ADVANCED DATA SOLUTIONS
Data Recovery Experts
HIPAA Compliance

ADS HIPAA Network Safeguards

HIPAA Core Policy: Information Systems and Network Access

Abstract:

This policy establishes the minimum criteria for granting approved access to information systems.

Effective Date:

3/23/2016

Applies to:

Staff.

1. PURPOSE: To establish guidelines for the minimum criteria for granting approved access to information systems involving protected health information (PHI).

2. PHILOSOPHY: Authorized individuals should be able to access information systems based on minimum necessary privileges.

3. APPLICABILITY: This policy applies to all ADS staff.

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Appropriate Information Security Officer (ISO): The entity’s ISO who acts in conjunction with the HIPAA Security Office for ADS.

4.1.2. Authentication mechanism: Items including, but not limited to, passwords, tokens, biometrics, and smart cards used for confirming a user’s identity.

4.1.3. Business Associate: A person or entity (other than an employee of ADS) who performs a function or activity involving the use or disclosure of protected health information.

4.1.4. Direct Need-to-Know: Those persons or classes of persons, as appropriate, who need access to specific protected health information to carry out their work-related duties.

4.1.5. Electronic Communication Network: This includes things such as the Internet, wireless, or wired network.

4.1.6. Electronic Protected Health Information (ePHI): Protected health information in electronic form.

4.1.7. HIPAA: Health Insurance Portability and Accountability Act.

4.1.8. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.9. Portable Computing Devices (PCDs): Include, but are not limited to, hand held devices (e.g. laptop computers, tablet PCs, notebook computers), Smart phones, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the internet, desktop personal computers via some form of interconnection and/or synchronization process.
4.1.10. Portable Storage Devices (PSDs): Include, but are not limited to, external hard disk drives, DVDs, CDs, flash drives, USB drives, tapes, and other portable storage devices capable of acting as a transport agent for digital information.

4.1.11. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

4.1.12. Remote Access: Users outside of a covered entity’s network accessing data on the entity’s network.

4.1.13. Sensitive Information: Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets and any information that is deemed confidential or that would negatively affect ADS if inappropriately handled.

4.1.14. Strong Passwords: Current industry best practices identify this as a minimum of eight alpha-numeric characters with at least one upper-case and one special character.

4.1.15. User: Any individual who accesses ADS electronic protected health information assets.

4.1.16. User Account: Information used by a user to gain access to ADS ePHI resources. This includes, but is not limited to, user IDs, passwords, personal identification numbers (PIN), tokens, certificates, biometrics, and smart cards.

4.1.17. User ID: An individual ID used to identify a unique individual when logging into an ADS information resource such as a computer network, service, or application.

5. POLICY:

5.1. Requests for access to ADS's ePHI shall be granted only to individuals with a direct need to know.

5.2. Approval will be based upon minimum necessary privileges and the direct need to know for a specific job function.

5.3. In situations where work is performed by any non-ADS employee on a system containing ePHI, it is the responsibility of the appropriate manager to seek pre-approval for access and to monitor the individual's activities on the system. Non-ADS employees must have an approved Business Associate Agreement (if there is a possibility of accessing PHI) prior to requesting approval to access information resources of a covered entity.

5.4. Transmission of PHI or other sensitive information over an electronic communication network shall be encrypted.

5.5. Network personnel shall not open ports through any firewall without pre-approval from appropriate management or the information security office. Approved requests shall be documented.

5.6. Use of portable devices to store ePHI must be pre-approved by the appropriate information security office and must be properly secured with proper physical and software controls in accord with the HIPAA Security Core Policy, "Use of Portable Devices."

5.7. All requests for phone lines shall be approved by the ADS Communications Department or HSF Telecommunications.

5.8. Any external access to an ADS network containing ePHI (i.e., dial-in modems) or internal access to outside networks (i.e., DSL lines) that bypasses the ADS and ADSHS firewalls shall be approved by the appropriate information security office.

5.9. Access for non-ADS personnel must be uniquely identifiable and submitted in writing to the appropriate information security office prior to receiving access. The written request for access shall describe the reason and duration of the need (to include an anticipated termination date). This written request must describe the nature of access, reference the Business Associate Agreement (BAA) if needed, contain sufficient information to identify potential risk, and meet the minimum necessary requirement. If granted, the access must be documented, noting the date when granted.

5.10. Requests for access to ePHI systems utilized for Institutional Review Board-approved research shall be reviewed against the above established criteria on a case-by-case basis.

5.11. All networks containing ePHI shall utilize measures to prevent unauthorized devices from connecting to the network.

5.12. User's responsibilities:

5.12.1. Shall follow the ADS and their department's system security procedures, i.e., security patches, anti-malware protection, anti-spam protection. Exceptions shall be approved by the appropriate information security office.

5.12.2. Shall not implement systems that function as a bridge between an ADS network containing ePHI/sensitive information and an external network, i.e., split tunneling.

5.12.3. Shall log off applications containing ePHI/sensitive information when not in use. Also shall lock the computer screen or log off Windows when not in use.

5.12.4. Shall not share their access codes or passwords with other individuals.

5.12.5. Shall not perform unauthorized scanning on an ADS network. Scanning activities must be pre-approved by the appropriate information security office. Examples include but are not limited to Nmap scans, Nessus assessments, port scans, phone sweeps, probing tools, and other similar scanning activities.

5.12.6. Shall not attempt unauthorized or inappropriate access to any ADS system, including those containing ePHI or other sensitive information.

5.12.7. Shall apply the same security policies and procedures as are required in the workplace when accessing ADS resources containing ePHI, regardless of the location (i.e., applying necessary access lists, software or network firewalls, access controls, etc., when at home or at another off-site location).

5.13. System Administrator responsibilities:

5.13.1. Shall report unapproved portable devices to the appropriate manager.

5.13.2. Shall implement and maintain the latest security patches on the systems under their management.

5.13.3. Shall implement and maintain anti-malware software on the systems under their management.

5.13.4. Shall apply automatic logoff/lockout features for inactive user sessions (i.e., 15-minute logoff in high volume/traffic areas as per industry best practices or local policy).

5.13.5. Shall use separate, unique user accounts to ensure individual accountability.

5.13.6. Shall establish user accounts and accounts with higher privilege, i.e., system administrator, supervisor, root, superuser, in a manner that ensures individual accountability.

5.13.7. Shall not establish group user accounts.

5.13.8. Shall grant minimum necessary and direct need-to-know access rights as applicable to the person's documented job function. The appropriate information security office shall approve additional access rights.

5.13.9. Shall establish emergency access procedures for the systems they manage.

5.13.10. Shall keep and monitor logs in order to detect and document attempts to compromise accounts, password brute force, and other types of abuse.

5.14. Manager responsibilities:

5.14.1. Shall ensure users follow policies for use of portable devices in accord with the HIPAA Security Core Policy, "Use of Portable Devices".

5.14.2. Shall routinely monitor to ensure users are aware of and in compliance with the security policies, including those addressing portable devices and home workstations.

5.14.3. Shall establish procedures in written or electronic form to comply with this policy and, if an action, activity, or assessment is required by this policy to be documented, maintain a written or electronic record of the action, activity, or assessment.

5.14.4. Shall ensure Business Associates are aware of and in compliance with all of the HIPAA and HITECH security requirements.

5.15. Business Associates' responsibilities:

5.15.1. All Business Associates shall be required to sign an approved Business Associate Agreement.

5.15.2. Business Associates must comply with ADS policies and standards applicable to the nature of their work with ADS.

5.16. Remote access:

5.16.1. Requests for remote access must be reviewed and approved. Security control used to safeguard sensitive information will be evaluated. Remote access accounts should be periodically reviewed. Examples of minimum security controls include unique user ID, strong password, two-factor authentication, session timeout, and secure connection.

5.16.2. Remote users, when accessing ePHI systems, shall use an ADS-approved Virtual Private Network (VPN) solution.

5.17. Violations

5.17.1. Violations of these policies may result in disciplinary action, up to and including dismissal, and civil and criminal penalties.

5.17.2. Business Associates must comply with ADS policies applicable to the nature of their work with ADS. Business Associates who do not follow applicable requirements could be subject to breach of contract penalties, possible legal prosecution, civil and criminal penalties, and other legal remedies/ramifications as are available to ADS.

5.18. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.18.1. Your HIPAA Security Officer hippa@adv-data.com or call 619-452-1234.

6. REFERENCES: None

7. SCOPE: This policy applies to all ADS Staff.

ADS HIPAA Account Management

HIPAA Core Policy: Information Systems Account Management

Abstract:

This policy sets forth guidelines for establishing minimum criteria for user account management.

Effective Date:

3/23/2016

Applies to:

Staff

 

1. PURPOSE: To establish minimum criteria for user account management.

2. PHILOSOPHY: Data available through ADS information systems shall maintain confidentiality, integrity, availability, and accountability.

3. APPLICABILITY: This applies to all ADS staff.

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Account Administrator: Individuals who are charged with adding, disabling, and modifying access granted to users and other types of accounts such as service accounts.

4.1.2. Authentication mechanism: Items such as, but not limited to, passwords, tokens, biometrics, and smart cards.

4.1.3. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.4. Separation: The cessation of an individual’s authority to occupy any role and perform any responsibilities on behalf of ADS. This may occur through the resignation of personnel, the dismissal of personnel or the termination of contractual agreements.

4.1.5. Strong passwords: Current industry best practices identify this as a minimum of eight alphanumeric characters with at least one upper case and one special character.

4.1.6. User account: An established relationship between a user and a computer network, service, or application. User accounts are assigned a user ID and are uniquely identifiable and traceable to one user or entity.

4.1.7. User ID: An individual ID used to identify a unique individual when logging into an information resource such as a computer, network, service, or application. Synonymous with sign-on code.

4.2. Background Information: Access is determined by position, role, and/or responsibility. If an employee’s position, role, and/or responsibility change, system access shall be reevaluated as to its applicability. If the user believes that his/her account has been compromised, the user must contact their information systems help desk to report the occurrence and change his/her account information.

5. POLICY:

5.1. Unique User Identification 

5.1.1. All users must have a standard unique identifier (user ID) assigned for accessing ADS information resources.

5.1.2. Whenever possible, ADS information resources shall prohibit concurrent or simultaneous access by the same user ID except in cases where business use has been deemed necessary and appropriate and authorized by management. 

5.1.3. Generic user IDs shall only be allowed where the functions accessible or activities carried out by the ID do not need to be traced or audited.

5.1.4. Service accounts used for communications between systems and to operate services within a server environment shall be unique and shall be held confidential by the system administrators. ADSIT and ADSHS HSIS shall establish auditable procedures to securely maintain and access service accounts by systems administrators.

5.2. A user’s account shall be promptly deactivated upon notification of separation of his relationship with ADS.

5.3. Users shall be given the minimal necessary access privileges to perform their duties. If a user’s position, role, and/or responsibility changes the user’s account privileges shall be reevaluated and modified (if necessary) by their manager to match the minimum necessary for the current position’s responsibilities.

5.4. All systems and applications are required to use at least a user identifier (typically a user ID) and an authentication mechanism, i.e. password, token, biometrics, smart card.

5.5. Minimally each department or clinical area shall have a designated written authorization process for granting access to ADS information resources. This process shall include a procedure for validating a user’s identity and notifying the user’s supervisor. Such a process shall include how the person granting access is identified. This person shall be a specifically identified individual who grants others access to resources.

5.5.1. All account requests shall at least include the last four digits of a user’s social security number or an equivalent, such as employee number or logon ID.

5.5.2. All users requesting an account shall be required to provide their name as it appears on their personnel records (if applicable), department, title, phone number, and their supervisor’s name and email address.

5.6. A process to document initial account requests shall be in place for each system.

5.7. Personnel shall notify the appropriate information systems help desk of any account violations.

5.8. Newly implemented systems and current systems with the capability shall comply with the following policies. Existing systems without the capability shall use their maximum available security features and work to comply with the following policies as systems are upgraded.

5.8.1. All systems shall enforce strong password selection.

5.8.2. All systems shall have audit trail capabilities that provide documented evidence of user access.

5.8.3. Passwords shall not be viewable to users or system administrators.

5.8.4. Passwords shall be stored encrypted on the system.

5.8.5. Default passwords and PINs shall be changed.

5.8.6. Guest accounts shall be disabled.

5.8.7. The system shall prompt a user to choose a new password upon initial access to the system or after his account has been reset.

5.9. Users’ Responsibilities:

5.9.1. Users shall protect account information and prevent use of their IDs, passwords, PINs, and tokens by others.

5.9.2. Users shall access information appropriately – with individually-assigned accounts and in compliance with ADS standards and policies.

5.9.3. Users shall not re-use expired passwords for at least 4 password-expiration cycles.

5.9.4. Users shall choose a new password upon initial access to the system and each time the password is reset by the administrator – to the extent that password change capabilities are supported by the system.

5.9.5. Users shall choose strong passwords – to the extent that strong password capabilities are supported by the system.

5.9.6. Users have a responsibility to close or log off applications or lock the workstation immediately after use.

5.9.7. Users shall provide account administrators with their manager’s contact information (name, e-mail and phone number) when directly requesting access to information resources.

5.9.8. Vendors and contractors shall not be granted access without approval of the ADS sponsoring department. Access requests shall be submitted by the vendor's/contractor's assigned ADS management contact.

5.9.9. Users shall contact the appropriate system administrator for password resets and user account issues.

5.9.10. Users shall not verbally reveal their password to the helpdesk or any other person asking for the password. If the helpdesk needs the password, it will be a reset.
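The password rules this policy sets can be enforced at the system level: the strong-password definition in 4.1.5 (at least eight alphanumeric characters with at least one upper-case and one special character), storage in a form that is not viewable by users or administrators (5.8.3, 5.8.4), a forced change on first access or after an administrator reset (5.8.7, 5.9.4), and no reuse within four expiration cycles (5.9.3). The following Python is an added illustration written for this page, not ADS's own code; the exact character classes, the use of salted scrypt as the non-reversible stored form, and "four cycles" meaning the last four stored hashes are all assumptions made here.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed reading of definition 4.1.5: eight or more characters, both letters and
# digits present, at least one upper-case letter and at least one special character.
MIN_LENGTH = 8
HISTORY_DEPTH = 4   # 5.9.3: an expired password may not return for four cycles (assumed = last 4 hashes)


def password_violations(pw: str) -> List[str]:
    """Return the policy rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"[0-9]", pw):
        problems.append("must contain both letters and digits")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt digest: what gets stored (5.8.4), from which the password cannot be read back (5.8.3)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class AccountPasswordRecord:
    """Per-account password state; only salts and digests are kept, never the password itself."""
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first, newest last
    must_change: bool = True  # 5.8.7: a new account must pick its own password on first access

    def was_used_recently(self, pw: str) -> bool:
        """True if pw matches any of the last HISTORY_DEPTH stored hashes (5.9.3)."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            # Re-derive with the stored salt and compare in constant time.
            if hmac.compare_digest(hash_password(pw, salt)[1], digest):
                return True
        return False

    def set_password(self, pw: str) -> List[str]:
        """User-chosen password. Returns the list of violations; empty means it was accepted."""
        problems = password_violations(pw)
        if self.was_used_recently(pw):
            problems.append("reused within the last %d expiration cycles" % HISTORY_DEPTH)
        if problems:
            return problems
        self.history.append(hash_password(pw))
        del self.history[:-HISTORY_DEPTH]  # keep only the most recent HISTORY_DEPTH entries
        self.must_change = False
        return []

    def admin_reset(self, temporary_pw: str) -> List[str]:
        """Administrator reset (5.9.4): the temporary password must itself meet policy, and the
        user is forced to choose a new one at next logon."""
        problems = self.set_password(temporary_pw)
        if not problems:
            self.must_change = True
        return problems


if __name__ == "__main__":
    rec = AccountPasswordRecord("jdoe")            # constructed sample account
    print(rec.set_password("Troubador3"))          # ['no special character']
    print(rec.set_password("Tr0ub4dor&3"))         # []
    print(rec.set_password("Tr0ub4dor&3"))         # ['reused within the last 4 expiration cycles']
    print(rec.admin_reset("Temp!Reset9"), rec.must_change)  # [] True
```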

5.10. Account Administrators’ Responsibilities:

5.10.1. Account administrators shall notify the user’s manager when the user submits a direct request for access.

5.10.2. Account administrators shall add, modify, and disable user accounts upon notification from the appropriate manager.

5.10.3. Account administrators shall periodically analyze system logs to determine accounts that may have been compromised.

5.10.4. Account administrators shall not accept access requests from vendors or contractors. Access requests for vendors and contractors shall be submitted by ADS management with oversight for the vendors’/contractors’ activities.

5.10.5. Account administrators shall ensure that systems are configured to comply with this policy.

5.11. Managers’ Responsibilities:

5.11.1. Managers shall ensure and justify appropriate access for those under their supervision – including employees, vendors, contractors, and other third parties.

5.11.2. Managers shall provide account administrators with a projected separation date or contract termination date when requesting user accounts for temporary employees, vendors, contractors, and other third parties.

5.11.3. Managers shall ensure that access rights are the minimum necessary and commensurate with current job responsibilities for all individuals under their supervision.

5.11.4. Managers shall review, approve, and submit requests for the user accounts of those individuals under their supervision.

5.11.5. Managers shall ensure that individuals under their supervision are trained to access and use ADS information resources.

5.11.6. Managers shall enforce standards, policies, and procedures associated with the use of ADS information resources.

5.11.7. Managers shall notify relevant account administrators upon an employee’s termination or transfer and upon a vendor’s, a contractor’s, or another third-party’s completion of service.

5.12. ADS employees who do not follow the above policies may be subject to disciplinary action up to and including dismissal.

5.13. Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5.14. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.14.1. Your HIPAA Security Officer hippa@adv-data.com or call 619-452-1234.

6. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, ADS may report the matter to civil and criminal authorities as may be required by law.

7. REFERENCES: None

8. SCOPE: This standard applies to all ADS staff.

9. ATTACHMENTS: None

ADS HIPAA Administration

HIPAA Core Policy: HIPAA Administration

Abstract:

This policy ensures that ADS staff implement certain human resources requirements to protect against the wrongful use or disclosure of protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act ("HIPAA").

Effective Date:

6/7/2016

Responsible Party:

Applies to:

Staff

1. PURPOSE: To ensure that ADS staff implement certain administrative requirements to protect against the wrongful use or disclosure of protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act ("HIPAA").

2. PHILOSOPHY: ADS values and promotes business practices among its staff members that provide privacy and security of PHI.

3. APPLICABILITY: This policy applies to all ADS staff.

4. DEFINITIONS: ADS adopts the definitions set forth in the HIPAA regulations, 164.308 Administrative Safeguards.

5. POLICIES:

5.1. Identifying HIPAA Covered Entities

5.1.1. When a new unit or department is established, Legal Counsel will assess and determine whether or not the new entity will be designated as a HIPAA covered entity, according to the definition and other guiding documentation provided by the Federal HIPAA regulations.

5.1.2. Upon review of a HIPAA Privacy Core Policy, Legal Counsel and the Privacy Officer will reassess each ADS HIPAA covered entity identified in the "applicability" section of the policy to ensure that each continues to qualify as a HIPAA covered entity.

5.2. Personnel Designations 

5.2.1. ADS shall designate a HIPAA Privacy Officer who is responsible for maintaining the policies and procedures regarding health information privacy. The Privacy Officer will work with the ADS HIPAA Covered Entities’ Entity Privacy Coordinators to communicate and implement these policies and procedures.

5.2.2. ADS shall designate a HIPAA Security Officer who is responsible for maintaining the policies and procedures regarding health information security. The Security Officer will work with the ADS HIPAA Covered Entities’ Entity Security Coordinators to communicate and implement these policies and procedures.

5.3. Workforce Training

5.3.1. ADS shall train all staff members on its HIPAA-related policies and procedures. 

5.3.2. This training is required for all workforce members of ADS. It should be completed within the first 30 days (for VIVA, 60 days) of employment or assignment.

5.3.3. Successful completion of this training will be documented.

5.4. Disciplinary Actions

5.4.1. ADS, through its Human Resources Departments, shall apply disciplinary actions against members of the workforce who fail to comply with ADS’s HIPAA policies and procedures or applicable laws regarding PHI.

5.4.2. The Human Resources Department will consider all relevant factors in determining the nature and severity of the disciplinary action: the type of violation, the intent of the workforce member at the time of the violation, and the number and frequency of any prior violations. Cumulative disciplinary actions may be imposed on an individual who commits more than one violation.

6. REFERENCES: None

7. SCOPE: This standard applies to all ADS Covered Entities.

8. ATTACHMENT: None

ADS HIPAA Reallocation & Disposal of Media

HIPAA Core Policy: Media Reallocation and Disposal

Abstract:

This policy establishes guidelines for the secure reallocation and disposal of media that contain sensitive data.

Effective Date:

3/21/2016

 

Applies To:

ADS Staff.

1. PURPOSE: To establish policy for the secure reallocation and disposal of media that contain sensitive data.

2. PHILOSOPHY: Information in all forms and throughout its life cycle should be protected from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. Improper handling and disclosure of information poses a significant risk to ADS.

3. APPLICABILITY: This policy applies to ADS staff members.

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

4.1.2. Sensitive information or data: Any information that may only be accessed by authorized personnel. It includes PHI, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect ADS if inappropriately handled.

4.1.3. Media: Physical objects on which data can be stored such as hard drives, disks, CDs, tapes, paper, and other storage devices.

4.1.4. Reallocate: The assignment of media from one party within ADS to another party within ADS so it can be used for a different purpose.

4.1.5. Disposal: The permanent removal of media as an ADS information asset.

4.1.6. Authorized Personnel: Persons appointed or given authority by ADS Administration to take a given action or serve in a given role.

4.1.7. Secure Disposal Vendor: A third party contracted to sanitize media on the behalf of ADS. The media to be sanitized, shall be placed in the vendor’s specially marked containers. Note: ADS’s various secure disposal vendors have specific guidelines regarding the amount of non-paper products that may be placed in the vendors’ containers.

4.1.8. Clean: To render information on media inaccessible, unless special software or techniques are used. Some examples include formatting and re-imaging media.

4.1.9. Sanitize: To expunge data from media or to render it in such a state that recovery of said data is reasonably impossible. Formatting and re-imaging the media are not acceptable forms of sanitization. The use of overwriting software in accord with provisions in this policy is an acceptable form of sanitization.

4.1.10. Physical Destruction: To render media in such a state that recovery of information from the media is reasonably impossible. This is a form of sanitization. Some examples include pulverizing, mangling, and the use of an appropriate shredder. A secure disposal vendor may also be used.

4.1.11. Damage: To render media in such a state that it cannot be accessed by standard methods. However, data on the media may be accessed using special techniques. For example, bending a disk such that it cannot be read by the drive does not comply with provisions in this policy. Damaging media is not an acceptable form of sanitization.

4.1.13. Secure Location: An area or place with restricted and monitored access.

5. POLICY:

5.1. Sensitive information shall not be removed from its designated ADS area without the approval of ADS Administration.

5.2. Media shall be cleaned or sanitized only by authorized personnel.

5.3. Media containing non-sensitive information shall be cleaned or sanitized prior to being reallocated.

5.4. Media containing sensitive information must be sanitized prior to being reallocated.

5.5. Equipment containing mass storage devices, either removable or non-removable media (including hard disks, flash memory, optical discs, magnetic tape, etc.), with sensitive data shall be reasonably secured at all times to reduce the risk of data and equipment loss.

5.6. Unused equipment containing mass storage devices (including desktop and laptop computers, servers, printers, copiers, fax machines, biomedical equipment, cameras, and smartphones such as the iPhone) that is slated for disposal or reallocation shall be sanitized and processed as soon as possible to reduce the risk of data and equipment loss.

5.7. A log shall be kept to verify sanitization or destruction of the media containing sensitive information.

5.8. Sanitization methods include:

5.8.1. Use of overwriting software to expunge all data from the media.

5.8.2. Physically destroying the media.

5.8.3. Use of a degausser to reduce the magnetic flux of the media to virtually zero, thereby expunging all data from the media. The degausser used shall be appropriate for the media being sanitized.

5.9. Media containing sensitive information shall not be placed in the regular trash.

5.10. Secure disposal vendor services shall only be used for the disposal of sensitive information.

5.11. Non-sensitive information shall be placed in regular trash disposal containers.

5.12. ADS employees, vendors, and contractors shall report policy violations to the appropriate Data Security Office.

5.13. ADS employees who do not follow the above policies may be subject to disciplinary action up to and including dismissal.

5.14. Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5.15. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.15.1. Your HIPAA Security Officer: hippa@adv-data.com, or call 619-452-1234.

6. REFERENCES: None

7. SCOPE: This standard applies to all ADS staff covered under HIPAA and their systems that maintain PHI.

8. ATTACHMENTS: None.

ADS HIPAA Masters Training Certification


ADS HIPAA Risk Analysis
HIPAA Core Policy:
Risk Analysis and Management of ePHI

Abstract:

This policy establishes guidelines for ongoing risk analysis and management of ePHI, which will assist in determining the value of assets and the corresponding exposure to threats and vulnerabilities.

Effective Date:

3/23/2016


Applies To:

Staff.

1. PURPOSE: To establish policy for risk analysis and management of ePHI. Information produced during the risk analysis will be utilized to determine and manage countermeasures critical for assurance of our ePHI resources. Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities. 

2. PHILOSOPHY: Security of our ePHI resources requires an effective risk management program, which includes continual assessment and the acceptance or mitigation of discovered risks.

3. APPLICABILITY: This policy applies to all ADS staff.

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Information Security Officer – A designated individual responsible for the management of information security.

4.1.2. Electronic Protected Health Information (ePHI): PHI in electronic form.

4.1.3. HIPAA Security Officer – A designated individual responsible for HIPAA related information security issues.

4.1.4. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually

ADS HIPAA Use of Portable Devices

HIPAA Core Policy:
Use of Portable Devices

Abstract:

This policy establishes guidelines for ADS staff engaged in administration who use portable computing devices and/or portable storage devices, or who are considering their use in the future.

Effective Date:

3/23/2016


Applies To:

ADS Staff.

1. PURPOSE: To establish policy for ADS staff members engaged in the administration of portable computing devices and/or portable storage devices (hereafter referred to as portable devices), including devices being considered for use in the future.

2. APPLICABILITY: This policy applies to all ADS staff. Therefore, use of portable devices by ADS staff and by all affiliated individuals, such as third-party users of ePHI or other sensitive information, is governed by this policy. In addition, this policy addresses the use of portable devices in each of, but not limited to, the following device ownership scenarios:

  • Originally purchased by and ownership retained by ADS.

  • Originally purchased by ADS with ownership transferred to an ADS staff member, or affiliated individual accepting the device.

  • Originally purchased and ownership retained by the ADS staff member, resident, vendor, or affiliated individual.

*ADS staff members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management and used in accordance with ADS policies and procedures.

3. PHILOSOPHY: To protect information and information technology, data integrity, confidentiality, and availability must be guarded. The unsanctioned transport of information via portable devices puts our mission and patient safety at risk. Portable devices, including personally owned devices, should not be used for computing and/or storing ePHI. Requests to use portable devices to store ePHI shall be limited to rare situations that require special consideration and justification. If their use is unavoidable and is approved by senior management, the security measures contained in this core policy must be followed.

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Portable Computing Devices (PCD): Include, but are not limited to, hand held devices, pen pads, cell phones, smart phones, iPhones, Android devices, iPads, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the Internet, or desktop personal computers via some form of interconnection and/or synchronization process.

4.1.2. Portable Storage Devices (PSD): Include, but are not limited to, removable or external hard disk drives, DVDs, CDs, flash drives, pen drives, USB drives, tapes, and other portable storage devices capable of acting as a transport agent for digital information.

4.1.3. Sensitive Information:  Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect ADS if inappropriately handled.

4.1.4. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

The following identifiers of an individual or of relatives, employers, or household members of the individual, are considered PHI:

1. Name

2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code, and equivalent geocodes)

3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age

4. Telephone numbers

5. Fax numbers

6. Electronic mail address

7. Social security number

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/License numbers

12. Vehicle identifiers and serial numbers including license plate numbers 

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications (164.514(c)).
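The identifier list above can be turned into a screening check that a data handler runs before a note or export leaves the secure server environment. The following is an added example, not part of the ADS policy or its tooling: it scans free text for a subset of the listed identifiers (items 3, 4, 6, 7, 14, 15), flags ages over 89 as item 3 requires, and leaves a bare year alone. The regular expressions and the sample notes are constructed for illustration.

```python
import re
from typing import List, Set, Tuple

# Patterns for a subset of the identifiers listed above.  These are
# illustrative (constructed for this example), not an exhaustive detector.
PATTERNS = {
    "telephone_number": re.compile(
        r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Stop before trailing punctuation so "...visit/1," does not keep the comma.
    "url": re.compile(r"https?://[^\s<>\"']+?(?=[.,;:]?(?:\s|$))"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Item 3: any date element except a bare year is an identifier, so only
    # month/day-bearing forms are matched; "2016" on its own is not.
    "date_element": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}

# Ages are only identifiers above 89, so they are checked numerically.
AGE_RE = re.compile(
    r"\b(\d{1,3})[- ]year[- ]old\b|\bage[d]?\s*:?\s*(\d{1,3})\b", re.IGNORECASE)


def find_phi_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs for identifiers found in text."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(0)))
    for m in AGE_RE.finditer(text):
        age = int(m.group(1) or m.group(2))
        if age > 89:
            hits.append(("age_over_89", m.group(0)))
    return hits


def identifier_categories(text: str) -> Set[str]:
    """Set of identifier categories present; empty means nothing was flagged."""
    return {category for category, _ in find_phi_identifiers(text)}


# Constructed sample notes (not real records).
SAMPLE_NOTE = (
    "Patient seen 03/23/2016, 92-year-old, reached at 619-555-0100, "
    "email j.doe@example.org, SSN 123-45-6789, "
    "portal https://portal.example.org/visit/1, device synced from 10.0.0.5."
)
DEIDENTIFIED_NOTE = "Patient seen in 2016, aged 45, follow-up in the spring."

if __name__ == "__main__":
    for category, value in find_phi_identifiers(SAMPLE_NOTE):
        print(f"{category:17s} {value}")
    print("deidentified note flags:", identifier_categories(DEIDENTIFIED_NOTE))
```

A hit on any category means the text still carries a listed identifier and should stay inside the secure server environment until it is removed or the transfer is approved under section 5.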

4.1.5. Electronic Protected Health Information (ePHI): PHI in electronic form.

4.1.6. Strong Passwords: Current industry best practices identify this as a minimum of eight alphanumeric characters with at least one upper-case and one special character.

4.1.7. Workforce members: Any individual (physician, resident, employee, student, volunteer, contracted employee, visiting faculty, or clinical or research fellow) who accesses ADS electronic protected health information or is considered an ADS workforce member within the federal HIPAA regulations.

4.1.8. Senior Management: Persons in positions of management, or persons specifically designated by a management person, who make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.

4.2. Background Information: There is a growing number of applications, both commercial and institutionally developed, that allow individuals to store, view, and interact with sensitive data on a portable device. Many Federal regulations and guidelines require institutions to develop policies and protections to secure electronic information stored on or accessed from any computing device, including portable devices. This policy addresses this requirement when portable devices are used to access and/or store ADS ePHI or other sensitive information. Such devices pose great risk to ADS if not adequately safeguarded and appropriate handling techniques are not utilized. Therefore, any portable electronic device or storage mechanism that may contain ePHI or other sensitive information, or that interfaces with a system containing ePHI or other sensitive information, is subject to this policy.

5. POLICY:

5.1. Workforce member responsibilities:

5.1.1. All ePHI or other sensitive information must be stored in secure server environments only, as in a directory on a secure network file server. In addition, analysis and research work shall be conducted in the secure server environment. Storing ePHI or other sensitive information in any other environment requires documented permission from senior management.

5.1.2. No workforce member should copy or download ePHI or other sensitive information to a local hard drive, CD, DVD, flash drive, laptop, or other storage device without documented prior approval from senior management.

5.1.3. In the event prior approval has been granted for downloading ePHI or other sensitive information, workforce members shall be responsible for the protection from improper use or disclosure of all ePHI or other sensitive information contained on their portable device and personal computer.

5.1.3.1. Security of data maintained and stored on such devices is subject to the provisions of relevant local, state, and federal statutes and regulations, including the provisions of the ADS HIPAA core policies and other ADS and ADSHS policies.

5.1.4. Workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to ADS for routine or special analyses. In addition, the device must be set-up in English.

5.1.5. In the event senior management authorizes the use of a portable device for the transfer or use of ePHI or other sensitive information, the device must be purchased by ADS or receive approval from ADS's Information Security Officer prior to operation.

5.1.6. ePHI or other sensitive information stored on portable devices shall be protected from unauthorized access in accordance with applicable ADS policies through the use of effective and necessary approved measures. These shall include, but are not limited to, the following:

5.1.6.1. Password protection using approved strong password techniques.

5.1.6.1.1. Portable devices such as cell phones and portable storage that support the clearing of memory/storage after a number of failed login attempts shall erase their contents after a minimum of 10 failed login attempts.

5.1.6.1.2. BIOS and/or boot passwords shall be used for all portable devices incapable of meeting the password complexity requirements.

5.1.6.2. Encryption software shall be approved by ADS’s Information Security Officer.

5.1.6.3. Up-to-date anti-malware software shall be installed and maintained with frequent updates.

5.1.6.4. Appropriate hardware or software firewall protection shall be utilized if the portable device containing sensitive information is connected to the Internet via an “always on” broadband connection.

5.1.7. If ePHI or other sensitive information is uploaded from the portable device to a computer, the workforce member shall be responsible for safeguarding such ePHI or other sensitive information on that computer in accordance with all applicable policies and procedures including the ADS HIPAA core policies and the requirements of the HIPAA security rule.

5.1.8. Use of portable devices shall employ approved ADS or ADS VPN technology when establishing a connection to the ADS network via public networks.

5.1.9. Portable devices accessing wireless networks must meet the following criteria:

5.1.9.1. Portable devices must use encryption for secure information transfers.

5.1.9.2. Portable devices using only WEP encryption technology will not be approved for the transfer of ePHI or other sensitive information.

5.1.9.3. Portable devices using publicly accessible wireless infrastructures and accessing ePHI or other sensitive information shall employ two-factor authentication as defined in the HIPAA Guidance for Remote Access and in accordance with ADS practices.

5.1.10. Sanctioned use of email on portable devices is only approved if the PCD employs ADS or ADSHS mobile device management software and configurations. Access to email systems in any other method is prohibited.

5.1.10.1. Portable devices storing email locally within the device shall have mechanisms that encrypt the email stored on the device, encryption of the email during transport, and the ability to erase the device after a number of failed login attempts.

5.1.11. Portable devices using a browser or other software for Internet access/activity shall follow ADS policies and standards for securing the browser and appropriate use policies.

5.1.12. Portable devices shall be backed up on a routine basis. The workforce member shall work with the appropriate IT department to maintain these backups in conformance with ADS, and HIPAA policies and standards. Workforce members shall not backup or synchronize devices on public workstations, servers, or home computers (including laptops).

5.1.13. Prior to disposal or transfer to a new owner, all ePHI and other sensitive information on that device must be destroyed. See the ADS HIPAA core security policy, "Media Allocation and Disposal."

5.1.14. Portable devices shall not be shared among family members or outside parties.

5.1.15. Removal of portable device hardware and electronic media from an ADS facility shall follow the guidelines below:

5.1.15.1. Workforce members shall not remove from an ADS facility any hardware or electronic media containing ePHI or other sensitive information (portable device), nor download ePHI or other sensitive information to any computer, device, or network that is not located in an ADS facility, without documented senior management approval.

5.1.15.2. Workforce members shall promptly (within 2 hours of the discovery of the loss) report the loss or theft of any portable device, hardware, electronic media, or any ePHI or other sensitive information stored on the portable device or electronic media to their appropriate supervisor and the ADS Security Officer.

5.2. System administrator responsibilities:

5.2.1. Final Disposal of Electronic sensitive information.

5.2.1.1. System Administrators shall ensure that ePHI or other sensitive information subject to final disposition is disposed of by using a method that ensures the ePHI or other sensitive information cannot be recovered or reconstructed. See the ADS HIPAA security core standard regarding media disposal and reallocation.

5.2.1.2. System Administrators shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce personnel authorizing the destruction, general description of the ePHI or other sensitive information (if available), and the identity of the workforce personnel performing the destruction.

5.2.1.3. System Administrators shall provide assistance in backing up portable devices according to applicable ADS, and ADS HIPAA core policies and standards. Backups should not be made from a portable device to another portable device as the sole backup. Backups shall (at a minimum) be made to a secure server environment.

5.2.1.4. System administrators shall report to the ADS HIPAA Security Officer (within 2 hours) the loss or theft of any portable device containing or possibly containing ePHI or other sensitive information.

5.2.1.5. Devices containing hard drives shall use ADS approved encryption technologies.

5.2.1.6. Disposal of the portable device containing a hard drive shall follow ADS policies.

5.3. Senior Management Responsibilities

5.3.1. If senior management approves copying or downloading ePHI or other sensitive information to a workforce member’s local hard drive, CD, DVD, flash drive, laptop, or other storage device, then senior management shall record the following minimal information about the approval:

5.3.1.1. Date of request.

5.3.1.2. Purpose of and rationale for request.

5.3.1.3. Date of approval.

5.3.1.4. Name of workforce member.

5.3.1.5. Type of device.

5.3.1.6. Date to reevaluate need of ePHI or other sensitive information.

5.3.1.7. Date ePHI or other sensitive information on device removed/destroyed.

5.3.1.8. Tracking information of device.

5.3.1.9. Data sources being utilized on device.

5.3.1.10. Date device is expected back or to be reviewed by responsible IT department.

5.3.2. If senior management consents to allowing contractors, business associates, or workforce members under contract to copy, download, or remove ADS ePHI or other sensitive information to any portable device, then senior management shall record the following minimal information about the approval:

5.3.2.1. Date of request.

5.3.2.2. Purpose of and rationale for request.

5.3.2.3. Date of approval.

5.3.2.4. Name of workforce member, contractor, or business associate.

5.3.2.5. Type of device.

5.3.2.6. Date to reevaluate need of ePHI or other sensitive information.

5.3.2.7. Date ePHI or other sensitive information on device removed/destroyed.

5.3.2.8. Tracking information of device.

5.3.2.9. Data sources being utilized on device.

5.3.2.10. Confirm appropriate contract language and Business Associate Agreements are properly executed.

5.3.2.11. Confirm appropriate confidentiality agreements and policy acknowledgements are properly executed and copies are retained within the department.

5.3.2.12. Document safeguards present on the device.

5.4. Contractor, Business Associates, and other temporary/contract workforce member’s responsibilities:

5.4.1. Contractors, business associates, or workforce members under contract may not copy, download, or remove ADS ePHI or other sensitive information to any portable device without documented consent from the appropriate ADS senior management. In the event ADS senior management consents to allow a contractor or business associate to use ePHI or other sensitive information on a portable device, the consenting party is responsible for the tracking, retrieval, and removal of the ePHI or other sensitive information materials and conformance to the policy statements in this policy.

5.4.2. Contractors, associates, and workforce members under contract shall employ safeguards equivalent to ADS safeguards prior to removal of any material.

5.4.3. Contractors and associates shall not share ePHI or other sensitive information with other parties or internal to their company without written approval from ADS.

5.4.4. This policy applies to workforce members within this class as it does to all ADS employees.

6. REFERENCES: None

7. SCOPE: This standard applies to all ADS staff members, applicable business associates, and their systems that maintain ePHI or other sensitive information. This standard applies to any and all means by which ADS protected health information (PHI) or electronic protected health information (ePHI) is used in a portable context.

8. ATTACHMENTS: None

ADS HIPAA EHR
EHR - Electronic Health Record

An electronic health record (EHR) (also electronic patient record (EPR) or computerised patient record) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations. It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems. Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information.

Its purpose can be understood as a complete record of patient encounters that allows the automation and streamlining of the workflow in health care settings and increases safety through evidence-based decision support, quality management, and outcomes reporting.


ADS HIPAA Hitech Act

HIPAA's BIG BROTHER!

Notice of Proposed Rulemaking to Implement HITECH Act Modifications

HHS issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Toll Free USA CANADA

1-855-SOS-DATA (767-3282)
International / Local 1-619-452-1234

24/7 EMERGENCY SERVICE - Live Engineer