Security Process Worksheets - NARHCnarhc.org/wp-content/uploads/2016/10/HIPAA-Handouts.pdf · Security Process Worksheets . ... application or process): Business and/or Mission Supported:

HIPAA Security Process

Worksheets

Sarah Badahman with HIPAAtrek

Created by HIPAAtrek | www.hipaatrek.com | 314-272-2600

Overall System Imapct

HIGH HIGH HIGH HIGH

Healthcare Communica�on Due to the sensi�ve nature of data being transmi�ed, confiden�ality impact for healthcare communica�on is HIGH.

Due to the nature of the informa�on being communicated, the integrity impact is HIGH.

Due to the poten�al for loss treatment schedules, access to diagnos�c results, and other messaging

between provider and pa�ent, the availability impact is MODERATE.

Final System Categoriza�onConfiden�ality Impact Integrity Impact Availability Impact

Healthcare Delivery Services - Clinical Documenta�on

Confiden�ality impact level for (YOUR ORGANIZATION)'s EHR clinical documenta�on is LOW, provided all safeguards and

controls are properly implemented, trained and adhered to by all its workforce members.

Due the poten�al impact for loss of human life, the provisional integrity impact level is HIGH.

Due to federal and state requirements governing availability of healthcare records, the availability

impact is HIGH.

Healthcare Administra�on Confiden�ality impact level for healthcare administra�on is LOW.Due to the poten�al impact to (YOUR ORGANIZATION)'s financial

health, the poten�al integrity impact is MODERATE. Availability impact is LOW.

Low Impact: The potential impact is low if: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on (YOUR ORGANIZATION)'s operations, organizational assets or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might:

- cause a degradation in mission capability to an extent and duration that (YOUR ORGANIZATION) is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced

- result in minor damage to (YOUR ORGANIZATION)'s assets

- result in minor financial loss

- result in minor harm to individuals

Moderate Impact: The potential impact is moderate if: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on (YOUR ORGANIZATION)'s operations, organizational assets or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: - cause a significant degradation in mission capability to an extent and duration that (YOUR ORGANIZATION) is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced

- result in significant damage to (YOUR ORGANIZATION)'s assets

- result in significant financial loss

- result in significant harm to individuals that does not involve loss of life or serious life threatening injuries

High Impact: The potential impact is High if: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on (YOUR ORGANIZATION)'s operations, organizational assets or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: - cause a severe degradation in mission capability to an extent and duration that (YOUR ORGANIZATION) is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced

- result in major damage to (YOUR ORGANIZATION)'s assets

- result in major financial loss

- result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries

Suppor�ng Control or Process or Func�onConfiden�ality Impact (Low/Moderate/HIGH) - Descrip�on of

impact Integrity Impact (Low/Moderate/HIGH) - Descrip�on of impactAvailability Impact (Low/Moderate/HIGH) -

Descrip�on of impact

Healthcare Communication Provides confiden�al and secure electronic communica�on for all current and former pa�entsHealthcare Administration Provides billing and account services in support of all (YOUR ORGANIZATION)'s ac�vi�es

Complete for every data type, process, and/or system (copy and paste as many times as necessary to create a security categorization for every system, application or process): Business and/or Mission Supported: (List the system, application, or process here - each supporting function, system, application or process will be included in the first grid below)

Supporting Control or Process or Function Supporting Control or Process or FunctionHealthcare Delivery Services - Clinical Documentation Complete medical record informa�on for all current and former pa�ents

Created by HIPAAtrek | www.hipaatrek.com | 314-272-2600

Application/Data Function SupportingITSystems LocationConsequencesofDisruption Workarounds/Alternatives

MaximumDowntime CriticalityLevel

CreatedbyHIPAAtrek

hipaatrek.com314-272-2600

ApplicationsandDataCriticalityAnalysis

Findings Statement Business Risk RecommendationRisk (HIGH, MED,

LOW)

Acceptable Remediation

TimelineRemediation Tracking (Notes)

Estimated Completion Date

Status (Completion Date)

ID Safeguards Standards Specifications Questions Example Doc Use Total %CompCompliance Rating Comments

1 Administrative Safeguard

Security Management Process §164.308(a)(1)

Risk Analysis

Is a Risk Analysis process used to ensure cost-effective security measures are used to mitigate expected losses? If yes, is the Risk Analysis process documented?

