HIPAA Security and the Administrative Safeguards—Part 2
October 2003 Issue
In the last article, we discussed the first four administrative safeguard standards in detail. In this article, we will cover the remaining administrative safeguard standards in detail and how each one will affect your O&P organization. Prepare yourself, as we have a lot of important information to cover!
1. Security Awareness and Training Standard
The Security Awareness and Training standard requires the implementation of a security awareness and training program for all members of your workforce, including management.
Security Reminders (Addressable)
Implementation specifications: Your organization must provide periodic security updates to the workforce. These are reminders to staff (memos, briefings, posters, e-mail notices) that keep security policy in front of them; they are distinct from software patching.
Protection from Malicious Software (Addressable)
Implementation specifications: Your organization must provide training on guarding against, detecting and reporting malicious software.
Log-in Monitoring (Addressable)
Implementation specifications: Your organization must provide training on monitoring login attempts and reporting discrepancies.
Password Management (Addressable)
Implementation specifications: Your organization must provide training on procedures for creating, changing, and safeguarding passwords.
What all of the above implementation specifications mean to your organization: Your organization must provide initial training to all employees who have access to electronic protected health information (electronic PHI) prior to the compliance date, and to new employees upon hire after the compliance date. This requirement applies even to part-time employees and to individuals who may be on site for a limited time period (for example, a single day).
The US Department of Health & Human Services (DHHS) sees security awareness training as a critical activity, regardless of an organization's size. Training can be tailored to job need if your organization so desires, or it can be a single program that all employees take. Remember, to be on the safe side, it is better for all of your employees to be aware of all of your security rules and policies. A single program is also easier to track as employees move around within an organization, because you do not have to determine whether their job-specific training covers their new position.
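The Log-in Monitoring specification above asks that staff be trained to watch login attempts and report discrepancies. The following is an added example, not code from the original article or from Provaliant, of what such monitoring looks like when automated: it reads a constructed authentication log (the log format, user names, addresses and thresholds are all assumptions for illustration) and reports the kinds of discrepancy a reviewer would be trained to look for: a burst of failed logins, a success immediately after such a burst, a login outside business hours, and a login from an address the user has not used before.

```python
"""Flag login discrepancies in an authentication log.

Added example, not from the original article.  The log format, user names,
addresses and thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2003-10-01T08:02:11 LOGIN OK user=mlee src=10.0.0.12
2003-10-01T08:15:02 LOGIN FAILED user=jdoe src=10.0.0.5
2003-10-01T08:15:09 LOGIN FAILED user=jdoe src=10.0.0.5
2003-10-01T08:15:16 LOGIN FAILED user=jdoe src=10.0.0.5
2003-10-01T08:15:21 LOGIN FAILED user=jdoe src=10.0.0.5
2003-10-01T08:15:30 LOGIN FAILED user=jdoe src=10.0.0.5
2003-10-01T08:15:41 LOGIN OK user=jdoe src=10.0.0.5
2003-10-01T12:30:00 LOGIN FAILED user=rkhan src=10.0.0.7
2003-10-01T22:47:19 LOGIN OK user=mlee src=192.0.2.44
2003-10-01T23:10:05 LOGIN OK user=tsmith src=10.0.0.9
"""

# Assumed log line layout: "<iso-timestamp> LOGIN <OK|FAILED> user=<name> src=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5          # this many failures inside WINDOW is reported
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)    # 07:00 to 19:00 local; successful logins outside are reported


def parse(log_text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real deployment should count and report these too
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_discrepancies(log_text):
    """Return (kind, user, detail) tuples for every discrepancy found, in time order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside WINDOW
    known_sources = defaultdict(set)      # user -> source addresses seen succeeding before

    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # Slide the window: keep only failures that are still recent.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if not ev["ok"]:
            recent_failures[user].append(ts)
            if len(recent_failures[user]) == FAIL_THRESHOLD:
                findings.append(("repeated_failures", user, ts.isoformat()))
            continue
        # Successful login from here on.
        if len(recent_failures[user]) >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", user, ts.isoformat()))
        recent_failures[user].clear()
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_login", user, ts.isoformat()))
        if known_sources[user] and ev["src"] not in known_sources[user]:
            findings.append(("new_source", user, ev["src"]))
        known_sources[user].add(ev["src"])
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_discrepancies(SAMPLE_LOG):
        print(f"{kind:24} {user:8} {detail}")
```

The point of the sliding window is that five failures spread over a week are normal forgetfulness, while five inside ten minutes followed by a success is the pattern a guessing attack leaves behind; the "new source" check is the simplest form of the "does this look like the user's normal behaviour" question that the reporting procedure should ask.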
2. Security Incident Procedures Standard
The Security Incident Procedures standard establishes policies and procedures to address security incidents.
Response and Reporting (Required)
Implementation specifications: Your organization must establish policies and procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
What it means to your organization: Your organization will develop a list of what constitutes a security incident in the context of your business operations as you carry out your risk assessment and risk management procedures and apply the privacy standards. Your organization will have to implement accurate and current security incident procedures for those items you have identified as incidents. The procedures will need to include formal, documented report-and-response steps. The security incident procedures relate to internal reporting of security incidents and do not specifically require you to report an incident to any outside entity, unless business or legal considerations require it.
3. Contingency Plan Standard
The Contingency Plan standard establishes policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI.
Data Backup Plan (Required)
Implementation specifications: Your organization must establish and implement procedures to create and maintain retrievable exact copies of electronic PHI.
What it means to your organization: You must follow the implementation specification as written: the copies must be exact (a byte-for-byte copy of the electronic PHI, not a summary or partial export) and retrievable (you must actually be able to get them back). Keep in mind that this plan must be implemented together with all of the other contingency plan standards; the backup is only useful if the plans that follow can restore and protect it.
Disaster Recovery Plan (Required)
Implementation specifications: Your organization must establish and implement procedures to restore any loss of data.
What it means to your organization: Once you have made your exact copies of electronic protected health information, how do you get them restored? That is what this plan entails: the what, who, and how to restore data after an emergency.
Emergency Mode Operation Plan (Required)
Implementation specifications: Your organization must establish and implement procedures to enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode.
What it means to your organization: Once you have restored your data, this plan details how the electronic PHI is protected while you operate in emergency mode. This will include who has access to the restored data, how that access is secured, and so on.
Testing and Revision Procedure (Required)
Implementation specifications: Your organization must implement procedures for periodic testing and revision of contingency plans.
What it means to your organization: All of the above are components of the contingency plan, so this procedure puts the previous plans together and tests that they actually work. This usually involves taking your copies of electronic PHI, restoring them, and attempting to access the data as required in your plan. Without testing your contingency plan, your organization would have no assurance that its critical data could survive an emergency situation.
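The Data Backup Plan above requires exact, retrievable copies, and the Testing and Revision Procedure requires that you prove you can get them back. The following is an added example, not code from the original article or from Provaliant, of a restore drill that does both: it records a SHA-256 hash of every file at backup time, archives the files, restores the archive to a scratch directory, and checks every restored file against the recorded hashes, so "exact copy" becomes a verifiable claim rather than an assumption. The directory layout, file names and contents are constructed stand-ins for electronic PHI; the archive and manifest names are assumptions.

```python
"""Back up a directory, restore it, and verify the restore is an exact copy.

Added example, not from the original article.  Sample data, file names and
archive names are constructed for illustration; point src_dir at your own data.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive_path):
    """Write a gzip tar of src_dir and a JSON manifest of file hashes beside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    Path(str(archive_path) + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_backup(archive_path, dest_dir):
    """Extract the archive under dest_dir, refusing members that would escape it."""
    dest = Path(dest_dir).resolve()
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        try:
            tar.extractall(str(dest), filter="data")   # Python 3.12+: also blocks links/devices
        except TypeError:                               # older Python: no filter argument
            tar.extractall(str(dest))
    return dest / "data"


def verify_restore(manifest, restored_dir):
    """Compare restored files to the manifest; return a list of problems (empty = exact)."""
    actual = build_manifest(restored_dir)
    problems = [f"missing: {rel}" for rel in manifest if rel not in actual]
    problems += [f"hash mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(problems)


def restore_drill(src_dir):
    """Back up src_dir, restore to a scratch directory, verify; returns the problem list."""
    with tempfile.TemporaryDirectory() as scratch:
        archive = Path(scratch) / "ephi-backup.tar.gz"
        manifest = make_backup(src_dir, archive)
        restored = restore_backup(archive, Path(scratch) / "restore")
        return verify_restore(manifest, restored)


def make_sample_data(root):
    """Constructed sample records standing in for electronic PHI (not real data)."""
    root = Path(root)
    (root / "records").mkdir(parents=True, exist_ok=True)
    (root / "records" / "patient-0001.txt").write_text("constructed sample record 1\n")
    (root / "records" / "patient-0002.txt").write_text("constructed sample record 2\n")
    (root / "config.ini").write_text("[app]\nversion=1\n")
    return root


def demo():
    """Run the drill on sample data, then show that a corrupted copy is detected."""
    with tempfile.TemporaryDirectory() as work:
        src = make_sample_data(Path(work) / "live")
        clean = restore_drill(src)
        manifest = build_manifest(src)
        (src / "records" / "patient-0001.txt").write_text("corrupted\n")
        corrupted = verify_restore(manifest, src)   # simulates a bad restore
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("drill problems:", clean or "none (exact copy restored)")
    print("corruption detected:", corrupted)
```

Two design points carry over to a real drill. First, the manifest is written at backup time and kept with the archive, so the comparison is against what the data looked like when it was copied, not against whatever is on the live system at restore time. Second, the restore step checks every archive member path before extracting, because a tampered or mislabelled archive that writes outside the restore directory is itself a security incident under the previous standard.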
Applications and Data Criticality Analysis (Required)
Implementation specifications: Your organization must perform an analysis to assess the relative criticality of specific applications and data in support of other contingency plan components.
What it means to your organization: Basically, your organization must determine what applications and data need to be available for emergency mode operations to provide the proper security protection of the electronic PHI.
4. Evaluation Standard (Required)
Implementation specifications: Your organization must perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic PHI, that establishes the extent to which your security policies and procedures meet the requirements of this rule.
What it means to your organization: Basically, your organization should conduct an evaluation of all your security safeguards to ensure that the organization is still in compliance. This is a required standard, as your organization will go through changes since the last evaluation or implementation of the security rule. For example, new technology or an organizational change may expose your organization to new risks.
Your organization may satisfy this standard by having the evaluation performed either by your own workforce or by an external accreditation agency, which would be acting as a business associate. External evaluation may be too costly an option for small entities. Also note that DHHS does not define certification criteria other than compliance with the Security Rule itself, because such criteria would have to address a very large number of different business environments.
5. Business Associate Contracts and Other Arrangements (Required)
Implementation specifications: Your organization may permit a business associate to create, receive, maintain, or transmit electronic PHI on your behalf only if you obtain satisfactory assurance that the business associate will appropriately safeguard the information.
What it means to your organization: Your organization will have to document that the satisfactory assurance has been met through a written contract or other arrangement with the business associate.
In the next article, we will look at the physical safeguard standards in detail and how each one will affect your O&P organization.
This article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult an attorney.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. For more information, visit www.provaliant.com