HIPAA Security Manual



<Insert your organization/practice name>

Table of Contents

1 MANUAL INTRODUCTION
2 ADMINISTRATIVE POLICIES AND PROCEDURES
2.1 Security Officer Job Responsibilities
2.2 Audit Trails Policy and Procedures
2.3 Protection from Malicious Software Policy and Procedures
2.4 Security Incident Policy and Procedures
2.5 Training Policy
2.6 Sanction Policy and Procedures
2.7 Workforce Termination Policy and Procedures
2.8 Mobile Device Management Policy
2.9 Patient Requests for Electronic Copy of ePHI Policy
2.10 Fax and Copy Machine Usage Policy and Procedures
3 PHYSICAL SAFEGUARDS POLICIES AND PROCEDURES
3.1 Policy for User Identification and Authentication and Access
3.2 Workforce Clearance Procedures
3.3 Contingency Policy and Procedures
3.4 Computer Backup Policy and Procedures
3.5 Contingency Plan Steps, Emergency Mode Operation Plan
3.6 Facilities Policy and Procedures
3.7 Computer Workstation Use Policy and Procedures
3.8 Mobile Device Management Procedure
4 TECHNICAL – INFORMATION TECHNOLOGY (IT)
4.1 IT Tasks Policy and Procedures
4.2 IT Inventory Locations Device and Media Controls
4.3 IT Tasks
4.4 IT Inventory
4.5 Network Map (Sample)
5 LOGS AND EVENT RECORDS
5.1 Audit Trail Event Record
5.2 Security Incident Report – Anti-Virus
5.3 Security Incident Log
5.4 Facilities Maintenance Log
5.5 Backup Testing and Recovery Log
5.6 Training Checklist
5.7 Termination Checklist
5.8 Data Breach Log
5.9 Sanction Log
5.10 Contingency Planning
5.10.1 Contingency Plan/Restoration Checklist
5.10.2 Emergency Mode Operations Roles
5.10.3 Emergency Mode Workforce Contact List
5.10.4 Emergency Mode – Emergency Assembly Point
5.10.5 Emergency Mode Alternate Location/Command Center
5.10.6 Emergency Mode – Necessary Materials
5.10.7 Contingency Testing and Revision
5.11 Log and Record Review
6 JOB DESCRIPTIONS
7 REFERENCE
7.1 Security Risk Analysis
7.2 Audit Results
7.3 Addressable Specifications
7.4 Security Categorization
7.5 Contingency Planning Threats, Preventive Measures and Responses
7.5.1 Threats Affecting Contingency Planning
7.5.2 Potential Disaster Threats, Preventive Measures and Responses
7.6 References
7.7 Glossary
7.8 Abbreviations or Acronyms
8 VENDOR SPECIFIC PROCEDURES
8.1 User and Role Assignment
8.2 Emergency Access
8.3 Password Setting
8.4 Logoff Setting
8.5 Audit Policy
8.6 Patient Requests for Disclosures of EPHI through an Electronic Health Record
8.7 Backup Model
8.8 Integrity of EPHI
8.9 Standard Architecture of Network Mapping
8.10 Remote Online Backup
9 INDEX

1 MANUAL INTRODUCTION

Introduction

This Manual reflects the policies, IT infrastructure, and documentation for <Organization Name’s> protection of electronic protected health information (EPHI) as required by the HIPAA Security Rule. <Organization Name> is herein referred to as “the Organization” or “Organization.” This Manual reflects the Organization’s REQUIRED Security Risk Assessment and Management as mandated by the HIPAA Security Rule, and documents the implementation of security measures that reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the Rule. Policies and procedures are applicable to all of the Organization’s members, such as owners, management, employees, volunteers and/or contractors. Membership includes, but is not limited to, employment, contractual or volunteer relationships.

This Manual complies with the Security Rule’s documentation standard, which requires covered entities to: (i) “Maintain the policies and procedures implemented to comply with [the Security Rule] in written (which may be electronic) form”; and (ii) “if an action, activity or assessment is required for HIPAA security compliance, the organization will maintain a written (which may be electronic) record of the action, activity, or assessment.”

This Manual also complies with the Security Rule’s documentation standard specifications as follows:

1. Time Limit (Required) - The Organization will “retain the documentation required by (HIPAA Security Rule) for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
2. Availability (Required) - The Organization will make the documentation available in paper or electronic format at the Organization such that it is “available to those persons responsible for implementing the procedures to which the documentation pertains.”
3. Updates/Reviews (Required) - As noted by the dates on each page, the Organization will “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” The Organization will maintain revisions to the documents, the dates of each revision, the individual who revised the document, the date of the most recent approval of the document, and the individual who approved it.

Policy requirement sources are outlined at the beginning of each policy. See the Reference section for a full listing of references. The nomenclature for documents found in the Code of Federal Regulations (CFR) includes the appropriate title number, which precedes the CFR designation, followed by the chapter, part, and section numbers (Example: 45 C.F.R. §164.308(a)(2)).

All material contained herein is only valid once it has been reviewed by the Organization’s HIPAA Security Officer, as evidenced by the initials of said officer on each policy together with the date of the review and/or approval, and approved by the Organization’s Board of Directors or Managing Principal. Dates of reviews are also noted at the bottom of each policy, IT evaluation or log. All material is subject to review and modification in response to any environmental or operational change related to the protection of EPHI, as required by the Rule. This includes, but is not limited to: an identified security incident, an Organizational change in ownership or key personnel, and/or the incorporation of new technology. The initials confirm that these procedures, policies and logs are followed by this Organization and its employees.
Reference pages reflect the sources of the appropriate implementation standards for the Organization. See the Glossary in the Reference section for definitions. See Acronyms in the Reference section for the acronyms and/or abbreviations used.

IT Practice Consulting Corp., Pittsford, NY

ITPC COPYRIGHT NOTICE

For the Manual, generally: Copyright © 2013 ITPC and Kern, Augustine, Conroy & Schoppmann, P.C.

ITPC will permit limited copying of this Manual, or portions thereof, for the internal use of the purchaser or authorized user of the Manual. This Manual, however, may not be further copied or otherwise reproduced, redistributed or resold without the prior written consent of ITPC. All other rights are reserved. To request permission or obtain additional information, please contact ITPC at 866-985-7884 or HIPAA@itpc-. This Manual has been prepared to provide the reader with accurate information on the topics covered in the Manual. The Manual is being provided with the understanding that ITPC is not engaged in rendering any legal or accounting advice through this Manual. ITPC has made recommendations regarding referenced CMS or NIST standards for implementation. The Security Officer must sign off on all policies and procedures after verifying that they are consistent with the size and scope of their Organization, and must respond to all audit results. This Manual template does not constitute legal advice. The Organization will seek legal counsel for all state laws and situations unique to the Organization.

STATE LAW DISCLAIMER: This Manual includes security protections in accordance with the national HIPAA Security Rule. The HIPAA Security Rule establishes a national minimum standard. If a state law provides greater security protections, the state law must be observed.

Tabbed Section: Administrative Policies

2 ADMINISTRATIVE POLICIES AND PROCEDURES

2.1 Security Officer Job Responsibilities

§164.308(a)(2): Assigned Security Responsibility - The responsibility for security should be assigned to a specific individual or organization to provide an organizational focus and importance to security, and the assignment should be documented.
Implementation Specification: Required
Risk Level: low
Financial Impact: n/a
Security Officer Designate: <security officer name>
Appointed on: <appointment date>
Security Officer Initials: <initials>
Security Officer Contact Information: <insert>

The Security Officer for this Organization oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to, the Organization’s policies and procedures related to the security of patients’ electronic protected health information (EPHI), in compliance with federal and state laws and the Organization’s security policies and procedures (the “Security Policy”).

Responsibilities:
- Maintain the confidentiality, integrity, and availability of patients’ EPHI which the Organization creates, receives, maintains or transmits.
- Maintain current knowledge of applicable federal and state security laws.
- Develop, oversee, and monitor implementation of the Organization’s Security Policies and ensure that the integrity of the Security Policies is maintained at all times so that persons may not make unauthorized edits to the Security Policies.
- Report regularly to the Organization’s governing body and officers and/or owners (as applicable) regarding the status of the Security Policies.
- Work with legal counsel, consultants, management, and committees to ensure that the Organization maintains appropriate administrative materials in accordance with Organization management and legal requirements.
- Document the references for materials.
- Establish and administer a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the Organization’s security policies and procedures, in coordination and collaboration with other similar functions and, when necessary, with legal counsel.
- Oversee, direct, deliver, or ensure the delivery of security training and orientation to all employees, volunteers, medical and professional staff, and other appropriate personnel (the Organization workforce).
- Monitor attendance at all Security Policies training sessions, evaluate participants’ comprehension of the information provided at training sessions, and maintain appropriate documentation of security training.
- Monitor the Organization’s compliance with the Security Policies, including periodic security risk assessments.
- Monitor and evaluate, on no less than an annual basis, the Security Policies’ success in meeting the Organization’s goal for protection of EPHI.
- Coordinate and participate in disciplinary actions related to the failure of Organization workforce members to comply with the Organization’s Security Policies and/or applicable law.
- Monitor access controls to EPHI.
- Maintain access to EPHI only by authorized personnel.
- Monitor technological advancements related to electronic protected health information protection and security for consideration of adoption by the Organization.
- Coordinate and facilitate the allocation of appropriate resources for the support and effective implementation of the Security Policies.
- Initiate, facilitate, and promote activities to foster security information awareness within the Organization.
- Cooperate with CMS, other legal entities, and Organization officers or owners in any compliance reviews or investigations.
- Perform periodic risk assessments and ongoing compliance monitoring activities at each Organization location.
- Act as point of contact for the Organization’s legal counsel on an ongoing basis and in the event of a reported violation.
- Maintain all Business Associate Agreements and respond appropriately if problems arise.
- Act as the Organization-based point of contact for receiving, documenting, and tracking all complaints concerning the security policies and procedures of the Organization.
- Maintain documentation of the Organization’s Security Policies and Procedures for a minimum of six years from the date the Organization created the policies and procedures or last updated the policies and procedures.
- Oversee the maintenance of the Organization’s hardware and software.
- Oversee the maintenance of all logs and records included or referenced in this Manual.
- Oversee the installation and connectivity of computer equipment.
- Monitor backup procedures.
- Oversee disposal and media re-use.
- Carry out other responsibilities as outlined in the policies below.
Approval: ____________________ Date of Approval: ____________
Reviewed: ____________________ Date(s) of Review: ____________

2.2 Audit Trails Policy and Procedures

§164.308(a)(1)(ii)(D): Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy: It is the Organization’s policy to conduct audit trails to regularly track the identification and authentication of those accessing the computer system, and the software contained therein, that contain electronic protected health information (ePHI). The Organization will also maintain records of the activity performed within those systems for no less than three years. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of the relationship with the Organization.

Procedure

Software and/or networks requiring audit are identified as:
- EHR: <organization intake>
- PMS: <organization intake>
- Other Specified Software: <organization intake; note if applicable, or specify none>
- Fax Machines: <organization intake; note if applicable, or specify that fax machines do not retain ePHI>
- Copiers: <note if applicable, or specify that copy machines do not retain ePHI>
- Network or workgroup: <IT intake>
- Remote Access Networks: <IT intake>
- Wireless Network(s): <IT intake>

Events to be audited:
- User activity and/or access.
- Password activity, including when passwords are changed and who changed them.
- Changes to access privileges, including when access privileges to software were changed and who changed them.

Documentation: Any abnormalities will be documented in the log section of this Manual, including the immediate follow-up. Abnormalities include:
- Suspicious login attempts,
- Unusually frequent password changes,
- Computer file changes and/or deletions.

Audit Trails:
Designated Person to Conduct Audit Trail: <Org Intake>
Frequency of Audit Trails: <IT intake>
Audit Trail Location: <IT intake>
Persons with Authorized Access to Trail: Security Officer; <others as specified by organization>

Approval: ____________________ Date of Approval: ____________
Reviewed: ____________________ Date(s) of Review: ____________

2.3 Protection from Malicious Software Policy and Procedures

§164.308(a)(5)(ii)(B): Protection from Malicious Software - Procedures for guarding against, detecting, and reporting malicious software.
Implementation Specification: Addressable
Risk Level: moderate
Financial Impact: cost of license per workstation
Organization Anti-malware Software: <IT intake>

(i) The Organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code via the Organization’s specified anti-malware software. Information system entry and exit points include: electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
(ii) The Organization employs malicious code protection mechanisms at workstations, servers and, as applicable, mobile computing devices on the network to detect and eradicate malicious code that is transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means, or that is inserted through the exploitation of information system vulnerabilities.
(iii) The Organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available, in accordance with configuration management policy and procedures. These updates are set to occur automatically.
(iv) The Organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms as <frequency of scans>.
(v) The Organization defines one or more of the following actions to be taken in response to malicious code detection: block malicious code; quarantine malicious code; and/or send an alert to the administrator.
(vi) The Organization configures malicious code protection mechanisms to: perform periodic scans of the information system in accordance with the Organization-defined frequency; perform real-time scans of files from external sources as the files are downloaded, opened, or executed, in accordance with organizational security policy; and take the Organization-defined action(s) in response to malicious code detection.
(vii) The Organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The Organization is committed to taking the necessary steps to prevent computer viruses from infecting the Organization’s computer system. Organization members must adhere to the policies and procedures listed below:
- Members should not open email attachments that they are not expecting from someone they know or trust.
- Members should not access their personal email while at work.
- Members are strictly prohibited from using illegal or "pirated" software on the Organization’s computers.
- Members are prohibited from installing and playing computer games on the Organization’s computer system.
- Members are prohibited from using discs, external thumb drives or external hard drives on the Organization’s computer system.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of the relationship with the Organization.

Antivirus Procedures:
- The virus scanning software will automatically scan for viruses when files are being downloaded onto the Organization’s computer system.
- When the Organization purchases new computer software, the System Administrator or Security Officer must make sure it is shrink-wrapped and must check the discs prior to installing the software on the computer system.
- The System Administrator or Security Officer must make sure that discs used to store computer software programs are “write-protected,” that is, protected against information being saved to the disc. This prevents viruses from being copied onto discs containing important information.
- All software should be acquired from reputable dealers and must be new. No recycled computers.
- The Security Officer must approve all software to be downloaded from the internet.

Vulnerability Scanning Plans: Results from the most recent vulnerability scan are found at <IT Intake>
Network Penetration Testing: Results from the most recent network penetration test are found at <IT Intake>

Approval: ____________________ Date of Approval: ____________
Reviewed: ____________________ Date(s) of Review: ____________

2.4 Security Incident Policy and Procedures

§164.308(a)(6): Security Incident Procedures - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Implementation Specification: Required
Risk Level: moderate
Financial Impact: N/A

Policy: It is the Organization’s policy to identify, record and address attempts, whether incidental or intentional, to access the Organization’s physical space and/or the computer system and its components, unless such access is authorized by the System Administrator or Security Officer.
Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of the relationship with the Organization.

Procedure:
- The Organization will determine, through a variety of security mechanisms such as User IDs, password protection, anti-virus software, and audit trails, when security incidents have occurred.
- The Organization will periodically monitor user activity, including password activity, virus scans, and audit trails, to determine if any security incidents have occurred.
- Following the identification of a security incident, the Organization’s first priority will be to communicate the details of the incident to the relevant technical staff, such as the Organization’s information technology consultant, to expeditiously log and begin resolving the issue.
- Once alerted to the incident, the appropriate staff will access the appropriate part of the computer system as quickly as possible. If more than one incident occurs simultaneously, the most critical issue will be addressed first.
- The incident(s) will be immediately logged on a security incident log. The Organization will take necessary and reasonable steps to respond to and address all identified and confirmed security incidents. All responses will be logged in the security incident log. The log will be kept for 6 years.
- If the incident cannot be resolved and could potentially cause disruptions among other Organization employees such that it will inhibit them from performing their assigned job responsibilities, the System Administrator or Security Officer will notify the rest of the staff of the situation via email, telephone, verbally, or in writing. The Organization will select the communication media that works best under the circumstances. Affected staff will be notified of the estimated time necessary to address the security incident.
- Once the issue has been resolved, the System Administrator or Security Officer will notify Organization staff of the resolution via email, telephone, verbally, or in writing. If there are new procedures which must take place as a result of the reported incident, these will be distributed to Organization employees as well. The Organization will select the communication media that works best under the circumstances.
- The Organization utilizes computer system alarms to identify critical computer system errors.
- Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

Security Objectives

The Federal Information Security Management Act of 2002 (FISMA) defines three security objectives for information and information systems:

CONFIDENTIALITY: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.

INTEGRITY: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.

AVAILABILITY: “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to or use of information or an information system.

Potential Impact on Organizations and Individuals

FIPS (Federal Information Processing Standards Publication) 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.

The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

See the HIPAA Privacy Manual for the Organization’s Data Breach Notification Policy.

Approval: ____________________ Date of Approval: ____________
Reviewed: ____________________ Date(s) of Review: ____________

2.5 Training Policy and Procedures

§164.308(a)(5): Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).
§164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.
§164.308(a)(5)(ii)(C): Security Awareness and Training - Procedures for monitoring log-in attempts and reporting discrepancies.
§164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.
§164.308(a)(5)(ii)(A): Security Awareness and Training - Periodic security updates.
Implementation Specification: Addressable
Risk Level: medium
Financial Impact: minimum of 1 day’s salary per employee

Training is conducted within one week of the date the member joins the Organization and is reviewed annually. Security updates are distributed to the members via written notice for any changes or updates to the security policy that occur less than annually.

Training conducted by: The Security Officer

Training will occur on all of the Organization’s Security Policies. See the Training Checklist for training topics and training per workforce role. Attendees include those persons on the Training Documentation Form.
Members who do not maintain security awareness are subject to sanctions pursuant to Policy 2.6 of this Manual. (CMS 2009 HIPAA Compliance Review Analysis and Summary of Results)

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Sanction Policy and Procedures

§164.308(a)(1): Security Management Process
§164.308(a)(1)(ii)(C): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

The Organization has adopted this Sanction Policy to comply with the HIPAA Security Rule, as well as to fulfill our duty to protect the confidentiality and integrity of confidential electronic medical information as required by law.

The Organization has adopted a Security Policy requiring the Organization and its members to protect the integrity and confidentiality of electronic medical and other sensitive information pertaining to our patients. In addition, the Organization has adopted policies and standards to carry out the objectives of the Security Policy. All members of the Organization's workforce, including management, must adhere to these policies and standards. The Organization will not tolerate violations of these policies and standards; such violations constitute grounds for disciplinary action up to and including termination, professional discipline, and criminal prosecution.

Any member of the Organization who believes another member has breached the Organization's Security Policy, the policies and standards promulgated to carry out its objectives, or has otherwise breached the integrity or confidentiality of patient or other sensitive information should immediately report the breach to his or her supervisor or to the Security Officer.

The Security Officer will conduct a thorough and confidential investigation into the allegations and will inform the complainant of the results of the investigation and any corrective action taken. The Organization will not retaliate against or permit reprisals against a complainant. Allegations not made in good faith, however, may result in discharge or other discipline.

The Organization has a progressive discipline policy under which sanctions become more severe for repeated infractions. This policy does not, however, require a lesser sanction before the Organization terminates a member. At the discretion of management, the Organization may terminate a member for a first breach of the Security Policy or of individual policies and standards if the seriousness of the offense warrants it. A member can expect to lose his or her job for a willful or grossly negligent breach of confidentiality, willful or grossly negligent destruction of computer equipment or data, or a knowing or grossly negligent violation of HIPAA or any other federal or state law protecting the integrity and confidentiality of patient information. A member may also lose his or her job for a negligent breach of the Organization's standards for protecting the integrity and confidentiality of patient information. For less serious breaches, management may impose a lesser sanction, such as a verbal or written warning, verbal or written reprimand, loss of access, suspension without pay, demotion, or another sanction. In addition, the Organization will seek to include such violations by contractors as grounds for termination of the contract and/or imposition of contract penalties.

NOTE: THE ORGANIZATION MUST CONFORM ITS PERSONNEL MANUAL TO THE ABOVE PROVISION.

Violation of the Organization's Security Policy or individual policies and standards may constitute a criminal or civil offense under HIPAA, under other federal laws such as the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, or under state law. Any member or contractor who violates such laws should expect that the Organization will provide information concerning the violation to the appropriate law enforcement authorities and will cooperate with any subsequent investigation or prosecution.

Further, violations of the Security Policy or individual policies and standards may constitute violations of professional ethics and be grounds for professional discipline. Any individual subject to professional ethics guidelines and/or professional discipline should expect the Organization to report such violations to the appropriate licensure/accreditation agencies and to cooperate with any professional investigation or disciplinary proceedings.

This Sanction Policy is intended as a guide for the efficient and professional performance of members' duties to protect the integrity and confidentiality of medical and other sensitive information. Nothing herein shall be construed to create a contract between the member and the Organization.
Additionally, nothing in this Sanction Policy is to be construed by any member as containing binding terms and conditions of any form of membership of, or continued employment by, the Organization. Nothing in this Sanction Policy should be construed as conferring any employment rights on members. Management retains the right to change the contents of this Sanction Policy as it deems necessary, with or without notice, provided that members will be notified of any such changes.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Workforce Security and Termination Policy and Procedures

§164.308(a)(3)(ii)(C): Termination Procedures - Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
Implementation Specification: Addressable
Risk Level: medium
Financial Impact: n/a

Policy: The Security Officer is responsible for ensuring that the following procedures take place immediately upon an individual's termination from the organization. Doing so revokes the individual's access to the physical office as well as to the computer system.

Prior to the individual's departure, the System Administrator or Security Officer will:
- Contact a locksmith to change the organization's locks, if necessary.
- Secure a full computer backup.
- Instruct the individual whether or not to clean out his/her computer hard drive, if appropriate.
- Obtain from the individual, prior to departure, a list of every account and password he/she holds, so that each one can be changed or revoked rather than remaining known only to the departing member:
  - Computer system passwords
  - Network passwords
  - Email passwords
  - Additional passwords
- Retrieve and secure organization property, including laptops, other hardware and cell phones.
- Circulate new security keypad codes and office keys to the pertinent organization members, if necessary.
- Change or delete (as applicable) the passwords to the computer workstation, the network, and all email/internet accounts.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Mobile Device Management Policy

Implementation Specification: Addressable
Risk Level: medium
Security Category ePHI = {(confidentiality, medium), (integrity, medium), (availability, low)}. See Security Categorization in the Reference Section.

Policy: The organization acknowledges that members may bring personally owned mobile devices, such as a smartphone or tablet, into the organizational setting. Most current mobile devices lack a hardware-based root of trust (see the NIST SP 800-164 draft in the References), so a device's own claims about its integrity cannot be independently verified. Personally owned mobile devices (Bring Your Own Device, BYOD) <are/are not> permitted to be used for access to ePHI in our organization.
Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

<IF NOT PERMITTED - DELETE the rest of this policy from the manual>

Mobile Device Use
The following devices are approved for use at our organization: <LIST: device and operating system - example: smartphone/iPhone and/or tablet/iPad>
Mobile devices permitted in the organization shall be inspected and approved by the Security Officer. All mobile devices shall have the latest patches applied and be updated to the latest operating system version. Jailbroken or rooted devices shall not be used in the organization. Approved devices will be recorded in the hardware inventory log.

Mobile Device Security Capabilities
Mobile devices will have the following three security capabilities:
1) Device Integrity: Device integrity is the absence of corruption in the hardware, firmware and software of a device. A mobile device can provide evidence that it has maintained device integrity if its software, firmware, and hardware configurations can be shown to be in a state that is trusted by a relying party. The mechanism for communicating this trusted state is one or more assertions that the Device Owner allows the device to make to the Information Owner.
2) Isolation: Isolation prevents unintended interaction between Information Owners on the same device.
3) Protected Storage: Protected storage preserves the confidentiality and integrity of sensitive data on the device while at rest, while in use (in the event an unauthorized application attempts to access an item in protected storage), and upon revocation of access.

Camera Use: Members shall not use BYOD cameras on the premises of the organization.

Data communication and storage: BYOD devices must support strongly encrypted data communications and data storage, and must support remote wipe if the device is lost or stolen and is at risk of having its data recovered by an untrusted party.

User and device authentication: Authentication is required before accessing organization resources; the organization must be able to reset forgotten passwords remotely, automatically lock idle devices, and remotely lock devices suspected of having been left unlocked in an unsecured location.

Applications: Restricting which applications may be installed (through whitelisting or blacklisting), installing and updating applications, restricting the use of synchronization services, digitally signing applications, distributing the organization's applications from a dedicated mobile application store, and limiting or preventing access to the enterprise based on the mobile device's operating system version or mobile device management software client version.

The following resources may be accessed through mobile devices: <___>
The following resources shall not be accessed through BYOD: <___>

Threat Model for BYOD or enterprise-owned mobile devices:
Our organization has gone through the following threat modeling, which involves identifying feasible threats to BYOD, vulnerabilities, and security controls (or mitigations) related to these resources; quantifying the likelihood of successful attacks and their impacts; and analyzing this information to determine where security controls need to be improved or added.

Mobile Threats:

Lack of physical security controls
Vulnerability: Lack of physical security controls. These devices may be transported outside of the physical organization.
Feasible Threat: Theft with an attempt to recover data from the device or from remote resources.
Mitigation: Encrypt data on the device, or store no data on the device; require authentication before access is granted.

Use of untrusted networks
Vulnerability: Use of untrusted networks (Wi-Fi, cellular, etc.).
Threat: Eavesdropping.
Mitigation: Encryption of data in transit and mutual authentication mechanisms to verify the identities of both endpoints before transmitting data.

Third-party applications
Vulnerability: Third-party applications.
Threat: Exposure to unrestricted third-party application publishing.
Mitigation: Prohibit unapproved third-party applications by whitelisting approved applications and blacklisting others.

Interaction with other systems
Vulnerability: Interaction with other systems; a BYOD mobile device connected to organization computers, or an organization-owned mobile device connected to personal computers.
Threat: Data stored in an unsecured location; transmission of malware.
Mitigation: Prohibition of these combinations.

Use of untrusted content
Vulnerability: Use of untrusted content, e.g., QR codes.
Threat: May direct the user to a malicious web site.
Mitigation: Education regarding QR codes.

References:
NIST Special Publication 800-164 (Draft), Guidelines on Hardware-Rooted Security in Mobile Devices, National Institute of Standards and Technology, 33 pages (October 2012). CODEN: NSPUE2.
NIST Special Publication 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise [SP800-124].

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.
This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Patient Requests for Electronic Copy of ePHI Policy

Section 13405(e) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to §164.522, the covered entity must agree to the requested restriction, unless the disclosure is otherwise required by law, if the request is to restrict disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.

§164.524(c)(2): Requires covered entities to provide electronic information to an individual in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

§164.524(c)(2)(ii) of the Privacy Rule requires that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

§164.524(c)(3): If requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.

§164.524(c)(4) of the Privacy Rule permits a covered entity to impose a reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information). Such a fee may only include the cost of: (1) the supplies for, and labor of, copying the protected health information; (2) the postage associated with mailing the protected health information, if applicable; and (3) the preparation of an explanation or summary of the protected health information, if agreed to by the individual.

§164.524(c)(4)(i) includes the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee.

Section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to the request for the copy.

§164.524(b)(2)(iii) permits a covered entity a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for the delay and the expected date by which the entity will complete action on the request).

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Requests for Restrictions on a Restricted Health Care Item or Service:
The organization will employ a method to flag or make a notation in the record with respect to protected health information that has been restricted, to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan. The organization will apply minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.
If the organization is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate.

Providing Electronic Information to an Individual in Electronic Form:
The organization will provide readable electronic copies of protected health information in a format currently available on its various systems (example: PDF). If the individual declines to accept any of the electronic formats that are readily producible by the organization, the organization will offer a hard copy as an option to fulfill the access request.

Transmitting a Copy of Protected Health Information to Another Designated Person:
If requested by an individual, the organization will transmit the copy of protected health information directly to another person designated by the individual. The individual may direct the organization to transmit the copy directly to the individual's designee, provided that the choice is clear, conspicuous, and specific. When an individual directs the organization to send the copy of protected health information to another designated person, the request must be made in writing, signed by the individual, and must clearly identify the designated person and where to send the copy. If the organization has decided to require all access requests in writing, the third-party recipient information and the individual's signature can be included in the same written request; no additional or separate written request is required.

Cost-Based Fee:
A reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information) may include: the supplies for, and the labor of, copying the protected health information, whether in paper or electronic form; the postage associated with mailing the protected health information, if applicable; and the preparation of an explanation or summary of the protected health information, if agreed to by the individual.
Fee: ________________

Timeframe to Honor Requests for Electronic Copies of EPHI:
- The organization has 30 days to provide access.
- The organization is to provide the access requested by the individual in a timely manner, which includes arranging with the individual a convenient time and place to inspect or obtain a copy of the protected health information.
- The organization has a one-time extension of 30 days to respond to the individual's request (with written notice to the individual of the reasons for the delay and the expected date by which the organization will complete action on the request).

Procedures: See Vendor Specific Section.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Fax and Copy Machine Usage Policy and Procedures

Section 160.103 - Electronic media means:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

Policy: Photocopiers, facsimile (fax) machines, and other office machines may retain electronic data and therefore may store protected health information when used by covered entities or business associates. Protected health information stored, whether intentionally or not, in photocopiers, fax machines, and other such devices is subject to the Privacy and Security Rules. It is the organization's policy to safeguard patient health information from any disclosure or exposure to unauthorized parties when this information must be transmitted or delivered to authorized individuals. The use of fax machines and/or photocopiers is not prohibited. However, the organization will follow strict rules that protect the security and privacy of the information at the point of dispatch, in transit, and at the point of delivery.

Fax Machines: <type - traditional or email? - note if email facsimile ONLY and eliminate the following>
Storage of EPHI: <note if the fax machine retains electronic copies of EPHI, or specify that fax machines do not retain EPHI>
Location: <must be placed in a secure area and not generally accessible>
Access: <only authorized personnel are to have access to fax machines>
Procedures: The fax machine(s) is kept in a secured area and is accessible only to authorized personnel.
When transmitting EPHI, the following procedures must be followed:
- Destination numbers must be verified before transmission.
- Notify recipients that they have been sent a fax.
- Include a cover sheet with a HIPAA confidentiality disclaimer.
- Fax only to secure destinations.
- Maintain a copy of the confirmation sheet of the fax transmission.
- Confirm fax delivery with a follow-up phone call.
- Remove incoming faxes immediately from the output tray.
- Store received faxes in a secure location.

Copier: <type - traditional or digital? - note if traditional and eliminate the following>
Storage of EPHI: <note if the copier uses a hard disk drive to manage copy jobs and therefore retains electronic copies of EPHI>
Location: <must be placed in a secure area and not generally accessible>
Access: <only authorized personnel are to have access to the digital copier>
Data Security: <note if the copier has data security features such as encryption or overwriting - overwriting that occurs periodically should be documented in the _______ log - or if data is deleted, or if the hard drive is locked with a passcode>
Data Disposal: <indicate how the organization will dispose of data that has accumulated on the copier over time - review lease or purchase agreements and make sure that your organization will retain ownership of all hard drives at the end of usage - note how the organization will dispose of data at the end of copier usage>
Procedures:
- Copier(s) are kept in a secure area with restricted physical access.
- The hard drive will be physically destroyed before turn-in or disposal.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Tabbed Section - Physical Safeguards and Policies

PHYSICAL SAFEGUARDS POLICIES AND PROCEDURES

Policy for User Identification and Authentication and Access

§164.308(a)(4): Information Access Management - §164.308(a)(4)(ii)(B): Implement policies and procedures for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism.
§164.308(a)(4): Information Access Management - §164.308(a)(4)(ii)(C): Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
§164.312(a)(1): Access Control - §164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
§164.312(a)(1): Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
§164.312(a)(2)(ii): Access Control - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. Identify a method of supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems.
§164.312(a)(2)(iii): Access Control - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
§164.312(d): Person or Entity Authentication - Identify the methods available for authentication. Under the HIPAA Security Rule, authentication is the corroboration that a person is the one claimed (45 CFR §164.304). Authentication requires establishing the validity of a transmission source and/or verifying an individual's claim that he or she has been authorized for specific access privileges to information and information systems. Weigh the relative advantages and disadvantages of commonly used authentication approaches.
Implementation Specification: Required
Risk Level: moderate
Financial Impact: n/a

The organization uses user IDs and unique passwords to control access to the organization's computer system. The organization expects organization information to be available when it is needed, to be accurate, and to be safeguarded from access by unauthorized individuals. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Security Procedures
The organization requires all of its members to have effective and secure user IDs and passwords for access to the organization's computer system. The Security Officer or System Administrator provides oversight of the process for administering and maintaining user IDs and passwords for the organization as follows:

Unique User Authentication and Identification: Required
All organization members' passwords, including temporary passwords established for new and temporary organization members, meet the following characteristics:
- Are easy for the organization member to remember, but difficult for an unauthorized user to guess
- Are at least six characters in length (the organization's minimum; longer passwords are stronger, and NIST SP 800-63B calls for at least eight characters for user-chosen passwords)
- Consist of a mix of alphabetic characters and at least one numeric or special character
- Are easy to type quickly
- Are not portions of associated account names (e.g., user ID, log-in name)
- Are not the name of the organization member's spouse, children, or pets in any form
- Are not information easily obtained about the member (e.g., license plate numbers, telephone numbers, social security numbers, the brand of his/her automobile, the name of the street he/she lives on, date of birth, email name, etc.)
- Are not simple character sequences (e.g., abc or 123)

Each organization member, including new and temporary organization members, is assigned a unique user identification (user ID) and a unique temporary password. Organization members are required to select a new password immediately after their initial log-on to the computer system using the temporary user ID and password.

Authentication approaches include: something a person knows, such as a password; something a person has or is in possession of, such as a token (smart card, ATM card, etc.); some type of biometric identification a person provides, such as a fingerprint; or a combination of two or more of the above approaches.

User Access Controls and Management
The Security Officer will:
- Disable user IDs and password accounts not used for 180 days and review such accounts for possible deletion. Review and delete accounts that have been disabled for 60 days. Review and delete password accounts for the organization's contractors on the expiration date of their contract.
- Instruct organization members to keep passwords confidential. Organization members will be instructed not to share their password with anyone, including other organization members, temporary organization members, and contractors.
- Remove vendor or service (default) passwords from computer systems and assign new passwords to all computer systems immediately upon installation at the organization.
- Instruct organization members that passwords will not be visible on a data entry screen or display, and will not be documented in writing in any form (e.g., on a post-it note, on a message pad, on a calendar, or on a smartphone).
- Change passwords and disable user accounts promptly upon an organization member's termination, including temporary organization members, regardless of whether the termination was mandatory or voluntary.
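The password characteristics and the Security Officer's account-lifecycle rules above (disable after 180 days unused, delete after 60 days disabled, delete contractor accounts on contract expiry) are concrete enough to check mechanically rather than by eye. The Python below is an added example written for this manual; it is not code from the manual or from any EHR or directory vendor. The account inventory and the "today" date are constructed sample data, the four-character cut-off for "portions of the user ID" is an assumption, and the list of personal words (family and pet names, plate number, street) is whatever the Security Officer supplies for the member.

```python
"""Mechanical checks for the password characteristics and the Security
Officer's account-lifecycle rules in the policy above.

Added example for this manual; not code from the manual or from any EHR or
directory vendor. Sample accounts and the "today" date are constructed."""
from datetime import date

MIN_LENGTH = 6       # policy: at least six characters
DORMANT_DAYS = 180   # policy: disable accounts unused for 180 days
DISABLED_DAYS = 60   # policy: delete accounts that have been disabled for 60 days


def _has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending or descending characters
    (the policy's "character strings" such as abc or 123; cba and 321 count too)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, user_id, personal_info=()):
    """Return the policy rules a candidate password violates ([] = acceptable).
    personal_info: words the Security Officer supplies for this member (family
    and pet names, plate, phone, street, etc.) that must not appear."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic characters")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("no numeric or special character")
    # "not portions of associated account names": the whole user ID or any
    # slice of it four characters or longer (assumption: 4 is the cut-off).
    uid = user_id.lower()
    shortest = min(4, len(uid))
    if uid and any(uid[i:i + n] in low
                   for n in range(len(uid), shortest - 1, -1)
                   for i in range(len(uid) - n + 1)):
        problems.append("contains part of the user ID")
    for word in personal_info:
        w = str(word).lower()
        if len(w) >= 3 and w in low:
            problems.append("contains personal information (%s)" % word)
    if _has_sequence(pw):
        problems.append("contains a simple character sequence")
    return problems


def review_accounts(accounts, today):
    """Apply the lifecycle rules to an account inventory.
    Each account: {"user_id", "created", "last_login" (date or None),
    optional "disabled_on", optional "contract_end" for contractors}.
    Returns {user_id: "ok" | "disable" | "delete"}."""
    actions = {}
    for acct in accounts:
        uid = acct["user_id"]
        contract_end = acct.get("contract_end")
        disabled_on = acct.get("disabled_on")
        last_used = acct.get("last_login") or acct["created"]
        if contract_end is not None and contract_end <= today:
            actions[uid] = "delete"     # contractor account: delete on expiry
        elif disabled_on is not None:
            days = (today - disabled_on).days
            actions[uid] = "delete" if days >= DISABLED_DAYS else "ok"
        elif (today - last_used).days >= DORMANT_DAYS:
            actions[uid] = "disable"    # dormant: disable, then review for deletion
        else:
            actions[uid] = "ok"
    return actions


# Constructed sample data (not real accounts or dates).
TODAY = date(2013, 9, 1)
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith", "created": date(2012, 1, 9), "last_login": date(2013, 8, 30)},
    {"user_id": "rlee", "created": date(2012, 1, 9), "last_login": date(2013, 2, 1)},
    {"user_id": "tmp01", "created": date(2013, 1, 15), "last_login": None,
     "disabled_on": date(2013, 6, 1)},
    {"user_id": "vendor7", "created": date(2013, 1, 2), "last_login": date(2013, 8, 28),
     "contract_end": date(2013, 8, 31)},
]

if __name__ == "__main__":
    for pw, uid, info in [("Summer2013!", "jsmith", ["Rex"]),
                          ("smith1", "jsmith", []),
                          ("abc12", "rlee", [])]:
        print(uid, repr(pw), check_password(pw, uid, info) or "acceptable")
    for uid, action in sorted(review_accounts(SAMPLE_ACCOUNTS, TODAY).items()):
        print(uid, "->", action)
```

Run as a script it reports that "smith1" is rejected for containing part of the user ID, "abc12" for being short and sequential, and that of the four sample accounts rlee is to be disabled (212 days idle) while tmp01 (disabled 92 days) and vendor7 (contract expired) are to be deleted. In practice the inventory would be exported from the directory or EHR user list; the decisions, not the export, are what the policy specifies.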
Users must immediately change their password if they suspect it has been compromised and must immediately notify the Security Officer.
- Limit organization members' log-on attempts to five (5) to prevent unauthorized access to the computer system, by configuring computer system accounts to lock and provide no further access until the member has spoken with the System Administrator or Security Officer.
- Document in each individual's job description the level of access consistent with their described role within the organization. See the Organization's HIPAA Manual, Minimum Necessary Policy.
- Ensure that there is a mechanism in place to encrypt and decrypt electronic protected health information. Encryption Level: <______>

Emergency Access Procedure: As outlined in the Vendor Specific Section

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Workforce Clearance Procedures

Workforce Security §164.308(a)(3)(ii)(B): Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Implementation Specification: Addressable
Risk Level: low
Financial Impact: n/a

The organization's policy is to ensure that all members of its workforce have appropriate access to PHI (including EPHI) and to prevent those who do not need access from obtaining it.

Workforce authorization: Authorization is done at the time of joining the organization. Roles are specified in an organization member's job description and correlate with the member's role within the EHR system, ensuring appropriate access. Organization members must provide proof of license as required by state law in order to access certain areas of the EHR. Certain areas of the EHR can only be accessed by clinical personnel holding an applicable professional license. Such members will provide proof of licensure at the time of joining the organization and receiving workforce clearance. Roles and permissions within the EHR are assigned by the Security Officer at the time of joining the organization.

Job descriptions are developed and in place for each of the organization members. These documents describe the responsibilities of each staff position and the level of access that each needs to PHI (including EPHI). Job descriptions are routinely reviewed, and no less than annually, for accuracy and appropriateness. Consistent with the Privacy Rule, job descriptions address the minimum necessary access required by a person or job title in the organization that must have access to EPHI to carry out their duties. Each organization member has a copy of, or access to, their written job description.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Approval: ______________________________ Date of Approval: ____________
Reviewed: ______________________________ Date(s) of Review: ____________

Contingency Policy and Procedures

§164.308(a)(7)(i) Contingency Plan: Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (See Policy 3.6 of this Manual for additional emergency contingency plan policies and procedures.)
§164.308(a)(7)(ii)(C) Emergency Mode Operation Plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
§164.308(a)(7)(ii)(A) Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
§164.308(a)(7)(ii)(B) Disaster Recovery Plan: Establish (and implement as needed) procedures to restore any loss of data.
§164.308(a)(7)(ii)(D) Testing and Revision Procedures: Implement procedures for periodic testing and revision of contingency plans. (Addressable)
§164.308(a)(7): Preventive measures must be identified.
§164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. (Addressable)
Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy: It is the policy of the Organization to establish Contingency Plans in order to protect the confidentiality, integrity, and availability of our electronic protected health information in the event of an emergency. The purpose is to enable sustained operation of the information systems in the event of an extraordinary event that causes these systems to fall below minimum production requirements. The Organization will assess the needs and requirements so that it is prepared to respond to the event and regain efficient operation of the damaged systems.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure:
- Every member of the Organization's workforce is responsible for the integrity of the Organization's electronic protected health information.
- The Security Officer (or other designated person) will inspect the facilities per the Facilities Policy and Procedures and maintain a log of all repairs and enhancements to security.
- The Security Officer will carry out the Contingency Plan steps for the Organization.
- The Organization will establish procedures to reduce the risk from vulnerabilities identified by the Facility Security Analysis.
- The Contingency Plan is an ongoing responsibility and will be reviewed by the Security Officer as necessary, including quarterly and annual reviews.
- The Security Officer will train the members of the Organization on the procedures of the Contingency Plan.
- Key applications are identified in the backup policy and procedure, section 3.5.
Steps to Activate Contingency Plan

Response Phase

The Security Officer will:
- Establish an immediate and controlled presence at the incident site.
- Conduct a preliminary assessment of incident impact, extent of damage, and disruption to the information system and/or business operations. Scale of damage:
  - Total: Physical facilities, hardware and/or data are destroyed, requiring the replacement of equipment and data to recover.
  - Major: There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover.
  - Partial: There is minor damage to hardware and/or data, requiring some replacement of equipment but mostly restoring data.
  - Minor: Only data is damaged and only restoration is required to recover.
- Determine and disseminate information on if or when access to the information system and/or facility will be allowed.
- Provide all members with the facts necessary to make informed decisions regarding subsequent resumption and recovery activity.

Response Phase Checklist

Purpose: To detect and assess damage and to activate the plan. Includes immediate actions, personnel safety, damage mitigation, and reporting.
- The first responder is to notify the Security Officer. All known information must be relayed to the Security Officer.
- The Security Officer will inform necessary personnel of the event.
- The Security Officer will begin or delegate the commencement of the assessment procedures.
- Begin the assessment procedures to determine the extent of damage and estimated recovery time. (Use alternate procedures if damage assessment cannot be performed locally because of unsafe conditions.)

Damage Assessment Procedures. Determine:
- The cause of the disruption
- Potential for additional disruption or damage
- How the physical area has been affected
- The status of the physical infrastructure
- Status of IT equipment functionality and inventory
- IT equipment that will need to be replaced
- Estimated time to repair services to normal operations

Alternate Assessment Procedures:
- Determine when damage assessment can be completed
- Notify the Security Officer of the results
- The Security Officer will evaluate the results and determine whether the contingency plan is to be activated and if relocation is required
- Based on assessment results, the Security Officer is to report the assessment to emergency personnel (e.g. police or fire department) as appropriate
- Determine what resources are required to support critical functions. Consider the following:
  - Human Resources: Can people get to work? Are the critical skills and knowledge possessed by the appropriate people? Can people easily get to an alternative site?
  - Process Capabilities: Are the computers or other hardware harmed? What happens if some of the equipment is inoperable, but not all?
  - Automated Applications and Data: Has data integrity been affected? Has an application been sabotaged? Can an application run on a different processing platform?
  - Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?
  - Infrastructure: Do people have a place to work? Do they have the equipment to do their jobs? Can they occupy the department/building?
  - Documents/Paper: Can needed records be found? Are they readable?

Activate the Contingency Plan if one or more of the following criteria are met:
- The (EHR system) will be unavailable for more than 48 hours
- The facility is damaged and will be unavailable for more than 24 hours
- Other criteria, as appropriate

If the plan is activated:
- The Security Officer is to notify all team leaders and inform them of the details of the event and whether relocation is required.
- Upon notification, the team leaders will notify their respective teams.
- The Security Officer will notify the (off-site storage facility) that a contingency event has been declared and to ship the necessary materials to the alternate site.
- The Security Officer will notify the alternate site that a contingency event has been declared and to prepare the facility for the organization's arrival.

Response Phase – EHR Response Phase Checklist

The availability of EPHI is critical to ensure safe and effective communication among patients' healthcare providers. Utilize established procedures to ensure that EPHI is backed up and information is retrievable.

In the event of a downtime disruption and inability to access the EHR, the organization shall:
- Identify operations or services that will be impacted
- Make necessary notification of the unavailability of EPHI
- Implement existing backup systems to access historical patient health information
- Identify and make available resources for retrieval, delivery, return, etc.
- Make temporary paper documentation tools available for healthcare providers
- Identify processes to carry out (ADT transmissions, order placement and communication, diagnostic study results reporting)
- Identify processes, procedures, and responsible personnel to ensure processing of paper documentation following EHR resumption

Response Phase Personnel Safety Procedures

In an emergency, the Organization's top priority is to preserve the health and safety of its staff before proceeding to the Response procedures.

Hazardous Material
- Staff should remain inside the building
- Doors and windows should be secured
- Curtains or mini-blinds should be closed if possible to shield from flying glass
- Staff should take shelter in the hallway if necessary
- Evacuation of the building is a last resort and should be done only under the direction of the Security Officer or on notification by local authorities

Fire
- If possible, determine where the fire is located
- If the area is filled with smoke, leave the area for a safer location, call authorities, and stay out of the area until the smoke is cleared and the area is secured
- If the fire is not out of control and you are not in danger: trained staff should use fire extinguishers if it is safe; sound the alarm (if applicable); call authorities
- If the fire is out of control, all personnel should evacuate: call authorities; stay at least 300 feet from the area; once outside, proceed to the Emergency Assembly Point; do not leave the premises

Explosion or Similar Incident
- Immediately take cover under tables, desks, and other such objects for protection against falling glass and debris
- After the immediate effects of the explosion or incident subside, notify authorities
- When advised, evacuate the building
- Once outside, proceed to the Emergency Assembly Point
- Do not leave the premises

Earthquake, Fire or Explosion, Structural Damage
- It may be necessary to evacuate the building immediately until it can be declared safe for occupancy
- Follow building evacuation procedures
- Evacuate upon notification by local authorities or the Security Officer, or if there is a life-threatening incident or disaster
- Pay attention to all marked exits from the building
- Walk quickly to the nearest exit and leave the building
- Once outside, proceed to the Emergency Assembly Point. Do not leave the area (roll call may be taken)
- Do not return to the building until directed to by either local authorities or the Security Officer

Telephone Bomb Threats
- Keep the caller on the line for as long as possible
- Record every statement spoken by the person on the call
- Be sure the caller provides information regarding the location and time of detonation
- If possible, place the caller on speakerphone so that other staff may assist in verifying information
- After hanging up (or simultaneously, by another staff member) call authorities
- Evacuate

Resumption Phase

The Security Officer will:
- Establish and organize a management control center and headquarters for the resumption of operations.
- Activate the support teams necessary to facilitate and support the resumption process.
- Notify and apprise time-sensitive business operation resumption team leaders of the situation.
- Alert employees, vendors, and other internal and external individuals and organizations.

Recovery Phase

The Security Officer will:
- Prepare and implement procedures necessary to facilitate and support the recovery of time-sensitive business operations.
- Coordinate with the members responsible for business operations and recovery.
- Coordinate with members, vendors, and other internal and external individuals and organizations.

Purpose: To restore temporary IT operations and recover damage done to the original system. The Recovery Phase begins after the contingency plan has been activated, damage assessment has been completed (if possible), personnel have been notified, and appropriate personnel mobilized. The Recovery Phase includes procedures to recover hardware, software, data, telecommunications, and reporting.

Focus: Contingency measures to execute temporary IT processing capabilities, repair damage to the original system, and restore operation capabilities at the original or new facility.

Overall Goal: At the completion of the Recovery Phase, the IT system will be operational and performing the functions designated in the plan.

Recovery Goal: Restore Data
Procedures: Utilize existing policy and procedures for data backup and restoration. The Security Officer will oversee and/or initiate the organizational data backup and recovery processes for those applications, systems, and networks under its control.

Recovery Goal: Communication Infrastructure
Procedures: Recover critical telecom networks and equipment first. Because the IT infrastructure can depend on the telecommunications network, recovery of telecommunications is important. Set up workspace and stage equipment for recovery of systems. Set up internet connectivity. Recover the data server. Begin recovery of secondary applications. Set up additional phones for staff.

Restoration Phase

The Security Officer will:
- Prepare and implement procedures necessary to facilitate the relocation and migration of business operations and technology to the new or repaired facility.
- Manage the relocation/migration effort as well as perform employee, vendor, and customer notification before, during, and after relocation or migration.

Purpose: To restore IT system processing capabilities to normal operations.
The Restoration Phase may include refurbishing, replacing, constructing, or returning.
- Terminate recovery activities
- Transfer normal operations back to the organization's facility (if applicable)
- Prepare a new facility to support system processing requirements (if applicable)

Approval: ________________________ Date of Approval: __________
Reviewed: ________________________ Date(s) of Review: __________

Computer Backup Policy and Procedures

Computer Backup Policy §164.308(a)(7)(ii)(A) - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Contingency Plan §164.308(a)(7)(ii)(B) - Establish (and implement as needed) procedures to restore any loss of data.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy: It is the policy of the Organization to implement backup procedures in order to protect the confidentiality, integrity, and availability of the electronic protected health information (EPHI) of our patients. Members are responsible for notifying the Security Officer immediately if their attempt to save EPHI fails or if EPHI is compromised in any way. All media belonging to the Organization is assumed to contain sensitive information and should be treated as such.

Media control procedures provide for:
- Receipt and removal of hardware/software;
- Backup, storage and expiration of Information;
- Disposal of out-of-date or incorrect Information;
- Encryption of Nominative Information during transit; and
- Reuse and Disposal of Media.

Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Procedure: Our Organization identified key applications that support electronic protected health information and identified a backup schedule as well as the approximate recovery time as follows:

Organization Management and Electronic Health Record:
- Backup Method – < >
- Frequency – < >
- Encryption – < >
- Test of Data Backup Frequency – < >
- Date of Last Data Backup Test – See Backup Log
- Recovery Time – < >
- Reuse and Disposal of Media – < >
- Procedure: See vendor specific section

Accounting Software: (REMOVE if the organization does not have EPHI in the accounting software)
- Backup Method – < >
- Frequency – < >
- Encryption – < >
- Test of Data Backup Frequency – < >
- Date of Last Data Backup Test – See Backup Log
- Recovery Time – < >
- Reuse and Disposal of Media – < >

Any other software with EPHI: <name of software> (REMOVE if the organization does not have EPHI in any other software)
- Backup Method – < >
- Frequency – < >
- Encryption – < >
- Test of Data Backup Frequency – < >
- Date of Last Data Backup Test – See Backup Log
- Recovery Time – < >
- Reuse and Disposal of Media – < >

Server Configuration and Set-up (if applicable)
- Method – < >
- Frequency – < >

Identified persons who are authorized to access the backed up data include: The Security Officer, <organization intake>

Approval: ________________________ Date of Approval: __________
Reviewed: ________________________ Date(s) of Review: __________

Contingency Plan Steps, Emergency Mode Operation Plan

§164.308(a)(7)(i) Contingency Plan - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Identified Organization Threats/Risks
- Natural - <organization intake: fire, flood, ice storm, tornadoes, wind storms>
- Human - network or computer based attacks, malicious software upload, data entry deletion (low probability); theft or vandalism
- Environmental - power failure (low probability)

Scale of damage:
- Total: Physical facilities, hardware and/or data are destroyed, requiring the replacement of equipment and data to recover.
- Major: There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover.
- Partial: There is minor damage to hardware and/or data, requiring some replacement of equipment but mostly restoring data.
- Minor: Only data is damaged and only restoration is required to recover.
- None: No physical damage to hardware and/or no data destroyed; the disruption is due to a recoverable event.

Disaster Recovery Plan: Scenario #1 - Server Dies
Scale of Damage: Major. There is extensive hardware and/or data damage, requiring some replacement of equipment and data to recover.
- The Security Officer will activate the Plan, and the Plan's activation will be communicated to the rest of the Organization via <Org Intake>
- New server or switch to redundant server
- Obtain data restoration from <Org Intake>
- A senior level manager and/or owner will confirm the restored data.
- A list of all member names and addresses can be found: <Org Intake>
- Vendor contact list can be found: <Org Intake>
- Vital records for the Organization, such as server and workstation warranties, can be found: <Org Intake>

Disaster Recovery Plan: Scenario #2 - Destruction of Office Due to Natural Threat
Scale of Damage: Total. Physical facilities, hardware and/or data are destroyed, requiring the replacement of equipment and data to recover.
- The Security Officer will activate the Plan, and the Plan's activation will be communicated to the rest of the Organization via phone or in person
- Communication outreach to patients will be done via: < >
- Follow directions for procurement of needed hardware.
- Follow directions for backup restoration to new hardware.
- The doctors and office manager will confirm the restored data.
- Utilize the checklist to aid in the transition and restoration of your normal business operations: facilities, members, computers, restore databases.

Identified Range of Events: Events that may cause the total or partial relocation or suspension of the Organization's operations: <Org Intake>
Identified Relocation Facility: <organization intake> (Addressable: see addressable specifications)
Identified Contingency Staff: <organization intake> (Addressable: see addressable specifications)
Identified communication plan for members, business partners, and patients: <organization intake>

Contingency Plans Testing and Revision: Training for all personnel on the policies and procedures regarding the organization's contingency plans will occur upon joining the organization and at the annual review. Testing of the plan will occur every other year and will include a determination and documentation of any weaknesses in the disaster and emergency operations plans and the addressing of any weaknesses discovered.
Last test or reason for not testing the Contingency Plan: <Org Intake>

Disaster Recovery Plan: Scenario #3 - Loss of Electricity
Scale of Damage: None
The Security Officer will evaluate the likely probability of an extended loss of electricity. If the power disruption will last more than 4 hours, the Organization will identify an alternative power source or an alternative means of accessing patient data.

Approval: ________________________ Date of Approval: __________
Reviewed: ________________________ Date(s) of Review: __________

Facilities Policy and Procedures

§164.310(a)(2)(ii): Facility access controls - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
§164.310(a)(2)(iv): Facility access controls - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

The Organization recognizes the importance of physical security in preventing unauthorized access to PHI and has developed the following policies and procedures. Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of a relationship with the organization.

Inspections: It is the Organization's policy to conduct routine physical inspections of the facilities. Each outside access point has appropriate physical safeguards. Inspections, repairs and maintenance records are maintained in the facilities log.

Doors: <Org Intake> Keys are assigned and distributed by the Security Officer.
Windows: <Org Intake>
Alarm System: <Org Intake>
Workstations (if applicable): <Org Intake> Physical locations of workstations are documented in the hardware log.
- Visible at all times: password protected; log off for inactivity or if stepping away from the location.
- If NOT visible at all times: the area where the computer is located has physical access restrictions as specified. These restrictions may include observed entry points and/or locked entry points. The hardware is password protected, with an automatic log-off procedure when not in use.
Server: specify if on-site or off-site: <security>. If off-site: <security>

Device and Media Controls:
- Disposal: Required - documented in hardware inventory
- Media Reuse: Required - documented in hardware inventory
- Location and accountability: Addressable - documented in hardware inventory

Approval: ________________________ Date of Approval: __________
Reviewed: ________________________ Date(s) of Review: __________

Computer Workstation Use Policy and Procedures

§164.310(b) Workstation Use - Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
§164.310(b): Workstation Use - Covered entities must identify the expected performance of each type of workstation.
§164.310(b): Workstation Use - Covered entities should analyze physical surroundings for physical attributes.
§164.310(c): Workstation Security - Covered entities should implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.
§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(i) Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored.
§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(iii) Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
§164.310(d)(1): Device and Media Controls - §164.310(d)(2)(ii) Implement procedures for removal of ePHI from electronic media before the media are made available for reuse. Ensure that ePHI previously stored on electronic media cannot be accessed and reused. Identify removable media and their use. Ensure that ePHI is removed from reusable media before they are used to record new information.
§164.312(a)(1): Access Control - §164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
§164.312(a)(1): Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
§164.312(a)(2)(iii): Access Control - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
§164.312(b): Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
§164.312(c): Integrity - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
§164.312(e)(1): Transmission Security - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Implementation Specification: Required
Risk Level: low
Financial Impact: n/a

Policy and Procedures:

Operating Environment
- All computers owned by the Organization will be connected to surge protectors purchased by the Organization.
- Members will monitor the computer system and report potential threats to the security of the data contained in the system to the Security Officer of the Organization. All members will take appropriate measures to protect computers and data from disasters based on the policies and procedures of the Organization.
- The members of the Organization should be cautious with food and drink near computer terminals, hard drives, keyboards, and screens.
- The network and workstations have been configured according to standards provided by the Organization. The programs that have been installed are for the sole use of the Organization. All accessible data, personal or private, is for the sole use of the Organization. This includes data that members may put on their local hard drives.
- The computer has been set up for your individual use solely for the business of the Organization. Members of the Organization are not authorized to change any settings unless instructed by the Security Officer. The Security Officer monitors which software and hardware is at each workstation. Do not change anything without approval from the Security Officer.
- Members will not subject the Organization's system to malicious programs (e.g., viruses, worms, etc.).
- All hardware and software owned by the Organization is documented in an inventory log. The log details:
  - The location and function of all hardware and software
  - The data contained within, and the encryption methods if applicable
  - Backup procedure for all devices
  - Audit methodology for access of hardware or software
  - Destruction methods for reuse or retirement of all devices

Passwords
- Members are expected to maintain the confidentiality of their password(s). The Organization expects authorized users to be responsible for the security of their password.
- Members will log on to the system with their own password(s). Under no circumstances will a member share their password(s) with another member or unauthorized person in order to allow them access to the system.
- The Organization monitors system access by authorized users.

Content
- A Member of the Organization will be held responsible for the content of any data that Member entered into the system. This includes any information transmitted within the Organization or outside the Organization.
- A member will not hide his/her identity as the author of any entry or represent that someone else entered the data or sent the message.
- The Security Officer of the Organization will issue access authorization to each member. No member may access any confidential patient or other information that they do not need to know. No member may disclose confidential patient or other information, unless properly authorized.

Log-off (Addressable)
When members leave their computer terminal for any length of time, the system will automatically log off after two minutes of idle screen time unless the computer is in a physical space where someone is present at all times.
Screen savers will be programmed for each computer to activate after five minutes of idle screen time and to require a password to sign back in.

Backup Procedures (Required)
Members are required to adhere to the backup policies and procedures of the Organization with regard to all utilized applications. See Policy 3.5 of this Manual.

Device and Media Controls
- Members will use backup media that are provided by the Organization.
- Members will assume that all electronic media belonging to the Organization contains confidential information.

Destruction Procedures
- Members are required to adhere to the destruction procedures of the Organization with regard to devices and media that contain EPHI.
- Hard drives will be cleaned of all EPHI prior to resale, donation, or disposal by use of appropriate "cleaning" software.
- Electronic media (e.g., tapes, CDs, disks, etc.) will be destroyed via shredding or incineration prior to disposal.

Sanctions
Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of membership.

Electronic Mail
- The Email system should generally be used for work related purposes. The Organization reserves the right to monitor Email and Internet usage.
- Only open attachments from trusted sources.
- Forgery (or attempted forgery) of electronic mail messages is prohibited.
- Attempts to read, delete, copy, or modify the electronic mail of other users are prohibited.
- Attempts at sending harassing, obscene, or threatening email to another user are prohibited.
- Attempts at sending junk mail, "for-profit," or chain email are prohibited.

Internet Access
The Organization authorizes the availability of the Internet/World Wide Web to provide access to Internet resources that will enhance and support business activities. It is expected that members will use the Internet to improve their job knowledge and to access information on topics which have relevance to the Organization.

Members should be aware that access is accomplished using Internet protocol addresses and domain names registered to the Organization. They may be perceived by others to represent the Organization. Users are advised not to use the Internet for any purpose that would reflect negatively on the Organization or its members.

Members will follow existing security policies and procedures in their use of Internet services and will refrain from any access to internet sites that might jeopardize the computer systems and data files. Such risks include, but are not limited to, virus infection when downloading files from the Internet.

Members using equipment owned by the Organization to access the Internet are subject to having activities monitored by the Security Officer. Use of this system constitutes consent to security monitoring, and members should remember that no session or transmission should be considered private.

EPHI is not to be transmitted over the Internet without encryption.

The computer system of the Organization is not for personal use. When certain criteria are met, users are permitted to engage in the following activities:
- During working hours, access job-related information, as needed, to meet the requirements of their jobs.
- During working hours, participate in email discussion groups (list servers), provided these sessions have a direct relationship to the user's job with the Organization and the user's participation has been pre-approved by their supervisor.

The following uses of the Internet, either during working hours or personal time, using the Organization's equipment or facilities, are not allowed:
- Accessing, retrieving, or printing text and graphics information that is unrelated to the user's job duties or assignments.
- Accessing, retrieving, or printing text and graphics information that exceeds the bounds of generally accepted standards of good taste and ethics.
- Engaging in any unlawful activities or any other activities that would in any way bring discredit on the Organization.
- Engaging in personal commercial activities on the Internet, including offering services or merchandise for sale or ordering services or merchandise from online vendors.
- Engaging in any activity that would compromise the security of the Organization.
- Obtaining personal files via the Internet and storing them on individual PC hard drives or on local area network (LAN) file servers.
- Game playing of any kind.
- Propagating any computer virus or maintaining a secret pass code.

Remote Access
This policy applies to the Organization's members, contractors, vendors, and agents and applies to both Organization-owned and personally-owned computers or workstations used to connect to the Organization's network. This policy applies to remote access connections used to do work on behalf of the Organization, including reading or sending email and viewing Internet web resources. Remote access means any access to the Organization's network through a non-Organization controlled network device or medium.

Members, contractors, vendors, and agents with remote access privileges to the Organization's network are required to ensure that their remote access connection is given the same consideration as the user's on-site connection to the Organization. Please review the encryption policy for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of the Organization's network.

Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication.
- At no time should any Organization member provide his/her login or email password to anyone, not even family members.
- Members with remote access privileges must ensure that their Organization-owned or personal computer or workstation, which is remotely connected to the Organization's network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
- Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
- All hosts that are connected to the Organization's internal networks via remote access technologies, including personal computers, must use the most up-to-date anti-virus software.
- Third party connections must comply with requirements as stated in the Third Party Agreement.
- Personal equipment that is used to connect to the Organization's networks must meet the requirements of the Organization's owned equipment for remote access.

Encryption and Decryption of Media: Addressable
All EPHI that electronically goes outside the Organization firewall is encrypted with a minimum standard of <128> bit. All EPHI that is on media that is physically taken out of the facility or may easily be taken out of the facility is encrypted with a minimum standard of <128> bit. Decryption keys are maintained separate from the media or electronic transmission of the EPHI.
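As an added example (not part of this manual and not any vendor's backup tool), the following Go program shows the controls in this encryption section and in the Computer Backup Policy working together: the backup is an exact copy, it is sealed with a 128-bit key that is supplied separately and never stored on the media, and every backup is immediately followed by the restore test whose result is recorded for the Backup Log. The file names, the JSON packaging, the sample record and the key are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// BackupLogEntry is the record this example produces for the Backup Log that
// the policy points to ("Date of Last Data Backup Test – See Backup Log").
type BackupLogEntry struct {
	Application string
	Tested      time.Time
	Verified    bool   // true only when every restored file matched byte for byte
	Detail      string // reason for failure, empty on success
}

// newGCM builds the AEAD. A 16-byte key selects AES-128, the policy's minimum.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the archive. The key is never written into the output, so the
// media may leave the facility while the decryption key stays separate.
func Seal(key, archive []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, archive, nil), nil
}

// Unseal decrypts the media; GCM's tag turns tampering or bit rot into an error.
func Unseal(key, media []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(media) < ns {
		return nil, fmt.Errorf("backup media too short to contain a nonce")
	}
	return gcm.Open(nil, media[:ns], media[ns:], nil)
}

// BackupAndTest encrypts a backup of files (path -> contents) and immediately
// runs the policy's restore test: decrypt, unpack, compare. JSON stands in for
// a real archive format.
func BackupAndTest(app string, files map[string][]byte, key []byte) ([]byte, BackupLogEntry, error) {
	entry := BackupLogEntry{Application: app, Tested: time.Now()}
	archive, err := json.Marshal(files)
	if err != nil {
		return nil, entry, err
	}
	media, err := Seal(key, archive)
	if err != nil {
		return nil, entry, err
	}
	// Restore test: from here on only the media and the key are used.
	restored, err := Unseal(key, media)
	if err != nil {
		entry.Detail = "decrypt failed: " + err.Error()
		return media, entry, nil
	}
	var got map[string][]byte
	if err := json.Unmarshal(restored, &got); err != nil {
		entry.Detail = "unpack failed: " + err.Error()
		return media, entry, nil
	}
	for name, want := range files {
		if !bytes.Equal(got[name], want) {
			entry.Detail = "content mismatch in " + name
			return media, entry, nil
		}
	}
	if entry.Verified = len(got) == len(files); !entry.Verified {
		entry.Detail = "file count differs after restore"
	}
	return media, entry, nil
}

func main() {
	// Constructed sample record and constructed 128-bit key (held separately in practice).
	files := map[string][]byte{"ehr/patient-0001.xml": []byte("<record>sample</record>")}
	key := []byte("0123456789abcdef")
	_, entry, err := BackupAndTest("Electronic Health Record", files, key)
	fmt.Printf("%+v err=%v\n", entry, err)
}
```

A log entry with Verified false is the signal the policy asks members to raise with the Security Officer immediately; the entry's Detail says which step of the restore failed.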
Any member found to have violated this policy may be subject to disciplinary action, up to and including termination of the relationship with the Organization.

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Mobile Device Management Procedure

Mobile Device Procedure
Implementation Specification: Addressable
Risk Level: Moderate
Security Category ePHI = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}. See Security Categorization in the Reference section.

Procedure: The Security Officer will inspect each Bring Your Own Device (BYOD) and confirm the device's:
- integrity, by confirming that the latest OS is present with automatic updates enabled;
- authentication, by confirming a unique single user name and password;
- protected storage, by confirming a program that can wipe sensitive data if the phone is lost or stolen.

The Security Officer will screen all programs or resources that may be used by BYOD devices brought into the Organization and list them as allowed software on the software inventory.

References:
- NIST Special Publication 800-164 (Draft), Guidelines on Hardware-Rooted Security in Mobile Devices, 33 pages (October 2012), CODEN: NSPUE2.
- NIST SP 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise [SP800-124].

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology.
ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. The Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Tabbed Section: Technical, Information Technology (IT)

TECHNICAL: INFORMATION TECHNOLOGY (IT)

IT Tasks Policy and Procedures

IT support for the Organization is provided by:
Company Name: <IT intake>
Primary Contact: <IT intake>
Address: <IT intake>
Contact email, phone: <IT intake>
Website: <intake or remove>

The Organization's Security Officer will work with IT support to ensure complete documentation of the Organization's IT infrastructure. The officer will also work with IT support to ensure size-appropriate technologies for:
- Anti-virus software
- Network integrity assurance
- Firewalls
- Encryption of backup data
- Encryption of online data
- Audit trails for each system and software that may hold EPHI
- Data backup and testing of data backups
- Design and implementation of user identification and authentication

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

IT Inventory Locations, Device and Media Controls

The Organization maintains IT inventories electronically. As part of its risk analysis process, the Organization has identified all systems which store, process, or transmit EPHI. This includes the components of the Organization that handle EPHI and the physical location of IT assets that contain EPHI.
Each system and its information is categorized according to Federal standards with the following nomenclature. The generalized format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE (see the glossary for definitions of all terms). NOT APPLICABLE may be used only for the confidentiality of an individual information type that is already public; the category of a system as a whole is never below LOW for any objective (see Security Categorization in the Reference section).

IT inventories can be found at: <IT Intake>

Hardware: The hardware inventory details the physical location of each device, including:
- Is it fixed or mobile?
- If fixed, how is physical access to the device restricted to assure that only authorized personnel can access it?
- If mobile, how is any EPHI on the device encrypted, and how are users instructed to physically protect the device?
- The encryption standard for any EPHI on the hardware.
- If the hardware is reused or retired, the method for removal of EPHI or for destruction of the hardware, as required.
- The backup method for any EPHI on the device.

Software: The software inventory includes:
- All software that contains EPHI
- The location of such information
- The encryption level

Network: The network inventory contains a detailed mapping of all access points to EPHI, including:
- Internet
- Local area networks
- Switches
- Routers
- Firewalls
- Protection method for data being transmitted over any network

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

IT Tasks

For each task, record: Name of Individual Completing Task | Date Task Completed | Notes and Follow Up | Security Official Initials.
- Hardware inventory (location:)
- Software inventory (location:)
- Network mapping (location:)
- Protection from malicious software: anti-virus install and update
- Network scanning for vulnerability (type:)
- Firewall installed (type:)
- Encryption of backup data (level:)
- Encryption of online data (level:)
- Automatic log-off (type:)
- Audit trail creation, where the software in use is capable of providing electronic audit trails: create one for each system and/or software with EPHI (location of log:)
- Audit trail on computer systems: create one for each system and/or software with EPHI (location of log:)
- Design and implement user ID and authentication procedures (written passwords, biometrics, RFID, etc.)
- Data backup and testing: create one for each system and/or software with EPHI (location of log:)

IT Inventory

HARDWARE. For each item of hardware, record:
- Is the hardware fixed or mobile?
- If fixed, how is physical access to the device restricted?
- If mobile, how are users instructed to physically protect the device?
- Encryption standard for any EPHI on the hardware
- If the hardware is reused or retired, the method for removal of EPHI or for destruction of the hardware
- Backup method for any EPHI on the device

SOFTWARE. For each item of software, record:
- Software
- Location of software
- Encryption level of software

NETWORK. The network inventory contains a detailed mapping of all access points to EPHI, including:
- Internet
- Local area networks
- Switches
- Routers
- Firewalls
- Protection
method for data being transmitted over any network

Network Map (Sample)
[Sample network map: figure not reproduced]

Tabbed Section: Logs and Event Records

LOGS AND EVENT RECORDS

Audit Trail Event Record
Columns: Event Type | Time and Date of Event | User ID Associated with Event | Computer System Component Involved | Follow Up | Security Official Initials
SAMPLE: Employee who was not authorized accessed billing system | 4:00pm 4/4/2012 | sjones | Billing software | Meeting with sjones regarding unauthorized access; verbal warning; employee understands that she will receive a written warning for a repeat offence |

Security Incident Report: Anti-Virus
Columns: Incident | Time & Date of Event | User ID Associated with Event | Computer System Component Involved | Anti-virus Log Text | Resolution/Response | Security Official Initials
SAMPLE: | 4:00pm 4/4/2012 | sjones | Lab computer | | Removal of virus |

Security Incident Log Record
Columns: Incident | Time & Date of Event | User ID Associated with Event | Computer System Component Involved | Anti-virus Log Text | Resolution/Response | Security Official Initials

Facilities Maintenance Log
Columns: Date | Maintenance Issue | How Addressed | Date Resolved | Notes | Security Official Initials

Backup Testing and Recovery Log
Columns: Database Tested | Data Backup Location / Encryption | Restore Successful Date | Modifications if Unsuccessful | Next Due | Security Official Initials
SAMPLE: EHR | On-site external drive, 256-bit | 3/6/2012 | | 3/5/2013 |

Training Checklist
Date of Training: ________  Date of Review: ________
Columns: Item | Policy Reviewed | Notes | Security Official Initials
Items:
- Introduction to HIPAA and the Security Rule
- Security Official and overview of Security Official job responsibilities
- Explanation of Workforce Confidentiality Agreement
- Workstation use
- Workstation security
- Virus protection
- Logging on and off
- Password management
- Data backup
- Contingency plans
- Who can access EPHI
- Sanctions
Employees present: ________

Termination Checklist
Columns: Task | Name of Individual Completing Task | Date Task
Completed | Notes | Security Officer Initials
Tasks:
- Contact a locksmith to change the locks, if necessary
- Secure a full computer backup
- Recover external hard drives
- Keys: outside doors
- Keys: inside doors
- Secure books
- Secure written records
- Change security keypad code numbers
- Circulate new keypad code numbers and keys to the office
- Change applicable passwords for the computer workstation, network, and all email/Internet accounts to prevent access through outside means
- Prepare pre-termination and post-termination audit trails documenting the employee's workstation/password activity before and after termination
- Conduct a limited audit of patient information and financial information (contingent upon the employee's degree of access)

Data Breach Log
Columns: Event Type | Time and Date Event Occurred | What type of protected health information was impermissibly used or disclosed? | Who impermissibly used the information, or to whom was it impermissibly disclosed? | Was the protected health information actually accessed? | What actions have been taken to mitigate or eliminate the risk of harm? | Number of Persons Affected | Communication To | Communication Method | Date of Communication | Security Officer Initials

Sanction Log
Columns: Date | Employee | Description of Violation | Sanction | Notes | Security Official Initials

Contingency Planning

Contingency Plan / Restoration Checklist
Columns: Item | Equipment Needed | Person Responsible | Notes
- Establish an immediate and controlled presence at the organization
- Meet at the relocation address
- Prepare a room for patients
- Prepare an office area for server and workstations (desktop, laptop)
- Confirm data restoration (desktop, laptop)
- iPad for billing (iPad)
- Phone forwarding to cell phone (cell phones)
- Notify patients via website and constant contact (desktop, laptop)

Emergency Mode Operations Roles
Columns: Role | Primary Responsibilities | Personnel | Signature
By signing below, I understand my role as defined under "Primary Responsibilities".

Security Official:
- Determine the type, extent, and impact of the disaster
- Initiate
the emergency mode operations plan
- Notify vendors of the disaster occurrence
- Begin operations at the determined site (on-site or an alternate site)
- Attempt to bring computer systems back to operational level
- Ensure that periodic backup is being done
- Continue attempts to restore regular services
- Train the workforce for emergency mode operations
- Document

Team Leaders:
- Notify team members of the disaster occurrence
- Direct team members per direction from the Security Official
Physicians: ________
Nursing: ________
Front Desk: ________

All Employees:
- Be familiar with and adhere to policies, plans, and procedures
- Meet at the relocation facility (if necessary)
- Support the Security Official in completion of tasks as necessary, which may include: preparing a room for patients in the relocation facility; preparing an office area for computer(s) and server(s) at the relocation facility; confirming data restoration; maintaining billing; notifying patients

* If a person is unavailable, authority will pass to the next person on the list.

Emergency Mode Workforce Contact List
Columns: Name | Home Phone | Cell Phone | Email | Team

Emergency Mode: Emergency Assembly Point
The Emergency Assembly Point is a large, open area, away from power lines, falling debris, and other hazards, where people can assemble to be accounted for, receive minor first aid, receive instructions, and obtain information.
Consider assigning a designated person to be in charge at the Emergency Assembly Point.
Designated person in charge at the Emergency Assembly Point: ________
Emergency Assembly Point LOCATION: ________

Emergency Mode: Alternate Location / Command Center
The alternate location must be able to accommodate the critical resources and equipment required for disaster recovery: hardware, software, electrical support, telecommunications support, desks, chairs, tables, lights.
Alternate Location
Facility Name:
Address:
Floor/Room:
Phone Number:
Fax Number:
Contact Person:
Alternate Contact:
Directions from the Organization's address:
Security Considerations:

Emergency Mode: Necessary Materials
Recovery Resources Supply Checklist
- Workspace: desks, chairs, tables, lights
- Electrical support
- Telecommunication support
- Documentation: HIPAA Security Manual; hardware inventory list; software inventory list; network map; Business Associate Agreements
- Hardware: PCs/laptops; printers; scanners; other
- Supplies: office supplies (pens, paper, folders, paper clips, scissors, tape, etc.); office equipment; backup media; flashlights and spare batteries; telephone log
- Software: backup copies of data files; other
- Communication: telephones; cell phones with chargers; fax; dedicated phone lines; radios (walkie-talkie) as required; organizational contact information/directories; telephone directories; telephone log

Contingency Testing and Revision
Organizations must implement periodic testing and revision of contingency plans. Testing the contingency and disaster plans validates your ability to respond to a crisis in a coordinated, timely, and effective manner.
Columns: Date of Test | Objectives of Test | Description of Test | Results | Recommendations

Log and Record Review
The Security Officer's initials at the bottom of this page indicate that the Security Officer has read and reviewed the following logs and event records:
- Audit Trail and Event Record
- Security Incident Report: Anti-Virus
- Security Incident Log Record
- Facilities Maintenance Log
- Backup Testing and Recovery Log
- Contingency Plan / Restoration
Checklist
- Business Associate Listing
- Training Checklist
- Termination Checklist
- Data Breach Record
- Sanction Log

The Security Officer's initials at the bottom of this page indicate that the Security Officer has read, reviewed, and/or completed the records associated with Contingency Planning:
- Emergency Mode Operations Roles
- Workforce Member Contact List
- Emergency Assembly Point
- Alternate Location / Command Center
- Necessary Materials Checklist
- Training Report
- Testing and Revision

**** The manual is not complete until all documents in the log section are filled out completely or electronic versions of such logs are updated.

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Tabbed Section: Job Descriptions

JOB DESCRIPTIONS
THIS PAGE INTENTIONALLY BLANK
Insert Job Descriptions

Tabbed Section: Reference

REFERENCE

Security Risk Analysis and References

§164.308(a)(1): Security Management Process.
§164.308(a)(1)(ii)(A), Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
§164.308(a)(8), Evaluation: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Implementation Specification: Required
Risk Level: Moderate
Financial Impact: n/a

The Organization conducts a risk analysis annually, or when there is a change to the Organization's environment or a significant advance in technology applicable to the Organization.
The resulting risk assessment should be approved by management, e.g., the managing physician or the Board of Directors.

This manual reflects the initial evaluation per the HIPAA Security Rule: "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart." Each policy has a level of risk assigned to it based on the likelihood of a threat occurrence and the resulting impact if the threat occurred. The Organization has evaluated administrative, physical, and technical safeguards; remote access; organizational policies and procedures; and the documentation requirements of the Security Rule.

The Organization uses the NIST Risk Management Framework:
- Categorization of information systems: see Inventories
- Selection and implementation of security controls: see Policies
- Assessment of security controls: see Policies
- Authorization of information systems: see Policies
- Monitoring of security state: see Audit policies and logs

Organization Size: <Org Intake> (Solo / Small: 2-4 FTE providers / Medium: 5-10 FTE providers / Large: more than 10 FTE providers)
Complexity:
- Number of employees: <Org Intake>
- Number of information systems: <Org Intake>
- Number of Business Associates: <Org Intake>
- Capabilities: <Org Intake: is IT outsourced?>
Criticality of the system and its data: patient clinical information is critical.
Identify threats to the system (minimal with IT infrastructure maintenance):
- Fire
- Flood
- Other natural disasters
- Power failures
- Software failures
- Hardware failure
- Theft/vandalism
Identify vulnerabilities on the system:
- Natural disasters: unlikely
- Personnel
Analyze the controls that have been implemented, or are planned for implementation: detailed in the IT section.
The probability that a vulnerability may be exploited:
- Malicious attack: unlikely (justify this in the risk analysis rather than assume it; Internet-facing systems and email are attacked regardless of organization size)
- Office personnel exploitation: specify per organizational size (unlikely in a small organization of one provider). CUSTOMIZE STATEMENTS PER ORGANIZATION SIZE.

The Organization has performed a risk assessment and sought recommendations and suggested remediation from the appropriate consultants, as detailed. The Organization maintains a copy of the organization, IT, and vendor intake information forms used in customizing this manual, as well as documentation of any verbal interviews. Included in this manual are audit results that were not corrected at the time the manual was created. The covered Organization will address all areas of the audit results.

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Audit Results

§164.308(a)(8), Evaluation, requires covered entities to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity's security policy and the requirements of this subpart. Covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation, for example, new technology adopted or responses to newly recognized risks to the security of their information.

CMS Audit Protocol Specification: Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI. Obtain and review the entity's formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations.
Determine if formal or informal security policies and procedures are reviewed on a periodic basis.

At the date of the audit, the Organization's HIPAA Security Manual was missing the following information, policies, or procedures. As part of the periodic required Security Risk Analysis, these identified items must be addressed with documentation of remediation.
Columns: Page | Document | Item Missing | Corrective Action Taken | Date

The manual is not complete until all documents in the log section are filled out completely or electronic versions of such logs are updated.

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Addressable Specifications
[Addressable specifications matrix: figure not reproduced]

Security Categorization

Security Objectives
The Federal Information Security Management Act of 2002 (FISMA) defines three security objectives for information and information systems:
- Confidentiality: a loss of confidentiality is the unauthorized disclosure of information.
- Integrity: a loss of integrity is the unauthorized modification or destruction of information.
- Availability: a loss of availability is the disruption of access to or use of information or an information system.

Potential impact, by security objective:

CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542]
- LOW: the unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE: the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH: the unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

INTEGRITY: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542]
- LOW: the unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE: the unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH: the unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542]
- LOW: the disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE: the disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH: the disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Levels of Potential Impact
If there is a security breach, the following outlines the levels of potential impact as defined by Federal Information Processing Standards (FIPS) Publication 199.

LIMITED (LOW):
- Ability to perform functions: able to perform; effectiveness of functions is reduced
- Assets: minor damage
- Financial loss: minor loss
- Harm to individuals: minor harm
SERIOUS (MODERATE):
- Ability to perform functions: significant degradation in capability to perform; effectiveness is significantly reduced
- Assets: significant damage
- Financial loss: significant loss
- Harm to individuals: significant harm
SEVERE or CATASTROPHIC (HIGH):
- Ability to perform functions: not able to perform one or more of its primary functions
- Assets: major damage
- Financial loss: major financial loss
- Harm to individuals: severe or catastrophic harm to individuals; loss of life or serious life-threatening illness

Security Categorization
The security category of an information type:
- can be associated with both user information and system information;
- is applicable to information in electronic or non-electronic form;
- can be used as input in considering the appropriate category of an information system.
Establishing an appropriate security category for an information type requires determining the potential impact for each security objective associated with the particular information type. The generalized format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

The acceptable value for impact
is LOW, MODERATE, or HIGH, or, for the confidentiality objective only, NOT APPLICABLE (information that is already public).

Determining the security category of an information system requires more analysis:
- it must consider the security categories of all information types resident on the information system;
- after each information type's security category has been determined, the system's potential impact value for each objective is the highest value found among those types (the high-water mark);
- there is no "not applicable" value at the system level, because of the fundamental requirement to protect the system-level processing functions and information critical to the operation of the information system; the minimum system-level value is LOW.

EXAMPLE: An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation-phase contract information and routine administrative information. Management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.
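The high-water-mark rule is the one piece of arithmetic in this manual that a Security Officer repeats for every system on the IT Inventory, so here it is carried through in code. This is an added example written for this manual, not text from the manual or from FIPS 199, and it serves both the IT Inventory nomenclature paragraph and the Security Categorization section. It reproduces the acquisition-system example above and also applies the same rule to a constructed practice inventory that uses the manual's own ePHI category (the manual writes "medium", which the parser accepts as MODERATE). The `overall_impact` helper goes one step beyond this page: it applies the FIPS 200 rule that a system's overall impact level, the one that selects its control baseline, is the highest of its three objectives. The system and information-type names are constructed.

```python
# Added example for the FIPS 199 categorization used in the IT Inventory and
# Security Categorization sections above; this is the editor's code, not text
# from the manual or from FIPS 199. It applies the high-water-mark rule: the
# system's impact for each objective is the highest impact of any information
# type it holds. The overall_impact() helper applies the FIPS 200 rule (not
# stated on this page) that a system's overall level is the highest of its
# three objectives, which is what selects the control baseline. The sample
# information types are constructed from the example in the text and from the
# manual's own ePHI category.
from enum import IntEnum
from typing import Dict, Mapping

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    NOT_APPLICABLE = 0   # information types only, and only for confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


def parse_impact(text: str) -> Impact:
    """Accept the spellings used in the manual ("medium", "n/a") as well as FIPS 199's."""
    t = text.strip().lower()
    aliases = {"medium": "moderate", "n/a": "not_applicable", "na": "not_applicable",
               "not applicable": "not_applicable"}
    return Impact[aliases.get(t, t).upper()]


def security_category(confidentiality: str, integrity: str, availability: str) -> Dict[str, Impact]:
    """Security category of one information type, with FIPS 199's NOT APPLICABLE restriction."""
    sc = {"confidentiality": parse_impact(confidentiality),
          "integrity": parse_impact(integrity),
          "availability": parse_impact(availability)}
    for obj in ("integrity", "availability"):
        if sc[obj] == Impact.NOT_APPLICABLE:
            raise ValueError(f"NOT APPLICABLE is only allowed for confidentiality, not {obj}")
    return sc


def system_category(info_types: Mapping[str, Mapping[str, Impact]]) -> Dict[str, Impact]:
    """High-water mark over all information types resident on the system.

    A system never carries NOT APPLICABLE: its processing functions must be
    protected, so the floor for every objective is LOW.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    result = {}
    for obj in OBJECTIVES:
        hwm = max(sc[obj] for sc in info_types.values())
        result[obj] = max(hwm, Impact.LOW)
    return result


def overall_impact(sc: Mapping[str, Impact]) -> Impact:
    """FIPS 200 overall level: the highest value among the three objectives."""
    return max(sc[obj] for obj in OBJECTIVES)


def format_sc(name: str, sc: Mapping[str, Impact]) -> str:
    """Render in the manual's notation, e.g. SC ePHI = {(confidentiality, MODERATE), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj].name.replace('_', ' ')})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed inventory. The acquisition system reproduces the FIPS 199 example
# in the text; the EHR system uses the manual's ePHI category plus a public
# information type; the public website shows the NOT APPLICABLE floor.
ACQUISITION_SYSTEM = {
    "contract information": security_category("moderate", "moderate", "low"),
    "administrative information": security_category("low", "low", "low"),
}
EHR_SYSTEM = {
    "ePHI": security_category("medium", "medium", "low"),
    "patient education handouts (public)": security_category("n/a", "low", "low"),
}
PUBLIC_WEBSITE = {
    "published office hours": security_category("n/a", "low", "low"),
}

if __name__ == "__main__":
    for name, system in (("acquisition system", ACQUISITION_SYSTEM), ("EHR system", EHR_SYSTEM),
                         ("public website", PUBLIC_WEBSITE)):
        sc = system_category(system)
        print(format_sc(name, sc), "-> overall", overall_impact(sc).name)
```

Two details matter in practice. First, the floor at LOW means that adding a public information type to a system never lowers its category; only the highest-impact information type on a system counts, which is why the inventory must list every information type a system holds, not just the ePHI. Second, the parser rejects NOT APPLICABLE for integrity and availability, matching FIPS 199, so an inventory entry that claims "n/a" for those objectives fails loudly instead of silently categorizing the system as LOW.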
The resulting security categories, SC, of these information types are expressed as:
SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}, and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
representing the high-water mark, or maximum potential impact value, for each security objective from the information types resident on the acquisition system.

REFERENCES: FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

Contingency Planning: Threats, Preventive Measures and Responses

Threats Affecting Contingency Planning
Potential threats:
- Natural hazards: earthquake; tornado; flooding; lightning; smoke, dirt, dust; windstorm; snow/ice storm
- Accidents: disclosure of confidential information; electrical disturbance; electrical interruption; spill of toxic chemical
- Environmental failure: water damage; structural failure; fire; hardware failure; water leakage; operator/user error; software error; telecommunications interruption
- Intentional acts: alteration of data; alteration of software; computer virus; bomb threat; disclosure of confidential information; employee sabotage; external sabotage; fraud; theft; unauthorized use; vandalism

Potential Disaster Threats, Preventive Measures and Responses

Power failure (power outage)
Preventive measures: purchase a generator; test the generator periodically to ensure that it is functional; install a UPS (uninterruptible power supply) unit, an electrical apparatus that supplies power to the load when mains power fails, giving near-instantaneous protection from energy stored in batteries or a flywheel.
Response: use emergency backup generators.

Utility failure (heating, ventilation, and air conditioning)
Preventive measures: have contact information for utility companies easily accessible.
Response: contact maintenance and/or the utility company to restore the utility; if necessary, rent or purchase a backup temporary utility unit.

Water damage / flooding (fire suppression, roof damage, plumbing failures, chemical spills, or natural disasters)
Preventive measures: do not store anything on the floor (furniture and durable equipment excluded); stock emergency supplies for water damage (plastic tarps, absorbent towels/wipes, wet-vac, floor squeegees); install fire and smoke detectors.
Response: swiftly tarp computers, equipment, files, and other critical components; determine emergency backup priorities and strive for resumption of operations to the fullest extent possible.

Fire / smoke damage
Preventive measures: install fire suppression systems (sprinkler system); install fire and smoke detectors; equip with fire extinguishers; periodically test the fire prevention equipment; train staff in fire safety.
Response: if possible, determine where the fire is located. If the area is filled with smoke, leave the area for a safer location, call the authorities, and stay out of the area until the smoke has cleared and the area is secured. If the fire is not out of control and you are not in danger, trained staff should use fire extinguishers if it is safe, sound the alarm (if applicable), and call the authorities. If the fire is out of control, all personnel should evacuate, call the authorities, stay at least 300 feet from the area, and, once outside, proceed to the Emergency Assembly Point. Do not leave the premises.

Snow emergency
Preventive measures: contract for snow removal; have salt and shovels stored and available for use.
Response: monitor news broadcasts; call for snow removal; monitor snow removal to ensure that walkways, parking lots, and driveways are clear.

References

- HIPAA Security Rule, 45 CFR Parts 160 and 164. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. Federal Register, Vol. 78, No. 17, pp. 5566-5702.
- NIST (National Institute of Standards and Technology) web site
- CMS web site
- ONC web site
- Office of E-Health Standards and Services (OESS) web site
- "2009 HIPAA Compliance Review Analysis and Summary of Results"
- "Guidance on Risk Analysis Requirements under the HIPAA Security Rule"
- Information request for on-site compliance, CMS
- NIST guidance for mapping information and information systems to security levels
- "The HIPAA Security Rule: Health Insurance Reform: Security Standards," February 20, 2003, 68 FR 8334.
- Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
- NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule
- NIST Special Publication 800-77: Guide to IPsec VPNs
- NIST Special Publication 800-88: Guidelines for Media Sanitization
- NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-113: Guide to SSL VPNs
- Federal Information Processing Standards Publication 140-2
- CMS Security Series: Security 101 for Covered Entities
- CMS Security Series: Administrative Safeguards
- CMS Security Series: Physical Safeguards
- CMS Security Series: Technical Safeguards
- CMS Security Series: Organizational, Policies and Procedures and Documentation Requirements
- CMS Security Series: Basics of Risk Analysis and Risk Management
- CMS Security Series: Security Standards: Implementation for the Small Provider
- CMS Audit Protocol
- NIST SP 800-66, Section 4, "Considerations When Applying the HIPAA Security Rule"

Approval: ____________________  Date of Approval: ________
Reviewed: ____________________  Date(s) of Review: ________

Glossary

Access: The ability or the means necessary to read, write, modify, or communicate data/information, or otherwise use any system
resource that creates, maintains, or transmits EPHI.
Access Authorization: The process by which rules are established for granting and/or restricting access to a user, terminal, transaction, program, or process for the purpose of creating, maintaining, or transmitting EPHI. For example, the billing staff usually only needs access to the current visit notes, not the entire clinical record.
Access Control: A method of restricting access to resources, allowing only privileged entities access. Types of access control include mandatory access control, discretionary access control, time-of-day restrictions, and classification. For example, passwords can provide a certain level of access control.
Addressable Specification: One of the two types of implementation specifications in the Security Rule. An organization must implement the specification if it is reasonable and appropriate; if not, it must document why it is not reasonable and appropriate and implement an equivalent alternative measure if that is reasonable and appropriate. (See also Required Specification, and the addressable specifications matrix.)
Administrative Safeguards: Formal, documented practices to protect EPHI.
?This includes the selection and execution of security measures and the management of personnel as it relates to protecting EPHI.Audit Trail: Data collected and potentially used to facilitate a security audit to include the who (login ID), what (read-only, modify, delete, add, etc.), and when (date/time stamp).Audit Controls: Mechanisms employed to record and examine system activity.Authentication: Corroboration that a person is the one he or she claims to be.Authorization Form: A form that a healthcare provider must obtain from the individual patient or patient’s legal guardian in order to use or disclose the individual’s protected health information (PHI) for purposes other than for treatment, payment, or healthcare operations (TPO) or for specific purposes listed in the Privacy Rule, such as public health or health oversightAutomatic Logoffs: A process that a computer server uses to disconnect a connection to the computer server when no data has been transmitted for a given period of time.Availability: The property that data or information is accessible and useable upon demand by an authorized person.Biometric Identification: ?Identification system that identifies a human with measurement of a physical feature of the individual. 
?(e.g., hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature) (§ 142.308(c)(1)(v) HHS HIPAA Security NRPM).Business Associate: With certain exceptions, a person or entity that is not a member of your practice’s workforce who: (1) creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Covered Entity, or to or for an Organized Health Care Arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of protected individually identifiable health information from such Covered Entity or Arrangement, or from another Business Associate of such Covered Entity or Arrangement, to the person. Centers for Medicare & Medicaid Services (CMS): ?The federal agency within DHSS responsible for the enforcement of the HIPAA Security Rule.Confidentiality: ?The property by which data or information is not made available or disclosed to unauthorized persons or processes.Consent Form: A form that a healthcare provider having a direct treatment relationship with an individual may obtain from the individual in order to use or disclose the individual’s protected health information (PHI) for treatment, payment and healthcare operations (TPO). USE OF THIS FORM IS OPTIONAL AND NOT REQUIRED UNDER HIPAA.Covered Entity: ? Health plans, healthcare clearinghouses and any healthcare providers (physicians, hospitals, nursing homes, etc.) that transmit any health information in electronic form in connection with a HIPAA transaction. 
Criticality: ?Addresses those assets that are critical to the function of a practice and expresses the significance given to a functional failure of those important assets.Critical: ?These functions cannot be performed unless the same capabilities (i.e., computer systems) are found to replace the damaged system. ?Critical applications cannot be replaced by manual methods under any circumstances. ?Tolerance to interruption is very low and the recovery cost is very high. Cryptographic Key: A special type of password created by a computer outfitted with encryption technology, that when used, will secure data (encrypt) being transmitted over a network or the Internet. ?The receiving computer of the data must also know the password in order to display the secured data (decrypt). ?There are two types of cryptographic keys, private (symmetric) and public (asymmetric). ?Once the encryption software is loaded, the cryptographic key is part of the practice’s computer system. ?When e-mail is sent, the “key” performs its function without any extra effort on the part of the person sending the e-mail.Cryptography: The study of encoding (putting message into a code) and decoding (converting a message from a code into plain text).Data Resolution: The process by which data is restored.Data Use Agreement: An agreement that sets forth the permitted uses and disclosures oflimited data sets, including who may use or receive the data and limitations on the receivingparty’s ability to re- identify or contact the individuals who are subjects of the limited data sets.Decryption: ?Decoding data that has been encrypted into a secret format. ?Decrypting encrypted messages requires a secret key or password. ?(See Encryption)De-identified: Health information that meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. 
Department of Health and Human Services (DHHS): The department of the executive branch of the federal government that has overall responsibility for implementing HIPAA.Device Owner: An organization that has purchased and maintains ownership of a mobile rmation Owner is an organization whose information is stored and/or processed on a device.Direct Treatment Relationship: ?A treatment relationship between the individual and a healthcare provider in which the provider delivers healthcare directly to an individual rather than through another healthcare provider. ?(See “Indirect Treatment Relationship” definition.)Disaster Recovery: Process whereby a practice would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.Disclosure: ?The release, transfer, provision of, access to, or divulging in any other manner of information outside the organization holding the information.Electronic Protected Health Information (EPHI): Protected health information (PHI) transmitted by electronic media or maintained by electronic media.Electronic Media: (1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. 
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.Emergency Mode Operation: Procedures that enable an organization to continue to operate in the event of fire, vandalism, natural disaster, or system failure.Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.Facility Security Plan: Plan to safeguard the premises and building(s) (exterior and interior) of an organization from unauthorized physical access and to safeguard the equipment therein from unauthorized physical access, tampering, and theft.First Responder: First organization member on site during an emergencyHealth Information: Any information, including genetic information, whether oral or recorded in any form or medium, created or received by a provider that relates to the past, present, or future physical or mental health condition of a patient; the provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to a patient.Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships and which gives the U.S. 
Department of Health and Human Services (DHHS) the authority to: (1) mandate the use of standards for the electronic exchange of healthcare data; (2) specify what medical and administrative code sets should be used within those standards; (3) require the use of national identification systems for healthcare patients, providers, payers (or plans), and employers (or sponsors); and (4) specify the types of measures required to protect the security and privacy of personally identifiable healthcare information.Health Plan: An individual or group plan that provides or pays the cost of medical care.Healthcare Clearinghouse: An entity that processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into a nonstandard format or nonstandard data content for a receiving entity.Healthcare Operations: Activities related to your practice’s business, clinical management and administrative duties. ?Some examples of these activities are the use of PHI or EPHI to obtain a referral, quality assurance, quality improvement, case management, training programs, licensing, credentialing, certification, accreditation, compliance programs, business management, and general administrative activities of the practice. ?Healthcare operations include the sale, transfer, merger, or consolidation of all or part of a Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity. 
and the due diligence related to such activity.Healthcare Provider: A person or organization that provides medical or health services and any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business.High Vulnerability – may result in highly costly loss of major tangible assets or resources; may significantly violate, hard or impede an organization mission reputation or interests; may result in human death or serious injuryIdentification: The process that enables a computer system to recognize a computer user. The most common form of identification is a User ID.Implementation Specification: Specific requirements or instructions for implementing a standard. ?Specifications are designated as either Required or Addressable per the Security Rule (e.g., Covered entities are required to perform a security risk assessment. ?Covered entities must address the necessity of implementing facility access controls.)Incidental Use or Disclosure: A secondary use or disclosure of PHI that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure.Indirect Treatment Relationship: A relationship between an individual and a healthcare provider in which: (1) ??The healthcare provider delivers healthcare to the individual based on the orders of another healthcare provider; and (2) ??The healthcare provider typically provides healthcare services or products, reports the diagnosis or results associated with the health care directly to another healthcare provider who uses this information to provide care to the individual.Individually Identifiable Health Information (IIHI): Any health information (including demographic information) that is collected from the patient and(1) ??is created or received by a healthcare provider or other Covered Entity or employer and(2) ??that relates to the past, present or future physical or mental health or condition of an individual; OR 
the provision of healthcare to an individual, OR the past, present or future payment for the provision of healthcare at your practice; AND that identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.Institutional Review Board or IRB or Privacy Board: Within the provisions of the institutional review board (IRB) rules (21 CFR, Part 56) are requirements that the IRB ensure that there are adequate provisions to protect the privacy of research subjects and to maintain the confidentiality of research data. Information system: A computer system including a desktop, laptop, or a PDA loaded with software that maintains rmation type: ?An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.Integrity: ?The trait that data or information have not been altered or destroyed in an unauthorized manner.Internal Audits: The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization.IT: ?Information technology or information technologist.Jailbreak: The process of removing the limitations imposed by Apple on devices running the iOS operating system through the use of hardware/software exploits – such devices include the iPhone, iPod touch, iPad, and second generation Apple TV. 
Jailbreaking allows iOS users to gain root access to the operating system, allowing them to download additional applications, extensions, and themes that are unavailable through the official Apple App Store.Law Enforcement Official: An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law. Malicious Software: Software designed to damage or disrupt a system (e.g., virus).May: ?This word, or the adjective "OPTIONAL", mean that an item is truly optional. ?One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)Minimum Necessary: The principle that at Covered Entity, to the extent practical, , when using or disclosing PHI, or when requesting PHI from another Covered Entity, must limit such PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. 
HHS will issue guidance on what constitutes the “minimum necessary”.Must: ?This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.Must Not: ?This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.Need-To-Know: ?A “minimum necessary” principle stating that a user should have access only to the data he or she needs to perform a particular function And which must be addressed within the workforce job description.Non-Critical – These applications may be interrupted for an extended period, at little or no cost to the organization , and require little or no catching up when restored. ?Software applications such as the Microsoft office suite used to provide email communication, word processing, etc. are considered non-critical. Not Recommended: ?This phrase, or the phrase "SHOULD NOT" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.Office for Civil Rights (OCR): The federal agency within DHHS responsible for the enforcement of the HIPAA Privacy Rule and Data Breach Notification RuleOperations: ?See Healthcare OperationsOptional: ?This word, or the adjective "OPTIONAL", mean that an item is truly optional. ?One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. 
In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)Organized Health Care Arrangement (OHCA): A clinically integrated healthcare setting in which individuals typically receive healthcare from more than one provider, or an organized system of healthcare in which more than one Covered Entity participates and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and participate in joint activities that include at least one of the following, as further defined in 45 CFR §160.103:A. ???Utilization reviewB. ???Quality assessment and improvement activitiesC. ???Payment activities.Overwriting: The act of changing the value of the bits on the disk that make up a file by overwriting existing data with random charactersPassword: ?A confidential numeric and/or character string used in conjunction with a user ID to verify the identity of the individual attempting to gain access to a computer system (see Authentication).Payer: ?In healthcare, an organization that assumes the risk of paying for medical treatments. ?This can be a self-pay patient, a self-insured employer, a health plan, or an HMO (also, “Payor”).Payment: ?The activities by the practice to obtain reimbursement for healthcare services. ?This includes, among others, billing, claims management, collection activities, verification of insurance coverage, and precertification of services. 
Personal Identification Number (PIN): ?A number or code assigned to an individual used to provide verification of identity.Physical Safeguards: Physical measures, policies and procedures to protect computer systems, written records, buildings, and equipment from fire and other natural and environmental hazards, as well as from unauthorized access.Protected Health Information (PHI): ?With few exceptions, includes individually identifiable health information (IIHI) held or disclosed by a practice regardless of how it is communicated (e.g., electronically, verbally, or written).Recommended: ?This word, or the adjective “SHOULD", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.Required : ?This word, or the terms "MUST" or "SHALL", mean that the definition is an absolute requirement of the specification.Required Specification: An implementation specification that a Covered Entity is required to implement based on the Security Rule (e.g., covered entities are required to perform a security risk assessment).Required by Law: A mandate contained in law that compels a Covered Entity to make a use or disclosure of PHI and that is enforceable in a court of law, e.g., court orders, court-ordered warrants, subpoenas, and summons; a civil investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. Risk: ?"The net mission impact considering (1) the probability that a particular [threat} willexercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2)the resulting impact if this should occur .. .. 
[R]isks arise from legal liability or mission lossdue to-1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or manmade disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.Roots of Trust (RoTs): ?Security primitives composed of hardware, firmware and/or software that provide a set of trusted, security-critical functions.Sandbox: ?A security mechanism for separating running programs. (example - Applications for Apple's mobile operating system iOS are sandboxed. They are only able to access files inside their own respective storage areas, and cannot change system settings.)Scalable: ?Capable of being scaled. ?The HIPAA Security Rule is scalable to the needs of the individual practices (see Addressable Specification).Screensaver: A screensaver is a computer file that was originally designed to protect a computer monitor from discoloring. ?Screensavers have multiple uses today, one of which is security. ?If an employee leaves his/her workstation for a period of time, the computer can be programmed to launch the screensaver program. 
?Screensavers can also be password-protected to prevent unauthorized individuals from accessing sensitive information.Secure Electronic Environment: An environment that has administrative procedures, physical safeguards, and technical security services and mechanisms in place to prevent unauthorized access to EPHI.Security or Security Measures: Encompasses all of the administrative, physical, and technical safeguards in an information system (e.g., passwords, firewalls, backups, etc.).Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.Shall: ?This word, or the terms "REQUIRED" or "MUST", mean that the definition is an absolute requirement of the specification. Shall Not: ?This phrase, or the phrase "MUST NOT", mean that the definition is an absolute prohibition of the specification.Should: ?This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood andcarefully weighed before choosing a different course.Should Not: ?This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.Smart Card: A type of plastic card similar to a credit card, but embedded with a computer chip that stores data. ?Users can be authenticated and authorized to have access to specific information based on preset privileges stored on the chip. ?Only computers that have a reader as part of its system read the data stored on the card.Subcontractor: A person or entity that creates, receives, maintains or transmits protected health information on behalf of a Business Associate. 
Superuser: ?The superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, admin or supervisor. In some cases the actual name is not significant, rather an authorization flag in the user's profile determines if administrative functions can be performed.System: ?Normally includes hardware, software, data, applications, and means of communication.System Administrator: A person or persons responsible for administering rights and privileges within an information system.Technical Safeguards: Processes that are implemented to control and monitor access to EPHI such as passwords, as well as limit unauthorized access to data that is transmitted over a communications network (Internet, Intranet, fax, etc.)Third Party Administrator (TPA): An organization that processes healthcare claims and performs related business functions for a health plan.Threat: ?An adapted definition of threat, from NIST SP 800-30, is "[t]he potential for a person orthing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."Threat Modeling: ?Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added.Time-Of-Day Access Control: Access to data is restricted to certain periods, e.g., Monday through Friday, 8:00 a.m. to 6:00 p.m. 
?This is a function of audit controls that allows the practice to determine exactly when the system was accessed.Trading Partner: ?(see Business Associate)Treatment: ?The provision, coordination, or management of healthcare and related services by one or more healthcare providers, or the referral of a patient for healthcare from one provider to another.Use: ?With respect to individually identifiable health information (IIHI), the sharing, employment, application, utilization, examination, or analysis of such information within an organization that maintains such information.User: ?A person or organization with authorized access.User ID: A unique identifier given to an individual allowing that individual access to a computer system. ?A User ID is usually accompanied by a password.Vendor: One that sells or vends to the organizationVital: Functions which cannot be performed by manual means or can be performed manually for only a very brief period. ?There is a somewhat higher tolerance for interruption, and a somewhat lower cost for recovery, provided that functions are restored within a certain time, usually only a few days. ?For applications classified as “vital,” a brief suspension of processing can be tolerated, but a considerable amount of “catching up” will be needed to restore data to current or useable form.Vulnerability: ? A flaw orweakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's ?security policy. 
See NIST Special Publication (SP) 800-30.Workforce: ?Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.Workstation: ?A computer used for running software applications, storing, and transmitting data. ?In networking, workstation refers to any computer connected to a local area network.Abbreviations or AcronymsCMS - Center for Medicare and Medicaid ServicesCEHR – Certified Electronic Health Record TechnologyEHR – Electronic Health RecordEPHI – Electronic Protected Health InformationEMR – Electronic Medical RecordFIPS - ?Federal Information Processing Standards PublicationHIPAA ?- Health Insurance Portability and Accountability ActHITECH - Health Information Technology for Economic and Clinical Health ActMU – Meaningful UseNPRM – Notice of Proposed Rule MakingOS – Operating SystemPMS – Practice Management SystemTabbed Section – Vendor SpecificVENDOR SPECIFIC PROCEDURESInsert Vendor Specific Policies and Procedures HERE Include all encryption levels where applicable for data at rest or in transit. 
User and Role AssignmentEmergency AccessPassword SettingLogoff SettingAudit PolicyPatient Requests for Disclosures of EPHI through an Electronic Health RecordBackup ModelIntegrity of EPHIStandard Architecture of Network MappingRemote Online BackupINDEXAAddressable Specifications ReferenceAnti-Virus Administrative Policies Audit / Risk Analysis ResultsReferenceAudit PolicyVendor Specific Procedures Audit Trail Event RecordLogs & Event Records Audit Trails Administrative PoliciesBBack Up ModelVendor Specific ProceduresBackup Testing and Recovery LogLogs & Event RecordsBusiness Associates Agreement TemplateAdministrative PoliciesBusiness Associates Decision TreeReferenceBusiness Associates ListingsVendor Specific ProceduresBusiness Associates PolicyAdministrative PoliciesCComputer BackupPhysical Safeguards & PoliciesComputer Workstation UsePhysical Safeguards & PoliciesContingency Plan ChecklistLogs & Event RecordsContingency & Emergency Mode PlanPhysical Safeguards & PoliciesContingency Policy & ProceduresPhysical Safeguards & PoliciesDData Breach Administrative PoliciesData Breach RecordLogs & Event RecordsFFacilities Physical Safeguards & PoliciesFacility Maintenance LogLogs & Event RecordsGGlossaryReferenceIIntegrity of EPHIVendor Specific ProceduresIT Locations - Device and Media ControlsIT (Information Technology)IT Tasks HIPAA SpreadsheetIT (Information Technology)IT Tasks Policy & ProceduresIT (Information TechnologyJJob DescriptionsJob DescriptionsLLog Off SettingVendor Specific ProceduresNNetwork MappingIT (Information Technology)OOrganizational IT TasksIT (Information Technology)PPassword SettingVendor Specific ProceduresPatient Requests for Disclosures of Vendor Specific Procedures???ePHI through an Electronic Health RecordRReferencesReferenceRole Assignment Vendor Specific ProceduresSSanctionsAdministrative PoliciesSecurity Anti-Virus Event RecordLogs & Event RecordsSecurity IncidentAdministrative PoliciesSecurity Incident LogLogs & Event RecordsSecurity 
Officer Job DescriptionAdministrative PoliciesSecurity Risk Analysis & ReferencesReferenceTTraining Administrative PoliciesTraining Checklist and Documentation FormLogs and Event RecordsUUser Identification, Authentication, & AccessPhysical Safeguards & PoliciesWWorkforce Clearance Procedures Physical Safeguards & PoliciesWorkforce Confidentiality Agreement TemplateAdministrative PoliciesWorkforce TerminationAdministrative PoliciesWorkforce Termination RecordLogs & Event Records ................