For example, does the organization use a process to determine cost effective security control measures in relation to the loss that would occur if these measures were not in place.

0 0 0 0% Non-Compliant



Risk Management

Are security measures implemented to reduce risks and vulnerabilities to an appropriate level for the organization?

Each organization must accept a certain level of risk and must be able to determine and document that appropriate level.




Sanction Policy

Do documented policies and procedures exist regarding disciplinary actions (stipulations for misuse or misconduct)? Have they been communicated to all employees?

These would be disciplinary actions for misuse or misappropriation of health information. (e.g. verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties).




Information System Activity Review

Are audit logs reviewed? If yes, how often? Is there a responsible entity? Is this effort documented? Is audit logging for communications enabled?

Organizations will be required to provide and maintain ongoing analysis/review of the records of system activity (logins, file access, security incidents) to help identify security violations. This will include operating systems, applications, and networked systems.




Assigned Security Responsibility §164.308(a)(2)

No Implementation Specifications

Has the security responsibility for the organization been assigned to an individual or group? If yes, is it documented?

Organizations will be required to assign security responsibility to a particular individual or group. They will be responsible for ensuring security measures to protect data and ensure individuals act accordingly in the protection of data. This is important in providing an organizational focus towards security and the ability to pinpoint responsibility.




Workforce Security §164.308(a)(3)(i)

Authorization and/or Supervision

Are procedures in place to ensure personnel performing technical system maintenance activities are supervised by authorized/knowledgeable individuals, and that operational personnel are appropriately authorized to access systems? Are these procedures documented?

Example, Maintenance personnel are directly monitored by escorts near Health Information. Operational personnel should also have the appropriate access to data or systems.




Workforce Clearance Procedures

Are personnel clearance procedures established and maintained? Are these procedures documented?

For example, a protective measure to determine that an individuals access to sensitive unclassified information and sensitive information is admissible.




Workforce Clearance Procedures

Does the organization follow personnel clearance procedures to verify access privileges before admission? Are these procedures documented?

Organizations will be required to have formal documented policies and procedures for validating the access privileges of an entity before granting those privileges.


Security Management Process Totals

Assigned Security Responsibility Totals



Termination Procedures

Are access lists up-dated in a timely manner when employee accesses change? If yes, are they documented and updated consistently?

Despite the nature of access lists, employees must be removed upon termination or modified to reflect when a job function or role changes.





Does the organization follow termination procedures that include checklists for collecting access-providing materials? If yes, are these procedures followed consistently? Are these termination procedures documented?

Termination procedures will be required to be documented and implemented. These are important to prevent the possibility of unauthorized access to secure data by those who are no longer authorized to access the data (e.g. voluntary or involuntary exit). Organizations will need to collect keys, tokens, and identification cards.





Does the organization follow procedures for changing combination and locking mechanisms? Are these procedures documented?

Documented procedures for changing of combinations and locking mechanisms, on a defined time schedule, and when personnel no longer have a need to know.





Does the organization have documented termination checklists which include procedures for removing user account(s) in a timely manner?

Organizations will be responsible for removing user account(s) from computer system(s) (email), in a timely manner.




Information Access Management §164.308(a)(4)(i)

Isolating Healthcare Clearinghouse Function

If the organization includes a healthcare clearinghouse, what policies and procedures are in place to isolate the clearinghouse electronic Protected Healthcare Information from the rest of the organization?

Organizations are required to implement policies and procedures to protect against unauthorized or inadvertent disclosure of electronic Protected Healthcare Information from the larger organization.




Access Authorization

Are there rules established to determine the initial level of access an individual may have? Are these rules documented?

Organizations will be required to track the establishment of Initial Access through documentation efforts. For example documentation on why the individual will require access.




Access Establishment and Modification

Does the organization follow procedures for governing access to information on a Need-to-Know basis? If yes, who is responsible for maintaining documentation of these procedures?

