AMC/HIPAA Workgroup
Section Two: Requirements for Physical Safeguards

SEC.13
Assigned Security Responsibility § .308(b)(1)
HIPAA Requirement
...(practices established by management to manage and supervise the execution
and use of security measures to protect data and to manage and supervise the
conduct of personnel in relation to the protection of data).
AMC Explanation of HIPAA Regulation
The governing body of each covered entity must designate a security officer or group to oversee
the safeguarding of protected health information and assign the necessary responsibility and
accountability to that role. This person or group will manage the execution and use of security
measures and supervise the conduct of personnel in relation to data protection.
Key Issues
Will the covered entity vest this responsibility in an individual role or charge a
committee with it?
How will the covered entity empower the security officer or group to effectively
accomplish security goals?
How will multiple facility entities assign oversight?
How will multiple entity systems assign oversight?
Category I Guidelines-Actions must be taken to address these
Assign overall responsibility for securing protected health information to an individual
security officer or a group specifically charged to do so.
Make this person or group accountable for the information security program to include:
Processes employed to safeguard protected health information;
Technologies and architectures employed to safeguard protected health information;
Conduct of personnel in relation to the safeguarding of protected health information.
Category II Guidelines-Actions should be taken to address these
Have the organization's governing body assign this responsibility and confer the authority
needed to carry it out effectively.
Ensure that the security officer possesses the necessary body of knowledge, skill set, and
experience to effectively oversee the security program.
Extend the security officer's responsibility to the entire entity.
If the organization has multiple security officers, coordinate their efforts.
Avoid combining the responsibilities of the security officer and the privacy official, as
the knowledge bases and skill sets required for each differ.
Roadblocks
Security officers with the knowledge, skills, and experience necessary to effectively manage an
information security program in an AMC are few and difficult to recruit. On the other hand,
training a person with a general or non-healthcare information security background on the job
takes a good deal of time.

Comments
None.

SEC.14
Media Controls § .308(b)(2)
HIPAA Requirement
...(formal, documented policies and procedures that govern the receipt and
removal of hardware/software (such as diskettes and tapes) into and out of a
facility) that include all of the following implementation features:
Access control.
Accountability (the property that ensures that the actions of an entity can be
traced uniquely to that entity).
Data backup (a retrievable, exact copy of information).
Data storage (the retention of health care information pertaining to an individual
in an electronic format).
Disposal (final disposition of electronic data, and/or the hardware on which
electronic data is stored).
AMC Explanation of HIPAA Regulation
While this item states that it is focused upon the transfer of hardware and software media into
and out of a facility, it also requires consideration of the larger issue of how to handle record
copies of protected media from creation to destruction. Each entity will need to decide how to
categorize, annotate, account for, store, and dispose of protected health information in record
form.
Key Issues
How and by whom is new media introduced into the record environment?
How are working materials created, marked, controlled, and destroyed?
How are media and computer equipment controlled when entering and leaving the
facility?
Is equipment properly inventoried?
Is media disposed of properly?
Does the use of unofficial or "shadow" record systems undermine accountability and
controls and, if so, how can they be brought into line with media controls?
Category I Guidelines-Actions must be taken to address these
Establish accountability and access controls for media containing protected health
information, including equipment with media installed and hardcopies containing
protected health information, from creation to disposition.
Ensure that policies and procedures address access control, accountability, data backup,
data storage, and data disposal.
Category II Guidelines-Actions should be taken to address these
Establish uniform terminology and guidelines for classifying and marking materials as
"confidential," "proprietary," "patient-confidential," etc.
Establish procedures for assigning accountability for newly created media, including
hardcopy when created and recording/removing the media from accountability when
properly destroyed.
Establish guidelines to restrict the use of "unofficial" or "shadow" records to ensure the
integrity and protection of protected health information.
Mark temporary working materials, whether on computer media or hard copy, that
contain protected health information appropriately when created and establish a date for
either destroying the working materials or bringing them under control as record
documents.
Ensure that appropriate secure storage and destruction facilities, such as shredders, are
readily available, clearly marked, and used.
Ensure that protected health information in hardcopy format is disposed of properly.
Responsible personnel should authorize the shipping and receiving of protected media
and maintain appropriate records. Establish a formal system for shipping and
transporting materials containing protected health information with receipts to ensure that
shipped materials have been properly received and accountability has been transferred to
the receiving office. Establish standards for wrapping and marking shipped media that
both minimize the likelihood of its being identified as containing protected health
information and prevent tampering.
Set a standard for purging protected health information from magnetic media, and adhere
to it. Degaussing and overwriting are acceptable methods. (See Comments.)
Before releasing any magnetic media that may contain protected health information
outside the entity, process it to purge any information residing on it.
If media is left unattended, secure it and use reasonable care.
Do not leave printed versions (hardcopy) of protected health information unattended and
open to compromise, and do not copy it indiscriminately.
Establish and maintain accountability for all equipment used to process protected health
information, including requirements for regular inventory and resolving any loss of
accountability.
Ensure that essential patient care information is properly backed up in a secure location.
Periodically check to ensure that data can be restored from backup media.
Consider periodic audits by outside agencies to ensure that appropriate media controls are
maintained.
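A restore test matching the guideline above to periodically check that data can be restored from backup media, added here as an example and not part of the AMC document. It assumes a gzip tar archive with a SHA-256 manifest as the backup format; the sample files in `demo` are constructed. The point of the check is not that the archive opens, but that the restored copy is byte-for-byte what was backed up, and that the same check reports drift when the live data has changed since the backup was taken (a backup that can be restored but is stale).

```python
"""Backup restore test: back up a tree, restore it elsewhere, and prove the
restored copy matches what was backed up.  Added example, not from the AMC
document; gzip tar plus a SHA-256 manifest is the assumed backup format."""
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(root: str, archive: str) -> Dict[str, str]:
    """Archive root and return the manifest taken at backup time.  The
    manifest must be stored apart from the archive, or it proves nothing."""
    m = manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return m


def restore_check(archive: str, expected: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory and return the list of problems:
    files missing, altered, or unexpected compared with the manifest.
    An empty list means the restore reproduced the backed-up data."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal
            except TypeError:  # Python without extraction filters
                tar.extractall(scratch)
        restored = manifest(scratch)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"altered: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the check on a constructed tree, then again after the live data
    has drifted from the backup."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "records")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "a.txt"), "wb") as f:
            f.write(b"constructed sample record A\n")
        with open(os.path.join(src, "sub", "b.txt"), "wb") as f:
            f.write(b"constructed sample record B\n")
        archive = os.path.join(work, "records.tar.gz")
        m = make_backup(src, archive)
        clean = restore_check(archive, m)
        # Live data changes after the backup: one file edited, one deleted.
        with open(os.path.join(src, "a.txt"), "ab") as f:
            f.write(b"late update\n")
        os.remove(os.path.join(src, "sub", "b.txt"))
        drift = restore_check(archive, manifest(src))
        return {"clean": clean, "drift": sorted(drift)}


if __name__ == "__main__":
    print(demo())
```

The manifest taken at backup time is what makes the later comparison meaningful; keeping it with the archive on the same media defeats the purpose, since whatever damages one damages both.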
Roadblocks
Unlike many business environments, there is no real control over movement of people and
equipment on and off campus. While establishing controls for centrally managed data is
relatively straightforward, the issue of enforcing media controls for "shadows" and other
unofficial systems is a significant one.
Comments
A reasonable standard for purging magnetic media containing protected health information by
overwriting is a one-time bit-by-bit overwrite of the entire piece of media. The government
standard for declassifying media is a three-time overwrite: first overwrite with a character or
character string, second overwrite with the binary complement of the first, and a third
overwrite with any character or character string. In either case the overwrite must cover the
whole medium, not only the files the entity knows about, and should be verified by reading the
media back afterward. Overwriting is a method for magnetic media only; it cannot be relied on
for flash or solid-state storage, where the controller may remap or retain blocks that no
overwrite reaches, and physical destruction is the appropriate purge there.
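A worked version of both overwrite schemes above (the one-pass bit-by-bit standard and the three-pass declassification scheme), added here as an example and not taken from the AMC document. It assumes a regular file on a magnetic disk; `CHUNK`, the pass patterns, the `demo` function and its sample content are this example's own choices. A file-level overwrite does not reach filesystem journals, snapshots, backups or sectors the drive has remapped; purging a whole disk means running the same passes over the block device itself, which needs elevated privileges and a device-size query in place of `os.path.getsize`.

```python
"""Overwrite-based purge of a file's contents: a pattern, its binary
complement, then a final pattern, with a read-back verification of the last
pass.  Added example, not from the AMC document.  Assumes a regular file on a
magnetic disk; gives no assurance on flash/SSD storage."""
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # 1 MiB write buffer (assumed size)


def complement(pattern: bytes) -> bytes:
    """Bitwise complement of a pattern, used for the second pass."""
    return bytes(b ^ 0xFF for b in pattern)


def one_pass(pattern: bytes = b"\x00") -> List[bytes]:
    """The 'reasonable standard': one bit-by-bit overwrite of the whole medium."""
    return [pattern]


def three_pass(first: bytes = b"\x55") -> List[bytes]:
    """The declassification scheme: pattern, its complement, then a final
    pattern (fixed here to 0x00 so the last pass can be verified exactly)."""
    if not first:
        raise ValueError("pattern must be non-empty")
    return [first, complement(first), b"\x00"]


def _fill(pattern: bytes, n: int) -> bytes:
    """n bytes of the pattern repeated; restarted at every chunk boundary,
    and the verifier regenerates the same bytes the same way."""
    return (pattern * (n // len(pattern) + 1))[:n]


def _write_pass(f, size: int, pattern: bytes) -> None:
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        f.write(_fill(pattern, n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to the disk before the next one


def _verify_pass(f, size: int, pattern: bytes) -> bool:
    """Read the whole file back and confirm every byte matches the last pass."""
    f.seek(0)
    offset = 0
    while offset < size:
        n = min(CHUNK, size - offset)
        chunk = f.read(n)
        if len(chunk) != n or chunk != _fill(pattern, n):
            return False
        offset += n
    return True


def purge_file(path: str, passes: List[bytes]) -> Dict[str, object]:
    """Overwrite `path` in place with each pattern in turn, then verify."""
    if not passes:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            _write_pass(f, size, pattern)
        verified = _verify_pass(f, size, passes[-1])
    return {"bytes": size, "passes": len(passes), "verified": verified}


def demo() -> Dict[str, object]:
    """Purge a constructed sample file and report what is left on it."""
    sample = b"constructed sample PHI record line\n" * 500  # constructed data
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(sample)
        result = purge_file(path, three_pass(b"\x55"))
        with open(path, "rb") as f:
            after = f.read()
        result["size_unchanged"] = len(after) == len(sample)
        result["sample_remains"] = b"constructed" in after
        result["all_zero"] = after == b"\x00" * len(sample)
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping whatever pass count the entity adopts: a purge procedure that is not read back cannot be shown to have happened, which matters when accountability for the media is being closed out.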

SEC.15
Physical access controls § .308(b)(3)
HIPAA Requirement
...(limited access) (formal, documented policies and procedures to be followed to
limit physical access to an entity while ensuring that properly authorized access is
allowed) that include all of the following implementation features:
(i) Disaster recovery (the process enabling an entity to restore any loss of data in
the event of fire, vandalism, natural disaster, or system failure).
(ii) An emergency mode operation (access controls in place that enable an entity
to continue to operate in the event of fire, vandalism, natural disaster, or system
failure).
(iii) Equipment control (into and out of site) (documented security procedures for
bringing hardware and software into and out of a facility and for maintaining a
record of that equipment. This includes, but is not limited to, the marking,
handling, and disposal of hardware and storage media.)
(iv) A facility security plan (a plan to safeguard the premises and building
(exterior and interior) from unauthorized physical access and to safeguard the
equipment therein from unauthorized physical access, tampering, and theft).
(v) Procedures for verifying access authorizations before granting physical
access (formal, documented policies and instructions for validating the access
privileges of an entity before granting those privileges)
(vi) Maintenance records (documentation of repairs and modifications to the
physical components of a facility, such as hardware, software, walls, doors, and
locks).
(vii) Need-to-know procedures for personnel access (a security principle stating
that a user should have access only to the data he or she needs to perform a
particular function).
(viii) Procedures to sign in visitors and provide escorts, if appropriate (formal
documented procedure governing the reception and hosting of visitors).
(ix) Testing and revision (the restriction of program testing and revision to
formally authorized personnel).
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish formal, documented policies and procedures for
limiting physical access while ensuring that properly authorized access is allowed. Mandatory
implementation features also include plans for emergency operation and disaster recovery as well
as for testing and revision.
Key Issues
None.
Category I Guidelines-Actions must be taken to address these
House critical or sensitive protected health information processing facilities in secure
areas, protected by a defined security perimeter, with appropriate security barriers and
entry controls. Physically protect them from unauthorized access, damage, and
interference.
Establish and maintain a specific disaster recovery plan.
Supervise or clear contractors and other visitors to secure areas, and record their date and
time of entry and departure.
Control access to protected health information and information processing facilities, and
restrict it to authorized persons only.
Provide security for off-site equipment that is equivalent to that provided for on-site
equipment used for the same purpose, taking into account the risks of working outside the
covered entity's premises.
Keep records of maintenance of equipment.
Restrict testing and revision to authorized personnel.
Category II Guidelines-Action should be considered to address these
Provide protection commensurate with the identified risks.
Regularly review and update access rights to secure areas.
Grant contractors and visitors access only for specific, authorized purposes and issue
them with instructions on the security requirements of the area and on emergency
procedures.
Require all workforce members to wear some form of visible identification and
encourage them to challenge unescorted strangers and anyone not wearing visible
identification.
Physically protect equipment from security threats and environmental hazards.
Maintain equipment in accordance with the supplier's recommended service intervals and
specifications.
Use authentication controls, e.g. swipe card plus PIN, to authorize and validate all access.
Maintain a secure audit trail of all access.
Require management authorization for the use of any equipment outside a covered
entity's premises for processing of protected health information.
Ensure that only authorized maintenance personnel carry out repairs and service
equipment.
Maintain records of all suspected or actual faults and all preventative and corrective
maintenance.
Establish appropriate controls when sending equipment off premises for maintenance.
Comply with all requirements imposed by insurance policies.
Check all items of equipment containing storage media, e.g. fixed hard disks, to ensure
that any protected health information and licensed software has been removed or
overwritten prior to disposal.
Require authorization in order to take any equipment, protected health information, or
software off site. Where necessary and appropriate, require equipment to be logged out
and logged back in when returned. Perform spot checks to detect unauthorized removal
of property, and make individuals aware that spot checks will take place.
Forbid users to connect unauthorized devices to the enterprise network.
Escort and supervise maintenance personnel; assign knowledgeable persons to this task.

Roadblocks
Those responsible for implementation and enforcement may be slow to accept the need for new
policies.
Comments
Also see: SEC.14 Media Controls

SEC.16
Policy/guideline on workstation use § .308(b)(4)
HIPAA Requirement
...(documented instructions/procedures delineating the proper functions to be
performed, the manner in which those functions are to be performed, and the
physical attributes of the surroundings of a specific computer terminal site or type
of site, dependent upon the sensitivity of the information accessed from that site).
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish a policy/guideline on secure workstation use. These
documents will establish the rules for minimizing the risk of exposing protected health
information to unauthorized access. They will include technical measures (automatic logoff) as
well as behavioral rules (no sharing of passwords).
Key Issues
Is there a documented procedure for siting workstations (including both printers and data
entry/display terminals) in such a way as to minimize shoulder surfing?
Is there a process for determining automatic logoff intervals for each site?
Is there a process for activating and deactivating passwords?
Is there a documented process to train users about their responsibilities in maintaining
workstation security?
Category I Guidelines-Actions must be taken to address these
Develop a Workstation Use Policy.
Position workstations to minimize unauthorized viewing of protected health information
either by shoulder surfing or by other direct physical means of obtaining access to data
present on the workstation.
Grant workstation access only to those who need it in order to perform their job function.
Category II Guidelines-Actions should be taken to address these
Develop a policy/guideline to protect the workstations from exposure to physical threats
including theft.
Consider establishing automatic logoff to minimize opportunities for unauthorized use of
a workstation.
Educate users about their responsibilities for workstation security.
Monitor workstation sites for good user practice including logoff and password usage.
Consider two-factor login for user authentication.
Avoid login methods that may require the use of multiple passwords by an individual.
Roadblocks
In many institutions, guarding passwords and workstations is of secondary importance to the
need to accomplish the goal of providing healthcare. Procedures that substantially impede the
use of data entry and data retrieval will meet resistance.

Comments
When interpreting this rule, consider that a workstation may include any or all of several devices
such as data terminals, printers, and fax machines. Printouts may contain the most sensitive
information in a patient's file and are as great a security risk as any other source of information.
Since turnover may be high among those who have broad access to protected health information,
it is important to have a facile and flexible way to manage granting and revocation of access
privileges.
Training users about their security responsibilities as well as functional aspects is vital,
especially in AMCs.

SEC.17
Secure workstation location § .308(b)(5)
HIPAA Requirement
...(physical safeguards to eliminate or minimize the possibility of unauthorized
access to information; example, locating a terminal used to access sensitive
information in a locked room and restricting access to that room to authorized
personnel, not placing a terminal used to access patient information in any area of
a doctor's office where the screen contents can be viewed from the reception area).
AMC Explanation of HIPAA Regulation
Each covered entity is required to implement physical safeguards to eliminate or minimize the
possibility of unauthorized access to protected health information. This is especially important
in public buildings, provider locations, and other areas where there is heavy pedestrian traffic.
Key Issues
What are the trade-offs between workstation accessibility and protection of protected
health information?
How will potential workstation location changes impact workflow?
Category I Guidelines-Actions must be taken to address these
Establish workstation location criteria to eliminate or minimize the possibility of
unauthorized access to protected health information.
Employ physical safeguards as determined by risk analysis, such as locating workstations
in controlled access areas or installing covers or enclosures to preclude passerby access to
protected health information.
Category II Guidelines-Actions should be taken to address these
When practical, locate workstations used to access protected health information in areas
that are continuously monitored by cleared personnel when open for business and
otherwise securely locked and alarmed with a 24 hour security monitoring service.
Locate workstations to minimize the possibility of unauthorized personnel viewing
screens or data.
Establish workstation inactivity timeouts and use timed, password-protected screen
savers.
Consider the use of proximity detectors to reduce exposure at unattended workstations.
Roadblocks
No roadblocks specific to this point.
Comments
Ideally, workstations used to access protected health information would be located only in
controlled areas, but this may unacceptably restrict access to and use of electronic patient
records. In these cases, consider additional controls such as physical devices to limit viewing,
timeout/lockout of individual sessions, use of password-protected screensavers, and other
procedures to provide adequate confidentiality.
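The automatic logoff and inactivity timeout that SEC.16 and SEC.17 call for, as an added example (not code from the AMC guidelines) of how an application or terminal server can enforce per-site idle and absolute session limits. The site names and intervals in `SITE_POLICY` are illustrative assumptions; each entity sets its own from risk analysis. The clock is injected so expiry can be exercised without waiting, and the behaviour worth noting is that activity arriving after the idle window must not revive a session that should already have been logged off.

```python
"""Per-site automatic logoff for workstation sessions.  Added example, not
part of the AMC guidelines.  Site names and intervals in SITE_POLICY are
assumptions; a covered entity sets its own per site from risk analysis."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Seconds of inactivity before forced logoff, and an absolute session
# lifetime after which re-authentication is required even if active.
SITE_POLICY: Dict[str, Dict[str, int]] = {
    "locked_office":   {"idle": 15 * 60, "max_life": 12 * 3600},  # assumed
    "nursing_station": {"idle": 5 * 60,  "max_life": 12 * 3600},  # assumed
    "public_area":     {"idle": 60,      "max_life": 30 * 60},    # assumed
}


@dataclass
class Session:
    user: str
    site: str
    started: float
    last_activity: float
    ended: bool = False
    end_reason: Optional[str] = None


class SessionStore:
    """Tracks interactive sessions and applies the site's logoff policy.
    `clock` is injected so expiry can be tested deterministically."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 policy: Dict[str, Dict[str, int]] = SITE_POLICY):
        self._clock = clock
        self._policy = policy
        self._sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str, site: str) -> Session:
        if site not in self._policy:
            # Fail closed: a site without a classified policy gets no session.
            raise ValueError(f"no logoff policy for site {site!r}")
        now = self._clock()
        s = Session(user=user, site=site, started=now, last_activity=now)
        self._sessions[session_id] = s
        return s

    def _check(self, s: Session) -> None:
        """Mark the session ended if either limit has been exceeded."""
        if s.ended:
            return
        now = self._clock()
        pol = self._policy[s.site]
        if now - s.last_activity > pol["idle"]:
            s.ended, s.end_reason = True, "idle_timeout"
        elif now - s.started > pol["max_life"]:
            s.ended, s.end_reason = True, "max_lifetime"

    def touch(self, session_id: str) -> bool:
        """Record user activity.  Returns False, without reviving the session,
        if it has already expired: late activity must not extend a session
        that should have been logged off at the end of the idle window."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        self._check(s)
        if s.ended:
            return False
        s.last_activity = self._clock()
        return True

    def is_active(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        if s is None:
            return False
        self._check(s)
        return not s.ended

    def logoff(self, session_id: str, reason: str = "user_logoff") -> None:
        s = self._sessions.get(session_id)
        if s is not None and not s.ended:
            s.ended, s.end_reason = True, reason

    def sweep(self) -> List[Tuple[str, str, str]]:
        """Expire every overdue session and drop ended ones from the store;
        returns (session_id, user, reason) tuples for the audit trail."""
        ended: List[Tuple[str, str, str]] = []
        for sid, s in list(self._sessions.items()):
            self._check(s)
            if s.ended:
                ended.append((sid, s.user, s.end_reason or "unknown"))
                del self._sessions[sid]
        return ended
```

The idle check runs before the lifetime check, so a session that is both idle and over its lifetime is recorded as an idle timeout; the sweep output is what a periodic job would write to the access audit trail.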

SEC.18
Security Awareness training § .308(b)(6)
HIPAA Requirement
...(information security awareness training programs in which all employees,
agents, and contractors must participate, including, based on job responsibilities,
customized education programs that focus on issues regarding use of health
information and responsibilities regarding confidentiality and security).
AMC Explanation of HIPAA Regulation
Covered entities are required to establish security awareness training programs customized to
individual job responsibilities. Training for all workforce members in the use of protected health
information and its confidentiality and security is required.
Key Issues
How will the covered entity tailor security awareness training to hundreds of separate
roles?
How will the covered entity merge privacy training (use of information) with security
training to address this requirement?
Category I Guidelines-Actions must be taken to address these
Provide job-specific security awareness training to all workforce members.
Focus the training on use of protected health information (privacy) and security.
Category II Guidelines-Actions should be taken to address these
Make this aspect of training a supervisory or departmental responsibility, as appropriate.
Consider the security guidelines in this document-Category I and Category II
Guidelines-and determine which pertain to each job class. Develop a training program
to communicate them.
Roadblocks
Developing meaningful job-specific training programs in large organizations is difficult. Making
supervisors responsible and accountable for training at this level is an approach that should
maximize the likelihood of success.
Comments
Also see: SEC.12, as covered in §.308(a)(12). SEC.12 Security Training is general in nature,
establishing high-level expectations for all staff and somewhat more focused expectations for the
system user community. This Security Awareness Training point focuses on customized
education tailored to individual job responsibilities.