Hello dmaestro22-ga,
It sounds like you have a good understanding of the HIPAA requirements
that impact your operation and you have many of the requirements
covered. I’ve collected some resources to help you review all the
topics in the HHS HIPAA Security Matrix that is the summary outline of
the requirements in the law and the steps and methodologies necessary
to implement them. I’ve organized the research into the two categories
you specified – physical security and technical security. In addition,
I’ve included some general information to help you give an overview
and context to your plan of action.
This is a complex law and there are lots of resources available.
Please ask for clarification if you need additional information on
anything I’ve provided. Wishing you a smooth and easy HIPAA
implementation.
czh
===================
GENERAL INFORMATION
===================
http://www.idg.net/ic_1311671_10320_1-5449.html
How to ensure security compliance with HIPAA
MAY 01, 2003
This is a short article that gives brief highlights of what is
included in the three chief areas of data security: administrative,
physical and technical.
http://www.aahp.org/Content/NavigationMenu/Inside_AAHP/Healthplan_Magazine/January_February_2003__HIPAA_Security_Requirements.htm
Healthplan (January/February 2003)
HIPAA Security Requirements Plans prepare to comply
HIPAA Security Requirements -- Specific Requirements
The security rule's requirements are organized into four major
categories: Administrative procedures, physical safeguards, technical
security services, and technical security mechanisms. Implementation
features are provided for each category.
Administrative Procedures. These requirements are intended to guard
data integrity, confidentiality, and availability….
Physical Safeguards. These requirements are intended to protect
computer systems and the buildings in which they are housed. The
covered entity must assign responsibility for physical security to a
specific individual or organization. Covered entities must have media
control policies and procedures for a covered entity's incoming and
outgoing hardware and software - for example, diskettes and tapes.
Controls must also be implemented to prevent unauthorized physical
access to information. These should include such measures as "need to
know" procedures for personnel access and sign-in for visitors and
escort, if appropriate. ….
Technical Security Services. Among these requirements are audit
controls, so that the organization can identify suspect data access
activities, and controls that limit access to health information to
employees who have a business need to do so.
Implementation features that must be met are either context-based
access, role-based access, or user-based access, as well as procedures
for access in emergency situations….
Technical Security Mechanisms. Organizations are required to protect
health care information transmitted electronically over open networks,
such as the Internet, from hackers or other intruders. If
communications networks are used, covered entities must comply with
implementation features including integrity controls, to ensure that
stored or transmitted data are valid, and message authentication, to
assure that the messages sent and received are the same. …
http://www.sentineldata.com/hipaalinks.html
This is a large collection of links to help you with HIPAA
implementation
Other Standards Recognized by HIPAA
In an attempt to identify other existing security related standards,
as a component of the proposed security standard, HHS developed an
HIPAA Security Matrix. At some point, there will exist a unified
national standard. In the mean time, listed below are existing
standards that deal with Administrative Procedures to Guard Data
Integrity, Confidentiality, and Availability (superscript numbers
refer to identifiers in the HIPAA Security Matrix document).
http://www.healthtech.net/hipaa/hss-security-matrix/
HIPAA SECURITY MATRIX
This is a grid that sets out the Requirements of the four security
categories and for each lists the necessary Implementation action
steps.
http://www.computersecuritysolutions.net/SECMATRIX.htm
Security Matrix
This is a different, somewhat more detailed, version of the security
matrix.
http://www.hipaadvisory.com/sitemap/
HIPAAdvisory.com from Phoenix Health Systems
This is a very comprehensive site that gives you information about
every aspect of HIPAA compliance. You can scan the site index and find
the topics that are of special interest to you.
===================
PHYSICAL SAFEGUARDS
===================
You described some of the physical safeguards you have in place. These
articles give you bulleted lists of all elements that are included
under the physical safeguards requirements. Media controls, access
controls, risk assessment and disaster recovery are some major areas
that you should take a look at.
http://www.bricker.com/legalservices/practice/hcare/hipaa/164.310.asp
HHS Security Regulations -- Physical Safeguards - § 164.310
http://www.physicianofficemanager.net/hipaa.asp
HIPAA FAQs
Q: Does HIPAA require medical records to be under lock and key?
