Security Management Process § .308(a)(10)
...(creation, administration, and oversight of policies to ensure the prevention,
detection, containment, and correction of security breaches involving risk
analysis and risk management). It includes the establishment of accountability,
management controls (policies and education), electronic controls, physical
security, and penalties for the abuse and misuse of its assets (both physical and
electronic) that includes all of the following implementation features:
(i) Risk analysis, a process whereby cost-effective security/control measures may
be selected by balancing the costs of various security/control measures against
the losses that would be expected if these measures were not in place.
(ii) Risk management (process of assessing risk, taking steps to reduce risk to an
acceptable level, and maintaining that level of risk).
(iii) Sanction policies and procedures (statements regarding disciplinary actions
that are communicated to all employees, agents, and contractors; for example,
verbal warning, notice of disciplinary action placed in personnel files, removal of
system privileges, termination of employment, and contract penalties). They must
include employee, agent, and contractor notice of civil or criminal penalties for
misuse or misappropriation of health information and must make employees,
agents, and contractors aware that violations may result in notification to law
enforcement officials and regulatory, accreditation, and licensure organizations.
(iv) Security policy (statement(s) of information values, protection
responsibilities, and organization commitment for a system). This is the
framework within which an entity establishes needed levels of information
security to achieve the desired confidentiality goals.
AMC Explanation of HIPAA Regulation Key Issues
An overall information security management process is necessary to establish policy, provide
oversight, and administer operational aspects of the program. The process must function in a
proactive, risk-appropriate manner and establish the framework for safeguarding protected health
information within the AMC. An over-arching information security policy that commits the
AMC to safeguard protected health information, to establish goals, and to assign responsibility is
necessary. Supporting policy statements and procedures are required to facilitate the prevention,
detection, containment, and correction of security breaches. Specific areas that the security
management process must cover are: risk analysis process, risk management process, sanction
process, and security policy.