Organizations will be required to support a users given access level information. A user should have access only to the data needed to perform a particular function.





Does the organization have different levels of access to health information/data? Are there rules established for granting access and authorization? If yes, are these rules documented?

Organizations will be required to maintain policies and procedures for identified access levels of access to a terminal, transaction, program, process or X of that user?





Are there rules established for the modification of individual accesses? If yes, are these rules documented?

Organizations will be required to track the modification of an individuals access. For example, procedures for why access for an existing individual may change.



Workforce Security Totals

Information Access Management Totals


Security Awareness and Training §164.308(a)(5)(i)

Security Reminders

Are periodic security reminders issued to all employees? If yes, are these reminders documented and do you feel that it is effective?

It's purpose is to refresh knowledge of policies and procedures and to keep all employees alert to the latest types of security threats (occurring incidents or CERT alerts).




Security Reminders

Is formal information security awareness training conducted for all employees, agents, and contractors? If yes, how often is it performed and is periodic re-attendance required? Is the security awareness training program documented?

The information security awareness training should include at a minimum: virus protection, password use and protection.




Security Reminders

Does the organization conduct customized training sessions, based on job responsibilities, that focus on issues regarding the use of health information? Does the organization include the employees responsibilities regarding confidentiality and security?

Information security training should address issues that are directly related to employee duties (e.g. appropriate handling of individual health information and unattended workstation procedures).




Protection from Malicious Software

If Security Awareness Training is conducted does it include (at a minimum): (A) Virus protection, (B) Importance of monitoring login success/failure, and (C) Password management? Are these minimal requirements for Security Awareness Training documented?

Employees must understand virus protection efforts, why logins are monitored, and how to effectively manage their passwords.





Are procedures in place to make sure virus checking software is installed and running on all computer systems within the organization?

Virus Protection will be required on computer system(s), that can detect virus programs that attach to other files or programs to replicate, a code fragment that can reproduce by attaching itself to another program, or an embedded code that can copy or insert itself into one or more programs.





Do these procedures include the requirement that virus definitions be consistently updated? If yes, what procedure do you use to update them and how often?

Accurate virus protection relies on the update of definitions in a timely manner. 0 0 0 0% Non-Compliant




Do the procedures call for periodic scanning for viruses? How often is the virus software configured to scan for viruses?

Accurate virus protection is based on the constancy of updating definition files, and scanning.




Log-in monitoring

Are procedures implemented that provide for monitoring of failed log-in attempts in an organization's servers?

Procedures must be implemented to provide methods of monitoring attempts to access servers containing sensitive information.




Log-in monitoring

What procedures are in place to ensure failed log-in attempts are reported to the proper authority?

Procedures requiring the monitoring of failed log-in attempts must contain instructions on reporting discrepancies.




Password Management

What password guidelines exist and what procedures are followed to ensure the user makes a good selection?

Guidelines would be (minimum length, minimum time, maximum time, prevention of re-use, force of change for default and initial passwords, maximum number of change times). It is a good practice to run password crackers and verification tools to ensure that users have selected solid passwords.




Password Management

Do users sign a security statement when issued a password?

This statement should explain appropriate use and selection, along with change management procedures for the password.




Password Management

What password guidelines are in place to protect the integrity of administrator type accounts?

Guidelines and restrictions should be placed on the use of administrator, root, and default accounts. Minimal numbers of employees should be allowed access to these types of accounts, different levels of access should be used, and tracking should be enforced for the use of these types of accounts.




Security Incident Procedures §164.308(a)(6)(i)

Response and Reporting

Is there a formal process in place to allow the reporting of security breaches? If yes, to whom are these breaches reported to and are these processes documented?

These procedures will allow employees to effectively report security incidents or breaches. The organization's will be required to document these procedures, and the employees should be aware of the policies and procedures and willing to use them.





Are formal procedures followed for responding to incidents? If yes, which entity is responsible and are they handled in a timely manner? Are these procedures documented?

The organization will be required to document reporting, review, and response policies and procedures in relation to security violations and should handle security violations promptly.