A: The proposed security rule lists the required physical safeguards
in section 142.308(b). The proposed security rule requires
organizations to implement the following physical safeguards and
security features:
1. Assigned security responsibility: The rule requires providers to
assign security responsibility to a specific individual or
organization and document that assignment. This responsibility
includes the management and supervision of: (1) the use of security
measures to protect data, and (2) the conduct of personnel in relation
to the protection of data.
2. Media controls: Providers must develop formal, documented policies
and procedures that govern the receipt and removal of hardware and
software (such as diskettes, tapes, computers). These controls include
the following mandatory implementation features:
· Controlled access to media
· Accountability (tracking mechanism)
· Data backup
· Data storage
· Disposal
3. Physical access controls: Providers must document formal policies
and procedures for limiting physical access, while ensuring that
properly authorized personnel can work freely. These controls include
the following mandatory implementation features:
· Disaster recovery
· Emergency mode operation
· Equipment control (into and out of site)
· A facility security plan
· Procedures for verifying access authorizations prior to physical
access
· Maintenance records
· Need-to-know procedures for personnel access
· Sign-in for visitors and escorts, if appropriate
· Testing and revision
4. Policy regarding workstation use: Each organization must have a
policy on workstation use which outlines the proper functions to be
performed (i.e., logging off before leaving a terminal unattended).
5. Secure workstation: Each organization must put into place physical
safeguards to eliminate or minimize the possibility of unauthorized
access to information. Make sure your computer systems require
log-ins and that screensavers kick in if there is even a very short
period of inactivity. Software systems that track access may become
necessary, and plans and providers probably will be required to keep
track of all external disclosures.
6. Security awareness training: All employees, agents, and
contractors must be trained about security issues and the policies and
procedures in place to prevent breaches.
Q: How do I delete electronic medical records in compliance with HIPAA
?
A: The proposed security rule requires that providers outline a formal
process for removal of electronic data and the hardware on which it's
stored. Before your organization disposes, recycles, or donates any
magnetic computer media (floppy disks, tapes, hard drives, etc.), the
electronic data must be permanently removed. Permanent data removal
can be accomplished either by degaussing, using a strong magnetic
field to scramble the media, or by a process referred to as
Zeroization where zeros are written over the entire media record area.
Reformatting or deleting the data is not sufficient because it is not
permanent as there is technology that can rebuild file structure and
recover deleted data.
==========================================
TECHNICAL SECURITY SERVICES AND MECHANISMS
==========================================
http://www.oz-systems.com/Documents/HIPAA%20Compliance%20-%20External.pdf
Oz Systems Secure Data Center – Outlining HIPAA Compliance
This is a 6-page implementation plan for a data center from a
particular vendor. The requirements and possible solutions offered
will help you review your own situation and what you have in place and
what may need to be enhanced.
http://www.hipaadvisory.com/regs/securityandelectronicsign/technicalsecur.htm
3. Technical Security Services to Guard Data Integrity,
Confidentiality, and Availability
Covers requirements and implementation for Access control, Audit
controls, Authorization control, Data Authentication and Entity
authentication.
http://www.hipaadvisory.com/regs/securityandelectronicsign/technical.htm
4. Technical Security Mechanisms to Guard Against Unauthorized Access
to Data that is Transmitted over a Communications Network
Communications/network controls (If communications or networking is
employed, the following implementation features must be implemented:
Integrity controls, Message authentication. In addition, one of the
following implementation features must be implemented: Access
controls, Encryption. In addition, if using a network, the following
four implementation features must be implemented: Alarm, Audit trail,
Entity authentication, Event reporting).
===============
SEARCH STRATEGY
===============
HIPAA data security requirements
HIPAA physical security requirements
HIPAA technical services mechanisms implementation
HIPAA security matrix |
