Language:EN
Pages: 94
Words: 27415

Installation of authentication and encryption certificates on the e-mail system

Information Security
Policy Template

Provided By:

National Learning Consortium

The National Learning Consortium (NLC) is a virtual and evolving body of knowledge and tools designed to support healthcare providers and health IT professionals working towards the implementation, adoption and meaningful use of certified EHR systems. 

The NLC represents the collective EHR implementation experiences and knowledge gained directly from the field of ONC’s outreach programs (REC, Beacon, State HIE) and through the Health Information Technology Research Center (HITRC) Communities of Practice (CoPs).

Instructions

Number – Value – Description

1 – Company Name/Logo – Company name or logo of the organization.

2 – Last Revision Date – Last revision date of the Information Security Policy.

3 – Document Owner – Document owner of the policy. This is usually someone at an executive level.

4 – Approval Date – Date that the policy was officially approved.

5 – Effective Date – Effective date of the policy. This can be different from the approval date if needed.

6 – Company Name – Company/Practice name. No logo is used for this particular part of the policy.

7 – Outside Agencies – List any outside agencies or organizations, if applicable, whose laws, mandates, directives, or regulations were included in the policy, e.g. CMS, DHHS, VHA.

8 – Privacy Officer – List the name and phone number of the person designated as the Privacy Officer.

9 – CST Team – List the title and name of the individuals who will become part of the Confidentiality and Security Team.

10 – Contractor Access – For contractors who enter the building, specify what identifying badge is given to them during their visit to your facility.

11 – Screen Lock – When a user leaves a computer unlocked, specify how long until the screen automatically locks. This value will need to be enforced.

12 – Electronic Communication, E-Mail, Internet Usage – Specifies allowable and prohibited uses of electronic communications, e-mail and the Internet. Oftentimes, an organization will maintain computer, Internet and e-mail usage policies in other HR policies or the employee handbook. Please refer to these sources and modify this section accordingly.

13 – Audit of Login IDs – Specify how often user IDs are audited. This includes network and EHR user accounts.

14 – User Lockout – Specify how many unsuccessful login attempts a user has before the account becomes locked out.

15 – Password Length – Specify the minimum password length. This should be the same for network and EHR access, but if different, be sure to specify this.

16 – Password Change – Specify how many days before the password must be changed.

17 – Password Reuse – Specify how many previous passwords cannot be used.

18 – Antivirus Software – Specify the name of the antivirus software being used at the Practice.

19 – Antivirus Company – Specify the name of the antivirus company that makes the product being used.

20 – Antivirus Updates – Specify what time antivirus updates are scheduled to run. If this is not an option, then ensure it updates at least daily.

21 – Security System – Specify the security method being used to protect the facility during non-working hours.

22 – Business Hours – Specify the business hours during which the reception area is staffed. This may or may not be the hours of operation for the Practice.

23 – Secure Doors – Specify how access to secure areas of the facility is controlled, e.g. swipe cards, standard locks, or cipher locks.

24 – Motion Detectors – Specify whether motion sensors/detectors are used. If not, then just remove this information.

25 – Glass Sensors – Specify whether glass breakage sensors are used. If not, then just remove this information.

26 – Security Cameras – Specify whether security cameras are used. If not, then just remove this information.

27 – Password Change – Specify how many days before the password must be changed for those users who work remotely, if different from internal users.

28 – Provided Equipment – List all the equipment that is provided to users who work from home, whether full time or even occasionally.

29 – Screen Lock – When a user leaves a computer unlocked, specify how long until the screen automatically locks for users who work remotely.

30 – Record Retention – Specify how long documents are kept related to uses and disclosures, notice of privacy practices, complaints, etc.

31 – Misc. Values – Values that can be adjusted as necessary and appropriate for the Practice.

32 – Contact Number – Enter the contact number for the Privacy Officer for the purposes of reporting a breach.

INFORMATION SECURITY POLICY


Last Revision Date: Date2

Document Owner: Name3

Table of Contents

1.4 Applicable Statutes / Regulations 11

1.5 Privacy Officer 11

2.3 Electronic Communication, E-mail, Internet Usage 14

2.4 Internet Access 16

2.9 Internet Considerations 18

2.10 Installation of authentication and encryption certificates on the e-mail system 18

3.2 Passwords 20

3.3 Confidentiality Agreement 21

4.1 Dial-In Connections 23

4.2 Dial Out Connections 23

5 Malicious Code 26

5.1 Antivirus Software Installation 26

6.2 Encryption Key 28

6.3 Installation of authentication and encryption certificates on the e-mail system 28

8 Telecommuting 31

8.1 General Requirements 31

9 Specific Protocols and Devices 34

9.1 Wireless Usage Standards and Policy 34

11.2 Requirements Regarding Equipment 38

11.3 Disposition of Excess Equipment 38

16 Contingency Plan 45

17 Security Awareness and Training 48

22 Employee Background Checks 65

23 Discovery Policy: Production and Disclosure 67

Appendix C – Approved Software 86

Appendix D – Approved Vendors 87


Introduction

Purpose

Scope

Acronyms / Definitions

Common terms and acronyms that may be used throughout this document.

CEO – The Chief Executive Officer is responsible for the overall privacy and security practices of the company.

CST – Confidentiality and Security Team

DoD – Department of Defense

FTP – File Transfer Protocol

HIPAA - Health Insurance Portability and Accountability Act

User - Any person authorized to access an information resource.

Privileged Users – system administrators and others specifically identified and authorized by Practice management.

WAN – Wide Area Network – A computer network that enables communication across a broad area, i.e. regional, national.

Virus - a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the computer it attacks. A true virus cannot spread to another computer without human assistance.

Applicable Statutes / Regulations

Privacy Officer

Name – Telephone Number8

Confidentiality / Security Team (CST)

The Practice has established a Confidentiality / Security Team made up of key personnel whose responsibility it is to identify areas of concern within the Practice and act as the first line of defense in enhancing the appropriate security posture.

Title – Name

Title – Name

Company Name or Logo1

Policy and Procedure

Title: EMPLOYEE RESPONSIBILITIES P&P #: IS-1.1
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS002, TVS003)

Employee Responsibilities

Employee Requirements

Unattended Computers - Unattended computers should be locked by the user when leaving the work area. This feature is discussed with all employees during yearly security training. Practice policy states that all computers will have the automatic screen lock function set to automatically activate upon fifteen (15)11 minutes of inactivity. Employees are not allowed to take any action which would override this setting.

Home Use of Practice Corporate Assets - Only computer hardware and software owned by and installed by the Practice is permitted to be connected to or installed on Practice equipment. Only software that has been approved for corporate use by the Practice may be installed on Practice equipment. Personal computers supplied by the Practice are to be used solely for business purposes. All employees and contractors must read and understand the list of prohibited activities that are outlined below. Modifications or configuration changes are not permitted on computers supplied by the Practice for home use.

Prohibited Activities

  • Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) or other malicious code into an information system.

  • Exception: Authorized information system support personnel, or others authorized by the Practice Privacy Officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.

Electronic Communication, E-mail, Internet Usage12

As a productivity enhancement tool, The Practice encourages the business use of electronic communications. However, all electronic communication systems and all messages generated on or handled by Practice owned equipment are considered the property of the Practice – not the property of individual users. Consequently, this policy applies to all Practice employees and contractors, and covers all electronic communications including, but not limited to, telephones, e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.

Practice provided resources, such as individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services are intended for business purposes. However, incidental personal use is permissible as long as:

    1. Copyright violations – This includes the act of pirating software, music, books and/or videos or the use of pirated software, music, books and/or videos and the illegal duplication and/or distribution of information and other intellectual property that is under copyright.

    2. Illegal activities – Use of Practice information resources for or in support of illegal purposes as defined by federal, state or local law is strictly prohibited.

Generally, while it is NOT the policy of the Practice to monitor the content of any electronic communication, the Practice is responsible for servicing and protecting the Practice’s equipment, networks, data, and resource availability and therefore may be required to access and/or monitor electronic communications from time to time. Several different methods are employed to accomplish these goals. For example, an audit or cost analysis may require reports that monitor phone numbers dialed, length of calls, number of calls to / from a specific handset, the time of day, etc. Other examples where electronic communications may be monitored include, but are not limited to, research and testing to optimize IT resources, troubleshooting technical problems and detecting patterns of abuse or illegal activity.

The Practice reserves the right, at its discretion, to review any employee’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as Practice policies.

Internet Access

Reporting Software Malfunctions

Users should inform the appropriate Practice personnel when the user's software does not appear to be functioning correctly. The malfunction - whether accidental or deliberate - may pose an information security risk. If the user, or the user's manager or supervisor, suspects a computer virus infection, the Practice computer virus policy should be followed, and these steps should be taken immediately:

  • Stop using the computer

  • Inform the appropriate personnel or Practice ISO as soon as possible. Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed.

  • Write down any changes in hardware, software, or software use that preceded the malfunction.

Report Security Incidents

Security breaches shall be promptly investigated. If criminal action is suspected, the Practice Privacy Officer shall contact the appropriate law enforcement and investigative authorities immediately, which may include but is not limited to the police or the FBI.

Transfer of Sensitive/Confidential Information

When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. All employees must recognize the sensitive nature of data maintained by the Practice and hold all data in the strictest confidence. Any purposeful release of data to which an employee may have access is a violation of Practice policy and will result in personnel action, and may result in legal action.

Transferring Software and Files between Home and Work

Internet Considerations

The following security and administration issues shall govern Internet usage.

Prior approval of the Practice Privacy Officer or appropriate personnel authorized by the Practice shall be obtained before:

  • Confidential or sensitive data - including credit card numbers, telephone calling card numbers, logon passwords, and other parameters that can be used to access goods or services - shall be encrypted before being transmitted through the Internet.

  • The encryption software used, and the specific encryption keys (e.g. passwords, pass phrases), shall be escrowed with the Practice Privacy Officer or appropriate personnel, to ensure they are safely maintained/stored. The use of encryption software and keys, which have not been escrowed as prescribed above, is prohibited, and may make the user subject to disciplinary action.

Installation of authentication and encryption certificates on the e-mail system

Use of WinZip encrypted and zipped e-mail

De-identification / Re-identification of Personal Health Information (PHI)

PHI includes:

  • Names

  • Facsimile numbers

  • Driver’s license numbers

  • Account numbers, certificate/license numbers

  • Vehicle identifiers and serial numbers

  • Full face photographic images and any comparable images

Re-identification of confidential information: A cross-reference code or other means of record identification is used to re-identify data as long as the code is not derived from or related to information about the individual and cannot be translated to identify the individual. In addition, the code is not disclosed for any other purpose nor is the mechanism for re-identification disclosed.

Identification and Authentication

User Logon IDs

  • Each user shall be assigned a unique identifier.

  • Users shall be responsible for the use and misuse of their individual logon ID.

Passwords

User IDs and passwords are required in order to gain access to all Practice networks and workstations. All passwords are restricted by a corporate-wide password policy to be of a "Strong" nature. This means that all passwords must conform to restrictions and limitations that are designed to make the password difficult to guess. Users are required to select a password in order to obtain access to any electronic information both at the server level and at the workstation level. When passwords are reset, the user will be automatically prompted to manually change that assigned password.

Password Length – Passwords are required to be a minimum of eight characters15.

Restrictions on Recording Passwords - Passwords are masked or suppressed on all online screens, and are never printed or included in reports or logs. Passwords are stored in an encrypted format.

Confidentiality Agreement

Users of Practice information resources shall sign, as a condition for employment, an appropriate confidentiality agreement (Appendix D). The agreement shall include the following statement, or a paraphrase of it:

Access Control

Rules for access to resources (including internal and external telecommunications and networks) have been established by the information/application owner or manager responsible for the resources. Access is granted only by the completion of a Network Access Request Form (Appendix C). This form can only be initiated by the appropriate department head, and must be signed by the department head and the Security Officer or appropriate personnel.

This guideline satisfies the "need to know" requirement of the HIPAA regulation, since the supervisor or department head is the person who most closely recognizes an employee's need to access data. Users may be added to the information system, network, or EHR only upon the signature of the Security Officer or appropriate personnel who is responsible for adding the employee to the network in a manner and fashion that ensures the employee is granted access to data only as specifically requested.

User Login Entitlement Reviews

No less than annually, the IT Manager shall facilitate entitlement reviews with department heads to ensure that all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate HIPAA compliance and protect patient data.

Termination of User Logon Account

Upon termination of an employee, whether voluntary or involuntary, the employee’s supervisor or department head shall promptly notify the IT Department by indicating “Remove Access” on the employee’s Network Access Request Form (Appendix C) and submitting the Form to the IT Department. If the employee’s termination is voluntary and the employee provides notice, the employee’s supervisor or department head shall promptly notify the IT Department of the employee’s last scheduled work day so that their user account(s) can be configured to expire. The employee’s department head shall be responsible for ensuring that all keys, ID badges, and other access devices, as well as Practice equipment and property, are returned to the Practice before the employee leaves the Practice on their final day of employment.

Title: NETWORK CONNECTIVITY P&P #: IS-1.3
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology

Network Connectivity

Dial-In Connections

Access to Practice information resources through modems or other dial-in devices / software, if available, shall be subject to authorization and authentication by an access control system. Direct inward dialing without passing through the access control system is prohibited.

Dial-up numbers shall be unlisted.

Dial Out Connections

Telecommunication Equipment

  • phone lines

  • fax lines

  • cell phones

  • Blackberry type devices

  • long distance lines

  • 800 lines

Permanent Connections

Emphasis on Security in Third Party Contracts

Access to Practice computer systems or corporate networks should not be granted until a review of the following concerns has been made, and appropriate restrictions or covenants have been included in a statement of work (“SOW”) with the party requesting access.

  • Applicable sections of the Practice Information Security Policy have been reviewed and considered.

  • A description of each service to be made available.

  • Each service, access, account, and/or permission made available should only be the minimum necessary for the third party to perform their contractual obligations.

  • The right to monitor and revoke user activity should be included in each agreement.

  • Language on restrictions on copying and disclosing information should be included in all agreements.

  • Mechanisms should be in place to ensure that security measures are being followed by all parties to the agreement.

  • Because annual confidentiality training is required under the HIPAA regulation, a formal procedure should be established to ensure that the training takes place, that there is a method to determine who must take the training, who will administer the training, and the process to determine the content of the training established.

Firewalls

Malicious Code

Antivirus Software Installation

Antivirus software is installed on all Practice personal computers and servers. Virus patterns are updated daily on the Practice servers and workstations. Virus scanning engines and pattern files are monitored by the administrative staff responsible for keeping all virus patterns up to date.

New Software Distribution

Although shareware and freeware can often be useful sources of work-related programs, the use and/or acquisition of such software must be approved by the Privacy Officer or appropriate personnel. Because the software is often provided in an open distribution environment, special precautions must be taken before it is installed on Practice computers and networks. These precautions include determining that the software does not, because of faulty design, “misbehave” and interfere with or damage Practice hardware, software, or data, and that the software does not contain viruses, either originating with the software designer or acquired in the process of distribution.

All data and program files that have been electronically transmitted to a Practice computer or network from another location must be scanned for viruses immediately after being received. Contact the appropriate Practice personnel for instructions for scanning files for viruses.

Retention of Ownership

Policy and Procedure

Title: ENCRYPTION P&P #: IS-1.5
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS012, TVS015)

Encryption

Definition

Encryption Key

Installation of authentication and encryption certificates on the e-mail system

Use of WinZip encrypted and zipped e-mail

This software allows Practice personnel to exchange e-mail with remote users who have the appropriate encryption software on their system. The two users exchange a shared secret key that is used to both encrypt and decrypt each transmission. Any Practice staff member who wishes to use this technology may request this software from the Privacy Officer or appropriate personnel.

File Transfer Protocol (FTP)

Files may be transferred to secure FTP sites through the use of appropriate security precautions. Requests for any FTP transfers should be directed to the Privacy Officer or appropriate personnel.

Secure Socket Layer (SSL) Web Interface

Building Security

It is the policy of the Practice to provide building access in a secure manner. Each site, if applicable, is somewhat unique in terms of building ownership, lease contracts, entranceway access, fire escape requirements, and server room control. However, the Practice strives to continuously upgrade and expand its security and to enhance protection of its assets and medical information that has been entrusted to it. The following list identifies measures that are in effect at the Practice. All other facilities, if applicable, have similar security appropriate for that location.

Description of building, location, square footage, and the use of any generator.

  • The reception area is staffed at all times during the working hours of 8:00 AM to 5:00 PM22.

  • Any unrecognized person in a restricted office location should be challenged as to their right to be there. All visitors must sign in at the front desk, wear a visitor badge (excluding patients), and be accompanied by a Practice staff member. In some situations, non-Practice personnel, who have signed the confidentiality agreement, do not need to be accompanied at all times.

  • Fire Protection: Use of local building codes will be observed. Manufacturer’s recommendations on the fire protection of individual hardware will be followed.

Company Name or Logo1

Title: TELECOMMUTING P&P #: IS-1.7
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology

Telecommuting

General Requirements

  • Need to Know: Telecommuting Users will have the access based on the same ‘need to know’ as they have when in the office.

  • Password Use: The use of a strong password, changed at least every 90 days27, is even more critical in the telecommuting environment. Do not share your password or write it down where a family member or visitor can see it.

Required Equipment

Practice Provided:

A cable lock to secure the workstation to a fixed object.

If using VPN, a Practice issued hardware firewall is required.

Employee Provided:

Secure office environment isolated from visitors and family.

A lockable file cabinet or safe to secure documents when away from the home office.

Hardware Security Protections

Data Security Protection

Data Backup: Backup procedures have been established that encrypt the data being moved to an external media. Use only that procedure – do not create one on your own. If there is not a backup procedure established, or if you have external media that is not encrypted, contact the appropriate Practice personnel for assistance. Protect external media by keeping it in your possession when traveling.

Transferring Data to the Practice: Transferring of data to the Practice requires the use of an approved VPN connection to ensure the confidentiality and integrity of the data being transmitted. Do not circumvent established procedures, nor create your own method, when transferring data to the Practice.

Hard Copy Reports or Work Papers: Never leave paper records around your work area. Lock all paper records in a file cabinet at night or when you leave your work area.

Data Entry When in a Public Location: Do not perform work tasks which require the use of sensitive corporate or patient level information when you are in a public area, i.e. airports, airplanes, hotel lobbies. Computer screens can easily be viewed from beside or behind you.

Disposal of Paper and/or External Media

  • Return all external media to your supervisor

  • External media must be wiped clean of all data. The Privacy Officer or appropriate personnel has very definitive procedures for doing this – so all external media must be sent to them.

Specific Protocols and Devices

Wireless Usage Standards and Policy

Due to the emergence of wireless access points in hotels, airports, and homes, it has become imperative that a Wireless Usage policy be developed and adopted to ensure the security and functionality of such connections for Practice employees. This policy outlines the processes and procedures for acquiring wireless access privileges, utilizing wireless access, and ensuring the security of Practice laptops and mobile devices.

Approval Procedure - In order to be granted the ability to use the wireless network interface on your Practice laptop or mobile device, you will be required to gain the approval of your immediate supervisor or department head and the Privacy Officer or appropriate personnel of the Practice. The Network Access Request Form (found in Appendix A) is used to make such a request. Once this form is completed and approved, you will be contacted by appropriate Practice personnel to set up your laptop and schedule training.

  • Appropriate VPN Client, if applicable

  • Internet Explorer 6.0 SP2 or Greater

Use of Transportable Media

The use of transportable media in various formats is common practice within the Practice. All users must be aware that sensitive data could potentially be lost or compromised when moved outside of Practice networks. Transportable media received from an external source could potentially pose a threat to Practice networks. Sensitive data includes all human resource data, financial data, Practice proprietary information, and personal health information (“PHI”) protected by the Health Insurance Portability and Accountability Act (“HIPAA”).

USB key devices are handy devices which allow the transfer of data in an easy to carry format. They provide a much improved format for data transfer when compared to previous media formats, like diskettes, CD-ROMs, or DVDs. The software drivers necessary to utilize a USB key are normally included within the device and install automatically when connected. They now come in a rugged titanium format which connects to any key ring. These factors make them easy to use and to carry, but unfortunately easy to lose.

  • Non-Practice workstations and laptops may not have the same security protection standards required by the Practice, and accordingly viruses could potentially be transferred from the non-Practice device to the media and then back to the Practice workstation.

Example: Do not copy a work spreadsheet to your USB key and take it home to work on your home PC.

  • Before initial use and before any sensitive data may be transferred to transportable media, the media must be sent to the Privacy Officer or appropriate personnel to ensure appropriate and approved encryption is used. Copy sensitive data only to the encrypted space on the media. Non-sensitive data may be transferred to the non-encrypted space on the media.

  • Report all loss of transportable media to your supervisor or department head. It is important that the CST team is notified either directly from the employee or contractor or by the supervisor or department head immediately.

Policy and Procedure

Title: RETENTION / DESTRUCTION of PAPER DOCUMENTS P&P #: IS-1.9
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS020, TVS021)

Retention / Destruction of Medical Information

Disposal of External Media / Hardware

Disposal of External Media

  • When no longer needed all forms of external media are to be sent to the Privacy Officer or appropriate personnel for proper disposal.

  • The media will be secured until appropriate destruction methods are used based on NIST 800-88 guidelines.

Requirements Regarding Equipment

Disposition of Excess Equipment

  • Older machines are used for testing new software.

  • Older machines are used as backups for other production equipment.

Title: CHANGE MANAGEMENT P&P #: IS-1.11
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS024)

Change Management

Statement of Policy

To ensure that Practice is tracking changes to networks, systems, and workstations including software releases and software vulnerability patching in information systems that contain electronic protected health information (“ePHI”). Change tracking allows the Information Technology (“IT”) Department to efficiently troubleshoot issues that arise due to an update, new implementation, reconfiguration, or other change to the system.

  1. The employee implementing the change shall also be familiar with the rollback process in the event that the change causes an adverse effect within the system and needs to be removed.

Audit Controls

Procedure

  1. See policy entitled Information System Activity Review for the administrative safeguards for auditing system activities.

Title: INFORMATION SYSTEM ACTIVITY REVIEW P&P #: IS-1.13
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS014, TVS017, TVS019)

Information System Activity Review

Statement of Policy

To establish the process for conducting, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs, and access reports. Practice shall conduct on a regular basis an internal review of records of system activity to minimize security violations.

  1. Such reviews shall be conducted annually. Audits also shall be conducted if Practice has reason to suspect wrongdoing. In conducting these reviews, the Information Technology Services shall examine audit logs for security-significant events including, but not limited to, the following:

  1. Logins – Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access.

  1. The Information Technology Services shall forward all completed reports, as well as recommended actions to be taken in response to findings, to the Security Officer for review. The Security Officer shall be responsible for maintaining such reports. The Security Officer shall consider such reports and recommendations in determining whether to make changes to Practice’s administrative, physical, and technical safeguards. In the event a security incident is detected through such auditing, such matter shall be addressed pursuant to the policy entitled Employee Responsibilities (Report Security Incidents).
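As an added illustration of the login review described above (this script is not part of the template), the following Python code reviews a constructed audit log and flags the events the policy lists: repeated failed logins, account lockouts, and successful logins by accounts that are not on the authorized roster. The log format, the five-failures-in-ten-minutes threshold, and the roster are assumptions chosen for the example.

```python
"""Audit-log review for the login events named in the Information System
Activity Review policy. Added example: the log line format, thresholds and
user roster below are assumptions, not values from the policy template."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user event outcome host" format.
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe LOGIN SUCCESS WS-017
2024-03-04T08:02:41 asmith LOGIN FAILURE WS-022
2024-03-04T08:02:55 asmith LOGIN FAILURE WS-022
2024-03-04T08:03:07 asmith LOGIN FAILURE WS-022
2024-03-04T08:03:20 asmith LOGIN FAILURE WS-022
2024-03-04T08:03:30 asmith LOGIN FAILURE WS-022
2024-03-04T08:03:31 asmith LOCKOUT - WS-022
2024-03-04T09:15:00 contractor7 LOGIN SUCCESS WS-030
2024-03-04T10:20:00 jdoe FILE_ACCESS SUCCESS WS-017
2024-03-04T13:45:12 bwong LOGIN FAILURE WS-005
2024-03-04T17:00:00 bwong LOGIN SUCCESS WS-005
"""

# Assumed roster of accounts authorized to log in (e.g. from the network access request forms).
AUTHORIZED_USERS = {"jdoe", "asmith", "bwong"}
FAILURE_THRESHOLD = 5            # assumed: failures within WINDOW that warrant review
WINDOW = timedelta(minutes=10)   # assumed sliding window for counting failures


@dataclass
class Event:
    ts: datetime
    user: str
    event: str     # LOGIN, LOCKOUT, FILE_ACCESS, ...
    outcome: str   # SUCCESS, FAILURE or "-" when not applicable
    host: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, host = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, event, outcome, host))
    return events


def login_summary(events):
    """Counts of successful and unsuccessful login attempts (the 'scan' step)."""
    counts = {"success": 0, "failure": 0}
    for e in events:
        if e.event == "LOGIN":
            counts["success" if e.outcome == "SUCCESS" else "failure"] += 1
    return counts


def review(events, authorized=AUTHORIZED_USERS, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return findings for the Security Officer: finding type -> list of (user, detail)."""
    findings = {"multiple_failed_logins": [], "lockouts": [], "unauthorized_access": []}
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window
    already_flagged = set()               # report each user once per review run
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "LOGIN" and e.outcome == "FAILURE":
            cutoff = e.ts - window
            recent_failures[e.user] = [t for t in recent_failures[e.user] if t >= cutoff] + [e.ts]
            n = len(recent_failures[e.user])
            if n >= threshold and e.user not in already_flagged:
                already_flagged.add(e.user)
                findings["multiple_failed_logins"].append(
                    (e.user, f"{n} failed logins within {window} ending {e.ts.isoformat()}"))
        elif e.event == "LOCKOUT":
            findings["lockouts"].append((e.user, f"locked out at {e.ts.isoformat()} on {e.host}"))
        elif e.event == "LOGIN" and e.outcome == "SUCCESS" and e.user not in authorized:
            # A successful login by an account outside the roster is treated as unauthorized access.
            findings["unauthorized_access"].append(
                (e.user, f"successful login from {e.host} at {e.ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("login summary:", login_summary(evts))
    for kind, items in review(evts).items():
        for user, detail in items:
            print(f"{kind}: {user}: {detail}")
```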

Data Integrity

Procedure

To the fullest extent possible, Practice shall utilize applications with built-in intelligence that automatically checks for human errors.

  1. Practice will install and regularly update antivirus software on all workstations to detect and prevent malicious code from altering or destroying data.

  2. Workforce members shall keep magnetic media away from strong magnetic fields and heat. For example, computers should not be left in automobiles during the summer months.

Title: CONTINGENCY PLAN P&P #: IS-1.15
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS026)

Contingency Plan

Practice is committed to maintaining formal practices for responding to an emergency or other occurrence that damages systems containing ePHI. Practice shall continually assess potential risks and vulnerabilities to protect health information in its possession, and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with the HIPAA Security Rule.

Procedure

    1. The Security Officer shall test backup procedures on an annual basis to ensure that exact copies of ePHI can be retrieved and made available. Such testing shall be documented by the Security Officer. To the extent such testing indicates need for improvement in backup procedures, the Security Officer shall identify and implement such improvements in a timely manner.

  1. Disaster Recovery and Emergency Mode Operations Plan

      1. Current copies of the information systems inventory and network configuration developed and updated as part of Practice’s risk analysis.

      2. Current copy of the written backup procedures developed and updated pursuant to this policy.

        1. Retrieving lost data.

        2. Identifying and implementing appropriate “work-arounds” during such time information systems are unavailable.

        1. Facilities at which backup data is stored,

        2. Information systems vendors, and

      1. Review the written disaster recovery and emergency mode operations plan and make appropriate changes to the plan. The Security Officer shall be responsible for convening and maintaining minutes of such meetings. The Security Officer also shall be responsible for revising the plan based on the recommendations of the disaster recovery team.

Security Awareness and Training

Procedure

  1. Security Training Program

  1. The Security Officer shall generate and distribute special notices to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, and/or countermeasures.

    1. Protection from Malicious Software

    1. Recognizing signs of a potential virus that could sneak past antivirus software or could arrive prior to an update to the antivirus software,

    2. The importance of backing up critical data on a regular basis and storing the data in a safe place,

      1. Passwords must be changed every 90 days.

      2. A user cannot reuse the last 12 passwords.

      3. Passwords must not be written down, posted, or exposed in an insecure manner such as on a notepad or posted on the workstation.

      4. Employees should refuse all offers by software and/or Internet sites to automatically login the next time that they access those resources.

Title: SECURITY MANAGEMENT PROCESS P&P #: IS-1.17
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology

Security Management Process

To ensure Practice conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Practice.

Practice shall conduct an accurate and thorough risk analysis to serve as the basis for Practice’s HIPAA Security Rule compliance efforts. Practice shall re-assess the security risks to its ePHI and evaluate the effectiveness of its security measures and safeguards as necessary in light of changes to business practices and technological advancements.

      1. Update/develop information systems inventory. List the following information for all hardware (e.g., network devices, workstations, printers, scanners, mobile devices) and software (e.g., operating system, various applications, interfaces): date acquired, location, vendor, licenses, maintenance schedule, and function. Update/develop a network diagram illustrating how the organization’s information system network is configured.

      2. Update/develop facility layout showing location of all information systems equipment, power sources, telephone jacks, and other telecommunications equipment, network access points, fire and burglary alarm equipment, and storage for hazardous materials.

  1. Determine whether the data is maintained within the organization only or transmitted to third parties. If data is transmitted to a third party, identify that party and the purpose and manner of transmission.

  2. Define the criticality of the application and related data as high, medium, or low. Criticality is the degree of impact on the organization if the application and/or related data were unavailable for a period of time.

  1. Environmental threats, e.g., fire and smoke damage, power outage, utility problems.

  2. Human threats

      1. Identify and document vulnerabilities in Practice’s information systems. A vulnerability is a flaw or weakness in security policies and procedures, design, implementation, or controls that could be accidentally triggered or intentionally exploited, resulting in unauthorized access to ePHI, modification of ePHI, denial of service, or repudiation (i.e., the inability to identify the source and hold some person accountable for an action). To accomplish this task, conduct a self-analysis utilizing the standards and implementation specifications to identify vulnerabilities.

        1. Determine and document probability and criticality of identified risks.

    1. Assign criticality level.

  1. "High" (3) is defined as having a catastrophic impact on the medical practice including a significant number of medical records which may have been lost or compromised.

      1. Develop and document an implementation strategy for critical security measures and safeguards.

  1. Determine timeline for implementation.

    1. Evaluate effectiveness of measures and safeguards following implementation and make appropriate adjustments.

      1. The Security Officer shall be responsible for identifying appropriate times to conduct follow-up evaluations and coordinating such evaluations. The Security Officer shall identify appropriate persons within the organization to assist with such evaluations. Such evaluations shall be conducted upon the occurrence of one or more of the following events: changes in the HIPAA Security Regulations; new federal, state, or local laws or regulations affecting the security of ePHI; changes in technology, environmental processes, or business processes that may affect HIPAA Security policies or procedures; or the occurrence of a serious security incident. Follow-up evaluations shall include the following:

Emergency Operations Procedures

Electronic Health Record (EHR) – Electronic records of patient encounters in a healthcare delivery setting. An electronic health record typically consists of information including: patient demographics, progress notes, medication history, vital signs and laboratory results.

Practice Management (PM) – A practice management system is typically a computer-based system used to manage the day-to-day operations of a healthcare practice. Tasks typically performed by a PM system include: scheduling appointments, maintaining patient and insurance information, billing functions, and generating various reports.

  • unexpected outage of EHR systems, and

  • resumption of EHR services following an outage such that normal operations may resume.

Telephone encounters should be entered onto the paper telephone encounter form and transferred to a nurse for triage.

Out folders should be used as temporary charts.

Paper progress note templates should be used to record usual nurse intake.

Out folder is placed on exam room door as before, using the flag system to notify provider that the patient is ready.

System Restoration:

Patient encounters occurring during system downtime should be entered into the system via the following procedures:

  • Scheduling telephone calls should be returned. A telephone encounter does not need to be entered into the EHR.

  • Telephone encounters for all other issues should be entered into the system and routed as appropriate.

All other phone/fax information will be scanned into the patient’s record when the EHR system is operational and normal operations have resumed.

Company Name or Logo1

Policy and Procedure

Title: Emergency Access “Break the Glass” P&P #: IS-3.0
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS026)

Emergency Access “Break the Glass”

Definitions  

Medical emergency means medically necessary care which is immediately needed to preserve life, prevent serious impairment to bodily functions, organs, or parts, or prevent placing the physical or mental health of the patient in serious jeopardy.

1. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

2. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

  • Identifying and defining which Practice workforce members are authorized to access EPHI during an emergency.

  • Identifying and defining manual and automated methods to be used by authorized Practice workforce members to access EPHI during a medical emergency.

Scope/Applicability

This policy is applicable to all divisions and workforce members that use or disclose electronic protected health information for any purposes. This policy’s scope includes all electronic protected health information, as described in definitions below.

Rule Language:

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information (EPHI) during a medical emergency.”

Procedures

Mechanism to Provide Emergency Access to EPHI

    1. Job title

    2. Reason for emergency access

  1. The emergency access will be tracked and documented based on capabilities of the EHR. The tracking documentation will be reviewed by the Security Officer to determine that emergency access was appropriate.

  2. At the conclusion of the event that precipitated the granting of emergency access, the Security Officer ensures the break-the-glass accounts are disabled, and new ones are created in anticipation of the next emergency.

  • Creating an extremely complicated password (but one an employee will be able to enter while under the stress of an emergency situation).

  • Securing the password.

Sanction Policy

Policy
It is the policy of the Practice that all workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times. The Practice will impose sanctions, as described below, on any individual who accesses, uses, or discloses sensitive information without proper authorization.

The Practice will take appropriate disciplinary action against employees, contractors, or any individuals who violate the Practice’s information security and privacy policies or state, or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Sensitive information includes, but is not limited to, the following:

  • Protected Health Information (PHI) – Individually identifiable health information that is in any form or media, whether electronic, paper, or oral.

  • Other information that is confidential – Any other information that is sensitive in nature or considered to be confidential.

Availability means that data or information is accessible and usable upon demand by an authorized person.

Level 1 violations:

  • Accessing information that you do not need to know to do your job.

  • Sharing computer access codes (user name & password).

  • Discussing sensitive information in a public area or in an area where the public could overhear the conversation.

  • Discussing sensitive information with an unauthorized person.

Level 2 violations:

  • Failing/refusing to comply with a remediation resolution or recommendation.

Level 3 violations:

  • Third occurrence of any Level 1 offense (does not have to be the same offense).

In the event that a workforce member violates the Practice’s privacy and security policies and/or violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or related state laws governing the protection of sensitive and patient identifiable information, the following recommended disciplinary actions will apply.

Important Note: The recommended disciplinary actions are identified in order to provide guidance in policy enforcement and are not meant to be all-inclusive. If formal discipline is deemed necessary, the Practice shall consult with Human Resources prior to taking action. When appropriate, progressive disciplinary action steps shall be followed allowing the employee to correct the behavior which caused the disciplinary action.


I, the undersigned employee or contractor, hereby acknowledge receipt of a copy of the Sanction Policy for Practice Name1.

Dated this ________ day of _________________, 20____.

Policy and Procedure

Title: EMPLOYEE BACKGROUND CHECKS P&P #: IS-4.1
Approval Date: Date4 Review: Annual
Effective Date: Date5 Human Resources
(TVS007)

Employee Background Checks

The Practice will conduct employment reference checks, investigative consumer reports, and background investigations on all candidates for employment prior to making a final offer of employment, and may use a third party to conduct these background checks. The Practice will obtain written consent from applicants and employees prior to ordering reports from third-party providers, and will provide a description of applicant and employee rights and all other documentation as required by law to each applicant or candidate in accordance with FCRA and applicable state and federal statutes (Appendix G). All background checks are subject to these notice and consent requirements.

An investigative consumer report compiles information on a candidate’s general reputation, personal characteristics, or mode of living. This information may be gathered online including social networking sites, through public or educational records, or through interviews with employers, friends, neighbors, associates, or anyone else who may have information about the employee or potential employee. In the pre-employment process, investigative consumer reports typically include such things as criminal records checks, education verification checks, and employment verification checks.

The type of information that will be collected by the Practice in background checks may include, but is not limited to, some or all of the following:

  • Private and government agency reports related to any history of criminal, dishonest, or violent behavior, and other reports that relate to suitability for employment

  • Credit reports

  • Social security number scans

Discovery Policy: Production and Disclosure

Policy
It is the policy of this organization to produce and disclose relevant information and records in compliance with applicable laws, court procedures, and agreements made during the litigation process.

Procedure

Accurate Patient Identification

Responsible – Action
HIM – For litigation involving an individual’s medical records, verify the patient’s identity in the master patient index, including demographic information and identifiers including the medical record number. [Note: When conducting searches, it is critical to accurately identify the correct patient and relevant information.]
HIM – Note multiple medical record numbers, identifiers, aliases, etc., that will be used during the search process to find relevant information.

Responsible – Action
Litigation Response Team –
  • Legal Health Record/EHR System (including source information systems such as nursing, ED, lab, radiology, etc.)

  • Local area servers for the office

  • E-mail, including archived e-mail and sent e-mail

  • E-mail trash bin, desktop recycle bin

  • Files of administrative personnel in department/office

  • Files located in department/office staff home

HIM, Data Owners
IT – Provide assistance to HIM and Data Owners in the search and retrieval process for various systems and data sources.
HIM, Data Owners – Screen or filter the search results, eliminating inappropriate information (e.g., wrong patient, outside the timeframe, not relevant to the proceeding, etc.).
Legal Services – Review the content of the data/data sets found to determine relevancy to the proceeding and identify information that is considered privileged.
Legal Services, HIM, Data Owners – Determine the final list of relevant data/data sets, location, and search methodology.

Charges for Copying and Disclosure

Responsible – Action
HIM, Data Owners, IT – For the information searched and disclosed, calculate the costs for search, retrieval, and disclosure methods using the organization’s established formula and governmental formulas for reproduction charges.
HIM – Invoice requesting parties for allowable charges related to the reproduction of health information and records.
Legal Services – Determine whether other expenses may be charged in accordance with the discovery plan or negotiation with litigants and/or judge.

Responsible – Action
Litigation Response Team – Determine the procedures for allowing an attorney or third party to review the electronic records and search results on-line. This includes where the review will occur, system access controls, monitoring during the review session, and the charges, if any.
Legal Services, IT, HIM, Data Owners – Mask, redact, or retract non-relevant, privileged, or confidential information (such as on a different patient) as appropriate.
HIM, Data Owners – Verify the outside party is allowed access to the record and systems by reviewing all supporting documentation (e.g., signed consent, credentials from retained firm, etc.).
HIM, Data Owners – Prepare for access by identifying the types of information that party is allowed to access. If an authorization has been signed by a patient or legal representative, allow access to legal medical records and/or other information as outlined in the authorization. If other types of information will be reviewed, access is allowed based on the subpoena, court order, state/federal statutes, or agreed-upon discovery plan.

APPROVALS:

Legal Department Approval: Date:
HIM Department Approval: Date:
IT Department Approval: Date:
[Specify Other Departments] 31 Date:

e-Discovery Policy: Retention

This policy applies to all enterprise health information and records whether the information is paper based or electronic. It applies to any health record, regardless of whether it is maintained by the Health Information Management Department or by the clinical or ancillary department that created it.

Definitions

Unauthorized Destruction: The unauthorized destruction, removal, alteration, or use of health information and records is prohibited. Persons who destroy, remove, alter or use health information and records in an unauthorized manner will be disciplined in accordance with the organization’s Sanction Policy.

Procedure

Responsible – Action
Data Owner/Departments – Data owners/departments will designate a records coordinator for their areas and report that designation to the Records Committee and Litigation Response Team.
Record Committee
HIM –
  • Audit compliance with records management (both electronic and paper) policies and retention schedules and report findings to the Record Committee.

  • Serve as point of contact for Records Coordinators.

IT/HIM/Data Owners – IT/HIM/Data Owners will ensure that electronic storage of enterprise health information and records is carried out in conjunction with archiving and retention policies.
Records Coordinators

They will organize and manage online records management control forms relating to enterprise records and information in their areas of responsibility to accomplish the following:

  • Transfer records to storage

Record coordinators will obtain (if not already trained) and maintain records management skills.

Legal Services

Legal Services serves as subject matter expert and provides counsel regarding records designations and legal and statutory requirements for records retention and pending legal matters.

Active/Inactive Records

Active stage is that period when reference is frequent and immediate access is important. Records should be retained in the office or close to the users. Data Owners, through their Records Coordinator, are responsible for maintaining the records in an orderly, secure, and auditable manner throughout this phase of the record life-cycle.


Inactive stage is that period when records are retained for occasional reference and for legal reasons. Inactive records for which scheduled retention periods have not expired or records scheduled for permanent retention will be cataloged and moved to the designated off-site storage facility.

Storage of Inactive Records: All inactive records identified for storage will be delivered with the appropriate Records Management Forms to the designated off-site storage facility, where the records will be protected, stored, and will remain accessible and cataloged for easy retrieval. Except for emergencies, the designated off-site storage facility will provide access to records during normal business hours.

Records Destruction

Destruction of Non-Records Containing Confidential Information: Non-records containing personal health information or other forms of confidential corporate, employee, member, or patient information of any kind shall be rendered unrecognizable for both source and content by means of shredding, pulping, etc., regardless of media. This material shall be deposited in on-site, locked shred collection bins or boxed, sealed, and marked for destruction.

Disposal of Electronic Storage Media: Electronic storage media must be assumed to contain confidential or other sensitive information and must not leave the possession of the organization until confirmation that the media is unreadable or until the media is physically destroyed.


Policy and Procedure

Title: Reporting and Managing a Privacy Breach Procedure P&P #: IS-6.0
Approval Date: Date4 Review: Annual
Effective Date: Date5 Information Technology
(TVS025)

Breach Notification Procedures

Purpose

To outline the process for notifying affected individuals of a breach of protected information under the Privacy Act, of unsecured protected health information (PHI) for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and/or for state breach notification purposes.

Personal Information – Personal Information has many definitions, including definitions by statute, which may vary from state to state. Most generally, Personal Information is a combination of data elements that could uniquely identify an individual. Please review applicable state data breach statutes to determine which definition of Personal Information applies for purposes of this document.

HIPAA Breach – Unauthorized acquisition, access, use, or disclosure of unsecured PHI.

Protected Health Information (PHI) – Individually identifiable health information except for education records covered by FERPA and employment records.

Procedure

  1. You may call the Privacy Officer directly at _____-_____32.

    1. Provide the Privacy Officer with as much detail as possible.

  1. The Privacy Officer will take the following steps to limit the scope and effect of the breach.

    1. Work with department(s) to immediately contain the breach. Examples include, but are not limited to:

      1. Correcting weaknesses in security practices

      2. Notifying the appropriate authorities including the local Police Department if the breach involves, or may involve, any criminal activity

    1. The Privacy Officer, in collaboration with the Practice’s Legal Counsel, will consider several factors in determining whether to notify individuals affected by the breach including, but not limited to:

      1. Contractual obligations

      2. Number of individuals affected

Notification

        1. What happened

        2. Types of PHI involved

    1. If law enforcement authorities have been contacted, those authorities will assist in determining whether notification may be delayed in order not to impede a criminal investigation.

  1. The required elements of notification vary depending on the type of breach and which law is implicated. As a result, the Practice’s Privacy Officer and Legal Counsel should work closely to draft any notification that is distributed.

  1. Notices must be provided without reasonable delay and in no case later than sixty (60) days after discovery of the breach.

  2. Business associates must cooperate with the Practice in investigating and mitigating the breach.

  1. Once immediate steps are taken to mitigate the risks associated with the breach, the Privacy Officer will investigate the cause of the breach.

    1. If necessary, this will include a security audit of physical, organizational, and technological measures.

Compliance and Enforcement

All managers and supervisors are responsible for enforcing these procedures. Employees who violate these procedures are subject to discipline up to and including termination in accordance with the Practice’s Sanction Policy.


Appendix A – Network Access Request Form

Employee or Contractor Request for Network Access

NAME SIGNATURE DATE

Department Head (Print Name)


Appendix B – Confidentiality Form

Date Signature

______________________________________

Appendix C – Approved Software

Appendix D – Approved Vendors

Vendor Primary Contact Main Number Product / Service Description/Comments

Appendix E – Incident Response Tools

Appendix F – Background Check Authorization

Under the provisions of the Fair Credit Reporting Act (15 U.S.C. §1681 et seq.), the Americans with Disabilities Act, and all applicable federal, state, and local laws, I hereby authorize and permit to obtain a consumer report and/or an investigative consumer report which may include the following:

  1. My employment records;

I agree that a copy of this authorization has the same effect as an original.

I understand that information obtained in this authorized investigative consumer report and background investigation may result in not being offered a position of employment. I hereby release and hold harmless any person, firm, or entity that discloses information in accordance with this authorization, as well as from liability that might otherwise result from the request for use of and/or disclosure of any or all of the foregoing information except with respect to a violation of the Act. I authorize <Company Name> (“Practice”) and its designated agent and all associated entities to receive any criminal history information or credit report pertaining to me in the files of any state or local criminal justice agency. I authorize all corporations; companies; former employers; supervisors; credit agencies; educational institutions; law enforcement/criminal justice agencies; city, state, county and federal courts; state motor vehicle bureaus; and other persons and entities to release information they may have about me to the Practice or their designated agent.

Other Names Used _____________________________________________

Social Security Number _____/___/_____ Date of Birth _______________

Driver's License # ___________________ State _____________________
 

Adapted from http://www.softechinternational.com/SampleReleaseForm.pdf and

http://www.national-employment-screening.com/background-check-release.htm.

Appendix G – Change Management Tracking Log

Appendix H – Employee Hiring and Termination Checklist

Worksheet: Excel Version Attached