Are procedures followed for mitigating incidents that may occur? Do the procedures also identify a team assigned to handle these incidents?

Procedures should be developed and implemented that provide guidance on selected type of incidents and how to mitigate them.





At the conclusion of an incident, are procedures followed to document the outcome of the incident investigation? Are the results maintained in an historical file for subsequent review?

Incident reporting should include documenting the results of the incident investigation. These results should be reviewed and maintained to assist in future investigations.




Contingency Plan §164.308(a)(7)(i)

Data Backup Plan

Has a Data Backup Plan been implemented and followed within your organization? If yes, is the Data Backup Plan documented?

For example, a formally documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information for the organization.




Data Backup Plan

Does the Data Backup Plan contain procedures for testing and revision? If so, are these procedures documented?

For example, formally documented and regularly maintained testing and revision procedures.


Security Awareness and Training Totals

Security Incident Procedures Totals



Data Backup Plan

Does the organization follow Data Backup Plan procedures that allow for an exact copy of information to be retrieved? If yes, are Data Backup Plan policies and procedures formally documented?

Organizations must be able to retrieve an exact copy of data while maintaining accountability and access control integrity.




Data Backup Plan

What type of backups does the Data Backup plan call for? Full or incremental?

Incremental and Full backups should be specified within the Data Backup Plan, each serves a different purpose and these timeframes should be planned appropriately. (Interviewer note: incremental backups may only be performed in a mainframe environment).




Data Backup Plan

Where is backup media stored? For how long?

Backup tapes should be stored offsite or in a safe. (e.g. Media types may be tape, CD, diskettes)




Data Backup Plan

What physical protection mechanisms exist for local and remote copies of backups? What handling instructions are in place?

Data Backups should not be left in an insecure environment, as it contains sensitive network and system data.




Disaster Recovery Plan

Has a Disaster Recovery Plan been developed? If yes, is the Disaster Recovery Plan documented?

Most specifically, the Disaster Recovery Plan should address IT and Information Security Breaches and allow for the restore of data loss to the entity in the event of fire, vandalism, natural disaster, or system failure.




Emergency Mode Operation Plan

Has an Emergency Mode Operation Plan been tested to determine continual operations? If yes, is the Emergency Mode Operation Plan documented?

For example, formally documented plans and processes to enable the continuing operation of the organization in the short term (48 hours or less). This may be the result of fire, vandalism, minor natural disaster, or system failure.




Emergency Mode Operation Plan

Does the emergency mode operation plan and disaster recovery plan address physical access to appropriate personnel? Is the emergency mode operations plan and procedures formally documented?

For example, formally documented plans and processes to enable the continuing operation of the organization in the short term (48 hours or less).




Testing and Revision Procedure

Is the Disaster Recovery Plan periodically tested to insure adequacy? If yes, is the testing documented? What types of testing are accomplished?

Regularly maintained testing and revision of disaster recovery procedures provides the organization the ability to react quickly in the event of an actual crisis.




Applications and Data Criticality Analysis

Have Critical Systems been identified within your organization, and documented within the Contingency Plan?

Critical systems include those systems that provide services that if lost could result in significant backlog and monetary loss.




Applications and Data Criticality Analysis

What other types of mechanisms are in place to allow for mission critical hosts or systems to property shutdown?

A proper shutdown will allow current sessions, applications and transactions to close before the system powers off .


0 0 0 0% Non-CompliantContingency Plan Totals


Evaluation §164.308(a)(8)


Has an internal or external entity performed an assessment on any network or individual system(s) within the network to determine if they meet a pre-specified set of security standards? If yes, has the assessment(s) been documented?

Such as a technical member of your Internal Audit team, or IT team responsible for evaluation, and testing. Technical evaluations include vendor certification of applications prior to go-live. External entities include any accrediting agency completing annual external penetrations, and/or infrastructure integrity testing to ensure they meet industry best practices for information security.



Evaluation §164.308(a)(8)


Does the organization maintain a history of Technical Evaluations for computer system(s) and network(s)?

