Page 1: HIPAA Compliance and Data Protection › wp-content › uploads › 2019 › 09 › ... · HIPAA Compliance and Data Protection SELF -ASSES SMENT GUIDE AND CHECKLIST . ZZ Servers

HIPAA Compliance and Data Protection

SELF-ASSESSMENT GUIDE AND CHECKLIST

ZZ Servers

ZZ Servers IT Management and Consulting, www.zzservers.com

757-819-1596, Chesapeake, VA


Copyright © 2019 by Peter Zendzian. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, including brief quotations embodied in critical reviews and certain other noncommercial uses. For permission requests, write to the publisher, addressed “Attention: Permissions Coordinator,” at the address below. ZZ Servers, LLC 809 Professional Pl W STE B104 Chesapeake, VA 23320 www.zzservers.com 757-819-1596


Contents

Introduction to HIPAA (p. 4)
    Healthcare and Information Technology Security (p. 4)
    Privacy Rule (p. 6)
    Security Rule (p. 6)
    HITECH Act security-breach notification requirements (p. 8)
    Threat and Control Evaluation Methodology (p. 8)
HIPAA Checklist (p. 10)
    Administrative Safeguards (p. 11)
    Physical Safeguards (p. 17)
    Technical Safeguards (p. 20)
    Notification to Individuals (p. 22)
Glossary (p. 25)
Conclusion (p. 27)
Upgrades and Offers (p. 28)
About ZZ Servers (p. 31)
    We are the provider you can trust for a perfect solution to all your needs. (p. 31)


The advance of technology is based on making it fit in so that you don't really even notice it, so it's part of everyday life.

―BILL GATES


SECTION 1

Introduction to HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.

The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread use of electronic data interchange in the U.S. healthcare system.

This document focuses on the Title II Security Rule and on procedures that help protect Protected Health Information (PHI).

Healthcare and Information Technology Security

The number of healthcare data breaches has been steadily increasing year over year. The number of records breached has increased by over 130% from 2017 to 2018. Incredibly, over 1 million individuals have had personal health information exposed, viewed or stolen in the first three months of 2018, compared to 500,000 records during the last three months of 2017.

Main Causes of Healthcare Data Breaches

The healthcare industry is like any other industry when it comes to data breaches—with one exception. In other industries, hacking and information technology incidents are the main cause of data breaches, but in healthcare, insiders cause most data breaches.

Unauthorized access and disclosure incidents, loss of physical records and devices containing electronic personal health information, and improper disposal account for nearly 60% of data breaches in the healthcare industry in the first three months of 2018. The main cause of these breaches was unauthorized access and disclosure, which accounted for 45% of all breaches reported in the first three months of 2018. There were 15 incidents involving loss or theft of devices containing electronic personal health information, which could have been avoided with encryption.

Location of Breached Personal Health Information in 2018

Too often more energy is focused on strengthening security at the perimeter and preventing hackers’ access to electronic health information. While it is important not to neglect the perimeter, security often overlooks physical records and internal staff. As shown by the graph below, the distribution of breaches during the first quarter of 2018 contains a vast array of different breach vectors.

Largest Breaches of 2018

Of the breaches that occurred early in 2018, many were from healthcare providers. The following table provides a list of some of the largest provider breaches.

| Name of Organization Affected | Records Affected | Type of Breach |
|---|---|---|
| Oklahoma State University Center for Health Sciences | 279865 | Hacking/IT Incident |
| St. Peter’s Surgery & Endoscopy Center | 134512 | Hacking/IT Incident |
| Middletown Medical P.C. | 63551 | Unauthorized Access/Disclosure |
| Onco360 and CareMed Specialty Pharmacy | 53173 | Hacking/IT Incident |
| ATI Holdings, LLC and its subsidiaries | 35136 | Hacking/IT Incident |
| Mississippi State Department of Health | 30799 | Unauthorized Access/Disclosure |
| Decatur County General Hospital | 24000 | Hacking/IT Incident |
| Barnes-Jewish Hospital | 18436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | 15046 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | 11521 | Hacking/IT Incident |
| Primary Healthcare, Inc. | 10313 | Unauthorized Access/Disclosure |

While the above table only lists the largest breaches of 2018, a recent Ponemon Institute survey revealed that 62% of healthcare organizations have experienced a data breach in the last 12 months, with more than half of those reporting data loss as well. Most organizations reported that the biggest obstacle to improving security and preventing data breaches was staffing: they did not have staff qualified to handle or understand the complexities of protecting against the vast array of attacks their organizations face.

Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). It establishes regulations for the use and disclosure of Protected Health Information. Protected health information is interpreted rather broadly and includes any part of an individual's medical record or payment history.

The Privacy Rule requires covered entities to notify individuals of uses of their protected health information. Covered entities must also keep track of disclosures of protected health information and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding protected health information.

Security Rule

The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information, including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information. It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible: individual covered entities can evaluate their own situation and determine the best way to implement them. The standards and specifications are as follows:

Administrative Safeguards

Policies and procedures designed to clearly show how the entity will comply with the act.

• Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.

• The policies and procedures must reference management oversight and organizational buy-in to ensure compliance with the documented security controls.

• Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information. Access to electronic protected health information must be restricted to only those employees who require it to complete their job functions.

• The procedures must address access authorization, establishment, modification, and termination.

• Entities must show that an appropriate ongoing training program regarding the handling of protected health information is provided to employees performing health plan administrative functions.

• Covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further outsources any data handling functions to other vendors and to monitor whether appropriate contracts and controls are in place.

• A contingency plan should be in place to respond to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.

• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.

• Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.

Physical Safeguards

Controlling physical access to protect against inappropriate access to protected data.

• Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired, it must be disposed of properly to ensure that protected health information is not compromised.)

• Access to equipment containing health information should be carefully controlled and monitored.

• Access to hardware and software must be limited to properly authorized individuals.

• Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.

• Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public.

• If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.

Technical Safeguards

Controlling access to computer systems and enabling covered entities to protect communications containing protected health information transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.

• Information systems housing protected health information must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.


• Data corroboration, including the use of checksum, double-keying, message authentication, and digital signature, may be used to ensure data integrity.

• Covered entities must also authenticate entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callbacks, and token systems.

• Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.

• In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.

• Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent protected health information from being used for non-health purposes.)

HITECH Act Security Breach Notification Requirements

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, imposes notification requirements on covered entities, business associates, vendors of personal health records (PHR), and related entities in the event of certain security breaches relating to protected health information. The U.S. Department of Health and Human Services (HHS) issued guidance on the subject; HHS and the Federal Trade Commission (FTC) are working to harmonize their respective regulations and are seeking public comment with a view to issuing interim final regulations.

Threat and Control Evaluation Methodology

Threats

A threat is any agent (person, activity, or event) with the potential to cause harm to the information system that could result directly or indirectly in a financial or data loss. The first step in evaluating a threat is to understand how the system will function, with regards to implemented technologies, and in what environment it will function. These two areas will then dictate which threats are present and to what extent the system is exposed to present threats. It would be impossible to list every technology/environment scenario and attempt to state exactly which threats apply and to what level the system is exposed. The best approach is to fully understand the system variables as stated previously and then evaluate each granular threat with the following questions.

• “Is this system exposed to this threat?”

• “Is this system exposed to this threat less than or greater than normal?”


Controls

Controls are the active processes, procedures, and system features that are used to detect, reduce, or eliminate the probability of a threat, thereby reducing system risk. Controls are usually categorized as administrative, operational, or technical. Administrative controls address threats created by human behavior (users, administrators, vendors, attackers). Operational controls address threats created by the system’s operational or physical environment (server location, operating system, disasters). Technical controls address threats that are created by the use of certain types of computer or communications technology (remote access, public networks, peer computing, wireless).

There are a large number of potential controls that can be used singularly or in combination to protect against threats.

If you understand the system variables as previously stated, you can then begin to evaluate the controls of the system. It is common to understand a system and still not know the specifics around a control. If this is the case, ask the vendor or appropriate contact how the control has been implemented, if at all. Based on the information provided by the project IT personnel describing how a control will be implemented and managed, the risk manager also rates the effectiveness of each implemented control using the following process maturity scale:

• Minimal – Control is not fully implemented or is used in a way that requires reliance on individual discretion for its implementation.

• Repeatable – Control is implemented in a consistent manner that can be repeated by different individuals and in different situations, although not all associated procedures may be formally documented.

• Defined – Control is implemented and managed according to a standardized procedure that is well documented.

• Benchmarked – Control is implemented using repeatable, defined methods that conform to industry best practices.

• Optimized – Control is implemented using repeatable, defined methods that conform to industry best practices and which are routinely monitored to ensure the control remains appropriate to a changing environment. At this level, controls are subject to continuous process improvement.


SECTION 2

HIPAA Checklist

This checklist provides a detailed review of the compliance requirements under the HIPAA Security Rule and the HITECH Act. The checklist has been designed to help you understand what is required of each item and evaluate whether you are compliant. Each section includes:

• Review of required standards

• Implementation specifications under each standard

• Guidance and easy-to-understand explanations

• Assessment guidelines to ensure appropriate compliance

Legal Notice

The HIPAA Compliance Checklist does not constitute legal advice, and we are not acting as your attorney. The materials being provided are for informational purposes only and should not be used as a substitute for the advice of competent legal counsel. Successfully completing this checklist DOES NOT certify that your organization is HIPAA compliant.


Administrative Safeguards

Security management – 164.308

The Security Management standard is intended to establish implementation of policies and procedures to prevent, detect, contain, and correct security violations.

Specification | Guidance | Assessment (Y/N)

Risk Analysis (Required)
Organizations are required to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. This process is intended to identify current security risks.
Guidance: The risk assessment should include the following:
• Identifies potential security risks to electronic protected health information.
• Rates the likelihood of occurrence for each security risk.
• Rates the extent of damage each risk might cause.
• Describes the controls the organization has implemented to limit any vulnerability or reduce risk.
In addition to the risk analysis, the organization should include an inventory of all IT equipment and systems used (software, hardware) and who has access to each system.
Assessment (Y/N):
• The organization has conducted and documented a risk assessment to evaluate and identify any vulnerabilities and their impact on electronic protected health information within the last three years.
• As part of the risk assessment, the organization maintains an inventory of all information technology assets/equipment.
• The designated security official annually reviews, updates, and approves the risk analysis.

Risk Management (Required)
Organizations are required to implement security measures sufficient to reduce risks and vulnerabilities identified during the risk analysis and to stay compliant with HIPAA security standards. This process is intended to ensure ongoing control of security risks.
Guidance: A one-time comprehensive HIPAA security training is required for all employees. Ongoing education of employees pertaining to HIPAA updates throughout the year should be provided, and employers should keep employees updated on any significant policy or procedure changes. All employees should receive annual re-training on HIPAA standards.
Assessment (Y/N):
• All HIPAA Security policies and procedures are regularly reviewed and updated as needed.
• Employees have received training and awareness of security measures. Additionally, employees should date and initial updates throughout the year, and these forms should be kept on file.

Sanction Policy (Required)
An organization is required to apply appropriate sanctions against employees who fail to comply with the organization’s security policies and procedures.
Guidance: The policy should incorporate penalties that are based on and appropriate for the severity of the violation and also outline the process for reporting non-compliant employees.
Assessment (Y/N):
• The organization has a formal, documented disciplinary policy.
• Any disciplinary action taken is documented and maintained in the employee's file.

Assign Security Responsibility (Required)
Organizations are required to identify a security official who is responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule.
Guidance: Primary responsibilities of the organization's privacy and security officer should include:
• Establishing a security program and overseeing its implementation and compliance with regulatory standards.
• Ensuring purchases of information technology are consistent with the organization's security policies.
• Investigating security incidents and regularly reviewing IT system activity to ensure compliance.
• Ensuring appropriate security training and awareness among organization staff.
• Annually reviewing compliance with security requirements, policies, and standards.
Assessment (Y/N):
• The organization has designated a Privacy Security Officer and has an appropriate job description and a list of duties documented. This can be the same person as the HIPAA Compliance Officer.


Workforce Security – 164.308(a)(3)

The workforce security standard is intended to establish the implementation of policies and procedures to ensure that all members of the organization's workforce have appropriate access to electronic protected health information according to regulation, and to prevent workforce members who do not have access from obtaining access to electronic protected health information. Only those staff members or workforce members who need access to particular information should be able to view and/or modify electronic protected health information.

Specification | Guidance | Assessment (Y/N)

Authorization and/or Supervision (Not required, addressable)
Organizations should implement procedures for the authorization and/or supervision of employees who work with electronic protected health information or in locations where it might be accessed.
Guidance: Access to electronic protected health information should be based on the staff member's job responsibilities and qualifications. Authorization should be limited to the information the individual needs to fulfill his or her job responsibilities.
Assessment (Y/N):
• The organization has implemented procedures for the authorization or supervision of employees working with electronic protected health information.
• The organization has job descriptions for each job type, which include job responsibilities and what access to electronic protected health information is appropriate for that position.
• The administrator or security officer is responsible for reviewing access rights and determining appropriate access levels. A list is maintained documenting which systems employees have access to, along with their usernames.
• Staff members not authorized to access electronic protected health information are supervised when they have an opportunity to obtain or access such information (e.g., maintenance personnel working on a computer).
• All employees have signed a confidentiality statement, and the organization maintains a list.

Workforce Clearance Procedures (Not required, addressable)
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Guidance: The organization should evaluate potential employees to determine that their character is suitable to adhere to its policies and procedures for protecting electronic protected health information.
Assessment (Y/N):
• The organization has a formal process for screening job candidates and conducting background checks as part of the hiring process.

Termination Procedures (Not required, addressable)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.
Guidance: The organization is responsible for ensuring that all access privileges are no longer active when an employee or contractor leaves (voluntarily or involuntarily). This includes access to data, networks, email accounts, workstations, and servers, as well as any physical access or keys to areas where electronic protected health information may be located.
Assessment (Y/N):
• The organization has developed and utilizes a termination checklist which includes terminating IT system privileges.
• A process is in place for disabling an employee’s password and access privileges upon termination. This should occur immediately upon notifying the employee of termination.
• Return of any related equipment, keys, security badges, and PDAs is tracked and logged as part of the termination process.
• A process is in place to ensure employees upon termination do not retain or remove from the organization any information, computer files, or equipment belonging to the organization.

Information Access Management – 164.308(a)(4)

The information access management standard is intended to establish within organizations policies and procedures for authorizing access to electronic protected health information that is consistent with HIPAA security requirements.

Specification | Guidance | Assessment (Y/N)

Isolating Healthcare Clearinghouse Function (Required)
Requires clearinghouses that are part of larger organizations to implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Guidance: Only applicable to organizations that include clearinghouse services as part of their operations.
Assessment (Y/N):
• Electronic protected health information processed by the clearinghouse is isolated from the other information that the organization processes.

Access Authorization (Not required, addressable)
Implement policies and procedures for granting access to electronic protected health information, for workstations, transactions, programs, processes, or other mechanisms.
Guidance: This can be covered under the workforce security standard for authorization and supervision.
Assessment (Y/N):
• Computers, terminals, or other devices where electronic protected health information can be accessed require a user ID and password, or supervision, when being used.
• IT systems are set up to automatically log out a user after a short period of inactivity and require a password to re-enter the application.
• IT systems are configured to only allow users access to predetermined sets or areas of information relevant to their job duties.

Access Establishment and Modification (Not required, addressable)
Implement policies and procedures, based on access authorization policies, to establish, document, review, and modify users' rights of access to workstations, transactions, programs, or processes.
Guidance: This can be covered under the workforce security standard for authorization and supervision.
Assessment (Y/N):
• Changes to staff members' access privileges are made using a formal written request, which is reviewed and authorized by the appropriate security official.

Security Awareness and Training – 164.308(a)(5)

Organizations are required to implement a security awareness and training program for all members of its workforce, including management.

Specification Guidance Assessment Y/N

Security Reminders Implement periodic reminders of security and information safety best practices.

Not required (addressable) An organization is required to provide a formal initial training for all members of its workforce, as well as any new employees. Periodic training is also required whenever the organization makes significant changes to any policies or procedures affecting electronic protected health information security or if/when changes to HIPAA Security regulations occur.

The organization has a formal training program regarding HIPAA security rules.

All employees have received formal training to understand and meet the provisions of the Security Rule (documented training log).

The organization provides periodic updates and reminders to employees through memos, emails, or signs in the organization.

A mechanism is in place to notify employees of any changes to IT systems or updates to security policies and procedures. All updates should be documented and dated.

Protection from Malicious Software Implement procedures for guarding against, detecting, and reporting malicious software.

Not required (addressable) Computer viruses and attacks pose a significant risk to any business or medical organization. Organizations need to be vigilant about limiting their employees' use of the internet and downloading of software programs.

The organization has installed anti-virus malware detection software such as Bitdefender, Symantec, Norton, or McAfee on workstations and servers.

Anti-virus and malware detection software in use is a current version.

A log is maintained of any virus infection detections and status of its successful eradication and removal.

Appropriate policies and procedures are in place, limiting computer and email use that could pose a risk of infection to the organization.

Log-in Monitoring Implement procedures for monitoring and reporting log-in attempts and discrepancies.

Not required (addressable) This can be covered under the security management standard for information system activity review. For added protection, it is recommended that the organization set up its system to lock out users after a specified number of failed attempts (if the system has the capability).

An audit log or exception report (indicating when there has been a problem logging in by a user) is generated and reviewed periodically.

A record is maintained documenting any investigations that may have resulted.

Password Management Implement procedures for creating, changing, and safeguarding appropriate passwords.

Not required (addressable) A portion of this standard can be covered under the workforce security standard for authorization and supervision.

Each employee with access to any IT system is assigned a unique user ID and required to create a password to access the system.

A list is maintained documenting what systems employees have access to along with their usernames. This list is only accessible by appropriate individuals.

The system requires employees to periodically change their passwords (minimum every 6 months).

A process is in place for immediate termination of an individual’s password and access privileges.

Passwords are not written down by employees and are not shared with others.

Specification Guidance Assessment Y/N

Security Incident Procedures Organizations are required to identify and respond to suspected or known security incidents and mitigate, if possible, any harmful effects, and document such incidents and their outcomes.

Required. A security incident is the “attempted or successful unauthorized access, use or disclosure, modification, or destruction of information or IT operating systems.” Examples may include stolen passwords, corrupted backup tapes, virus attacks, accounts being used by another individual, and failure to terminate the account of a former employee.

Procedures are in place for reporting any potential or real security incident. All staff have been trained in these procedures.

The organization maintains a security incidents report, which includes a record of actions taken to resolve the issue and mitigate any future recurrence.

Contingency Planning – 164.308(a)(7)

Requires organizations to establish (and implement as needed) policies and procedures for responding to an emergency or natural disaster (for example, fire, vandalism, system failure, and natural disaster) that may damage systems that contain electronic protected health information. This standard is intended to ensure an organization can recover its electronic protected health information in the event of an emergency or disaster.

Specification Guidance Assessment Y/N

Data Backup Plan Establish (and implement as needed) procedures to create and maintain retrievable, exact copies of electronic protected health information.

Required. As part of the overall contingency plan, the organization should create and maintain copies of its electronic protected health information. Backups should typically occur each day, and tangible copies should be stored offsite.

The organization has identified what information must be backed up, the method of backup, and frequency.

Verify backup copies are being created and stored according to the data backup plan.

Backup copies of data and electronic protected health information are stored in a secure but accessible location and manner that prevents unauthorized access.

Disaster Recovery Plan Establish (and implement as needed) procedures to restore any loss of data.

Required. As part of the overall contingency plan, the disaster recovery plan should outline what data must be restored and how it is to be restored. A copy of the recovery plan should be kept offsite along with the organization’s copies of backup data.

The organization has established procedures for restoring electronic protected health information that is inadvertently destroyed or corrupted. These procedures are documented in the organization’s contingency plan.

The organization has established procedures for replacing critical equipment and applications as part of the disaster recovery plan.

The disaster recovery plan includes provisions for taking an inventory of any loss of or damage to equipment or data.

Emergency Mode Operation Plan Establish (and implement as needed) procedures to enable the continuation of critical business processes for protection of electronic protected health information while operating in emergency mode.

Required. As part of the overall contingency plan, the emergency mode operations plan should include an emergency contact list including a list of individuals to be notified in an emergency. This should include a list of police, fire, building maintenance, plumbing, and electrician numbers. Paper forms should be readily available in case of a power outage (i.e., registration, consent forms, and progress notes).

The contingency plan includes operating procedures during an emergency, including what essential information will be made available.

The emergency mode operations plan includes a list of individuals and contact information to be notified in case of an emergency, their roles and responsibilities, and alternate means of security during restoration.

All staff have been trained on their responsibilities in the event of an emergency.

Business Associate Contracts and Other Arrangements – 164.308(b)(1)

A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information in accordance with §164.314(a).

Specification Guidance Assessment Y/N

Written Contract or Other Arrangements Satisfactory assurances required by the business associate contract standard are documented in a written contract or other arrangement that allows business associates access to the organization's protected health information and its confidential information.

Required. Ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements by entering into a contract or other arrangement that complies with this section; and report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information.

The organization has identified all individuals or entities that are business associates and required them to sign a business associate agreement.

The organization has a backup power source that allows for maintaining system integrity in the event of a power disruption. Red outlets should be installed to indicate those outlets provide electricity by a backup power source.

Testing and Revision Procedures Organizations should implement procedures for periodic testing and revision of contingency plans.

Not required (addressable) Each component of the contingency plan (data backup, disaster recovery, and emergency mode operations) should be tested periodically to ensure its effectiveness and revised if needed to address any discrepancies.

The organization’s contingency plan has been reviewed and tested within the last 12 months and updated (if applicable).

Backup data has been tested to ensure the accuracy of data and information and that it can be successfully restored/retrieved.

Emergency power supplies are tested on a routine basis.

Fire alarms and suppression equipment have been tested to confirm they function properly.

Staff have reviewed the contingency plan, including roles and responsibilities, within the last 12 months.

Applications and Data Criticality Analysis If applicable, organizations should assess the relative criticality of specific applications and data in support of other contingency plan components.

Not required (addressable) This list should be maintained as part of your Disaster Recovery Plan.

The organization has conducted a review of which applications, equipment, and data are most critical for providing patient care.

Based on the review, the organization maintains a prioritized list to ensure the most critical applications or equipment are restored first. The list is updated annually.

Evaluation Policy Perform periodic technical and nontechnical evaluations to establish how well security policy and procedures meet the requirements of this subpart.

Required. Organizations must periodically evaluate their security plans and procedures to ensure their continued effectiveness. Because of the complexity of computer systems, a technical evaluation should be conducted by IT experts or your vendor.

The organization’s compliance with security standards and implementation specifications has been evaluated within the last 12 months.

Physical Safeguards

Facility Access Controls – 164.310(a)(1)

An organization is required to implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.

Specification Guidance Assessment Y/N

Contingency Operations Procedures Establish (and implement as needed) procedures that ensure facility access to support the restoration of lost data in the event of an emergency.

Not required (addressable) Implementation of this control will vary from organization to organization. The organization should develop a plan that can be set in motion immediately following a disaster or emergency. It is important to maintain physical security while preserving the access to electronic personal health information that is needed.

Procedures are in place to allow facility access while restoring data in case of an emergency, such as power loss, hardware failure, etc.

Procedures can be followed by personnel responsible for data restoration. Procedures identify personnel allowed to enter the facility to restore data. Staff responsible for implementing contingency plans can physically obtain backup data sets.

Facility Security Plan An organization should have policies and procedures to safeguard the facility and its equipment from unauthorized physical access, tampering, and theft.

Not required (addressable) Some common controls that can be used to prevent unauthorized access, tampering, or theft that an organization may wish to consider:

• Locked doors, warning signs, cameras, and alarms.
• Property control tags, asset tags, and equipment engraving.
• Identification badges for staff, visitors, and escorts.
• Security guards.

Records or computer equipment other than workstations are kept in locked areas or cabinets.

Only staff members authorized to use or maintain IT equipment or servers have access to secure areas (e.g., keys to locked areas are only issued to authorized individuals).

Backup media stored offsite is stored in a manner that prevents physical access by anyone lacking proper authorization.

Contractors and maintenance personnel who are not members of the staff have signed a business associate agreement.

Contractors and maintenance personnel are given a unique user ID and password that enables the organization to monitor their access to the medical organization's IT resources. Ideally, the system should be able to create a one-time access password.

Before a user ID is activated, the security official reviews with the contractor the organization's security policies and procedures and the provisions of the business associate agreement related to security.

The organization has appropriate fire suppression systems in place that are compliant with all safety and building codes.

The organization has appropriate security alarm or surveillance systems in place.

Access Control and Validation Procedures An organization should have procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision.

Not required (addressable) Implementation of this control will vary from organization to organization. A common practice is to get proof of identity for anyone entering the facility by validating a picture ID or badge. Small organizations may have more intimate knowledge of staff and patients and may not need to check identity every time they visit.

All visitors to the medical organization register with the receptionist and sign a visitor log and are required to wear a visitor’s badge.

Procedures to identify methods for controlling and validating employee access to the facility are implemented. Routine reviews of lists of individuals with physical access to sensitive information are completed.

Maintenance Records An organization is required to document repairs and modifications to the physical components of its facility, which are related to security.

Not required (addressable) Examples of applicable repairs may include but are not limited to any repairs or modifications done to facility hardware, security systems, walls, doors, and locks.

All repairs and/or modifications made to the building that are related to security are documented.

Workstation Use – 164.310(b)

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Specification Guidance Assessment Y/N

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required.

Required. The organization should have guidelines and policies in place to ensure the appropriate use of workstations located throughout the organization, including in private office areas.

Workstations located in common but non-public areas are not used to perform security-related administrative functions.

Workstations are set up to restrict the functions they can perform based on the level of permissions assigned to each user.

Users are required to log off all workstations rather than leaving them unattended. This includes workstations in private offices.

All workstations and monitors are positioned so that they are visible only to the person using them, or the organization uses privacy screens.

Workstation areas are kept clean and well organized. Paper or confidential material is securely stored.

Workstation Security – 164.310(c)

Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

Specification Guidance Assessment Y/N

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required.

Required. Implementation of this control will vary from organization to organization. One way to meet this requirement is to restrict access to workstations with electronic personal health information by keeping it in a secure location where only authorized personnel have access.

Workstations are located in physically secure areas where they are not vulnerable to theft or unauthorized removal from the office.

Device and Media Controls – 164.310(d)(1)

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility and the movement of these items within the facility.

Specification Guidance Assessment Y/N

Disposal The organization has policies and procedures for removing electronic protected health information from hardware or electronic media on which it is stored prior to disposal.

Required. Electronic media may include but is not limited to things such as PDAs, thumb drives, computers, disks, cell phones, etc.

The organization has a process for erasing or purging electronic protected health information on equipment and other media that is going to be disposed of.

The Security Officer checks all media or equipment to ensure electronic protected health information has been properly removed prior to any disposal.

Re-use The organization has policies and procedures for removing electronic protected health information from hardware or electronic media on which it is stored prior to reuse.

Required. Electronic media may include but is not limited to things such as PDAs, thumb drives, computers, disks, cell phones, etc.

The organization has a process for erasing or purging electronic protected health information on equipment and other media that is going to be re-used.

The Security Officer checks all media or equipment to ensure electronic protected health information has been properly removed prior to any reuse.

Accountability The organization is required to maintain records of the movements of hardware and electronic media and any person responsible therefore.

Not required (addressable) The devices and media that hold electronic personal health information are getting smaller and less expensive, so it is becoming more important to track their movement, use, and access. This is especially important when data is moved between facilities.

The organization maintains an inventory of all equipment and property (e.g., fax, copiers, and computers) by location and person responsible for it.

Authorization forms and receipts are required for all major property or equipment transactions.

Any personal devices or laptop computers that can be removed from the organization are properly managed/monitored. Authorization is required before any electronic protected health information can be downloaded onto these devices.

Fax machines are in a secure or supervised area.

Specification Guidance Assessment Y/N

Data Backup and Storage Create a retrievable, exact copy of electronic protected health information, when needed, before the movement of equipment.

Not required (addressable) The organization should make a copy of electronic protected health information prior to moving any equipment such as computers that contain protected health information.

Before moving any equipment, the organization creates backup copies of electronic protected health information, which are retained until the equipment has been moved and restarted.

Technical Safeguards

Access Controls – 164.312(a)(1)

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Specification Guidance Assessment Y/N

General specifications regarding email use.

Required. Sample Language: “This email, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this email is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message and delete this email immediately.”

All emails sent from the organization contain a confidentiality/privacy statement.

Web-based email accounts such as (but not limited to) Yahoo and Hotmail are not allowed to be used for transmitting any type of electronic protected health information.

The organization has a policy restricting or minimizing the use of personal email accounts from work.

The organization restricts the use of instant messaging, particularly regarding any transmission of electronic protected health information.

Unique User Identification Assign a unique name and/or number for identifying and tracking user identity.

Required. Many organizations share accounts, move account names between staff members, or have one account for all users to access sensitive information. It is important to know who has access to information; sharing accounts removes any ability to control access to it.

All employees of the organization are given a unique username and password for email accounts and accessing computer and technology systems.

Guest accounts for accessing computer and technology systems do not permit access to electronic protected health information or grant any administrative controls.

Sharing passwords or user accounts is strictly prohibited.

Passwords require the use of letters, numbers, and/or symbols and optionally multi-factor authentication to ensure effective protection.

Emergency Access Procedure Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Required. The organization can access user accounts and reset passwords in the event of an emergency.

Specification Guidance Assessment Y/N

Automatic Logoff Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Not required (addressable) While this control is not strictly required, it is highly recommended. Implementing this control helps secure a workstation once its user has stopped using it for a period of time. An unsecured workstation may allow an unauthorized user to access sensitive information.

Users are automatically logged off after a period of inactivity and required to log back into the system.

Encryption and Decryption Implement an appropriate mechanism to encrypt and decrypt electronic protected health information.

Not required (addressable) While encryption is not strictly required, it is highly recommended, especially for mobile devices.

Electronic protected health information that is transmitted via email is encrypted.

Mobile devices are not used to transmit or receive electronic protected health information unless they have been encrypted.

Audit Controls – 164.312(b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Specification Guidance Assessment Y/N

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required.

Required. Most information systems contain audit controls that allow for tracking of system use and resources. When looking for security issues, things like failed login attempts can help alert to any possible issues.

Information systems used by the organization maintain a log of activity, including user access and transmissions of electronic protected health information such as billing transactions.

Activity logs are periodically reviewed to identify any potential security issues.
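The periodic review of login activity that both the Log-in Monitoring specification (164.308(a)(5)) and the Audit Controls standard above ask for, as an added example that is not part of the ZZ Servers guide. It assumes a simple "timestamp key=value" authentication log format, a threshold of five failures within ten minutes, and the constructed sample lines embedded in the script; real systems have their own log formats and lockout settings, and the threshold should match whatever the system's lockout policy is set to.

```python
"""Added example (not from the ZZ Servers guide): periodic review of an
authentication log for the Log-in Monitoring and Audit Controls checklist
items.  The log format, the threshold and the sample lines are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp key=value ..." format.
# User names and addresses are made up for the example.
SAMPLE_LOG = """\
2019-09-03T08:01:12 user=jdoe src=10.0.0.5 result=FAIL
2019-09-03T08:01:20 user=jdoe src=10.0.0.5 result=FAIL
2019-09-03T08:01:31 user=jdoe src=10.0.0.5 result=FAIL
2019-09-03T08:01:44 user=jdoe src=10.0.0.5 result=FAIL
2019-09-03T08:01:58 user=jdoe src=10.0.0.5 result=FAIL
2019-09-03T08:02:10 user=jdoe src=10.0.0.5 result=SUCCESS
2019-09-03T08:15:00 user=asmith src=10.0.0.9 result=FAIL
2019-09-03T09:30:00 user=asmith src=10.0.0.9 result=SUCCESS
2019-09-03T10:00:00 user=former.employee src=203.0.113.7 result=FAIL
2019-09-03T10:00:05 user=former.employee src=203.0.113.7 result=FAIL
2019-09-03T10:00:09 user=former.employee src=203.0.113.7 result=FAIL
2019-09-03T10:00:14 user=former.employee src=203.0.113.7 result=FAIL
2019-09-03T10:00:18 user=former.employee src=203.0.113.7 result=FAIL
2019-09-03T10:00:22 user=former.employee src=203.0.113.7 result=FAIL
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime, user, source and outcome."""
    stamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(stamp),
        "user": fields["user"],
        "src": fields.get("src", "?"),
        "ok": fields["result"] == "SUCCESS",
    }


def review_login_log(text, max_failures=5, window=timedelta(minutes=10)):
    """Produce the exception report the checklist asks for.

    Each entry is one of:
      lockout_threshold     - a user reached max_failures failures inside window
      success_after_lockout - a login succeeded for a user who had already
                              crossed the threshold, i.e. the system did not
                              lock the account or the lock was reset
    Entries are returned in time order.
    """
    events = sorted((parse_line(ln) for ln in text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked = set()                # users who crossed the threshold
    report = []
    for ev in events:
        user, q = ev["user"], recent[ev["user"]]
        if ev["ok"]:
            if user in locked:
                report.append({"type": "success_after_lockout", "user": user,
                               "src": ev["src"], "time": ev["ts"].isoformat()})
                locked.discard(user)        # treat as reset; an admin unlock looks the same
            q.clear()                       # a success ends the failure run
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures and user not in locked:
            locked.add(user)
            report.append({"type": "lockout_threshold", "user": user,
                           "src": ev["src"], "failures": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return report


def format_report(report):
    """Render the report as text lines for the periodic review record."""
    lines = []
    for e in report:
        if e["type"] == "lockout_threshold":
            lines.append(f"{e['last']} {e['user']} from {e['src']}: "
                         f"{e['failures']} failed logins since {e['first']}")
        else:
            lines.append(f"{e['time']} {e['user']} from {e['src']}: "
                         f"successful login after lockout threshold")
    return lines


if __name__ == "__main__":
    for line in format_report(review_login_log(SAMPLE_LOG)):
        print(line)
```

On the sample data the report shows three findings: jdoe crossing the threshold, jdoe then logging in successfully (which tells the reviewer the system has no lockout, or it was reset, and is worth a documented investigation), and the former.employee account crossing the threshold from an outside address. A single failure followed much later by a success, as with asmith, is ordinary and is not reported.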

Integrity Controls Policy – 164.312(c)

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Specification Guidance Assessment Y/N

Mechanism to authenticate electronic protected health information Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Not required (addressable) Only authorized individuals can access and alter electronic protected health information.

Person or Entity Authentication – 164.312(d)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Specification Guidance Assessment Y/N

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required.

Required. All systems used by the organization containing electronic protected health information require the user to authenticate themselves prior to accessing the system (e.g., with a password or PIN).

Transmission Security – 164.312(e)

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Specification Guidance Assessment Y/N

Integrity Controls Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Not required (addressable) Ensure appropriate controls are in place to help maintain the integrity of records and prevent any accidental or intentional alteration or destruction of electronic protected health information during the transmission process.

The organization has implemented mechanisms that can be used to confirm electronic protected health information has not been altered.
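One mechanism that satisfies both the "mechanism to authenticate electronic protected health information" specification under 164.312(c) and the transmission Integrity Controls item above: a keyed integrity manifest that a reviewer, or the receiving party of a transmission, can check to confirm records were not altered, removed, or substituted. This is an added example, not code from the ZZ Servers guide; the key, record ids and record contents are constructed for illustration.

```python
"""Added example (not from the ZZ Servers guide): a keyed integrity manifest
that lets a reviewer corroborate that stored or transmitted ePHI records have
not been altered, removed or substituted.  Key, ids and contents are made up."""
import hashlib
import hmac

# Assumption: in production this key comes from a key manager and is held only
# by the party that verifies integrity, never by the systems that write the data.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample records (made-up ids and codes, no real patient data).
SAMPLE_RECORDS = {
    "rec-0001": b'{"patient":"P-0001","diagnosis_code":"Z00.00"}',
    "rec-0002": b'{"patient":"P-0002","diagnosis_code":"J06.9"}',
    "rec-0003": b'{"patient":"P-0003","diagnosis_code":"I10"}',
}


def record_tag(record_id, data, key=DEMO_KEY):
    """HMAC-SHA256 over the record id and its bytes.

    Binding the id into the tag means two records cannot be swapped without
    detection even though each one's content is individually unchanged.
    """
    message = record_id.encode("utf-8") + b"\x00" + data
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_manifest(records, key=DEMO_KEY):
    """Manifest to keep apart from the data, or to send alongside a transmission."""
    return {rid: record_tag(rid, data, key) for rid, data in records.items()}


def verify_records(records, manifest, key=DEMO_KEY):
    """Compare the records now on hand against the manifest.

    Returns {"altered": [...], "missing": [...], "unexpected": [...]}.
    All three lists empty means the record set is intact.
    """
    findings = {"altered": [], "missing": [], "unexpected": []}
    for rid, expected in manifest.items():
        if rid not in records:
            findings["missing"].append(rid)          # destroyed or withheld
            continue
        actual = record_tag(rid, records[rid], key)
        if not hmac.compare_digest(actual, expected):  # constant-time compare
            findings["altered"].append(rid)
    for rid in records:
        if rid not in manifest:
            findings["unexpected"].append(rid)       # never attested
    return findings


def is_intact(findings):
    """True when verify_records() found nothing wrong."""
    return not any(findings.values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS)
    print("clean copy intact:", is_intact(verify_records(SAMPLE_RECORDS, manifest)))
    tampered = dict(SAMPLE_RECORDS)
    tampered["rec-0002"] = tampered["rec-0002"].replace(b"J06.9", b"J06.0")
    print("after an edit:", verify_records(tampered, manifest))
```

The manifest is keyed rather than a plain SHA-256 list because anyone able to edit the data can also recompute an unkeyed hash; with an HMAC the verifier's key (or, equivalently, a manifest stored where the writing systems cannot reach it) is what makes the check meaningful. For transmission, the sender builds the manifest with the shared key and the receiver runs verify_records on what arrived.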

Encryption Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Not required (addressable) Use your organization's required risk analysis to determine whether encryption is needed to protect the transmission of electronic protected health information between your office and outside organizations. This should be addressed under Encryption and Decryption 164.312(a)(2)(iv).

NA

Notification to Individuals

Standard – 164.404(a)

The Breach Notification rule establishes the requirements that a medical organization must follow in the event of a breach (unauthorized disclosure or use) of unsecured protected health information.

Specification Guidance Assessment Y/N

General Rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

Required. The organization has a policy and procedure in place outlining notification protocols in case of a breach related to protected health information.

Timeliness of Notification – 164.404(b)

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

Specification Guidance Assessment Y/N

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required.

Required. An organization is required to provide notification no later than 60 calendar days after discovery of a breach.

The organization has a policy and procedure in place outlining notification protocols in case of a breach related to protected health information.

Content of Notification – 164.404(c)

Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

Specification Guidance Assessment Y/N

Elements (A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (C) Any steps individuals should take to protect themselves from potential harm resulting from the breach; (D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, email address, website, or postal address.

Required. Individual Notification Requirements. The clock starts on the first day the breach is discovered (or would have been discovered with reasonable diligence). The organization must notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach.

The organization maintains a file on all documented incidents using an Incident and Resolution Form.

Required. Media Notification Requirements. If a breach involves more than 500 residents of a single State or jurisdiction, prominent media outlets serving that State or jurisdiction must be notified (a press release is the usual form) within the same 60-day window; otherwise there is no requirement to notify the media.

The media was notified of any breach involving more than 500 residents of a State or jurisdiction (if applicable).

Required. Secretary Notification Requirements. For breaches involving fewer than 500 individuals, the organization must log the breach and report it to the Secretary of Health and Human Services through the HHS breach portal no later than 60 days after the end of the calendar year in which the breach was discovered. For breaches involving 500 or more individuals, the report must be filed contemporaneously with individual notice, and in no case later than 60 calendar days after discovery.

The organization maintains a summary log of all documented incidents. The log is used to provide the required annual report to HHS for all breaches involving fewer than 500 individuals, and to confirm that breaches involving 500 or more individuals were reported within 60 days of discovery.

Plain language requirement The notification required by this section shall be written in plain language.


Methods of Individual Notification – 164.404(d)

Specification | Guidance | Assessment (Y/N)

Written Notice (i) Written notification by first-class mail to the individual at the last known address of the individual or by electronic mail (if the individual agrees to electronic notice and such agreement has not been withdrawn). The notification may be provided in one or more mailings as information is available. (ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under § 164.502(g)(4) of subpart E), then send written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.

Required. Notification is sent by first-class mail to the individual's last known address, or by e-mail if the individual has agreed to electronic notice and has not withdrawn that agreement. If the individual is deceased and the address is known, notice is sent to the next of kin or personal representative.

Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual.

Required (when applicable). If fewer than 10 individuals have insufficient or out-of-date contact information, substitute notice may be an alternative written notice, a telephone call, or other means. If 10 or more do, substitute notice must be either a conspicuous posting on the home page of the covered entity's website for 90 days or a conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside; in both cases a toll-free number must be included and remain active for at least 90 days.

Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to (not instead of) the written notice.


SECTION 3

Glossary

Addressable – The covered entity must do one of the following:

• Implement one or more of the addressable implementation specifications;

• Implement one or more alternative security measures;

• Implement a combination of both; or

• Not implement either an addressable implementation specification or an alternative security measure, after documenting why the specification is not reasonable and appropriate in its environment (for example, the cost is out of proportion to the risk to the information being protected) and that no alternative measure is reasonable and appropriate either.

An implementation specification marked as Addressable does NOT mean it is optional. Whatever choice is made, the decision, the reasoning behind it, and any alternative measure adopted must be documented.

Electronic Medical Record – A computer-based record containing healthcare information. This record may contain some, but not necessarily all, of the information that is in an individual's paper-based medical record. One goal of HIPAA is to protect identifiable health information as the system moves from a paper-based to an electronic medical record system.

Electronic Protected Health Information (ePHI) – Protected health information that is transmitted by or maintained in electronic media: any information about a patient (current, former, or applicant) that identifies the individual and relates to the individual's past, present, or future health status, condition, diagnosis, or treatment, or to payment for healthcare services. Any separately maintained electronic file of member or applicant protected health information that includes personal identity is also ePHI.

Health Information – Information in any form (oral, written, or otherwise) that relates to the past, present, or future physical or mental health of an individual. That information could be created or received by a healthcare provider, a health plan, a public health authority, an employer, a life insurer, a school or university or a healthcare clearinghouse.

HIPAA – The Health Insurance Portability and Accountability Act of 1996. HIPAA is a federal law designed to allow the portability of health insurance between jobs. It also directed the Department of Health and Human Services (HHS) to issue federal standards protecting individually identifiable health information. HHS has issued the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule, among other regulations under HIPAA.

Indirectly Identifiable – Data that do not include direct personal identifiers but can be linked back to the individual through a code or key. Under the Common Rule such data are still considered identifiable.

Individually Identifiable Health Information – A subset of health information that identifies the individual or can reasonably be used to identify the individual.

Minimum Necessary – A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, then only the information that is needed for the immediate use or disclosure should be made available by the healthcare provider or other covered entity. This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures).


Privacy – For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who has access to personal healthcare information.

Privacy Notice – Institution-wide notice (the Notice of Privacy Practices) describing how the covered entity uses and discloses protected health information and the individual's rights regarding it. Healthcare providers and other covered entities must give the notice to patients and research subjects and should obtain signed acknowledgments of receipt. Internal and external uses of protected health information are explained. It is the responsibility of the researcher to provide a copy of the Privacy Notice to any subject who has not already received one; a researcher who provides the notice should also obtain the subject's written acknowledgment of receipt.

Protected Health Information (PHI) – Individually identifiable health information transmitted or maintained in any form.

Required – Covered entity must implement the standard as stated.


SECTION 4

Conclusion

HIPAA compliance is one of the greatest challenges facing covered entities, though it’s just one of the many barriers to success. A vast majority of organizations required to be HIPAA compliant are small, with little to no internal information technology support. ZZ Servers stands ready with the right technology and industry knowledge to provide solutions for success.

For more information on ZZ Servers HIPAA Solutions

To help you meet your HIPAA compliance regulations, schedule a free consultation with one of our CPAs at ZZ Servers. Visit www.zzservers.com or call 1-800-796-3574.

For more information on HIPAA rules, go to:

Specific compliance questions should be directed to the U.S Department of Health & Human Services. Their website contains a wealth of knowledge and resources.

HHS: www.hhs.gov/hipaa/for-professionals/index.html

Cornell Law School www.law.cornell.edu/cfr/text/45/chapter-A

HIPAA Journal: www.hipaajournal.com

HIPAA Survival Guide: www.hipaasurvivalguide.com

Thank you for taking the time to use this workbook. If you have any comments, questions, or suggestions, please don’t hesitate to reach out and let us know. Any feedback will be used to improve and make this a more robust resource to aid organizations of all sizes to achieve HIPAA compliance.


SECTION 5

Upgrades and Offers

HIPAA Compliant Technology Management Solutions

We understand why your critical business services are so important to your daily operations. This is why we spend so much time aligning our technology to support your initiatives. Building a program that relies on 24x7x365 network monitoring coupled with an aggressive preventative maintenance component ensures optimum uptime for your business.

Flat Rate Managed IT Services

Total network peace of mind.

Total IT support and management for a fixed monthly price.

ENDPOINT WORKSTATION MANAGEMENT INCLUDES:

• Unlimited Help Desk Access • Predictable Monthly IT Costs • Operational Efficiencies • Proactive Network Monitoring • Desktop Optimization • Regular Software Updates • Reduced Costs in Flat-Fee Billing • 24-Hour Support Services • Minimal Downtime • Preventative Network Maintenance

When you rely on ongoing third-party support for critical IT functions, the likelihood of business continuity increases. Processes are streamlined, systems are maintained, and experts who deal with IT everyday are managing your IT infrastructure.


Get the most from Office with Office 365

Whichever plan is chosen, Office 365 is only suitable for storing or transmitting protected health information once a Business Associate Agreement is in place with Microsoft and the tenant is configured accordingly (access controls, audit logging, and encryption of mail that carries PHI).

| | Office 365 Business | Office 365 Business Premium | Office 365 Business Essentials |
|---|---|---|---|
| Best for | Businesses that need Office applications plus cloud file storage and sharing on PC, Mac, or mobile. Business email not included. | Businesses that need business email, Office applications, and other business services on PC, Mac, or mobile. | Businesses that need business email and other business services on PC, Mac, or mobile. Desktop versions of Office applications not included. |
| Office applications included | Outlook, Word, Excel, PowerPoint, Access (PC only) | Outlook, Word, Excel, PowerPoint, Access (PC only) | Web and mobile versions only |
| Services included | OneDrive | Exchange, OneDrive, SharePoint, Teams | Exchange, OneDrive, SharePoint, Teams |


ABOUT ZZ SERVERS

Since 2006, our team has succeeded in understanding the needs of the industry and creating reliable solutions to serve them all.

Our commitment to a high level of customer service and belief in personalized customer service for every client is an integral component of our business philosophy. Our goal is to work collaboratively with industry professionals, our clients, and consumers to provide not just a source for affordable and secure hosted network infrastructure but also a friendly, family-oriented customer support experience.

We specialize in providing business solutions for the Business, Industrial, Government, and Enterprise markets of all industries.

Quality comes first! We make sure that every minute detail is investigated while working with our clients. Our focus is 100% on client needs and satisfaction.

INNOVATIVE SOLUTIONS

ZZ Servers offers innovative solutions that meet the specialized needs of our customers. By combining firsthand experience with our datacenter, infrastructure, and integration expertise, we have developed comprehensive solutions that are effective, efficient, and affordable.

Whether it’s providing advanced compliance-based datacenter solutions to Fortune 100 firms, offering clear technical solutions to local businesses, or fully outsourcing and managing business technology solutions, ZZ Servers delivers proven solutions that are business-ready.

QUALITY UNSURPASSED

Improving Productivity, Maximizing Business Responsiveness, and Reducing Costs. We have a team of experienced engineers and technicians to develop solutions that integrate with your business. We support a standard method for infrastructure management and design, which will enable us to provide comprehensive solutions that are well-organized and efficient for almost any industry. This ensures that our solutions meet the standards of the highest quality, unsurpassed reliability and service excellence.

We are the provider you can trust for a perfect solution to all your needs.

[email protected] 800-796-3574 www.zzservers.com