Table 1 provides a brief summary of the objective of each security policy and associated procedures. Note that all HIPAA Security Rule categories (sections) are identified in capitalized rows, standards are shown in bold, and implementation specifications are shown as regular text.

| HIPAA Security Policy/Procedure | Description |
|---|---|
| ADMINISTRATIVE SAFEGUARDS | |
| **Security Management Process** | The purpose is to implement policies and procedures to prevent, detect, contain, and correct security violations. |
| Risk Analysis | The purpose is to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. |
| Risk Management | The purpose is to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. |
| Sanction Policy | The purpose is to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the organization. |
| Information System Activity Review | The purpose is to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |
| **Assigned Security Responsibility** | The purpose is to identify the security official who is responsible for the development and implementation of the HIPAA security policies and procedures. |
| **Workforce Security** | The purpose is to implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. |
| Authorization and/or Supervision | The purpose is to implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. |
| Workforce Clearance Procedure | The purpose is to implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. |
| Termination Procedures | The purpose is to implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends. |
| **Information Access Management** | The purpose is to implement policies and procedures for authorizing access to electronic protected health information. |
| Access Authorization | The purpose is to implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. |
| Access Establishment and Modification | The purpose is to implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. |
| **Security Awareness and Training** | The purpose is to implement a security awareness and training program for all members of its workforce, including management. |
| Security Reminders | The purpose is to provide periodic security updates to members of the workforce. |
| Protection from Malicious Software | The purpose is to develop procedures for guarding against, detecting, and reporting malicious software. |
| Log-in Monitoring | The purpose is to develop procedures for monitoring log-in attempts and reporting discrepancies. |
| Password Management | The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of passwords, and the frequency of change. |
| **Security Incident Procedures** | The purpose is to implement policies and procedures to address security incidents. |
| Response and Reporting | The purpose is to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. |
| **Contingency Plan** | The purpose is to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. |
| Data Backup Plan | The purpose is to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. |
| Disaster Recovery Plan | The purpose is to establish (and implement as needed) procedures to restore any loss of data. |
| Emergency Mode Operation Plan | The purpose is to establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. |
| Testing and Revision Procedures | The purpose is to implement procedures for periodic testing and revision of contingency plans. |
| Applications and Data Criticality Analysis | The purpose is to assess the relative criticality of specific applications and data in support of other contingency plan components. |
| **Evaluation** | The purpose is to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of the HIPAA Security Rule. |
| **Business Associate Contracts and Other Arrangements** | The purpose is to establish a contract that may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. |
| PHYSICAL SAFEGUARDS | |
| **Facility Access Controls** | The purpose is to implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. |
| Contingency Operations | The purpose is to establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. |
| Facility Security Plan | The purpose is to implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
| Access Control and Validation Procedures | The purpose is to implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. |
| Maintenance Records | The purpose is to implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). |
| **Workstation Use** | The purpose is to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. |
| **Workstation Security** | The purpose is to implement physical safeguards for all workstations that access electronic protected health information and restrict access to authorized users only. |
| **Device and Media Controls** | The purpose is to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. |
| Disposal | The purpose is to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. |
| Media Re-use | The purpose is to implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. |
| Accountability | The purpose is to maintain a record of the movements of hardware and electronic media and any person responsible therefore. |
| Data Backup and Storage | The purpose is to create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. |
| TECHNICAL SAFEGUARDS | |
| **Access Control** | The purpose is to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. |
| Unique User Identification | The purpose is to assign a unique name and/or number for identifying and tracking user identity. |
| Emergency Access Procedure | The purpose is to establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. |
| Automatic Logoff | The purpose is to implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| Encryption and Decryption | The purpose is to implement a mechanism to encrypt and decrypt electronic protected health information. |
| **Audit Controls** | The purpose is to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. |
| **Integrity** | The purpose is to implement policies and procedures to protect electronic protected health information from improper alteration or destruction. |
| Mechanism to Authenticate Electronic Protected Health Information | The purpose is to implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. |
| **Person or Entity Authentication** | The purpose is to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. |
| **Transmission Security** | The purpose is to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. |
| Integrity Controls | The purpose is to implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. |
| Encryption | The purpose is to implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. |
| ORGANIZATIONAL FRAMEWORK | |
| **Policies and Procedures** | The purpose is to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the HIPAA Security Rule. |
| **Documentation** | The purpose is to maintain the policies and procedures implemented to comply with the HIPAA Security Rule in written (or electronic) form and, if an action, activity or assessment is required, to maintain a written (which may be electronic) record. |

Table 1: HIPAA Academy InfoSec Policies and Procedures for Small Practitioners