The information maintained should support the certification of the computer system(s) or network design(s) as having implemented appropriate security.




Business Associate Contracts and Other Arrangements §164.308(b)(1)

Written Contract or Other Arrangement

Has an inventory of all electronic data exchanges with third parties, vendors or business partners taken place? If yes, has a Business Associate agreement been executed? Is the inventory and agreement documented?

If data is processed through a third party, the parties must enter into a Business Associate Agreement. This contract states the agreement to exchange data electronically and assurance of data transmission integrity, and storage. Third parties are vendors, business partners, or internal entities that have access to your computer systems and infrastructure. These third parties will require a Business Associate Agreement. For example, a provider may contract with a clearinghouse to transmit claims.



Business Associate Contracts and Other Arrangements §164.308(b)(1)

Written Contract or Other Arrangement

Are you aware of any trusted internal or external business connections, or any third party connections or accesses? What are they?

Third parties are vendors, business partners, or internal entities that have access to your computer systems and infrastructure. These third parties types of accesses are considered less-trusted and will require a Business Associate Agreement.



50 Physical Safeguards

Facility Access Controls §164.310(a)(1)

Contingency Operations

Have procedures been implemented that provide for facility access and other business functions during contingency operations?

These procedures would assist the organization in recovering the business functions after a crisis. This is completely separate from recovering the business data and involves planning for office space, communications, equipment needs, etc.




Facility Security Plan

Does the organization have a facility security plan? Is the facility security plan formally documented?

Facility Security is a group of plans that encompass all aspects of the identified facility (e.g. cameras, perimeter protection).




Facility Security Plan

Has the organization implemented procedures within the facility to sign in visitors and provide escorts, if appropriate? Are there formally documented procedures for visitor escort and sign in?

Organizations will be required to have formally documented procedures governing the reception and hosting of visitors. For example: vendors, maintenance personnel.


Evaluation Totals

Business Associate Contracts and Other Arrangements Totals



Access Control and Validation Procedures

What procedures are in place to ensure that maintenance personnel have proper access and authorization? Are these procedures documented?

The organization will be required to maintain ongoing documentation for granting access to individuals working on or near Health Information.




Maintenance Records

Does the organization retain system maintenance records? Is there formal documentation for this procedure?

Organizations will be required to have documentation of repairs and modifications to hardware/software, and computer systems. Interviewer Note: a helpdesk tracking system may be used to record maintenance records.




Maintenance Records

Does the organization retain facility maintenance records? Is there formal documentation for this procedure?

Organizations will be required to have documentation of repairs and modifications to the physical components of a facility. (e.g. walls, doors, lights, locks)




Maintenance Records

Does the organization maintain access authorization records? If so, how long are these records retained? Are these authorizations documented?

The organization will be required to retain ongoing documentation of levels of access granted to user, program procedures, assessing health information.




Workstation Use §164.310(b)


Does the organization follow procedures for defined acceptable workstation use? Are documented procedures which outline proper functions?

Each organization will be required to have guidelines delineating the proper functions to be performed, and the manner in which the functions are performed.




Workstation Security §164.310(c)


Has the organization implemented physical safeguards to eliminate or minimize unauthorized access/viewing of health information on workstations?

Each organization will be required to put in place physical safeguards for workstations that will prevent public areas from accidentally dispensing patient identifiable health information from workstations. For example, privacy screens, monitor position, cubicle walls, or locked rooms.



Workstation Security §164.310(c)


Does the organization implement console locking features?

Different systems will allow for the use of different types of mechanisms to be used to lock workstations. (e.g. MONITOR.NLM, screen savers with passwords).




Device and Media Controls §164.310(d)(1)

Disposal

Does the organization follow procedures for the final disposition of electronic data (including PHI) and the hardware that it resides on? Are these procedures documented?

Organizations will be required to document policies and procedures for the disposition of electronic data and the hardware on which it resides. (e.g. wiping hard drives, or other method of destruction)




Media Re-use

Have procedures been developed for removing electronic Protected Health Information from media before it is scheduled for re-use?

These procedures would include some form of sanitization process for the media and a form of written verification that the media has been cleansed prior to re-use.


