that allow access (formal, documented
procedure to ensure all physical items that allow a terminated employee to access
a property, building, or equipment are retrieved from that employee, preferably
before termination).
AMC Explanation of HIPAA Regulation
Entities must revoke physical access to controlled areas and remove user accounts when
employees terminate employment or when others, such as contractors and vendors, no longer
require access. Academic medical centers can reduce risk by implementing procedures to ensure
prompt collection of the items that enable access: e.g., identification cards, keys, and physical
tokens, and by changing locks or lock combinations, and by revoking computer accounts.
Although this point is entitled "termination," the text includes provisions for other occasions in
which removal of access rights is called for.
Key Issues
Is access disabled in a timely and consistent manner for terminated users?
Is there timely notification to human resources, central security administration, and
decentralized security administrators when an employee is terminated?
Is there a way to deal with terminations of individuals who are not employees, e.g.
physicians, contractors, vendors, volunteers? Are there provisions to modify/remove
access when workforce members change roles in ways that imply change in access
privileges?
Category I Guidelines-Actions must be taken to address these
When workforce members either terminate employment or lose clearance, or their
authorization or need-to-know no longer exists, take the following actions:
Recover keys, identification cards, physical tokens, and any other objects that
facilitate physical access to property, buildings, and equipment;

Change locks and/or combinations that control physical access to areas and
equipment (this must also be done on a recurring basis);
Revoke user accounts that provide access to information, services, and resources;
Remove them from lists that document authorized access to controlled areas and
information, services, and resources;
Document these processes as formal instructions.
Category II Guidelines-Actions should be taken to address these
Establish a policy and process to promptly report all terminations and ensure that the
revocation process works promptly.
Document explicit maximum time intervals that are permissible for:
Reporting terminations;
Communicating terminations to security administrators;
Disabling access.
Develop and document a process to ensure that, in instances of involuntary termination,
the action is immediately reported to security administrators and that items that enable
access are collected or inactivated immediately.
Consider revoking access prior to employment termination, particularly in instances of
involuntary termination.
Consider the conditions under which people placed on administrative leave (e.g. pending an
investigation of misuse of access) should have their access privileges altered.
Revise access when roles change.
Disable access privileges for any user account that shows no activity for a pre-determined
period of time (e.g. three months).
Review all suspended accounts for activity or attempted activity and report any such
activity for investigation as a potential breach.
Periodically audit the effectiveness of the process for disabling access in the event of a
termination to ensure that procedures and guidelines are being followed.
Record the completion of inactivation activities.
Perform exit interviews for any termination in which a potential security concern has
been identified.
Maintain a record of any changes made to an individual's access privileges, and retain it
long enough so it is possible to determine the extent of an individual's historic access in
case it is relevant to an investigation.
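The checks in the guidelines above (revocation within a documented maximum interval, disabling dormant accounts, and reviewing suspended accounts for attempted activity) can be run mechanically once HR and directory data are linked. The following is an added example, not code from the AMC guidelines; the HR feed, directory export, authentication log format, the 24-hour maximum and the 90-day dormancy threshold are all constructed assumptions to be replaced by the entity's own documented values:

```python
"""Access-revocation checks for termination procedures.

Added example, not from the AMC guidelines. Inputs are constructed: an HR
feed of terminations, a directory export of accounts, and authentication
log lines in a made-up "<iso-time> <OK|FAIL> user=<name> src=<ip>" format.
"""
from datetime import datetime, timedelta

MAX_DISABLE_DELAY = timedelta(hours=24)  # assumed documented maximum interval
DORMANT_AFTER = timedelta(days=90)       # "e.g. three months" in the guideline
REFERENCE_NOW = datetime(2024, 3, 4, 9, 0)  # fixed clock for the sample run

# Constructed HR feed: user -> termination time.
HR_TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "rroe": datetime(2024, 3, 2, 9, 0),
}

# Constructed directory export: user -> (enabled?, disabled_at, last_login).
DIRECTORY = {
    "jdoe": (False, datetime(2024, 3, 1, 18, 30), datetime(2024, 2, 28, 8, 0)),
    "rroe": (True, None, datetime(2024, 3, 1, 7, 45)),
    "asmith": (True, None, datetime(2023, 11, 15, 12, 0)),
    "bkim": (True, None, datetime(2024, 3, 3, 10, 0)),
}

# Constructed authentication log lines.
AUTH_LOG = """\
2024-03-02T08:15:00 FAIL user=jdoe src=10.1.4.22
2024-03-02T08:16:10 FAIL user=jdoe src=10.1.4.22
2024-03-03T10:00:00 OK user=bkim src=10.1.9.5
2024-03-03T11:02:44 OK user=rroe src=172.16.0.8
"""


def overdue_revocations(now, hr=HR_TERMINATIONS, directory=DIRECTORY):
    """Terminated users whose account is still enabled past the maximum
    interval, or was disabled later than that interval allows."""
    overdue = []
    for user, term_at in hr.items():
        if user not in directory:
            continue
        enabled, disabled_at, _ = directory[user]
        if enabled:
            if now - term_at > MAX_DISABLE_DELAY:
                overdue.append((user, "still enabled"))
        elif disabled_at - term_at > MAX_DISABLE_DELAY:
            overdue.append((user, "disabled late"))
    return overdue


def dormant_accounts(now, directory=DIRECTORY):
    """Enabled accounts with no login for longer than DORMANT_AFTER."""
    return sorted(
        user for user, (enabled, _, last_login) in directory.items()
        if enabled and now - last_login > DORMANT_AFTER
    )


def parse_auth_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, result, user_field, src_field = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def activity_on_suspended(log_text, directory=DIRECTORY):
    """Any attempt, successful or not, against a disabled account is
    reported for investigation as a potential breach."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        enabled, _, _ = directory.get(ev["user"], (True, None, None))
        if not enabled:
            hits.append((ev["user"], ev["src"], "success" if ev["ok"] else "failed"))
    return hits


if __name__ == "__main__":
    print("overdue revocations:", overdue_revocations(REFERENCE_NOW))
    print("dormant accounts:", dormant_accounts(REFERENCE_NOW))
    print("activity on suspended accounts:", activity_on_suspended(AUTH_LOG))
```

In the sample data the terminated user rroe is still enabled two days later and has logged in since termination, which is the lag the documented maximum interval is meant to bound; the failed attempts against the already-disabled jdoe account are the kind of event the suspended-account review should surface, whether or not they succeeded.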
Roadblocks
AMCs often have a decentralized structure and culture, and thus have many computer systems
with decentralized management. Take into consideration that AMCs often have many sites with
controlled physical access.
Comments
Linkage of HR, Payroll, and IT systems is a major step in resolving this difficult issue.
Education, procedures, and checklists for managers on terminating staff are essential for a
successful termination process.

SEC.12
Security Training § .308(a)(12)
HIPAA Requirement
...(education concerning the vulnerabilities of the health information in an
entity's possession and ways to ensure the protection of that information) that
includes all of the following implementation features:
(i) Awareness training for all personnel, including management personnel (in
security awareness, including, but not limited to, password maintenance, incident
reporting, and viruses and other forms of malicious software).
(ii) Periodic security reminders (employees, agents, and contractors are made
aware of security concerns on an ongoing basis).
(iii) User education concerning virus protection (training relative to user
awareness of the potential harm that can be caused by a virus, how to prevent the
introduction of a virus to a computer system, and what to do if a virus is
detected).
(iv) User education in importance of monitoring log-in success or failure and how
to report discrepancies (training in the user's responsibility to ensure the security
of health care information).
(v) User education in password management (type of user training in the rules to
be followed in creating and changing passwords and the need to keep them
confidential).
AMC Explanation of HIPAA Regulation
Security training is necessary for all workforce members who access protected health
information. This training must include overall security awareness, periodic reminders, virus
awareness, password management, and user-specific topics necessary for individual workstation
security.
Key Issues
How will the security training program be updated to reflect changes in the security
environment and security responsibilities of workforce members?
How is the training program tailored to support the various classes of system users and
the level of information sensitivity to which each class of user has access?
Are all system users included in the training program, including those accessing
organizational systems from remote sites?
How is training documented?
How is training effectiveness evaluated?
Does the training content meet all of the HIPAA training requirements?
How often should reminders or refresher courses be provided?
Category I Guidelines-Actions must be taken to address these
Establish a formal, documented security awareness training program for all workforce
members that addresses, at a minimum, the following topics:
Protection against, and reporting of, viruses;

Reporting security incidents;
Managing individual passwords.
Establish a formal, documented security awareness program tailored to system users that
addresses, at a minimum:
Virus protection;
Potential harm viruses can cause;
How to prevent the introduction of viruses into a computer system;
What to do if a virus is detected;
The importance of monitoring log-in success or failure;
How to report discrepancies in the log-in process;
Rules for creating and changing passwords;
Safeguarding passwords.
Provide periodic security awareness reminders to all workforce members.
Category II Guidelines-Actions should be taken to address these
Make training role and/or job-specific.
Assign responsibility for security training.
Document the training that has been provided to each individual.
Develop a training program that demonstrates mastery of the material presented.
Evaluate the effectiveness of training.
Roadblocks
Security training is generally not given a high priority in orientation and training for new hires,
so the time available may be inadequate. It is also often difficult to arrange security training for
third-party agents and sub-contractors with access to health information. Without centralized
responsibility for the development of content for the security program, it will be difficult to
ensure consistent training across the AMC.
Comments
Using experts in this field will enhance the content of security training programs. Some AMCs
reduce the costs of security training by weaving training into ongoing training activities.
Consider including a security training curriculum for residents, as well as for medical and
nursing students.
Also see: SEC.18 Security Awareness Training.
The reader is referred to the following additional references:
American Health Information Management Association (AHIMA)
https://secure.ahima.org/commerce/
* Faxing Safeguards: Guidelines for Transmitting Patient Health Information
* Security and Access: Guidelines for Managing Electronic Patient Information
* Information Security: HIPAA Sets the Standard Program in a Box
Carnegie Mellon University, Software Engineering Institute, CERT Coordination Center (CERT/CC)
http://www.cert.org/nav/training.html
Computer Security Institute, Manager's Guide to Computer Security Awareness
http://www.gocsi.com/
CPRI Toolkit for Managing Information Security in Healthcare
http://www.3com.com/healthcare/securitynet/hipaa/toc.html
* CPRI Guide: Information Security Education
* Instructor Guide
* Slides for Training Program
MIS Training Institute
http://www.misti.com/
National Institutes of Health Web Security Links
http://www.alw.nih.gov/Security/security.html
National Institute of Standards and Technology (NIST), Computer Security Resource Center
http://csrc.ncsl.nist.gov/