Workstation Security Totals

Facility Access Controls Totals

Workstation Use Totals



Accountability

Does the organization follow procedures for taking hardware and software into or out of a facility? Are these procedures documented? Who is accountable for the movement of media?

Organizations will be required to govern the receipt, movement, and removal of hardware/software and data into and out of the facility. This includes the marking, handling, and disposal of hardware and storage media. This will impact your offsite backup procedures.




Data Backup and Storage

Does the organization follow data storage procedures for electronic retention of individual health care information? Are there formally documented policies and procedures?

Organizations will be required to document electronic data retention policies and procedures. This is to include length of time, storage, receipt, and format.



64 Technical Safeguards

Access Control §164.312(a)(1)

Unique User Identification

Are unique user id(s) in place/use (network and application)? If yes, for which systems and are they governed by written security procedures?

Unique user IDs are a combination name/number assigned to identify and track individuals.





Are there any shared ID's or non-unique ID's in use?

High profile shared accounts could be a LAN Admin ID or a business unit that is highly impacted by login/logout inefficiencies (nurses).





Do all end users of network resources have a unique user ID?

Organizations will be required to irrefutably identify authorized users and processes, and to deny access to those unauthorized. An example best practice would be "no group User ID's are permitted". Entity authentication can be done through name and password through the network or application, and by IP address, service or protocol at the firewall).




Emergency Access Procedures

Is an emergency access procedure documented and followed?

Emergency Access can include access to a system or application immediately for a user without current access (normal channels bypassed). Also, short system outages requiring manual procedures.




Automatic Logoff

Are controls in place and configured to allow for automatic logoffs (network and application)?

Applications will be required to provide automatic user logoff (example: 15 minutes).




Automatic Logoff

Are controls in place to ensure that data has not been altered or destroyed during transmission?

Organizations will be required to provide corroboration that data in its possession has not been altered or destroyed in an unauthorized manner. For example: check sums, double keying, message authentication code, digital signature applied to files or data.




Encryption and Decryption

Is encryption currently in use with any access control solutions that are in place? If yes, how?

Encryption is optional within the proposed regulation for section 142.308C in relation to access control methods. Encryption with access control examples are VPNs, SSL, SSH.





Are access controls or encryption technologies used to secure transmission of sensitive information? If yes, what and for which systems?

For example, PKI, IPSEC, VPN, Smart Cards, or SSL 0 0 0 0% Non-Compliant

Device and Media Controls Totals




Are encryption technologies used to secure data at rest? If yes, for which systems?

For example, database contents, file contents, directory contents containing sensitive data.




Audit Controls §164.312(b)


Are networked systems configured to allow event reporting? If yes, which types of systems?

Different types of systems will allow for different types of logging to take place. (e.g. syslog server, application event logs (IIS, Exchange), specific service use (ftp, http)), specific activities, NT Event logging, Firewall events, or Intrusion Detection.





Are auditing capabilities enabled for file/record accesses, modifications, or deletions? If yes, for which systems and what activities are audited?

Audit will be required to record and examine system activity such as who has read, accessed, or changed a file. (e.g. system actives could be audited for applications, operating systems, or network devices).





Are software or hardware solutions in place that will provide notification of abnormal conditions that may occur in a networked system?

Any software or hardware device that can sense an abnormal condition within the system and provide a signal. The signal can be a contact, auto shutdown, or restart. For example: intrusion detection system, Firewalls, NT event logging).




Integrity §164.312(c)(1)

Mechanism to Authenticate EPHI

What process exist to determine who will have the authority to change or manipulate health information? Is this process documented?

Changes to health information should be audited to ensure proper use and accesses.




Person or Entity Authentication §164.312(d)


How is the signature on the document/data verified as trust-worthy? Is online or offline validation as well as entity or non-entity certificate used?

Online validation or offline validation. Online Validation allows the user to ask the CA directly about a certificates validity every time it is used. Offline validation gives a validity period, a pair of dates defining the valid range of the certificate. Entity certificates are known as identity certificates (characteristics), and non-entity certificates are known as credential certificates (e.g. X is a doctor, or permissions to certain systems).




Transmission Security §164.312(e)(1)

Integrity Controls

What policies, procedures, and technical mechanisms are in place to protect health information as it is transmitted across internal and external networks? Are these policies, procedures, and technical mechanisms documented?

Policies and procedures would ensure that security of the health information as it is transmitted from start, middle, to end point.




Integrity Controls

What technical and administrative processes, and mechanisms are in place to ensure secure storage of health information? Are these processes documented?

Storage of health information should be secure, and follow appropriate retention guidelines.


Access Control Totals

Audit Controls Totals

Integrity Totals

Person or Entity Authentication Totals



Encryption

Is the message encrypted, signed, or signed and encrypted? What practices are in place for the storage of private (secret) keys?

Encrypted message is encrypted by the symmetric key and the public key encrypts the symmetric key. Signed Message is hashed and encrypted with the senders private key. Signed and Encrypted is signed by the senders private key, and the message is encrypted with the senders public key.




Encryption

What cryptographic methods and parameters are used to ensure the integrity of the message during transmission is unaltered?

For example, please describe the parameters used for signing a message (e.g. hash algorithms (md5, or SHA-1), and encrypting the message (DES, Diffie Hellman, RSA, EIGamal or elliptic curve)?



82Organizational Requirements

Business Associate Contracts and Other Arrangements §164.314(a)(1)

Business Associate Contracts

Are Business Associate contracts in place between the organization and any business associate that might come in contact with the organizations electronic Protected Health Information?

These contracts should stipulate the business associate implement reasonable and appropriate safeguards to protect this sensitive information.




Other Arrangements

Are both the organization and the business associate a government agency? If yes, does a memorandum of understanding exist between the organization and the business associate that requires the business associate implement reasonable and appropriate administrative, physical, and technical safeguards to protect electronic Protected Health Information?

The memorandum of understanding should detail the measures the business associate has in place to provide reasonable and appropriate security protections for electronic Protected Health Information.




Other Arrangements

Is the business associate required by law to perform a function or activity on behalf of the organization? If yes, describe what steps the organization completed in order to ensure the business associate complied with the provisions of the HIPAA security rule.

When the business associate is required by law to perform certain activities, the organization needs to document its attempts to ensure the business associate has reasonable and appropriate security measures to protect the organizations electronic Protected Health Information.




Requirements for Group Health Plans §164.314(b)(1)

Plan Documents

Does the organization have a group health plan? If yes, do the plan documents require the plan sponsor reasonably and appropriately safeguard electronic Protected Health Information?

The plan documents must require the plan sponsor to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information.



86

Policies, Procedures, and Documentation Requirements

Policy and Procedures §164.316(a)


Does the organization have formal documented and approved information security policy statements that encompass information values, information protection, and an overall organizational commitment?

Security Policy Statements ensure a framework for the organization to achieve desired confidentiality goals.


Business Associate Contracts and Other Arrangements Totals

Requirements for Group Health Plans Totals

Transmission Security Totals

87


Policy and Procedures §164.316(a)


Does the organization have a process for developing, approving and publishing formal security policies?

A formal security policy process ensures the right people in the organization assist in the development, approval, and dissemination of the organization's security policies.



89

Policies, Procedures, and Documentatio

Documentation §164.316(b)(1) Time Limit

Are documents related to electronic Protected Health Information maintained for the time period proscribed by this rule?

The final HIPAA security rule calls for documentation related to electronic Protected Health Information to be maintained for a period of six years from


90


Documentation §164.316(b)(1) Availability

Is this documentation available to those persons responsible for implementing the various procedures required by the HIPAA security rule?

Either written and electronic forms of all documentation should be available to those persons responsible for implementing the procedures described in the HIPAA security rule.


91


Documentation §164.316(b)(1) Updates

Are the policies and procedures reviewed on a periodic basis to ensure adequacy and timeliness?

All policies and procedures should undergo a periodic review to ensure the organization remains current in its security posture in order to protect electronic Protected Health Information.



RequiredAddressable

Policy and Procedures Totals

Documentation Totals