Page 1
AMC/HIPAA Workgroup
Guidelines for Academic Medical Centers
on Security and Privacy
Practical Strategies for Addressing the Health
Insurance Portability and Accountability Act
May 2001
Version 1.0
Based on
HIPAA Security and Electronic Signature
Standards; Proposed Rule 8/12/1998
and
HIPAA Standards for Privacy of Individually
Identifiable Health Information; Final Rule 12/28/2000
Copyright 2001 Association of American Medical Colleges
All Rights Reserved
Abstract
Most health care organizations are now actively interested in implementing the security and
privacy measures called for by the HIPAA regulations and are wondering how to get started with
this complex, long-lived, and expensive task. This document was developed to help Academic
Medical Centers address the HIPAA security and privacy regulations. As we developed this
document, we identified a number of key factors that will facilitate HIPAA compliance work.
These include:
Awareness: Create and run awareness sessions.
Awareness is important at all levels of the organization, but at the early stages it is most essential
for middle and upper management. HIPAA planning cannot move forward in any substantial
way until the stakeholders of the organization are actively engaged in creating plans and
organizational approaches and developing cost estimates.
Start Correctly and Early: HIPAA is a compliance issue; treat it as one.
It is important for everyone, especially senior managers, to understand that HIPAA is a
regulatory compliance project rather than simply an IT initiative. Treating it as a compliance
issue is much more likely to lead to the appropriate organization, attention level, and allocation
of resources. Resources need to be in the budget cycle for the upcoming fiscal year in order to
meet the aggressive timeline.
Standardize your Approach:
Many of the security and privacy requirements can best be met by creating guidelines, principles,
templates, and checklists that are then used consistently in each domain (e.g., system,
department, division). This will save staff time by creating an efficient, consistent approach.
Consistency will make the system more understandable to those who work across various
domains and will make the approach more defensible to those with oversight roles (e.g., risk
managers, external auditors, JCAHO).
Success Requires Cultural Change:
To run a successful HIPAA-compliant operation, most organizations will have to go through a
cultural change in how they manage privacy and security until the new methods become
systematic and reflexive. Responses that are not common now will need to become so for a large
percentage of the workforce. Many of the HIPAA requirements point up the need for this kind
of "new common sense." Widespread cultural change requires commitment and leadership
across an organization.
HIPAA Will Endure:
HIPAA, and the good privacy and security practices it mandates, will require ongoing effort and
commitment. These activities must become part of an organization's ongoing operations and
culture.
HIPAA is an Asset:
Increasingly, the public has significant and pervasive concerns about privacy and confidentiality
in the electronic world. This is especially true where protected health information is involved.
AMCs that implement appropriate and comprehensive security and privacy policies will build
and maintain confidence in their enterprises. Demonstrating a commitment to protect security
and privacy will help build patient loyalty and support the research and clinical enterprise.
Executive Summary
The HIPAA security and privacy regulations exist for good reasons
Storing and transmitting health information in electronic form exposes it to risks that do not
exist, or exist to a lesser degree, when it is maintained in paper. Health information is a vital
business asset for a healthcare organization, and protecting it preserves the value of this asset. In
addition, securing patients' information protects their privacy and enhances the organization's
reputation for professionalism and trustworthiness. Healthcare organizations have long
recognized the value of health information, and are already taking many of the measures required
by the HIPAA security and privacy regulations. Nevertheless, complying with HIPAA will
require most covered entities (entities subject to the Security and Privacy regulations) to adopt
new policies and procedures for handling protected health information (individually identifiable
health information held by a covered entity) and to make some hard choices about how these
policies will be implemented. This report offers guidance in making those choices, and discusses
good healthcare security and privacy practices.
Covered entities should plan to comply within the next two years
The final HIPAA security and privacy regulations will become effective two years after the date
of their publication in the Federal Register.
The final HIPAA security rule has not been published at this time, so its compliance date has not
been set. Publication of the final security rule in the Federal Register is anticipated in the third
or fourth quarter of 2001; however, covered entities should plan to be in compliance by the
middle of 2003.
The final HIPAA privacy rule was published in the Federal Register on December 28, 2000, but
its official effective date was moved forward due to administrative issues. The compliance date
for large covered entities (such as AMCs) is April 14, 2003.
Many of the regulations' requirements are clear and specific
Although the HIPAA security and privacy regulations are long and complex, many of their
requirements are clear and specific. The major actions the regulations require a covered entity to
take are:
Assign responsibility for security to a person or an organization.
Assess risks and determine the major threats to the security and privacy of protected
health information.
Set up a security management program that addresses physical security, personnel
security, technical security controls, security incident response, and disaster recovery.
Certify the effectiveness of new or existing security controls.
Appoint a privacy officer and a point of contact for receiving privacy complaints.
Adopt a privacy policy and publicize the policy by giving notice. Privacy policies must
have specific provisions for gaining consent and authorization to use protected health
information, restricting use and disclosure of protected health information, and receiving
and resolving complaints.
Change contracts and business partner agreements to include a contractual requirement
that partners handle protected health information properly.
Train the covered entity's workforce (and business associates who work on the covered
entity's premises) to follow proper security and privacy policies and procedures.
Document security and privacy policies and procedures, as well as actions taken to ensure
that policies and procedures are enforced.
This document explains these requirements in more detail and gives specific recommendations
on how Academic Medical Centers can implement them.
Some of the regulations' provisions require covered entities to exercise judgment
While many of the provisions of the HIPAA security and privacy regulations require little
interpretation, some deliberately provide room for interpretation to allow covered entities the
flexibility they need to comply without making unnecessarily disruptive changes. This
document points out which of the regulations' requirements a covered entity will have to
interpret, and provides guidance on some of the options Academic Medical Centers should
consider. Topics addressed include:
Assignment of responsibilities. The regulations require covered entities to assign
specific responsibilities. These requirements could be handled by creating new executive
positions or departments, or they could be handled by allocating new responsibilities to
existing positions and departments. This document discusses how to assign
responsibilities in the context of your existing organizational structure, and includes
sample job descriptions for some of the required positions.
Defining and introducing policies. A broad range of security and privacy policies and
procedures could be used to safeguard protected health information. This document
discusses processes for defining and introducing policies and procedures that will be
effective in your organization. Sample security and privacy policies are included.
Risk analysis. The regulations require covered entities to analyze risks to security and
privacy of health information, and to determine whether the risks are "acceptable." This
document discusses how to choose a risk analysis methodology and how to decide what
constitutes "acceptable risk," and gives references to several risk analysis methodologies.
Certification. The regulation requires covered entities to certify security controls. An
internal organization or a third party can perform the required certification, and the
regulation does not mandate a specific certification process or regime. This report
discusses some of the certification options.
Scalability. The regulations allow a covered entity to consider "scalability" (in other
words, the cost burden of implementation) when deciding how to implement certain
provisions. This document addresses "scalability" issues.
Minimum necessary information. The privacy regulation requires covered entities to
restrict use and disclosures of private information to "the minimum use or disclosure
necessary to accomplish the purpose of the request." This document discusses how to
determine what information is necessary in a given situation.
Managing consumer requests. The privacy regulation requires covered entities to
implement a process for receiving and responding to complaints, as well as to requests to
restrict access to information. This document discusses some of the options for managing
these complaints and requests.
Contracts. The regulations require that security and privacy provisions be incorporated
into contracts with other organizations. This document discusses options for doing so
and includes some model contract terms.
Disclosure. The privacy regulation offers several options relating to the disclosure and
use of de-identified information. This document addresses how to choose an option.
Key activities for HIPAA security and privacy compliance
In addition to providing information about how to handle specific aspects of HIPAA security and
privacy compliance, this document outlines a framework for addressing the regulations. The
framework includes the following sequence of activities:
1) Recognize that HIPAA security and privacy compliance is a policy and compliance
effort, not a technology effort.
2) Assign responsibility for HIPAA compliance.
3) Consult widely with stakeholders.
4) Formulate job descriptions for the officials required by the HIPAA regulations (security
and privacy officials, complaint receivers).
5) Hire or appoint the required officials.
6) Perform an initial risk analysis, including an asset inventory.
7) Review the results of the risk analysis with senior management.
8) Create a HIPAA security and privacy compliance program. A compliance program must
include written policies and procedures, a compliance office reporting to senior executive
management, compliance training, a complaint process, an internal compliance audit
program, sanctions, and incident response and corrective action procedures.
9) Formulate or update security and privacy policies.
10) Update the risk analysis based on the new policies.
11) Create a detailed HIPAA security and privacy compliance plan, including security and
privacy procedures, security and privacy training, security and privacy evaluation and
certification, and disaster recovery procedures. This report suggests establishing a formal
security management program as part of the HIPAA security and privacy compliance
plan.
12) Review the compliance plan with senior management.
13) Execute the compliance plan (in phases if appropriate).
14) Document the compliance plan and its execution.
15) Operate the compliance plan and the security management program on a continuing
basis. Include regular reports to senior management. Update the risk analysis regularly.
Detailed advice on topics that organizations should consider as they perform these activities is
provided throughout the report.
Many will face serious organizational issues on the way to compliance
Compliance with the HIPAA security and privacy regulations will raise a variety of issues. This
report describes some of the issues Academic Medical Centers are most likely to encounter, and
provides some options for dealing with these issues. Specifically, this report addresses:
Organizational structure. Academic Medical Centers typically have a complex
organizational structure, with many sub-entities and affiliates in a complicated
governance arrangement. This report discusses which entities are covered by the HIPAA
security and privacy regulations and how a covered entity's structure influences the
activities required to bring it into compliance.
Changing practices. Some HIPAA security and privacy compliance activities require
changing established patterns of thought and behavior. Healthcare workers use protected
health information in their day-to-day job activities. Some information use practices will
have to change in order to comply with the HIPAA security and privacy regulations'
requirements. This report discusses how a covered entity can introduce changes in long-
established information and system use practices by building awareness and encouraging
buy-in.
Financial. Compliance activities cost money. This report discusses approaches to
funding compliance activities.
Locating resources. Many healthcare organizations lack security and privacy expertise.
This report discusses where to find information about security and privacy.
Interpretation. As already discussed, the HIPAA security and privacy regulations leave
room for interpretation in many areas. This report addresses how to interpret the
regulations' gray areas.
Research and education. The HIPAA security and privacy regulations have special
provisions for research and educational uses of protected health information. This report
addresses how an Academic Medical Center's research and education activities will be
affected by the regulations.
Fundraising and marketing. The HIPAA security and privacy regulations have
provisions relating to fundraising and marketing activities. This report addresses how an
Academic Medical Center's fundraising and marketing will be affected by the
regulations.
Compliance will carry significant costs, but it will also bring benefits
Complying with the HIPAA security and privacy regulations will require new policies,
procedures, and processes. It will increase the paperwork associated with disclosing protected
health information. It will also require new training and certification activities. None of this
comes for free.
The money and effort spent to comply with the HIPAA security and privacy regulations will,
however, buy significant benefits for the organization even above and beyond avoiding penalties
for non-compliance. Compliance with HIPAA security and privacy standards will play an
important role in preserving patients' trust in the healthcare system, the organization, and
individual healthcare providers. HIPAA security and privacy compliance can help healthcare
organizations avoid the adverse publicity and public image problems which disclosures of
personal information have inflicted on web retailers recently. Covered entities should view
security and privacy as yet another benefit they can offer to patients who choose their services.
Compliance with the HIPAA security regulation can also reduce a covered entity's business risks
significantly. A strong security management program reduces the probability of interruption of
business, destruction of the organization's information assets, and damage to brand and
reputation due to vandalism of information systems. Compliance may also shield covered
entities from significant fines, loss of accreditation, and loss of consumer trust. Finally, it can
reduce exposure to liabilities associated with improper handling of protected health information.
Contents
Abstract ...........................................................................................................................................ii
Executive Summary .......................................................................................................................iv
Contents..........................................................................................................................................ix
Introduction .....................................................................................................................................1
Purpose........................................................................................................................................2
Scope ...........................................................................................................................................2
Background .................................................................................................................................3
Acknowledgements .....................................................................................................................3
Updates and Errata ......................................................................................................................6
AMC Guidelines .............................................................................................................................7
Organization of the Guidelines ...................................................................................................7
AMC HIPAA Security Guidelines..............................................................................................9
Section One: Requirements for Security Administration...................................................9
SEC.01 Certification § .308(a)(1) ..............................................................................10
SEC.02 Chain of Trust Partner Agreement § .308(a)(2)............................................ 12
SEC.03 Contingency Planning § .380 (a)(3)..............................................................14
SEC.04 Formal Mechanism for Processing Records § .308(a)(4) .............................16
SEC.05 Information Access and Control § .308(a)(5)............................................... 17
SEC.06 Internal Audit § .308(a)(6)............................................................................ 19
SEC.07 Personnel Security § .308(a)(7) .................................................................... 21
SEC.08 Security Configuration Management § .308(a)(8)........................................23
SEC.09 Security Incident Procedures § .308(a)(9) .................................................... 25
SEC.10 Security Management Process § .308(a)(10)...............................................27
SEC.11 Termination Procedures § .308(a)(11).......................................................... 30
SEC.12 Security Training § .308(a)(12) ...................................................................32
Section Two: Requirements for Physical Safeguards ......................................................35
SEC.13 Assigned Security Responsibility § .308(b)(1)............................................. 36
SEC.14 Media Controls § .308(b)(2) .........................................................................38
SEC.15 Physical access controls § .308(b)(3)............................................................ 41
SEC.16 Policy/guideline on workstation use § .308(b)(4).........................................44
SEC.17 Secure work station location § .308(b)(5).................................................... 46
SEC.18 Security Awareness training § .308(b)(6).....................................................48
Section Three: Requirements for Technical Security, Services, and Mechanisms..........49
SEC.19 Access Control § .308(c)(1)(i) ......................................................................50
SEC.20 Audit Controls § .308(c)(1)(ii)...................................................................... 52
SEC.21 Authorization Control § .308 (c)(3)..............................................................54
SEC.22 Data Authentication § .308 (c)(4) .................................................................55
SEC.23 Entity Authentication § .308 (c)(5)...............................................................56
SEC.24 Communications/network controls § .308(d) ...............................................58
AMC HIPAA Privacy Guidelines.............................................................................................61
Section One: Covered Entities .........................................................................................65
PRIV.01 Health care component §164.504(b)........................................................... 66
PRIV.02 Affiliated covered entities §164.504(d) ......................................................68
PRIV.03 Business associate contracts §164.504(e)(1)...............................................70
PRIV.04 Requirements for group health plans §164.504(f)(1).................................. 74
PRIV.05 Requirements for a covered entity with multiple covered functions
§ 164.504(g) ..................................................................................................................78
PRIV.06 Group health plans § 164.530(k).................................................................80
Section Two: Consent and Authorization ........................................................................81
PRIV.07 Consent requirement § 164.506(a)..............................................................82
PRIV.08 Resolving conflicting consents and authorizations § 164.506(e)................86
PRIV.09 Joint consents § 164.506(f) .........................................................................88
PRIV.10 Authorizations for uses and disclosures § 164.508(a) ................................ 90
PRIV.11 Right of an individual to request restriction of uses and disclosures
§ 164.522(a)(1)..............................................................................................................96
PRIV.12 Effect of prior consents and authorizations § 164.532(a) ...........................98
Section Three: Uses and disclosures .............................................................................. 101
Sub-Section A: General Uses and Disclosures ..........................................................102
PRIV.13 Uses and disclosures of protected health information § 164.502(a) .........103
PRIV.14 Uses and disclosures of protected health information subject to an agreed-
upon restriction § 164.502(c) ......................................................................................105
PRIV.15 Uses and disclosures of de-identified protected health information
§ 164.502(d) ................................................................................................................107
PRIV.16 Disclosures to business associates § 164.502(e).......................................108
PRIV.17 Deceased individuals § 164.502(f)............................................................ 110
PRIV.18 Personal representatives § 164.502(g) ......................................................111
PRIV.19 Confidential communications § 164.502(h).............................................. 113
PRIV.20 Uses and disclosures consistent with notice § 164.502(i)........................114
PRIV.21 Disclosures by whistleblowers and workforce member crime victims
§ 164.502(j) .................................................................................................................115
PRIV.22 Use and disclosure for facility directories § 164.510(a) ...........................117
PRIV.23 Uses and disclosures for involvement in the individual's care and
notification purposes § 164.510(b) .............................................................................119
PRIV.24 Uses and disclosures of protected health information for marketing
§ 164.514(e)(1)............................................................................................................121
PRIV.25 Uses and disclosures for fundraising § 164.514(f)(1)...............................123
PRIV.26 Uses and disclosures for underwriting and related purposes § 164.514(g)125
Sub-Section B: Balancing Privacy and Public Responsibility................................... 126
PRIV.27 Uses and disclosures required by law § 164.512(a).................................. 127
PRIV.28 Uses and disclosures for public health activities § 164.512(b)................. 128
PRIV.29 Disclosures about victims of abuse, neglect, or domestic violence
§ 164.512(c) ................................................................................................................130
PRIV.30 Uses and disclosures for health oversight activities § 164.512(d)............ 132
PRIV.31 Disclosures for judicial and administrative proceedings § 164.512(e)..... 134
PRIV.32 Disclosures for law enforcement purposes § 164.512(f) ..........................137
PRIV.33 Uses and disclosures about decedents § 164.512(g) .................................141
PRIV.34 Uses and disclosures for cadaveric organ, eye, or tissue donation purposes
§ 164.512(h) ................................................................................................................143
PRIV.35 Uses and disclosures for research purposes § 164.512(i) .........................144
PRIV.36 Uses and disclosures to avert a serious threat to health or safety
§ 164.512(j) .................................................................................................................148
PRIV.37 Uses and disclosures for specialized government functions § 164.512(k)150
PRIV.38 Disclosures for workers' compensation § 164.512(l) ............................... 153
PRIV.39 Minimum necessary § 164.502(b) ............................................................154
PRIV.40 De-identification of protected health information § 164.514 (a) .............. 156
PRIV.41 Minimum necessary requirements § 164.514(d)(1)..................................160
PRIV.42 Verification requirements § 164.514(h)(1) ...............................................163
Section Four: Consumer Controls.................................................................................. 166
PRIV.43 Notice of privacy practices § 164.520(a) .................................................. 167
PRIV.44 Confidential communications requirements § 164.522(b)(1) ...................173
PRIV.45 Access to protected health information § 164.524(a) ...............................175
PRIV.46 Right to amend § 164.526(a).....................................................................181
PRIV.47 Right to an accounting of disclosures of protected health information
§ 164.528(a) ................................................................................................................185
Section Five: Administrative requirements....................................................................189
PRIV.48 Privacy Official § 164.530(a)(1)(i) ...........................................................190
PRIV.49 Privacy Contact Person or Office § 164.530(a)(1)(ii)...............................192
PRIV.50 Training on Privacy § 164.530(b)(1) ........................................................194
PRIV.51 Safeguards § 164.530(c)(1)......................................................................196
PRIV.52 Complaints to the covered entity § 164.530(d)(1) ....................................198
PRIV.53 Sanctions § 164.530(e)(1) .........................................................................200
PRIV.54 Mitigation § 164.530(f)............................................................................. 202
PRIV.55 Refraining from intimidating or retaliatory acts § 164.530(g).................. 204
PRIV.56 Waiver of rights § 164.530(h)...................................................................206
PRIV.57 Policies and procedures § 164.530(i)(1) ...................................................207
PRIV.58 Changes to policies or procedures § 164.530(i)(2) ...................................208
PRIV.59 Documentation § 164.530(j) .....................................................................211
General Policy and Management Guidelines..........................................................................213
GEN.01 Roles and Responsibilities in Development and Maintenance ..................214
GEN.02 Organizational Support for HIPAA Security and Privacy Compliance........216
GEN.03 Resources for Development and Maintenance........................................... 217
GEN.04 Evaluation and Monitoring of Development and Maintenance .................218
GEN.05 Reasonableness .......................................................................................... 219
GEN.06 Scalability...................................................................................................220
GEN.07 Limiting Liability Arising from Compliance.............................................221
GEN.08 HIPAA Accreditation Intersections ........................................................... 222
GEN.09 Stricter State Law § 160.203......................................................................223
GEN.10 Policy establishment and modification ...................................................... 225
GEN.11 Policy Usage Introduction..........................................................................226
GEN.12 Privacy Culture ..........................................................................................227
GEN.13 Digital Signature ........................................................................................228
GEN.14 Other Federal Law and HIPAA Privacy ....................................................231
Acronyms ....................................................................................................................................234
Definitions of Terms Used in this Guideline ..............................................................................235
References ...................................................................................................................................243

Privacy Standards....................................................................................................................245
TABLES
Table 1. Mapping of Privacy Standards to AMC Guidelines ......................................................61

Introduction
The privacy and security regulations mandated by the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) are of great importance to the healthcare community. In an
effort to assist Academic Medical Centers in addressing the new regulations, a series of
workshops was conducted to analyze current health information security and privacy policies, to
make recommendations, and to develop a resource of best practices for healthcare security and
privacy. This document, Guidelines for Academic Medical Centers on Security and Privacy, is
the result of a collaborative effort by multiple teaching hospitals and medical schools to address
their unique concerns in this area.
How are Academic Medical Centers different from other health care providers?
The tripartite mission of Academic Medical Centers (AMCs) - education, research, and patient
care - distinguishes them from peer institutions which are concerned primarily with patient
care. In the past two decades, the ability of AMCs to sustain these multiple missions has been
severely tested by changes in health care financing and regulation. Their history, governance,
constituency base, and position in society present unique challenges to successfully navigating
change. Implementation of the HIPAA security and privacy regulations, too, will face unique
barriers. Yet AMCs also have characteristics that give them advantages over other health care
provider organizations in this area, and provide an opportunity for AMCs to lead the effort to
ensure the privacy, security, and confidentiality of patient information. The following lists
summarize these potential barriers and opportunities.
AMCs: Unique Opportunities to Lead HIPAA Compliance
Well-educated, hard-working membership;
Traditionally innovators in health care;
Strong technology and information systems culture;
Active role in national health care policy development.
AMCs: Unique Barriers to HIPAA Compliance
Complex organizational and governance structure:
Multiple entities with a single name;
Unclear or non-existent reporting lines;
Governed by boards with a variable level of understanding of medical center issues.
University affiliation:
Decentralized organization, an inability to act quickly, and decisions by committee;
Academic culture tends to reward individual vs. organizational action;
Non-employee system users (students, trainees);
Often beholden to central university administration, which may have to sign off on
some aspects of compliance activities.
Multiple missions:
Confusion and disagreement about priorities;
Cross-subsidization of non-profitable missions.

Purpose
These Guidelines provide a tool for developing policies, procedures, and best practices to assist
AMCs in efficiently and economically addressing the HIPAA security and privacy regulations.
They reference specific HIPAA regulations, provide interpretation, and make recommendations
for implementation and maintenance within healthcare organizations.
Scope
The intent of the workshop series was to provide guidance, within the context of the HIPAA
regulations, in the development of security and privacy policies and procedures that support all
activities of complex academic medical center environments. Depending on organizational
structure, this may include healthcare, research, teaching, learning, administration, and
associated interactions with external entities.
The results of these workshops will assist like-minded organizations in developing more efficient
and inclusive ways of implementing health care security and privacy arrangements. It is
intended that these guidelines be considered for adoption by relevant bodies beyond the covered
entities themselves. WEDI, as part of their role in advising HHS in matters related to HIPAA,
participated in the workshops and will take the final publication into consideration. The
combined talent and experience of the workshop participants have permitted the development of
a concise set of guidelines consistent with these purposes.
These guidelines recommend health information security and privacy mechanisms and strategies
for operational implementation of the HIPAA requirements. The recommended strategies are
intended to facilitate cultural change by building upon existing best practice, and are based upon
our common understanding of teaching hospital and medical school processes. This
collaborative effort also identifies implementation barriers that must be overcome, in addition to
benefits or incentives that may be leveraged to deploy adequate resources within teaching
hospitals and medical schools.
This document does not provide legal advice. Covered entities must work with their own legal
counsels to address appropriate institutional requirements. This document can provide
information to legal staff tasked with understanding the implications of the HIPAA regulation on
their organization. It may also serve as an aid to understanding the necessary legal actions
needed to address accreditation requirements, as well as federal and state legislation, as HIPAA
has an impact on many aspects of the organization.

In addition, this document may be of value to other segments of the healthcare industry,
particularly consultants, payor organizations, general practitioners, group practices, suppliers,
financial organizations, and other organizations that regularly interact with teaching hospitals
and medical schools. Understanding the implications of the HIPAA regulations on AMCs will
be important to many aspects of the healthcare industry.
Background
Guidelines for Academic Medical Centers on Security and Privacy was developed through a
series of monthly workshops involving the collaborative effort of several major academic and
healthcare related organizations. Several leading teaching hospitals and medical schools had
already developed individual security and privacy policies, as well as strategies to address the
impending HIPAA regulations. No process existed, however, to facilitate the benchmarking of
good practices, policies, and procedures among institutions. Academic Medical Centers needed
to join together and identify consistencies for reasonable HIPAA compliance. Teaching
hospitals and medical schools indicated their willingness and commitment to participate in this
process by submitting a Request for Information (RFI) that was developed by the steering
committee for this activity.
Information was gathered on current security and privacy practices via responses to the RFI.
This information, in addition to the HIPAA regulation, served as the basis for the initial draft.
Finally, individuals with substantial expertise were identified and asked to contribute to the
effort.
In addition to the teaching hospitals and medical schools, a number of industry organizations
joined the group. A series of workshops was identified as the best mechanism to create model
information practices and security guidelines, with a final document (this document) to
communicate the group's recommendations.
The workshops were held from Fall 2000 to Spring 2001. On December 20, 2000, the
Department of Health and Human Services Privacy Regulations were released. When the group
first met and planned its workshops, it was impossible to determine when the draft privacy
regulation would be made final, and how the final regulation might differ from the draft. Shortly
before the fourth workshop, the final privacy regulation was issued. The group opted to hold an
additional session to address any modifications to the guidelines as a result of the final privacy
regulation.
Acknowledgements
This guideline document is the result of the efforts of many individuals, both those who
participated in the workshops and others who helped to facilitate the process. A group with
diverse expertise in security and privacy found its way through a consensus-based process to
produce these guidelines. Each participant in the workshops is commended for their tireless
devotion of time and enthusiasm.

Special thanks are due to the organizations that hosted the workshops: Kaiser-Permanente, Duke
University, Texas A&M University, the National Library of Medicine, and the University of
Michigan. To all the individuals who coordinated the workshop logistics at each of the host
organizations, the participants in the workshops extend a thank you for creating extremely
productive working environments for this activity.
Thanks to the numerous individuals at each of the participating organizations who helped to
provide participants with input and content and kept the workshop participants on track, helping
its members to put their ideas and analyses into coherent prose. The workgroup is further
indebted to early reviewers of the draft guideline document. Thoughtful comments and
criticisms challenged members to strengthen and refine the guidelines.
Mike Ackerman, assistant director of the High Performance Computing Center at the NLM,
understood the need for this group to assemble. His support, dedication, and understanding
made this report a reality. Thanks to Morgan Passiment and the AAMC staff who provided
much time and attention to facilitating the production of the guidelines. Thanks also to Jim
Schuping at WEDI for help in getting the first set of interested parties together.
The guideline document is a much more readable document due to the efforts of Joseph Saul of
Communications Technology Consultancy, a security and privacy policy expert, who edited the
final version. Special thanks are due to Mike Davis for editorial leadership that kept everyone
organized and ensured that all input was incorporated into the final guidelines. Thanks are also
due to Bob Blakley, OMG, for his dedication to improving security and privacy practices. Bob's
enthusiasm, quick wit, and expert technical facilitation kept things on track, allowing discussions
to unfold when appropriate, and shutting us down when we needed to stop. Finally, Mary Kratz
and the Internet2 staff deserve praise for the great resources that they brought to this project.
The workgroup hopes that this guideline document will assist others in the healthcare industry
struggling with practical strategies for dealing with security and privacy issues and HIPAA
compliance.
Workshop Participants (alphabetical order by organization)
Duke University Health System
Dave Kirby*
Director of the Information Security Office
919-272-1157
Kirby001@mc.duke.edu
Duke University Health System
Lawrence H. Muhlbaier
Assistant Research Professor
Lawrence.muhlbaier@duke.edu
Emory University
Ron Palmich
404-727-4350
ron_palmich@emory.org
Johns Hopkins Medical Institutions
Bob Miller*
Department of Pathology
410-955-5429
rmiller@jhmi.edu
Johns Hopkins Medical
Bill Rider*
brider@jhmi.edu
Kaiser Permanente
Ted Cooper*
510-267-5659
ted.cooper@kp.org
Mayo Clinic
Lee Olson*
Information Security Officer
507-284-0594
olson.lee@mayo.edu
Oregon Health Sciences University
Jere Retzer*
Portland Research and Education Network
Chair
Internet2 Health Sciences Security Lead
503-494-3720
retzerj@ohsu.edu
Osaka Medical College
Ryuichi Yamamoto
Associate Professor Division of Medical
Informatics
+81-726-83-1221(x2265/2888)
yamamoto@art.osaka-med.ac.jp

Texas A&M University System Health Science
Center
Larry Flournoy
Interim Chief Information Officer
713-677-7434
flournoy@isc.tamu.edu
Texas A&M University
Michael W. Buckley
Director, Compliance and Administration
Office of the Vice President of Research
979-845-8585
mwbuckley@tamu.edu
Tufts School of Medicine
David Damassa
617-636-6603
david.damassa@tufts.edu
University of Alabama at Birmingham
Mike Waldrum*
mwaldrum@uabmc.edu
University of Arizona Medical Center
Patti Redding
HIPAA Compliance and Information
Security
520-694-4760
predding@umcaz.edu
University of Michigan Health System
Leslie H. Kamil
Deputy Compliance Officer and Privacy
Officer
734-615-4400
lkamil@med.umich.edu
University of Pennsylvania
Mary Alice Annecharico
Executive Director, Information Services
215-898-9755
mannecha@mail.upenn.edu
University of Tennessee Health Science
Center
Jack Buchanan
Acting Director, School of Biomedical
Engineering
Internet2 Medical Middleware Lead
Jbuchanan@utmem.edu
North Carolina Healthcare Information and
Communications Alliance, Inc.
W. Holt Anderson
Executive Director
919-558-9258
holt@nchica.org
UT Southwestern Medical Center
Valerie D. Meyer
Information Resources
214-648-1718
Valerie.meyer@utsouthwestern.edu
Veterans Health Administration
Mike Davis (SAIC)*
VHA Security Architect
mikedatsd@home.com
Yale University School of Medicine
Stephen Rimar, MD
Medical Director, Yale Medical Group
stephen.rimar@yale.edu
Sponsoring Organizations
Association of American Medical Colleges
Morgan Passiment*
Staff Associate
202-828-0476
mpassiment@aamc.org
The AAMC (Association of American Medical Colleges) Group on
Information Resources has identified a need for collaboration in policy
development among Academic medical centers and agreed to
participate in the development of this policy framework as a key
component of its program to support the HIPAA implementation
activities of its members.
Internet 2
Mary Kratz*
Health Science Initiatives
734-352-7004
mkratz@internet2.edu
These guidelines serve as a basis for Internet2 Medical Middleware
requirements, ultimately folding into the larger fabric of advanced
services in the emerging common campus middleware infrastructure.
National Library of Medicine
Michael J. Ackerman, PhD*
Assistant Director
301-402-4100
ackerman@nlm.nih.gov
National Library of Medicine
Carol Haberman*
301-435-3267
carol_b_haberman@nih.gov
The National Library of Medicine (NLM) views its support for this workshop as part of its
mission with the teaching hospital and medical school community.
<www.nlm.nih.gov>
Object Management Group
Bob Blakley*
Chief Scientist for Security, Tivoli Systems Incorporated
512-458-4037
blakley@tivoli.com
The OMG's charter includes the establishment of industry guidelines
and specifications to provide a common framework for application
development that supports a heterogeneous computing environment
across all major hardware platforms and operating systems.
Supporting Organizations
CPRI-HOST
Pat Wise*
Executive Director
pat@digitalwise.com
North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA)
Holt Anderson
919-558-9258
holt@nchica.org
Health Care Financing Administration
Barbara Clark
410-786-9937
bclark@hcfa.gov
Healthcare Computing Strategies, Inc.
John Parmigiani
Practice Director, Compliance Programs
410-750-2060
jcparmigiani@hcs-is.com
Southeastern University Research Association (SURA)
Sue Fratkin*
202-408-7872
sue@sura.org
Workgroup on Electronic Data Interchange (WEDI)
Jim Schuping*
Executive Vice President
703-391-2716
schups@aol.com
* Denotes members of the Steering Committee
Updates and Errata
For updates and errata, check the www.amc-hipaa.org website.

AMC Guidelines
This document provides a summary of the requirements of the HIPAA security and privacy
regulations, with advice to the reader on how to address those requirements. The document's
structure has been designed to make it easy to relate the material in this document to the text of
the HIPAA security and privacy regulations.
Organization of the Guidelines
The document starts with specific information about addressing the detailed requirements of the
HIPAA security and privacy regulations where those regulations are clear and specific. It then
moves on to cover areas in which some interpretation of the regulations' requirements is
necessary. It concludes with a treatment of broader organizational implications of HIPAA
security and privacy compliance; this portion of the document covers issues that the regulations
raise but for which they provide neither specific requirements nor clear guidance.
The Security sections discuss provisions of the HIPAA Security Regulations:
Security Section One discusses what a covered entity needs to do to address the security
administration requirements.
Security Section Two discusses what a covered entity needs to do to address the technical
security services and mechanisms requirements.
The Privacy sections discuss provisions of the HIPAA Privacy Regulations:
Privacy Section One discusses the definition of a covered entity and the application of the
regulations to different types of covered entities.
Privacy Section Two discusses consent and authorization requirements.
Privacy Section Three discusses use and disclosure requirements.
Privacy Section Four discusses consumer control requirements.
Privacy Section Five discusses administrative requirements.
The General Section covers areas of the HIPAA regulation that require a covered entity to make
judgments about how the regulations' requirements apply to the organization (for example,
"minimum necessary disclosure," "scalability," and "reasonableness"). This Section also covers
broader organizational implications of compliance with the regulations (for example, how
HIPAA compliance might influence the structure of the organization, how HIPAA compliance
activities might relate to other similar activities, and what time and resources might be required
to achieve and maintain HIPAA compliance).

Page 20
AMC/HIPAA Workgroup
8
The Guideline points themselves are organized as follows:
Point Number, Point Name and Citation
X.## Name
§Citation
HIPAA Requirement
The full text of the HIPAA requirement, taken directly from the regulation. This may include
material from multiple portions of the regulations.
AMC Explanation of HIPAA Requirement
This narrative paragraph summarizes the top features of the requirement as seen from the
vantage point of an AMC, concentrating on the significance of the requirements in the AMC
environment.
Key Issues
Issues to consider before taking any proposed action.
Category I Guideline-Action must be taken to address these
Actions that are mandatory in order to address the HIPAA Security and Privacy regulations. The
list includes only those actions that, if not addressed, would place a covered entity in substantial
non-compliance with the requirement. Actions included in this item were included only with the
unanimous consent of all members of the AMC Security and Privacy Workgroup.
Category II Guideline-Action should be considered to address these
Actions that workgroup participants considered helpful in order to address the HIPAA Security
and Privacy regulations. Actions in this group are recommended by the AMC Security and
Privacy Workgroup but are not direct requirements of HIPAA.
Roadblocks
Any roadblocks to what must or should be done in order to implement the guidelines. The AMC
Security and Privacy Workgroup defines roadblocks as difficulties in implementing these
guidelines that come after the policy is put in place, e.g. AMC culture, program dollars, people,
etc. This definition distinguishes roadblocks from issues, which are concerns associated with
framing an AMC policy through the application of the guideline (and therefore come before the
policy). Funding issues and the problems associated with decentralization in AMCs are
universal roadblocks, so they have not been listed for individual guideline points unless there is a
specific point to be made.
Comments
Any comments to clarify or explain this point above or relate it to another.

AMC HIPAA Security Guidelines
Section One: Requirements for Security Administration

SEC.01
Certification § .308(a)(1)
HIPAA Requirement
...(The technical evaluation performed as part of, and in support of, the
accreditation process that establishes the extent to which a particular computer
system or network design and implementation meet a pre-specified set of security
requirements. This evaluation may be performed internally or by an external
accrediting agency.)
AMC Explanation of HIPAA Regulation
Certification is the process of determining whether technical security controls are implemented
and comply with specified criteria. Each covered entity is required to establish a certification
process that demonstrates and documents that its computer systems and networks meet these
criteria. Either internal staff or external persons may perform certifications. The process should
consider risks identified in the risk assessment process.
Key Issues
What systems and services require certification?
How often should certification occur?
Who or what organization is the certifying authority? Is it internal or external? How will
the certifying authority be selected?
Do reference documents exist to describe the covered entity's secure configuration of
network components, servers, databases, and applications?
Is there a periodic comparison of the actual configuration against the reference
documents to confirm compliance or reveal non-compliance? If there are differences, is
there a process for correction?
Do routine testing, auditing, and change management procedures support the certification
process?
What is the relationship between auditors and certifiers?
With what frequency or upon what event(s) should certification be done?
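One way to perform the periodic comparison of actual configuration against the reference documents asked about above, as an added example that is not part of the AMC guidelines: a small Python drift check that parses a host's settings, compares them with a documented baseline, and reports every deviation for the certifier. The baseline keys and values, the sshd_config-style "keyword value" format, and the host name in the sample are assumptions chosen for illustration.

```python
"""Configuration drift check against a documented secure baseline.

Added example (not from the AMC guidelines). The reference settings, the
sshd_config-style 'keyword value' format, and the sample host are
assumptions chosen for illustration."""

from dataclasses import dataclass
from typing import Optional

# Assumed reference document: settings the covered entity requires on every
# SSH-exposed server. Keywords are matched case-insensitively, as sshd does.
REFERENCE_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "LogLevel": "VERBOSE",
    "X11Forwarding": "no",
}

# Constructed sample of an actual server configuration that has drifted:
# root login was re-enabled, LogLevel was never set, and a second
# PasswordAuthentication line was appended (sshd keeps the first one).
SAMPLE_ACTUAL_CONFIG = """\
# sshd_config from host ehr-db-01 (constructed sample)
Port 22
Protocol 2
permitrootlogin yes
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding no
"""


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None when the keyword is absent from the host
    kind: str              # "mismatch" or "missing"


def parse_config(text: str) -> dict:
    """Return the effective keyword -> value map for an sshd-style file.

    Blank and comment lines are skipped, keywords are lower-cased, and
    only the first occurrence of a keyword is kept (sshd semantics)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; sshd itself would refuse to start
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def compare_to_baseline(reference: dict, actual_text: str) -> list:
    """List every deviation of the actual configuration from the baseline.

    A required keyword that is absent is reported as 'missing' rather than
    assumed compliant: the daemon default is not necessarily the secure
    value, and the reference document is what the certifier audits against."""
    actual = parse_config(actual_text)
    findings = []
    for key, expected in reference.items():
        got = actual.get(key.lower())
        if got is None:
            findings.append(Finding(key, expected, None, "missing"))
        elif got.lower() != expected.lower():
            findings.append(Finding(key, expected, got, "mismatch"))
    return sorted(findings, key=lambda f: f.key)


def is_compliant(reference: dict, actual_text: str) -> bool:
    """True only when no finding is raised; this is the result certification documents."""
    return not compare_to_baseline(reference, actual_text)


if __name__ == "__main__":
    for f in compare_to_baseline(REFERENCE_BASELINE, SAMPLE_ACTUAL_CONFIG):
        print(f"{f.kind:8} {f.key}: expected {f.expected!r}, found {f.actual!r}")
```

Run against the sample, the check reports LogLevel as missing and PermitRootLogin as a mismatch, while the duplicated PasswordAuthentication line is correctly judged by its first occurrence. Treating an absent required setting as a finding, rather than trusting the daemon default, is the caveat that matters most when the baseline is used as certification evidence.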
Category I Guidelines-Actions must be taken to address these
Implement a certification process to determine the extent to which systems and networks
meet established security criteria.
Category II Guidelines-Actions should be considered to address these
Document the network configuration.
Ensure that individuals performing certifications are knowledgeable about security
requirements and best practices.
Ensure that conflicts of interest do not exist in the certification process; specifically, that
certifiers are not responsible for the administration or maintenance of the system or network
they certify.
Perform certification a minimum of once every three years due to the changing nature of
computer systems and accelerating rate of change of IT-related security risks.

Prepare a formal "Certification and Accreditation Report" upon the completion of
certification and forward it, along with any recommendations on accreditation, to the
accrediting official.
Maintain records and reports of certification and accreditation activities for the last two
certification efforts to provide for an adequate history of certification information and an
audit trail of certification.
Establish routine testing, auditing, and change management procedures to support the
certification process.
Consider certification for system changes prior to placing such systems into production.
Consider a phased approach to certification in order to encourage continuity of the
process.
Consider linking the certification process to JCAHO Information Management
requirements.
Consider requiring formal security credentials for those conducting the certification
process.
Roadblocks
In complex institutions, it may be difficult to establish the necessary credibility and authority for
the certifier.
Comments
Although the evaluation of the program or one of its parts may be done by outside entities, the
certification is a statement by senior management of the institution. State law on record-keeping
may mandate additional retention requirements. Covered entities should be prepared to budget
for remedial action as necessary if deficiencies are discovered during the certification process.

SEC.02
Chain of Trust Partner Agreement § .308(a)(2)
HIPAA Requirement
A chain of trust partner agreement (a contract entered into by two business
partners in which the partners agree to electronically exchange data and protect
the integrity and confidentiality of the data exchanged).
AMC Explanation of HIPAA Regulation
A Chain of Trust Agreement is required between two business partners whenever data is
electronically exchanged. The Agreement requires that the sender and the receiver of the
protected health information work with each other to maintain the information's integrity and
confidentiality. Such contracts provide a legal basis for maintaining consistent levels of data
integrity and confidentiality.
Key Issues
With which persons or organizations is the health care provider, health plan, or health
care clearinghouse required to execute a Chain of Trust Agreement (COT)?
Is there a documented process for identifying all partners with which a COT is required?
Does the COT identify a process or processes to ensure the integrity and confidentiality
of the data transmitted?
How will security responsibilities and accountabilities be determined, drafted, and
monitored?
Does more than one unit have the authority to contract with a business partner?
Is there a process in place to assure that all AMC contracts have the required and
appropriate language?
Is there a process that will identify the data rights of the trading partners and incorporate
such rights in the COT language?
Does the agreement identify appropriate sanctions for failure to abide by its terms?
Is the duration of the agreement appropriate?
Is there a process in place to assure that all AMC contracting officers are aware of the
need for, and know the requisites of, an effective COT?
What organizational unit will be responsible for managing the COT policy
implementation?
Does the COT propagate with any further transfers of information between partners and
their other partners?
Does the COT survive other agreements with the partner?
How do COTs relate to the business associate contractual terms in the Privacy rule?
Category I Guidelines-Actions must be taken to address these
Develop a Chain of Trust Agreement with each party with which protected health
information is shared, including language that states that:
The parties agree to electronically exchange data and protect the transmitted data; and
Each party will maintain the integrity and confidentiality of the transmitted
information.

Develop a plan to update all current agreements to ensure that the terms and conditions
do not contain any provisions, including data content and format definitions, that conflict
with the standards outlined in the security regulations
Develop a plan to ensure that all future agreements have appropriate provisions.
Category II Guidelines-Actions should be considered to address these
Engage legal counsel to develop and review contract language for the COT.
Establish monitors to ensure compliance by all parties subject to the agreement.
Train all contracting officials about the nature and intent of the COT.
Devise and promulgate a COT template for all Contracting Officers to use.
Establish a process to determine when/how to activate the sanctions for nonperformance
with regard to COT.
Periodically review all current partnerships for COT need.
Develop process to review partners' COTs for adequacy and fairness.
Roadblocks
It will likely be difficult to get approval for COTs which are inconsistent between partners, or
which are perceived as unbalanced in responsibility. Contracts are frequently negotiated and
approved by various departments within the University or AMC. Each area within the
University and AMC must be trained as to when and with whom this required language should
be used.
Comments
Since the originator of information bears the responsibility for improper disclosure or other
security failures regarding that information, a COT is the only protection most providers will
have once information is turned over to their partners in healthcare provision.
As part of a compliance program, business associates should warrant, and the AMC department
responsible for negotiating and signing the Agreement should verify, that the trading partner is
not excluded from participation in any government program. Contracts should also include a
statement that the trading partner warrants that any subcontractors or agents are not excluded
from participation in any government program.
The Chain of Trust Agreement in the Supplement contains language that can be used to satisfy
both the proposed security regulation (discussed in this point) and the final privacy regulation
(discussed in PRIV.03).

SEC.03
Contingency Planning § .308(a)(3)
HIPAA Requirement
...a routinely updated plan for responding to a system emergency, that includes
performing backups, preparing critical facilities that can be used to facilitate
continuity of operations in the event of an emergency, and recovering from a
disaster. The plan must include all of the following implementation features:
(i) An applications and data criticality analysis (an entity's formal assessment of
the sensitivity, vulnerabilities, and security of its programs and information it
receives, manipulates, stores, and/or transmits).
(ii) Data backup plan (a documented and routinely updated plan to create and
maintain, for a specific period of time, retrievable exact copies of information).
(iii) A disaster recovery plan (the part of an overall contingency plan that
contains a process enabling an enterprise to restore any loss of data in the event
of fire, vandalism, natural disaster, or system failure).
(iv) Emergency mode operation plan (the part of an overall contingency plan that
contains a process enabling an enterprise to continue to operate in the event of
fire, vandalism, natural disaster, or system failure).
(v) Testing and revision procedures (the documented process of periodic testing
of written contingency plans to discover weaknesses and the subsequent process
of revising the documentation, if necessary).
AMC Explanation of HIPAA Regulation
Each covered entity is required to maintain a contingency plan for responding to system
emergencies involving systems that contain protected health information. The covered entity is
required to perform periodic backups of data, have critical facilities for continuing operations in
the event of an emergency, and have disaster recovery procedures in place for such systems.
Systems that do not involve protected health information are not required to have contingency
plans.
Key Issues
What will be needed to recreate each data element in the event of an emergency? Has an
assessment been performed?
What is the appropriate frequency and depth of backups?
Where should backup data be located?
How easy is restoration of backup data?
How timely would such a restoration be?
How is security of data assured at the backup location?
What is the mechanism for testing the plans and procedures?
How long will backups be retained?
How is overall integrity of data assured?
How often will various levels or types of tests be performed?
Category I Guidelines-Actions must be taken to address these
Assess all systems with protected health information for reasonably anticipated risks,
focusing on the potential impact of the lack of availability of specific applications and
data on the secure operation of the covered entity.
Prepare a data backup plan that details how data will be maintained and duplicated in
order to prevent its loss during a natural or man-made disaster.
Prepare a disaster recovery plan that details how data and operations would be restored in
a timely fashion following a catastrophic event or unanticipated interruption of
operations.
Prepare a plan to use for emergency operations following a catastrophic event until
normal operations can be restored.
Test these procedures periodically and revise them accordingly to address any
weaknesses discovered during testing.
Category II Guidelines-Actions should be considered to address these
Develop a data storage plan that ensures that the medium and location of backup storage
are secure from physical damage and that backup storage is separated in some way from
the main site.
Dispose of information in a manner that maintains its security. Shred paper and wipe
magnetic or optical media.
Make backups at regular intervals.
Develop a procedure covering the scope (full, incremental, and differential) of backups.
Provide adequate facilities to support recovery operations.
Test contingency and disaster recovery plans regularly, specifically including restoration
of data.
Protect backup information at the same level as the original data.
Roadblocks
Identifying and testing critical components may be more realistic and cost effective than testing
plans sufficiently often to ensure that they are viable.
Formal disaster recovery/contingency plans usually occur at the level of central IT within an
AMC. The distributed nature of support and systems within an AMC may serve as a roadblock
to ensuring consistent planning.
Comments
The security regulations (unlike the privacy regulations) supersede conflicting state laws.
Non-conflicting state laws, however, still apply and may affect various aspects of this plan.
Also see: AMC.09 Stricter State Law, SEC.14 Media Controls
SEC.04
Formal Mechanism for Processing Records § .308(a)(4)
HIPAA Requirement
Formal mechanism for processing record (documented policies and procedures
for the routine and non-routine receipt, manipulation, storage, dissemination,
transmission, and/or disposal of health information).
AMC Explanation of HIPAA Regulation
Covered entities are required to maintain documented policies and procedures for the routine and
non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of
protected health information.
Key Issues
Do clear lines of authority and responsibilities exist that fit the structure and function of
entities (Hospital, Departments, Sections)?
Are there provisions for evaluating and improving policies and procedures at all levels?
Category I Guidelines-Actions must be taken to address these
Develop and document processes to govern the creation of protected health information.
Establish policies and procedures on storage of data, including administrative policies
governing the length of time that various types of data are to be stored and policies for the
archiving and destruction of data.
Establish policies for data dissemination within and external to the covered entity. (See
Comments.)
Develop policies for secure disposal of protected health information, including
information contained on media and systems that are replaced.
Category II Guidelines-Actions should be taken to address these
Protect records to a degree commensurate with the risk associated with them.
Consider standardizing record management policies across the enterprise.
Roadblocks
The presence of already existing unofficial systems may act as a barrier to change, as these will
need to be brought under the umbrella of protection. If staff do not accept needed changes, then
implementation may be delayed.
Redundancy of records in multiple systems presents a challenge, with updates in one system not
always filing or updating correctly in other systems downstream.
Comments
Policies external to the covered entity may be problematic in terms of generality or specificity.
Standards, such as message types (HL7, XML, etc.) may help in this regard.
SEC.05
Information Access and Control § .308(a)(5)
HIPAA Requirement
...(formal, documented policies and procedures for granting different levels of
access to health care information) that includes all of the following
implementation features:
(i) Access authorization (information-use policies and procedures that establish
the rules for granting access, for example, to a terminal, transaction, program,
process, or some other user.)
(ii) Access establishment (security policies and rules that determine an entity's
initial right of access to a terminal, transaction, program, process or some other
user).
(iii) Access modification (security policies and rules that determine the types of,
and reasons for, modification to an entity's established right of access, to a
terminal, transaction, program, process, or some other user.)
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish and maintain formal, documented policies and
procedures for granting different levels of access to protected health information. These policies
and procedures must, at a minimum, include:
Access authorization policies and procedures;
Access establishment policies and procedures; and
Access modification policies and procedures.
Key Issues
Does the covered entity currently have a documented access control policy?
Is there a process to establish an individual right-to-know and/or need-to-know?
Does the access control policy consider all means of access?
Do procedures define the authorization requirements for various forms of protected
health information, and is special authorization required for more sensitive information
(e.g., psychiatry, infectious diseases, genetic disorders)?
Is access authorization documented and maintained?
Is there a documented process for revoking access?
How does the covered entity authorize, implement, and revoke emergency access?
Category I Guidelines-Actions must be taken to address these
Establish documented policies and procedures to assign, implement, revoke, and modify
access to protected health information.
Category II Guidelines-Actions should be taken to address these
Create a process for determining access needs for individuals and other entities such as
law enforcement and public health.
Grant access on the basis of need-to-know and/or right-to-know.
Provide a means to review the effectiveness of access management and control.
Assign responsibility for implementing the policy to specific individuals or organizations
within the covered entity.
Enact a process to modify access, taking into account the types of, and reasons for,
previously established access.
Require implementation of technical means to control information access.
Require execution of a grantor-grantee agreement to honor information security
requirements before access is granted.
Establish a process to ensure that system access is available at appropriate times for
repair and other maintenance purposes.
Establish a documented plan to ensure that all workforce members can demonstrate
knowledge of access control responsibilities and how to obtain access authorization.
Establish a process whereby termination of a workforce member or other entity's need
for data access will trigger timely revocation of access.
Require data owners or stewards to list functions that will require access to data for
which they are responsible.
Roadblocks
Any part of the access control process can be rendered ineffective if those with access do not
respect the process - if the users do not understand their responsibilities and buy in to the
program, it will not work.
Comments
Also see: SEC.19 Access Control
Access control requirements appear throughout the security regulations in a number of different
contexts relating to personnel security requirements, physical safeguards, technical security
services, and technical security mechanisms. Access control is an integral part of almost every
element of information security. Vulnerabilities in this area include ad hoc practices and/or
incomplete policies and procedures for authorizing and establishing access to organizational
systems, failure to include smaller departmental systems in access control policies and practices,
and broken processes to address the modification and revocation of user access following job
changes or termination.
SEC.06
Internal Audit § .308(a)(6)
HIPAA Requirement
...in-house review of the records of system activity (such as logins, file accesses,
and security incidents) maintained by an organization.
AMC Explanation of HIPAA Regulation
This requirement calls for periodic reviews of a covered entity's internal security controls,
including records of logins, file accesses, and security incidents.
Key Issues
At what level in data structures should audits be maintained? Table? Record? Field?
How will this degrade system performance?
For what data will logs be maintained, and for how long?
Who will review the records? (The log itself may have protected health information in it.)
How much of the review can be done by software?
How often will audits occur?
What logged activity will be considered suspicious?
What actions will be taken in response to suspicious audit information?
Category I Guidelines-Actions must be taken to address these
Maintain, and periodically review, audit trails or activity logs for critical application
systems, including user-written applications.
Category II Guidelines-Actions should be taken to address these
Follow up on suspicious entries such as unauthorized accesses and access attempts.
Identify and resolve inappropriate activity.
Ensure that audit procedures validate the necessity for data input, processing, and output.
Ensure that audit requirements and activities do not disrupt important business processes.
Agree to and control the scope of the checks.
Explicitly identify resources for performing the checks and ensure that they are available.
Identify and agree to requirements for special or additional processing, such as
prospective audits of user activity.
Document all procedures, requirements, and responsibilities.
Consider making logs of access to individuals' health information available to the
subjects of the records via a "patient portal."
Develop an audit process to ensure that users comply with access control procedures.
Roadblocks
Users, in carrying out their respective duties, should never feel threatened by an audit. In most
cases, information systems personnel are checking a system for problem-solving purposes and it
remains transparent to the user. If the user is made aware, it is usually for the purpose of
problem solving or procedure correction.
Comments
The logs themselves may contain protected health information and should be appropriately
secure. Additional controls may be required for systems that process or have an impact on
sensitive, valuable, or critical organizational assets. Such controls should be determined on the
basis of security requirements and a formal risk assessment. Audit trails may become evidence
in legal proceedings, so care should be taken to protect their integrity in order to preserve their
usefulness for such purposes. Take the possibility of using audit trails as evidence into account
when deciding how long they should be retained. Prospective audits are onerous and usually
require clinician input to resolve need-to-know issues; they should be performed sparingly and
only with good cause as determined through the risk analysis process.
Audits can be a significant cost consideration and logging records could have an unreasonable
cost impact. A cost/benefit and risk analysis would be in order to determine what systems
should employ logging and how long the records should be stored.
Formal audit log retention standards are prudent. Destruction of log data should not appear to be
an attempt to destroy evidence in the case of legal action.
Also see: SEC.20 Audit Controls.
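As an added example (not from the AMC guidelines or any project), the following Python sketches the software-assisted review that the Internal Audit key issues ask about: constructed access-log lines are checked against a constructed SEC.05 access-authorization record and SEC.11 revocation dates, and a per-patient access list of the kind a "patient portal" could expose is produced. The user names, data categories, log format and the failed-login threshold are all assumptions.

```python
"""Review a constructed PHI access log against access authorizations.

Added example, not part of the AMC/HIPAA guidelines. Findings carry only
the reason, user and timestamp, so the review output itself does not
repeat patient identifiers from the log (the log may contain PHI).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-authorization record (SEC.05): data categories each
# user may view, and when the authorization was revoked (None = active).
AUTHORIZATIONS = {
    "jdoe":  {"categories": {"GENERAL"},          "revoked": None},
    "rlee":  {"categories": {"GENERAL", "PSYCH"}, "revoked": None},
    "mkhan": {"categories": {"GENERAL"},          "revoked": datetime(2001, 5, 10, 17, 0)},
}

# Constructed log lines: timestamp|user|event|patient_id|category
SAMPLE_LOG = """\
2001-05-11T08:01:00|jdoe|LOGIN_OK||
2001-05-11T08:02:10|jdoe|VIEW|P1001|GENERAL
2001-05-11T08:05:30|jdoe|VIEW|P1002|PSYCH
2001-05-11T09:00:00|mkhan|LOGIN_OK||
2001-05-11T09:00:45|mkhan|VIEW|P1001|GENERAL
2001-05-11T10:00:00|ghost|VIEW|P1003|GENERAL
2001-05-11T11:00:00|rlee|LOGIN_FAIL||
2001-05-11T11:00:20|rlee|LOGIN_FAIL||
2001-05-11T11:00:40|rlee|LOGIN_FAIL||
2001-05-11T11:01:00|rlee|LOGIN_FAIL||
2001-05-11T11:03:00|rlee|LOGIN_OK||
2001-05-11T11:04:00|rlee|VIEW|P1002|PSYCH
"""

# Assumed threshold: this many failed logins within the window is "suspicious".
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one log line into its fields."""
    ts, user, event, patient, category = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "patient": patient, "category": category}


def review_audit_log(log_text, authorizations=AUTHORIZATIONS):
    """Return (reason, user, timestamp) findings that merit follow-up."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        auth = authorizations.get(e["user"])
        if e["event"] == "LOGIN_FAIL":
            window = failures[e["user"]]
            window.append(e["ts"])
            # Drop failures that fell out of the window before counting.
            window[:] = [t for t in window if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) == FAILED_LOGIN_THRESHOLD:  # report once per burst
                findings.append(("repeated_login_failures", e["user"], e["ts"]))
            continue
        if e["event"] != "VIEW":
            continue
        if auth is None:
            # No SEC.05 authorization on record at all.
            findings.append(("no_access_authorization", e["user"], e["ts"]))
        elif auth["revoked"] is not None and e["ts"] > auth["revoked"]:
            # Account still usable after the SEC.11 revocation date.
            findings.append(("access_after_revocation", e["user"], e["ts"]))
        elif e["category"] not in auth["categories"]:
            # Authorized user, but not for this (more sensitive) category.
            findings.append(("category_not_authorized", e["user"], e["ts"]))
    return findings


def patient_access_report(log_text, patient_id):
    """Who viewed one patient's record: the list a patient portal could show."""
    return [(e["ts"].isoformat(), e["user"], e["category"])
            for e in map(parse_line, filter(None, log_text.splitlines()))
            if e["event"] == "VIEW" and e["patient"] == patient_id]


if __name__ == "__main__":
    for reason, user, ts in review_audit_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
    print(patient_access_report(SAMPLE_LOG, "P1002"))
```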
SEC.07
Personnel Security § .308(a)(7)
HIPAA Requirement
...(all personnel who have access to any sensitive information have the required
authorities as well as all appropriate clearances) that includes all of the following
implementation features:
Assuring supervision of maintenance personnel by an authorized, knowledgeable
person. These procedures are documented formal procedures and instructions for
the oversight of maintenance personnel when the personnel are near health
information pertaining to an individual.
Maintaining a record of access authorizations (ongoing documentation and
review of the levels of access granted to a user, program, or procedure accessing
health information).
Assuring that operating and maintenance personnel have proper access
authorization (formal documented policies and procedures for determining the
access level to be granted to individuals working on, or near, health information).
Establishing personnel clearance procedures (a protective measure applied to
determine that an unclassified automated information is admissible).
Establishing and maintaining personnel security policies and procedures (formal,
documentation of procedures to ensure that all personnel who have access to
sensitive information have the required authority as well as appropriate
clearances).
Assuring that system users, including maintenance personnel, receive security
awareness training.
AMC Explanation of HIPAA Regulation
Each covered entity must establish a personnel security clearance process to administratively
determine that persons and computers are trustworthy before giving them access to protected
health information. This process must account for, and document, levels of access granted to
individuals, programs, and procedures. The process must also address persons who fill roles
where incidental access to protected health information may occur, such as system and network
support and maintenance personnel. Supervision of uncleared or unauthorized personnel, such as
support and maintenance personnel, is necessary unless their access to protected health
information can be precluded. Awareness training on these policies and procedures is required
both for those who are cleared for and given access and those who have incidental access.
Key Issues
How closely must maintenance personnel be supervised?
How often should procedures, instructions, and levels of access be reviewed?
How broad, or how specific, should security training be? What should it cover?
How often should security training be repeated for employees? For vendors and other
contracting personnel?
Category I Guidelines-Actions must be taken to address these
Establish written personnel clearance procedures for determining the appropriateness of
access to protected health information or systems.
Maintain documentation regarding the levels of access granted to each individual,
program, and procedure.
Review access levels periodically.
Review access levels when the status of the workforce member changes.
Ensure that system users and technical maintenance staff receive security awareness
training.
Ensure that maintenance and vendor personnel are supervised when working on or near
protected health information.
Category II Guidelines-Actions should be taken to address these
Conduct records checks on applicants for employment, including residence, employment,
criminal history, and education, when job requires access to protected health information.
(See Comments.)
Require staff and maintenance/vendor employees to sign non-disclosure statements
before being given access to protected health information.
Roadblocks
Workforce member status changes can be difficult to track in a large covered entity. Consistent
application of personnel access policies may be problematic when protected health information is
shared between institutions.
Comments
The personnel clearance process is an administrative determination of trustworthiness. Human
Resources normally performs this function in AMCs. A nominal records check should ascertain
that an individual is not falsifying identity, previous employment or education, or any
professional certifications. Additionally, any potentially disqualifying criminal activity should
be discovered. Federal criminal records are centralized in the FBI database, but state and local
records are largely unlinked. It is therefore necessary to determine where individuals have
resided in order to check state and local criminal records in disparate jurisdictions. Arrest and
conviction data is public information and available on request.
SEC.08
Security Configuration Management § .308(a)(8)
HIPAA Requirement
...(measures, practices, and procedures for the security of information systems
that must be coordinated and integrated with each other and other measures,
practices, and procedures of the organization established in order to create a
coherent system of security) that includes all of the following implementation
features:
(i) Documentation (written security plans, rules, procedures, and instructions
concerning all components of an entity's security).
(ii) Hardware and software installation and maintenance review and testing for
security features (formal, documented procedures for connecting and loading new
equipment and programs, periodic review of the maintenance occurring on that
equipment and programs, and periodic security testing of the security attributes of
that hardware/software).
(iii) Inventory (the formal, documented identification of hardware and software
assets).
(iv) Security testing (process used to determine that the security features of a
system are implemented as designed and that they are adequate for a proposed
applications environment; this process includes hands-on functional testing,
penetration testing, and verification).
(v) Virus checking. (The act of running a computer program that identifies and
disables:
(A) Another "virus" computer program, typically hidden, that attaches itself to
other programs and has the ability to replicate.
(B) A code fragment (not an independent program) that reproduces by attaching
to another program.
(C) A code embedded within a program that causes a copy of itself to be inserted
in one or more other programs.)
AMC Explanation of HIPAA Requirement
A covered entity is required to have written security plans and procedures guiding its security
efforts so as to create a comprehensive security program. The security program must include an
inventory of system assets, formal procedures for installing and testing new systems, a regular
security testing schedule, and virus checking.
Key Issues
How can a covered entity identify all components of its security features?
How should inventory be reviewed and updated: when assets are added and removed, or
on a routine schedule?
At what levels should virus scans be run? Servers? Mail hubs?
How often should virus scans be run?
How often should virus detection programs be updated?
How frequently should security testing, such as penetration testing, occur?
Category I Guidelines-Actions must be taken to address these
Develop written security plans, procedures, and instructions to cover all areas of the
covered entity's information security needs.
Create and document procedures for installing and maintaining software and hardware
and periodic testing of that software and/or hardware's security attributes.
Develop a written inventory of hardware and software assets and keep the inventory
current.
Conduct security testing to ensure that the covered entity's security features are adequate;
security testing must include a manual or automated process of identifying
vulnerabilities, functional and penetration testing, and verification.
Ensure that virus scans are run on a regular schedule.
Category II Guidelines-Actions should be taken to address these
Establish a team representing diverse perspectives to plan security controls.
Have written procedures to report equipment malfunctions and any remedial actions
taken.
Require departmental systems not managed centrally to comply with the same security
configuration requirements as centrally managed systems.
Employ anti-virus countermeasures at multiple levels, for example on servers, e-mail
hosts, and desktops.
Maintain a separate test environment and test system changes for security integrity there
before moving them to the production systems.
Roadblocks
A single, well-integrated security plan is difficult to establish in an institution with hundreds of
distributed, heterogeneous systems using a wide range of technologies. The plan should be
multi-tiered and well coordinated. Even identifying all departmental systems with patient
information may be difficult in a decentralized AMC.
Comments
AMCs may want to consider coordinating their inventory reviews with accreditation agency
standards and reviews.
SEC.09
Security Incident Procedures § .308(a)(9)
HIPAA Requirement
...(formal documented instructions for reporting security breaches) that include
all of the following implementation features:
(i) Report procedures (documented formal mechanism employed to document
security incidents).
(ii) Response procedures (documented formal rules or instructions for actions to
be taken as a result of the receipt of a security incident report).
AMC Explanation of HIPAA Regulation
The covered entity must have written procedures for reporting security breaches to ensure that
security violations are handled promptly and appropriately. These must include:
Procedures for reporting security incidents.
Procedures describing response, i.e. actions to take when a security incident is reported.
Key Issues
What constitutes a security incident?
How should the covered entity define levels of incidents and sanctions for each (e.g.,
accessing protected health information as opposed to sharing protected health
information)?
How can security awareness be kept "hot"?
How can a covered entity determine when access to protected health information is
inappropriate?
Category I Guidelines-Actions must be taken to address these
Implement an incident reporting and response procedure and document it.
Category II Guidelines-Actions should be taken to address these
Tell workforce members when, how, and to whom to report a security incident.
Require workforce members to acknowledge that they have received security incident
training.
Require workforce members to report the incident if they inadvertently access protected
health information they should not have accessed.
Ensure that workforce members know that they should report security violations to a
supervisor, system administrator, security, internal audit, or others as appropriate.
Require workforce members to report instances of noncompliance.
Ensure that the teams of people who are typically involved in responding to a security
incident have a well-understood working arrangement that ensures that the incident is
handled efficiently, expeditiously, and with respect for law and individual rights.
Roadblocks
Communications between different organizational units within an AMC can be poor. Covered
entities should make sure that their IT organizations share information about security incidents
with each other in a timely manner, and may need to set up mechanisms to ensure that this
happens.
Determining where potential security breaches may occur is challenging. For instance,
physicians may download medical data onto personal digital assistants. They often purchase
such devices themselves, and Security Management has no way of knowing about the purchase
or whether the physicians are adhering to security standards.
Comments
Also see: PRIV.53 Sanctions.
SEC.10
Security Management Process § .308(a)(10)
HIPAA Requirement
...(creation, administration, and oversight of policies to ensure the prevention,
detection, containment, and correction of security breaches involving risk
analysis and risk management). It includes the establishment of accountability,
management controls (policies and education), electronic controls, physical
security, and penalties for the abuse and misuse of its assets (both physical and
electronic) that includes all of the following implementation features:
(i) Risk analysis, a process whereby cost-effective security/control measures may
be selected by balancing the costs of various security/control measures against
the losses that would be expected if these measures were not in place.
(ii) Risk management (process of assessing risk, taking steps to reduce risk to an
acceptable level, and maintaining that level of risk).
(iii) Sanction policies and procedures (statements regarding disciplinary actions
that are communicated to all employees, agents, and contractors; for example,
verbal warning, notice of disciplinary action placed in personnel files, removal of
system privileges, termination of employment, and contract penalties). They must
include employee, agent, and contractor notice of civil or criminal penalties for
misuse or misappropriation of health information and must make employees,
agents, and contractors aware that violations may result in notification to law
enforcement officials and regulatory, accreditation, and licensure organizations.
(iv) Security policy (statement(s) of information values, protection
responsibilities, and organization commitment for a system). This is the
framework within which an entity establishes needed levels of information
security to achieve the desired confidentiality goals.
AMC Explanation of HIPAA Regulation
An overall information security management process is necessary to establish policy, provide
oversight, and administer operational aspects of the program. The process must function in a
proactive, risk-appropriate manner and establish the framework for safeguarding protected health
information within the AMC. An over-arching information security policy that commits the
AMC to safeguard protected health information, to establish goals, and to assign responsibility is
necessary. Supporting policy statements and procedures are required to facilitate the prevention,
detection, containment, and correction of security breaches. Specific areas that the security
management process must cover are: risk analysis process, risk management process, sanction
process, and security policy.
Key Issues
What are the covered entity's values with regard to protecting information?
What are the covered entity's security goals?
How does the covered entity's security policy demonstrate commitment to these goals?
How will values, policy, and process be effectively communicated to those covered by
them?
What activities cannot be managed in a secure way?
Category I Guidelines-Actions must be taken to address these
Establish a management structure that identifies roles and responsibilities for security
oversight and operational aspects.
Establish an overall information security policy that articulates the organization's
priorities and expectations with respect to safeguarding protected health information.
Identify and communicate the security responsibilities of workforce members who access or
manage access to protected health information.
Employ risk analysis to identify information assets, threats, and the likelihood and costs
of adverse occurrences.
Manage risk by applying cost-effective security solutions to reduce likelihood and extent
of losses due to adverse occurrences.
Develop a sanctioning process for violators and communicate it to all workforce
members. In addition to institutional corrective action, the policy must include notices of
civil or criminal penalties and notices that violations may result in notification of law
enforcement, and/or regulatory, accreditation, and licensure organizations.
Category II Guidelines-Actions should be taken to address these
Develop and apply a data criticality/sensitivity classification scheme.
Make risk analysis and risk management ongoing.
Consider establishing progressive sanctions, such as verbal warning, written warning,
suspension, and employment termination.
Ensure that the sanction policy provides for swift and strong action when appropriate.
Establish a process to document and evaluate trends in breaches and sanctions in order to
identify potential improvements in security, e.g. changes to policy, procedures, training,
or technical measures.
Require all who have, or may have, access to protected health information to sign
security, confidentiality, and computer usage agreements.
Roadblocks
Developing and implementing consistent policies and procedures for sanctions and security
policy may be hindered by the typical AMC's decentralized structure and culture of autonomy
(academic freedom). At some AMCs, these policies may also have to be coordinated with the
associated university's central administration, especially its legal counsel's office and human
resources department.
Comments
The reader is referred to the following additional references:
Carnegie Mellon University, Software Engineering Institute, Computer Emergency Response
Team Coordination Center (CERT/CC): Information Security Risk Evaluation,
http://www.cert.org/octave/
CPRI Toolkit for Managing Information Security in Healthcare: Health Information Risk
Assessment and Management, http://www.3com.com/healthcare/securitynet/hipaa/toc.html
SEC.11
Termination Procedures § .308(a)(11)
HIPAA Requirement
...(formal documented instructions, which include appropriate security measures,
for the ending of an employee's employment or an internal/external user's access)
that include procedures for all of the following implementation features:
(i) Changing locks (a documented procedure for changing combinations of
locking mechanisms, both on a recurring basis and when personnel
knowledgeable of combinations no longer have a need to know or require access
to the protected facility or system).
(ii) Removal from access lists (physical eradication of an entity's access
privileges).
(iii) Removal of user account(s) (termination or deletion of an individual's access
privileges to the information, services, and resources for which they currently
have clearance, authorization, and need-to-know when such clearance,
authorization and need-to-know no longer exists).
(iv) Turning in of keys, tokens, or cards that allow access (formal, documented
procedure to ensure all physical items that allow a terminated employee to access
a property, building, or equipment are retrieved from that employee, preferably
before termination).
AMC Explanation of HIPAA Regulation
Entities must revoke physical access to controlled areas and remove user accounts when
employees terminate employment or when others, such as contractors and vendors, no longer
require access. Academic medical centers can reduce risk by implementing procedures to ensure
prompt collection of the items that enable access (e.g., identification cards, keys, and physical
tokens), by changing locks or lock combinations, and by revoking computer accounts.
Although this point is entitled "termination," the text includes provisions for other occasions on
which removal of access rights is called for.
Key Issues
Is access disabled in a timely and consistent manner for terminated users?
Is there timely notification to: human resources, central security administration,
decentralized security administrators, when an employee is terminated?
Is there a way to deal with terminations of individuals who are not employees, e.g.
physicians, contractors, vendors, volunteers? Are there provisions to modify/remove
access when workforce members change roles in ways that imply change in access
privileges?
Category I Guidelines-Actions must be taken to address these
When workforce members either terminate employment or lose clearance, or their
authorization or need-to-know no longer exists, take the following actions:
Recover keys, identification cards, physical tokens, and any other objects that
facilitate physical access to property, buildings, and equipment;
Change locks and/or combinations that control physical access to areas and
equipment (this must also be done on a recurring basis);
Revoke user accounts that provide access to information, services, and resources;
Remove them from lists that document authorized access to controlled areas and
information, services, and resources;
Document these processes as formal instructions.
Category II Guidelines-Actions should be taken to address these
Establish a policy and process to promptly report all terminations and ensure that the
revocation process works promptly.
Document explicit maximum time intervals that are permissible for:
Reporting terminations;
Communicating terminations to security administrators;
Disabling access.
Develop and document a process to ensure that, in instances of involuntary termination,
the action is immediately reported to security administrators and that items that enable
access are collected or inactivated immediately.
Consider revoking access prior to employment termination, particularly in instances of
involuntary termination.
Consider conditions in which people put on administrative leave (e.g. pending an
investigation of misuse of access) should have their access privileges altered.
Revise access when roles change.
Disable access privileges for any user account that shows no activity for a pre-determined
period of time (e.g. three months).
Review all suspended accounts for activity or attempted activity and report any such
activity for investigation as a potential breach.
Periodically audit the effectiveness of the process for disabling access in the event of a
termination to ensure that procedures and guidelines are being followed.
Record the completion of inactivation activities.
Perform exit interviews for any termination in which a potential security concern has
been identified.
Maintain a record of any changes made to an individual's access privileges, and retain it
long enough so it is possible to determine the extent of an individual's historic access in
case it is relevant to an investigation.
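The Category II checks above (dormant accounts, activity against suspended accounts, and revocation within a documented maximum interval) as an added audit script; this is illustrative code, not from the AMC/HIPAA Workgroup, and the accounts, terminations, log format and the 90-day/24-hour limits are constructed assumptions.

```python
"""
Audit checks for the SEC.11 termination guidelines: dormant accounts,
activity against suspended or disabled accounts, and terminations whose
revocation exceeded the documented maximum interval. Added example, not code
from the AMC/HIPAA Workgroup document; all accounts, terminations and auth-log
lines are constructed sample data, and the 90-day and 24-hour limits are
assumed policy values.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    status: str                 # "active", "suspended" or "disabled"
    last_activity: datetime


@dataclass
class Termination:
    user_id: str
    reported_at: datetime                   # when HR reported the separation
    access_disabled_at: Optional[datetime]  # None if access has not been revoked


# Constructed log format: "<ISO timestamp> <user_id> <SUCCESS|FAILURE> <host>"
_LOG_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAILURE) (\S+)$")


def parse_auth_log(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Parse log lines; malformed lines are skipped rather than aborting the audit."""
    events = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if m:
            ts, user, result, host = m.groups()
            events.append((datetime.fromisoformat(ts), user, result, host))
    return events


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Active accounts with no activity for longer than the policy interval."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.user_id for a in accounts
                  if a.status == "active" and a.last_activity < cutoff)


def suspended_account_activity(accounts, events):
    """Login attempts, successful or not, against suspended or disabled accounts."""
    blocked = {a.user_id for a in accounts if a.status in ("suspended", "disabled")}
    return [(ts.isoformat(), user, result, host)
            for ts, user, result, host in events if user in blocked]


def overdue_revocations(terminations, as_of, max_delay=timedelta(hours=24)):
    """Terminations where access was not disabled within the maximum interval."""
    findings = []
    for t in terminations:
        if t.access_disabled_at is None:
            if as_of - t.reported_at > max_delay:
                findings.append((t.user_id, "not yet disabled"))
        elif t.access_disabled_at - t.reported_at > max_delay:
            late_by = t.access_disabled_at - t.reported_at - max_delay
            findings.append((t.user_id, "disabled late by %s" % late_by))
    return findings


# Constructed sample data
AS_OF = datetime(2001, 5, 15, 12, 0)
ACCOUNTS = [
    Account("jdoe", "active", datetime(2001, 5, 14, 8, 2)),
    Account("rsmith", "active", datetime(2001, 1, 20, 16, 45)),   # idle since January
    Account("contractor7", "suspended", datetime(2001, 4, 1, 11, 0)),
    Account("mlee", "disabled", datetime(2001, 3, 30, 9, 30)),
]
AUTH_LOG = [
    "2001-05-14T08:02:11 jdoe SUCCESS ws-ed-04",
    "2001-05-14T23:41:05 contractor7 FAILURE vpn-gw1",
    "2001-05-15T03:10:48 mlee FAILURE ws-lab-12",
    "this line is not an auth record",
]
TERMINATIONS = [
    Termination("mlee", datetime(2001, 3, 30, 9, 0), datetime(2001, 3, 30, 10, 30)),
    Termination("contractor7", datetime(2001, 5, 1, 9, 0), None),
    Termination("pwong", datetime(2001, 5, 10, 17, 0), datetime(2001, 5, 13, 9, 0)),
]


def run_audit(accounts=ACCOUNTS, log_lines=AUTH_LOG,
              terminations=TERMINATIONS, as_of=AS_OF):
    """Run all three checks and return the findings for reporting."""
    events = parse_auth_log(log_lines)
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "blocked_account_activity": suspended_account_activity(accounts, events),
        "overdue_revocations": overdue_revocations(terminations, as_of),
    }


if __name__ == "__main__":
    for key, findings in run_audit().items():
        print(key)
        for f in findings:
            print("  ", f)
```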
Roadblocks
AMCs often have a decentralized structure and culture, and thus have many computer systems
with decentralized management. Take into consideration that AMCs often have many sites with
controlled physical access.
Comments
Linkage of HR, Payroll, and IT systems is a major step in resolving this difficult issue.
Education, procedures, and checklists for managers on terminating staff are essential for a
successful termination process.

SEC.12
Security Training § .308(a)(12)
HIPAA Requirement
...(education concerning the vulnerabilities of the health information in an
entity's possession and ways to ensure the protection of that information) that
includes all of the following implementation features:
(i) Awareness training for all personnel, including management personnel (in
security awareness, including, but not limited to, password maintenance, incident
reporting, and viruses and other forms of malicious software).
(ii) Periodic security reminders (employees, agents, and contractors are made
aware of security concerns on an ongoing basis).
(iii) User education concerning virus protection (training relative to user
awareness of the potential harm that can be caused by a virus, how to prevent the
introduction of a virus to a computer system, and what to do if a virus is
detected).
(iv) User education in importance of monitoring log-in success or failure and how
to report discrepancies (training in the user's responsibility to ensure the security
of health care information).
(v) User education in password management (type of user training in the rules to
be followed in creating and changing passwords and the need to keep them
confidential).
AMC Explanation of HIPAA Regulation
Security training is necessary for all workforce members who access protected health
information. This training must include overall security awareness, periodic reminders, virus
awareness, password management, and user-specific topics necessary for individual workstation
security.
Key Issues
How will the security training program be updated to reflect changes in the security
environment and security responsibilities of workforce members?
How is the training program tailored to support the various classes of system users and
the level of information sensitivity to which each class of user has access?
Are all system users included in the training program, including those accessing
organizational systems from remote sites?
How is training documented?
How is training effectiveness evaluated?
Does the training content meet all of the HIPAA training requirements?
How often should reminders or refresher courses be provided?
Category I Guidelines-Actions must be taken to address these
Establish a formal, documented security awareness training program for all workforce
members that addresses, at a minimum, the following topics:
Protection against, and reporting of, viruses;
Reporting security incidents;
Managing individual passwords.
Establish a formal, documented security awareness program tailored to system users that
addresses, at a minimum:
Virus protection;
Potential harm viruses can cause;
How to prevent the introduction of viruses into a computer system;
What to do if a virus is detected;
The importance of monitoring log-in success or failure;
How to report discrepancies in the log-in process;
Rules for creating and changing passwords;
Safeguarding passwords.
Provide periodic security awareness reminders to all workforce members.
Category II Guidelines-Actions should be taken to address these
Make training role and/or job-specific.
Assign responsibility for security training.
Document the training that has been provided to each individual.
Develop a training program that demonstrates mastery of the material presented.
Evaluate the effectiveness of training.
Roadblocks
Security training is generally not given a high priority in orientation and training for new hires,
so the time available may be inadequate. It is also often difficult to arrange security training for
third-party agents and sub-contractors with access to health information. Without centralized
responsibility for the development of content for the security program, it will be difficult to
ensure consistent training across the AMC.
Comments
Using experts in this field will enhance the content of security training programs. Some AMCs
reduce the costs of security training by weaving training into ongoing training activities.
Consider including a security training curriculum for residents, as well as for medical and
nursing students.
Also see: SEC.18 Security Awareness Training.
The reader is referred to the following additional references:
American Health Information Management Society
https://secure.ahima.org/commerce/
* Faxing Safeguards: Guidelines For Transmitting Patient Health Information
* Security And Access: Guidelines For Managing Electronic Patient Information
* Information Security: HIPAA Sets The Standard Program In A Box
Carnegie Mellon University
Software Engineering Institute
Computer Emergency Response Team Coordination Center (Cert/CC)
http://www.cert.org/nav/training.html
Computer Security Institute, Manager's Guide to Computer Security Awareness
http://www.gocsi.com/
CPRI-Toolkit for Managing Information Security in Healthcare
http://www.3com.com/healthcare/securitynet/hipaa/toc.html
* CPRI Guide - Information Security Education
* Instructor Guide
* Slides for Training Program
MIS Training Institute
http://www.misti.com/
National Institutes of Health Web Security Links
http://www.alw.nih.gov/Security/security.html
National Institute of Standards and Technology (NIST)
Computer Security Resource Center
http://csrc.ncsl.nist.gov/

Section Two: Requirements for Physical Safeguards

SEC.13
Assigned Security Responsibility § .308(b)(1)
HIPAA Requirement
...(practices established by management to manage and supervise the execution
and use of security measures to protect data and to manage and supervise the
conduct of personnel in relation to the protection of data).
AMC Explanation of HIPAA Regulation
The governing body of each covered entity must designate a security officer or group to oversee
the safeguarding of protected health information and assign the necessary responsibility and
accountability to that role. This person or group will manage the execution and use of security
measures and supervise the conduct of personnel in relation to data protection.
Key Issues
Will the covered entity instill this responsibility in an individual role or charge a
committee?
How will the covered entity empower the security officer or group to effectively
accomplish security goals?
How will multiple facility entities assign oversight?
How will multiple entity systems assign oversight?
Category I Guidelines-Actions must be taken to address these
Assign overall responsibility for securing protected health information to an individual
security officer or a group specifically charged to do so.
Make this person or group accountable for the information security program to include:
Processes employed to safeguard protected health information;
Technologies and architectures employed to safeguard protected health information;
Conduct of personnel in relation to the safeguarding of protected health information.
Category II Guidelines-Actions should be taken to address these
Have the organization's governing body assign this responsibility and instill the authority
to effectively accomplish the task.
Ensure that the security officer possesses the necessary body of knowledge, skill set, and
experience to effectively oversee the security program.
Extend the security officer's responsibility to the entire entity.
If the organization has multiple security officers, coordinate their efforts.
Avoid combining the responsibilities of the security officer and the privacy official, as
the knowledge bases and skill sets required for each differ.
Roadblocks
Security officers with the knowledge, skills, and experience necessary to effectively manage an
information security program in an AMC are few and difficult to recruit. On the other hand,
training a person with a general or non-healthcare information security background on the job
takes a good deal of time.
Comments
None.

SEC.14
Media Controls § .308(b)(2)
HIPAA Requirement
...(formal, documented policies and procedures that govern the receipt and
removal of hardware/software (such as diskettes and tapes) into and out of a
facility) that include all of the following implementation features:
Access control.
Accountability (the property that ensures that the actions of an entity can be
traced uniquely to that entity).
Data backup (a retrievable, exact copy of information).
Data storage (the retention of health care information pertaining to an individual
in an electronic format).
Disposal (final disposition of electronic data, and/or the hardware on which
electronic data is stored).
AMC Explanation of HIPAA Regulation
While this item states that it is focused upon the transfer of hardware and software media into
and out of a facility, it also requires consideration of the larger issue of how to handle record
copies of protected media from creation to destruction. Each entity will need to decide how to
categorize, annotate, account for, store, and dispose of protected health information in record
form.
Key Issues
How and by whom is new media introduced into the record environment?
How are working materials created, marked, controlled, and destroyed?
How are media and computer equipment controlled when entering and leaving the
facility?
Is equipment properly inventoried?
Is media disposed of properly?
Does the use of unofficial and "shadow" record systems undermine accountability and
controls and, if so, how can they be brought into line with media controls?
Category I Guidelines-Actions must be taken to address these
Establish accountability and access controls for media containing protected health
information, including equipment with media installed and hardcopies containing
protected health information, from creation to disposition.
Ensure that policies and procedures address access control, accountability, data backup,
data storage, and data disposal.
Category II Guidelines-Actions should be taken to address these
Establish uniform terminology and guidelines for classifying and marking materials as
"confidential," "proprietary," "patient-confidential," etc.
Establish procedures for assigning accountability for newly created media, including
hardcopy when created and recording/removing the media from accountability when
properly destroyed.
Establish guidelines to restrict the use of "unofficial" or "shadow" records to ensure the
integrity and protection of protected health information.
Mark temporary working materials, whether on computer media or hard copy, that
contain protected health information appropriately when created and establish a date for
either destroying the working materials or bringing them under control as record
documents.
Ensure that appropriate secure storage and destruction facilities, such as shredders, are
readily available, clearly marked, and used.
Ensure that protected health information in hardcopy format is disposed of properly.
Responsible personnel should authorize the shipping and receiving of protected media
and maintain appropriate records. Establish a formal system for shipping and
transporting materials containing protected health information with receipts to ensure that
shipped materials have been properly received and accountability has been transferred to
the receiving office. Establish standards for wrapping and marking shipped media that
both minimize the likelihood of its being identified as containing protected health
information and prevent tampering.
Set a standard for purging protected health information from magnetic media, and adhere
to it. Degaussing and overwriting are acceptable methods. (See Comments.)
Before releasing any magnetic media that may contain protected health information
outside the entity, process it to purge any information residing on it.
If media is left unattended, secure it and use reasonable care.
Do not leave printed versions (hardcopy) of protected health information unattended and
open to compromise, and do not copy it indiscriminately.
Establish and maintain accountability for all equipment used to process protected health
information, including requirements for regular inventory and resolving any loss of
accountability.
Ensure that essential patient care information is properly backed up in a secure location.
Periodically check to ensure that data can be restored from backup media.
Consider periodic audits by outside agencies to ensure that appropriate media controls are
maintained.
Roadblocks
Unlike many business environments, there is no real control over movement of people and
equipment on and off campus. While establishing controls for centrally managed data is
relatively straightforward, the issue of enforcing media controls for "shadows" and other
unofficial systems is a significant one.
Comments
A reasonable standard for purging magnetic media containing protected health information by
overwriting is a one-time bit-by-bit method that wipes the entire piece of media. The
government standard for declassifying media is a three-time overwrite: First overwrite with a
character or character string, second overwrite with the binary complement of the first, and the
third overwrite may consist of any character or character string.
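The three-pass overwrite described in these Comments, carried out on a file with read-back verification after each pass, as an added example (not code from the AMC/HIPAA Workgroup; the 0x55 first-pass byte and the sample content are constructed choices). On flash media or journaling file systems an overwrite of a file does not necessarily reach every physical copy, so this demonstrates the pattern rather than a universal purge tool.

```python
"""
Three-pass overwrite of a file as described in the SEC.14 Comments: first pass
a fixed character, second pass its binary complement, third pass any character,
each pass verified by reading the media back. Added example, not code from the
AMC/HIPAA Workgroup document. The sample record content is constructed.
"""
import os
import secrets
import tempfile
from typing import List, Optional, Tuple

FIRST_PASS_PATTERN = b"\x55"   # 01010101; its binary complement is 0xAA


def complement(pattern: bytes) -> bytes:
    """Bitwise complement of every byte in the pattern (second pass)."""
    return bytes(b ^ 0xFF for b in pattern)


def _pattern_block(pattern: bytes, chunk: int = 1 << 16) -> bytes:
    # Whole repetitions only, so chunk boundaries keep the pattern aligned.
    reps = max(1, chunk // len(pattern))
    return pattern * reps


def _overwrite(fh, size: int, pattern: bytes) -> None:
    """Write the pattern over the first `size` bytes and force it to disk."""
    block = _pattern_block(pattern)
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(len(block), remaining)
        fh.write(block[:n])
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def _verify(fh, size: int, pattern: bytes) -> bool:
    """Read the file back and confirm every byte matches the pattern."""
    block = _pattern_block(pattern)
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(len(block), remaining)
        if fh.read(n) != block[:n]:
            return False
        remaining -= n
    return True


def purge_file(path: str,
               third_pattern: Optional[bytes] = None) -> List[Tuple[str, str, bool]]:
    """Overwrite the file in place three times.

    Returns one (pass name, pattern hex, verified) tuple per pass. The third
    pass uses the caller's pattern or, failing that, a random byte.
    """
    size = os.path.getsize(path)
    p1 = FIRST_PASS_PATTERN
    p2 = complement(p1)
    p3 = third_pattern if third_pattern is not None else bytes([secrets.randbelow(256)])
    results = []
    with open(path, "r+b") as fh:
        for name, pat in (("pass1", p1), ("pass2", p2), ("pass3", p3)):
            _overwrite(fh, size, pat)
            results.append((name, pat.hex(), _verify(fh, size, pat)))
    return results


def demo_purge(sample: bytes = b"PATIENT: DOE, JANE  MRN: 000-CONSTRUCTED  DX: sample\n" * 2000):
    """Write constructed sample content to a temp file, purge it, and report."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        results = purge_file(path, third_pattern=b"\x00")
        with open(path, "rb") as fh:
            data = fh.read()
        return {
            "passes": results,
            "all_verified": all(ok for _, _, ok in results),
            "size_unchanged": len(data) == len(sample),
            "residue_found": b"PATIENT" in data,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_purge())
```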

SEC.15
Physical access controls § .308(b)(3)
HIPAA Requirement
...(limited access) (formal, documented policies and procedures to be followed to
limit physical access to an entity while ensuring that properly authorized access is
allowed) that include all of the following implementation features:
(i) Disaster recovery (the process enabling an entity to restore any loss of data in
the event of fire, vandalism, natural disaster, or system failure).
(ii) An emergency mode operation (access controls in place that enable an entity
to continue to operate in the event of fire, vandalism, natural disaster, or system
failure).
(iii) Equipment control (into and out of site) (documented security procedures for
bringing hardware and software into and out of a facility and for maintaining a
record of that equipment. This includes, but is not limited to, the marking,
handling, and disposal of hardware and storage media.)
(iv) A facility security plan (a plan to safeguard the premises and building
(exterior and interior) from unauthorized physical access and to safeguard the
equipment therein from unauthorized physical access, tampering, and theft).
(v) Procedures for verifying access authorizations before granting physical
access (formal, documented policies and instructions for validating the access
privileges of an entity before granting those privileges)
(vi) Maintenance records (documentation of repairs and modifications to the
physical components of a facility, such as hardware, software, walls, doors, and
locks).
(vii) Need-to-know procedures for personnel access (a security principle stating
that a user should have access only to the data he or she needs to perform a
particular function).
(viii) Procedures to sign in visitors and provide escorts, if appropriate (formal
documented procedure governing the reception and hosting of visitors).
(ix) Testing and revision (the restriction of program testing and revision to
formally authorized personnel).
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish formal, documented policies and procedures for
limiting physical access while ensuring that properly authorized access is allowed. Mandatory
implementation features also include plans for emergency operation and disaster recovery as well
as for testing and revision.
Key Issues
None.
Category I Guidelines-Actions must be taken to address these
House critical or sensitive protected health information processing facilities in secure
areas, protected by a defined security perimeter, with appropriate security barriers and
entry controls. Physically protect them from unauthorized access, damage, and
interference.
Establish and maintain a specific disaster recovery plan.
Supervise or clear contractors and other visitors to secure areas, and record their date and
time of entry and departure.
Control access to protected health information and information processing facilities, and
restrict it to authorized persons only.
Provide security for off-site equipment that is equivalent to that provided for on-site
equipment used for the same purpose, taking into account the risks of working outside the
covered entity's premises.
Keep records of maintenance of equipment.
Restrict testing and revision to authorized personnel.
Category II Guidelines-Action should be considered to address these
Provide protection commensurate with the identified risks.
Regularly review and update access rights to secure areas.
Grant contractors and visitors access only for specific, authorized purposes and issue
them with instructions on the security requirements of the area and on emergency
procedures.
Require all workforce members to wear some form of visible identification and
encourage them to challenge unescorted strangers and anyone not wearing visible
identification.
Physically protect equipment from security threats and environmental hazards.
Maintain equipment in accordance with the supplier's recommended service intervals and
specifications.
Use authentication controls, e.g. swipe card plus PIN, to authorize and validate all access.
Maintain a secure audit trail of all access.
Require management authorization for the use of any equipment outside a covered
entity's premises for processing of protected health information.
Ensure that only authorized maintenance personnel carry out repairs and service
equipment.
Maintain records of all suspected or actual faults and all preventative and corrective
maintenance.
Establish appropriate controls when sending equipment off premises for maintenance.
Comply with all requirements imposed by insurance policies.
Check all items of equipment containing storage media, e.g. fixed hard disks, to ensure
that any protected health information and licensed software has been removed or
overwritten prior to disposal.
Require authorization in order to take any equipment, protected health information, or
software off site. Where necessary and appropriate, require equipment to be logged out
and logged back in when returned. Perform spot checks to detect unauthorized removal
of property, and make individuals aware that spot checks will take place.
Forbid users to connect unauthorized devices to the enterprise network.
Escort and supervise maintenance personnel; assign knowledgeable persons to this task.
Roadblocks
Those responsible for implementation and enforcement may be slow to accept the need for new
policies.
Comments
Also see: SEC.14 Media Controls

SEC.16
Policy/guideline on workstation use § .308(b)(4)
HIPAA Requirement
...(documented instructions/procedures delineating the proper functions to be
performed, the manner in which those functions are to be performed, and the
physical attributes of the surroundings of a specific computer terminal site or type
of site, dependent upon the sensitivity of the information accessed from that site).
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish a policy/guideline on secure workstation use. These
documents will establish the rules for minimizing the risk of exposing protected health
information to unauthorized access. They will include technical measures (automatic logoff) as
well as behavioral rules (no sharing of passwords).
Key Issues
Is there a documented procedure for siting workstations (including both printers and data
entry/display terminals) in such a way as to minimize shoulder surfing?
Is there a process for determining automatic logoff intervals for each site?
Is there a process for activating and deactivating passwords?
Is there a documented process to train users about their responsibilities in maintaining
workstation security?
Category I Guidelines-Actions must be taken to address these
Develop a Workstation Use Policy.
Position workstations to minimize unauthorized viewing of protected health information
either by shoulder surfing or by other direct physical means of obtaining access to data
present on the workstation.
Grant workstation access only to those who need it in order to perform their job function.
Category II Guidelines-Actions should be taken to address these
Develop a policy/guideline to protect the workstations from exposure to physical threats
including theft.
Consider establishing automatic logoff to minimize opportunities for unauthorized use of
a workstation.
Educate users about their responsibilities for workstation security.
Monitor workstation sites for good user practice including logoff and password usage.
Consider two-factor login for user authentication.
Avoid login methods that may require the use of multiple passwords by an individual.
Roadblocks
In many institutions, guarding passwords and workstations is of secondary importance to the
need to accomplish the goal of providing healthcare. Procedures that substantially impede the
use of data entry and data retrieval will meet resistance.
Comments
When interpreting this rule, consider that a workstation may include any or all of several devices
such as data terminals, printers, and fax machines. Printouts may contain the most sensitive
information in a patient's file and are as great a security risk as any other source of information.
Since turnover may be high among those who have broad access to protected health information,
it is important to have a facile and flexible way to manage granting and revocation of access
privileges.
Training users about their security responsibilities as well as functional aspects is vital,
especially in AMCs.

SEC.17
Secure work station location § .308(b)(5)
HIPAA Requirement
...(physical safeguards to eliminate or minimize the possibility of unauthorized
access to information; example, locating a terminal used to access sensitive
information in a locked room and restricting access to that room to authorized
personnel, not placing a terminal used to access patient information in any area of
a doctor's office where the screen contents can be viewed from the reception area).
AMC Explanation of HIPAA Regulation
Each covered entity is required to implement physical safeguards to eliminate or minimize the
possibility of unauthorized access to protected health information. This is especially important
in public buildings, provider locations, and other areas where there is heavy pedestrian traffic.
Key Issues
What are the trade-offs between workstation accessibility and protection of protected
health information?
How will potential workstation location changes impact workflow?
Category I Guidelines-Actions must be taken to address these
Establish workstation location criteria to eliminate or minimize the possibility of
unauthorized access to protected health information.
Employ physical safeguards as determined by risk analysis, such as locating workstations
in controlled access areas or installing covers or enclosures to preclude passerby access to
protected health information.
Category II Guidelines-Actions should be taken to address these
When practical, locate workstations used to access protected health information in areas
that are continuously monitored by cleared personnel when open for business and
otherwise securely locked and alarmed with a 24 hour security monitoring service.
Locate workstations to minimize the possibility of unauthorized personnel viewing
screens or data.
Establish workstation inactivity timeouts and use timed, password-protected screen
savers.
Consider the use of proximity detectors to reduce exposure at unattended workstations.
Roadblocks
No roadblocks specific to this point.
Comments
Ideally, workstations used to access protected health information would be located only in
controlled areas - but this may unacceptably restrict access to and use of electronic patient
records. In these cases, consider additional controls such as physical devices to limit viewing,
timeout/lockout of individual sessions, use of password-protected screensavers, and other
procedures to provide adequate confidentiality.

SEC.18
Security Awareness training § .308(b)(6)
HIPAA Requirement
...(information security awareness training programs in which all employees,
agents, and contractors must participate, including, based on job responsibilities,
customized education programs that focus on issues regarding use of health
information and responsibilities regarding confidentiality and security).
AMC Explanation of HIPAA Regulation
Covered entities are required to establish security awareness training programs customized to
individual job responsibilities. Training for all workforce members in the use of protected health
information and its confidentiality and security is required.
Key Issues
How will the covered entity tailor security awareness training to hundreds of separate
roles?
How will the covered entity merge privacy training (use of information) with security
training to address this requirement?
Category I Guidelines-Actions must be taken to address these
Provide job-specific security awareness training to all workforce members.
Focus the training on use of protected health information (privacy) and security.
Category II Guidelines-Actions should be taken to address these
Make this aspect of training a supervisory or departmental responsibility, as appropriate.
Consider the security guidelines in this document-Category I and Category II
Guidelines-and determine which pertain to each job class. Develop a training program
to communicate them.
Roadblocks
Developing meaningful job-specific training programs in large organizations is difficult. Making
supervisors responsible and accountable for training at this level is an approach that should
maximize the likelihood of success.
Comments
Also see: SEC.12, as covered in §.308(a)(12). SEC.12 Security Training is general in nature,
establishing high-level expectations for all staff and somewhat more focused expectations for the
system user community. This Security Awareness Training point focuses on customized
education tailored to individual job responsibilities.

Section Three: Requirements for Technical Security, Services, and Mechanisms

SEC.19
Access Control § .308(c)(1)(i)
HIPAA Requirement
The technical security services must include...Access control that includes:
(A) A procedure for emergency access (documented instructions for obtaining
necessary information during a crisis) and
(B) At least one of the following implementation features:
1) context-based access (an access control procedure based on the context of a
transaction as opposed to being based on attributes of the initiator or target)
2) role-based access
3) user-based access
(C) The optional use of encryption
AMC Explanation of HIPAA Regulation
Each covered entity is required to maintain a mechanism for access control that restricts access
to resources and allows access only by privileged entities, providing access only to those
workforce members with a business need for it. Possible types of access control include
mandatory access control, discretionary access control, time-of-day, classification, and subject-
object separation. In addition, a mechanism to enable emergency access is required.
Key Issues
Is there a documented procedure for emergency access?
Is there a process for screening unwarranted demands for access?
Do systems and applications have technical capability to implement user, role, or context-
based access?
Do systems prohibit or allow simultaneous access of the same user id/concurrent
connections? Why or why not?
Does the organization allow group, shared, trusted, or generic logon?
How does encryption impact access control?
Category I Guidelines-Actions must be taken to address these
Define a context-based, role-based, and/or user-based access policy as appropriate for
each of the various situations in the covered entity and adopt implementation procedures
to enforce need-to-know accordingly.
Enact a clearly stated and widely understood "break the glass" procedure for allowing
access via alternate and/or manual methods in the event of an emergency requiring access
to protected health information.
Category II Guidelines-Actions should be taken to address these
Establish a centrally administered service to define access profiles (context-based,
role-based, or user-based) and oversee consistent implementation of access control
mechanisms.
Document and test the emergency access procedure.

Evaluate information technology projects, proposals, contracts, and existing services for
access control features and implementation.
Consider adopting ASTM-defined healthcare roles.
Roadblocks
Centrally administered access control services are difficult to implement in the diverse IT
environments typical of Academic Medical Centers. Take into consideration that reduced logon
solutions, PKI, Kerberos, password brokering services, and the like are expensive, complicated,
and often require expertise not found in the healthcare industry. Testing emergency access
procedures in a realistic fashion is often cumbersome. Controlling contractor and business
partner access is challenging, particularly when remote network connections are involved and
accountability is necessary on the remote end. Modifying access profiles when staff change
roles within the covered entity will require efficient communication between personnel and IT.
Comments
Also see: SEC.05 Information Access and Control, SEC.10 Security Management Process, and
SEC.11 Termination Procedures
A user-based access model would require the organization to determine appropriate access for
each individual user. A role-based access model would require the organization to develop an
access profile for each role; for example, nurses, doctors, and desk attendants each have different
access needs dependent upon their role in the organization. A context-based access model
would, for example, allow all staff working in Endocrinology to access Endocrinology records.
Some AMCs may choose to implement combinations of access models.

SEC.20
Audit Controls § .308(c)(1)(ii)
HIPAA Requirement
The technical security services must include...(mechanisms employed to record
and examine system activity).
AMC Explanation of HIPAA Regulation
System activity logging is required in order to recreate pertinent system events and actions taken
by system users and administrators. An audit process of examining logged information is
required in order to identify questionable data access activities, investigate breaches, respond to
potential weaknesses, and assess the security program.
Key Issues
What activities need to be monitored?
What level of logging detail is necessary?
How long should covered entities retain audit log data?
How should covered entities protect audit log data?
Who may access audit log data?
How can a covered entity identify inappropriate access?
How can a covered entity best use audit tools to assess its security program?
When should prospective audits be used?
Category I Guidelines-Actions must be taken to address these
Employ event logging on systems that process or store protected health information
where warranted by risk analysis.
Category II Guidelines-Actions should be taken to address these
Log system administration events:
Creation and removal of accounts;
Assigning and changing of privileges;
Installation, maintenance, and changing of software;
Changes in hardware configurations.
Log user activities:
Logon and logoff, both successful and unsuccessful;
Read, write, create, and delete actions at the file level;
Individual user access to individual patient records;
Attempts to access unauthorized data and/or services.
Perform prospective audits of user activity where risk levels warrant.
Maintain log data for a specified period of time.
Protect system logs, especially those containing personally identifiable healthcare
information, from unauthorized access or alteration.
Employ audit reduction tools and/or "intelligent" methods of correlating log data to
detect unauthorized activity and reduce volumes to manageable size.

Roadblocks
Be aware that system audit logs can quickly become voluminous and require additional
maintenance time. Prospective auditing and determining appropriateness of access and actions
taken is an expensive, time consuming, and difficult process.
Comments
The purpose of system event logging is to be able to recreate pertinent events should a security
violation or compromise occur. Log data is typically examined reactively, when indications of
unauthorized activity are reported. How entities interpret and respond to findings is a measure of
compliance. Because prospective audits are onerous and usually require the input of clinicians to
resolve need-to-know issues, they should be performed sparingly and with good cause in
accordance with risk and threat levels as determined through the risk analysis process.
Enterprise systems are normally subject to audit controls. Departmental systems and those with
limited numbers of users and lower functionality, such as laboratory systems or those that feed
data up to enterprise systems, are normally not subject to audit controls unless the risk analysis
process determines otherwise. The risk analysis process should consider track records of
violations. Logging and audit strategies should reflect levels of abuse. Logging to a high level
of detail, such as individual keystroke capture, is generally not necessary.
The required retention period for audit log data may vary. In general, at least several months of
data are necessary to adequately investigate instances of inappropriate access. The National
Industrial Security Program, which oversees the protection of U.S. government classified
information, requires at least six months of log data. This may be a reasonable and defensible
goal for Academic Medical Centers as well.
Also see: SEC.06 Internal Audit, SEC.09 Security Incident Procedures, PRIV.53 Complaints,
and PRIV.54 Sanctions.
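As an added illustration of the audit reduction and correlation guideline above (example code, not part of the AMC document), the following Python reads constructed access-log lines and pulls out three patterns a reviewer would want surfaced: bursts of failed logons, record reads against a unit other than the user's own, and a user reading more distinct patient records in an hour than a job plausibly needs. The log format, the staff directory and the thresholds are assumptions; real thresholds come from the risk analysis.

```python
"""Audit reduction over constructed access-log lines.  Added example; the log
format, staff directory and thresholds are assumptions for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed staff directory: the home unit of each (unique) user id.
HOME_UNIT: Dict[str, str] = {"n.lee": "Endocrinology", "r.patel": "Cardiology",
                             "j.doe": "Billing"}

def parse(line: str) -> dict:
    """'<ISO timestamp> key=value key=value ...' -> dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def failed_logon_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """User ids with at least `threshold` failed logons inside any `window`."""
    times = defaultdict(list)
    for e in events:
        if e["action"] == "LOGON" and e["result"] == "FAIL":
            times[e["user"]].append(e["ts"])
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def out_of_unit_reads(events: List[dict]) -> List[dict]:
    """Record reads where the record's unit is not the reader's home unit."""
    hits = []
    for e in events:
        if e["action"] != "READ":
            continue
        home = HOME_UNIT.get(e["user"])
        if home is not None and home != e["unit"]:
            hits.append(e)
    return hits

def record_browsing(events: List[dict], max_patients: int = 20,
                    window: timedelta = timedelta(hours=1)) -> Set[str]:
    """Users who read more than `max_patients` distinct patients within `window`."""
    reads = defaultdict(list)
    for e in events:
        if e["action"] == "READ":
            reads[e["user"]].append((e["ts"], e["patient"]))
    flagged = set()
    for user, items in reads.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            distinct = {p for t, p in items[i:] if t - t0 <= window}
            if len(distinct) > max_patients:
                flagged.add(user)
                break
    return flagged

def reduce_log(events: List[dict]) -> Counter:
    """Audit reduction: collapse the raw log to counts per (user, action, result)."""
    return Counter((e["user"], e["action"], e["result"]) for e in events)

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2001-05-03T08:10:01 user=j.doe action=LOGON result=FAIL src=10.1.2.3
2001-05-03T08:10:09 user=j.doe action=LOGON result=FAIL src=10.1.2.3
2001-05-03T08:10:15 user=j.doe action=LOGON result=FAIL src=10.1.2.3
2001-05-03T08:10:22 user=j.doe action=LOGON result=FAIL src=10.1.2.3
2001-05-03T08:10:30 user=j.doe action=LOGON result=FAIL src=10.1.2.3
2001-05-03T08:12:00 user=n.lee action=LOGON result=OK src=10.1.5.7
2001-05-03T08:14:22 user=n.lee action=READ patient=P-2002 unit=Endocrinology result=OK
2001-05-03T08:20:05 user=n.lee action=READ patient=P-1001 unit=Cardiology result=OK
2001-05-03T09:00:00 user=r.patel action=LOGON result=OK src=10.1.8.2
2001-05-03T09:01:00 user=r.patel action=READ patient=P-3001 unit=Cardiology result=OK
2001-05-03T09:02:00 user=r.patel action=READ patient=P-3002 unit=Cardiology result=OK
2001-05-03T09:03:00 user=r.patel action=READ patient=P-3003 unit=Cardiology result=OK
2001-05-03T09:04:00 user=r.patel action=READ patient=P-3004 unit=Cardiology result=OK
2001-05-03T09:30:00 user=n.lee action=LOGOFF result=OK src=10.1.5.7
"""
EVENTS = [parse(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
    print("out-of-unit reads:", [(e["user"], e["patient"]) for e in out_of_unit_reads(EVENTS)])
    print("browsing (demo threshold 3):", record_browsing(EVENTS, max_patients=3))
    for key, n in sorted(reduce_log(EVENTS).items()):
        print(key, n)
```

The out-of-unit check is the mechanical half of a prospective audit: it tells the reviewer which reads to ask a clinician about, which is exactly where the Comments above say the expense lies, so it should run only where the risk analysis warrants.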

SEC.21
Authorization Control § .308 (c)(3)
HIPAA Requirement
...(the mechanism for obtaining consent for the use and disclosure of health
information) that includes at least one of the following implementation features:
(A) Role-based access
(B) User-based access
AMC Explanation of HIPAA Regulation
Covered entities must implement a mechanism to authorize the privileged use of protected health
information available via systems and applications. The mechanism must limit these privileges
to the maximum practical extent commensurate with professional needs.
Key Issues
How can a covered entity determine which type of authorization mechanism-role-based
or user-based-is appropriate?
Category I Guidelines-Actions must be taken to address these
Employ a system or application-based mechanism to authorize activities within system
resources in accordance with the Least Privilege Principle. (See Comments.)
Implement:
A role-based mechanism where users with common information needs are provided
access and privileges through common security authorization classes; or
A user-based mechanism where users' information access and privilege needs are
determined and provided on an individual basis.
Maintain individual accountability for actions taken by forbidding group (shared, generic,
trusted, etc.) logons.
Category II Guidelines-Actions should be taken to address these
None.
Roadblocks
Implementing a data stewardship model is prudent but will likely be difficult in large covered
entities. Individuals or groups sometimes perform stewardship functions but may not understand
the concept of accountability for usage and disclosure.
Comments
The Least Privilege Principle pertains to one's ability to perform specified system functions.
Users should not have system capabilities not required of their positions. For example, a user
who requires only read access to medical information should not have the ability to change or
delete it. AMCs will almost certainly use the role-based authorization approach given the large
numbers of users typical of these organizations. Covered entities are cautioned to avoid
developing too many authorization profiles in a role-based model, as management of a large
number of profiles is unwieldy.
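The following is an added example (not part of the AMC guidelines) showing, in Python, how the three access models named in SEC.19 and the least-privilege authorization of SEC.21 fit together with a logged "break the glass" path. The roles, departments, users and patient identifiers are constructed for illustration.

```python
"""Role-, user- and context-based access decisions with a logged
"break the glass" emergency path.  Added example; roles, departments,
users and patient ids are constructed, not taken from any AMC."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Least privilege: each role profile carries only the operations its job needs.
# Keep the number of profiles small, as the guideline warns.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "physician":  {"read", "write"},
    "nurse":      {"read", "write"},
    "desk_clerk": {"read_demographics"},
    "auditor":    {"read"},            # read-only: cannot change or delete
}

@dataclass
class User:
    user_id: str                       # unique and individual; no shared logons
    role: str
    department: str
    extra_grants: Set[str] = field(default_factory=set)  # user-based exceptions

@dataclass
class Record:
    patient_id: str
    department: str                    # the context the record lives in

@dataclass
class Decision:
    allowed: bool
    reason: str
    emergency: bool = False

AUDIT_LOG: List[dict] = []

def decide(user: User, record: Record, action: str,
           break_glass_reason: Optional[str] = None) -> Decision:
    """role-based   : the action must be in the role's privilege set;
       context-based: the requester's department must match the record's;
       user-based   : an explicit per-user grant may add a department.
    A break-glass request bypasses only the context check, never the role
    check, and is always recorded so it can be reviewed afterwards."""
    privileges = ROLE_PRIVILEGES.get(user.role, set())
    if action not in privileges:
        return _log(user, record, action,
                    Decision(False, f"role {user.role!r} lacks {action!r}"))
    in_context = (record.department == user.department
                  or f"dept:{record.department}" in user.extra_grants)
    if in_context:
        return _log(user, record, action, Decision(True, "role and context satisfied"))
    if break_glass_reason:
        return _log(user, record, action,
                    Decision(True, f"EMERGENCY override: {break_glass_reason}",
                             emergency=True))
    return _log(user, record, action,
                Decision(False, "outside department and no user-based grant"))

def _log(user: User, record: Record, action: str, d: Decision) -> Decision:
    AUDIT_LOG.append({"user": user.user_id, "patient": record.patient_id,
                      "action": action, "allowed": d.allowed,
                      "emergency": d.emergency, "reason": d.reason})
    return d

def emergency_accesses() -> List[dict]:
    """Entries the privacy officer must review after the fact."""
    return [e for e in AUDIT_LOG if e["emergency"]]

if __name__ == "__main__":
    nurse = User("n.lee", "nurse", "Endocrinology")
    print(decide(nurse, Record("P-2002", "Endocrinology"), "read"))
    print(decide(nurse, Record("P-1001", "Cardiology"), "read"))
    print(decide(nurse, Record("P-1001", "Cardiology"), "read", "code blue on 4W"))
    print(emergency_accesses())
```

Two design points worth noting: the emergency path widens context, not privilege, so a clerk in a crisis still cannot write orders, and every decision, allowed or denied, lands in the audit log, which is what makes the documented break-the-glass procedure testable.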

SEC.22
Data Authentication § .308 (c)(4)
HIPAA Requirement
...(The corroboration that data has not been altered or destroyed in an
unauthorized manner. Examples of how data corroboration may be assured
include the use of a check sum, double keying, a message authentication code, or
digital signature.)
AMC Explanation of HIPAA Regulation
Each covered entity must be able to provide corroboration that protected health information in its
possession has not been altered or destroyed in an unauthorized manner. Data corroboration
methods include, but are not limited to, the use of checksums, double keying, message
authentication codes, and digital signatures.
Key Issues
Is the use of digital signatures a cost effective approach?
Are technical integrity controls a reasonable expectation for more than certain critical
functions?
Can trusted procedures supplant technical controls in some respects?
Category I Guidelines-Actions must be taken to address these
Employ technical controls such as checksums, digital signatures, double keying, and
message authentication codes where feasible and appropriate to the level of risk.
Category II Guidelines-Actions should be taken to address these
Employ technical integrity controls for critical automated functions such as physicians'
orders and prescriptions.
Procedural aspects closely related to technical authentication and integrity:
Maintain separation of duties. Avoid overlapping responsibilities of application and
system programmers, data center operators, data base administrators, network
operations, and user functions.
Establish and demonstrate change management discipline.
Roadblocks
No roadblocks specific to this point.
Comments
None.

SEC.23
Entity Authentication § .308 (c)(5)
HIPAA Requirement
...(the corroboration that an entity is the one claimed) that includes:
(A) Automatic logoff (a security procedure that causes an electronic session to
terminate after a predetermined time of inactivity, such as 15 minutes), and
(B) Unique user identifier (a combination name/number assigned and maintained
in security procedures for identifying and tracking individual user identity).
(C) At least one of the following implementation features:
(1) Biometric identification (an identification system that identifies a human from
a measurement of a physical feature or repeatable action of the individual (for
example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial
characteristics, DNA sequence characteristics, voice prints, and handwritten
signature)).
(2) Password.
(3) Personal identification number (PIN) (a number or code assigned to an
individual and used to provide verification of identity).
(4) A telephone callback procedure (method of authenticating the identity of the
receiver and sender of information through a series of ``questions'' and
``answers'' sent back and forth establishing the identity of each). For example,
when the communicating systems exchange a series of identification codes as part
of the initiation of a session to exchange information, or when a host computer
disconnects the initial session before the authentication is complete, and the host
calls the user back to establish a session at a predetermined telephone number.
(5) Token.
AMC Explanation of HIPAA Regulation
Entities (an entity may be a person, system, or process) must be authenticated prior to accessing
protected health information. Authentication is the process of corroborating that an entity is who
or what it claims to be; it may occur through a trusted process such as the provision of a secret
password, a personal identification number, or a token. Dial-up remote access users are subject
to stronger, or two-tiered, authentication that may include telephone call-back or other strong
authentication methods. Automatic log offs, or inactivity time-outs, can help enforce
authentication by precluding others from accessing unattended sessions.
Key Issues
Is a unique user ID with password authentication secure enough?
Should alternative authentication methods such as biometrics be considered?
What standards are necessary to make a public key infrastructure (PKI) interoperable and
truly useful?
Category I Guidelines-Actions must be taken to address these
Uniquely identify each user and authenticate identity.
Implement at least one of the following methods to authenticate a user:

Password;
Biometrics;
Personal Identification Number (PIN);
Physical token;
Call-back or strong authentication for dial-up remote access users.
Implement automatic log-offs to terminate sessions after set periods of inactivity.
Determine appropriate periods based on the levels of risk and exposure.
Category II Guidelines-Actions should be taken to address these
Include procedures for initiating user access, resetting passwords/tokens, and providing
administrative access in the authentication system, and ensure it is fully documented.
Employ a formal risk management methodology to identify risks and threats to the
authentication process.
Employ secure architectures, where risk appropriate, to authenticate entities. These may
include Kerberos, RADIUS, TACACS, PKI, or similar methods.
Encrypt hard-coded passwords that reside on client machines or in applications, and prefer
to remove them altogether: a client must be able to decrypt such a password to use it, so
anyone who controls that client can recover it as well.
Securely authenticate contractors. Device-to-device or firewall-to-firewall authentication
is acceptable provided the contractor demonstrates individual accountability for access.
Change passwords periodically.
Specify time-out intervals based on business need and levels of risk and exposure.
Allow users to select and change their own passwords.
Roadblocks
No roadblocks specific to this point.
Comments
Dial-back has been largely replaced by more robust architectures such as the Remote
Authentication Dial-In User Service (RADIUS). Most covered entities will continue to employ
user ID and password authentication. Managed properly this is adequate for internal use, but
faster hardware and the wide availability of password-cracking tools and techniques have made
password-only authentication unsuitable for anything beyond internal authentication.
Inactivity time-outs are secondary controls; users should not rely on them to end their
sessions. Password standards must be risk appropriate. Covered entities will need to address
password length, complexity, change frequency, user selection, etc. This will continue to be a
moving target.
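An added example (not from the AMC document) of the two mechanical pieces of SEC.23 that an application team has to get right: storing and checking passwords without keeping the password itself, and ending sessions automatically after a period of inactivity. The user names, passwords, PBKDF2 work factor and the 15-minute limit are assumptions; the rule gives 15 minutes only as an example.

```python
"""Password verification and inactivity time-out for an entity-authentication
service.  Added example; users, passwords, the work factor and the time-out
value are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000                 # assumption: tune to the hardware
SALT_LEN = 16
INACTIVITY_LIMIT = timedelta(minutes=15)  # assumption; set from risk and exposure

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Per-user random salt + PBKDF2-HMAC-SHA256.  Only this value is stored."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk

def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison

_DUMMY = hash_password("not-a-real-password")   # used to equalise timing below

class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}       # unique user id -> salted hash
        self.sessions: Dict[str, dict] = {}     # token -> {user, last_activity}

    def enroll(self, user_id: str, password: str) -> None:
        if user_id in self.users:
            raise ValueError("user ids must be unique")   # one id per person
        self.users[user_id] = hash_password(password)

    def logon(self, user_id: str, password: str, now: datetime) -> Optional[str]:
        """Returns a session token, or None.  Unknown ids still pay the hash
        cost so the response time does not reveal which ids exist."""
        stored = self.users.get(user_id)
        if stored is None:
            verify_password(password, _DUMMY)
            return None
        if not verify_password(password, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user_id, "last_activity": now}
        return token

    def touch(self, token: str, now: datetime) -> Optional[str]:
        """Called on every request.  Returns the user id, or None once more than
        INACTIVITY_LIMIT has passed since the last request (automatic logoff)."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_activity"] > INACTIVITY_LIMIT:
            del self.sessions[token]
            return None
        s["last_activity"] = now
        return s["user"]

    def logoff(self, token: str) -> None:
        """The primary control: the user ends the session explicitly."""
        self.sessions.pop(token, None)

if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2001, 5, 3, 8, 0)
    store.enroll("n.lee", "correct horse battery staple")
    tok = store.logon("n.lee", "correct horse battery staple", t0)
    print(store.touch(tok, t0 + timedelta(minutes=10)))   # still n.lee
    print(store.touch(tok, t0 + timedelta(minutes=40)))   # None: timed out
```

The time-out is measured from the last request, not from logon, which is what "inactivity" means in the rule; as the Comments say, it is a backstop, and the explicit logoff remains the control users should rely on.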

SEC.24
Communications/network controls § .308(d)
HIPAA Requirement
(1) If an entity uses communications or network controls, its security standards
for technical security mechanisms must include the following:
(i) The following implementation features:
(A) Integrity controls (a security mechanism employed to ensure the validity of the
information being electronically transmitted or stored).
(B) Message authentication (ensuring, typically with a message authentication
code, that a message received (usually via a network) matches the message sent).
(ii) One of the following implementation features:
(A) Access controls (protection of sensitive communications transmissions over
open or private networks so that they cannot be easily intercepted and interpreted
by parties other than the intended recipient).
(B) Encryption.
(2) If an entity uses network controls (to protect sensitive communication that is
transmitted electronically over open networks so that it cannot be easily
intercepted and interpreted by parties other than the intended recipient), its
technical security mechanisms must include all of the following implementation
features:
(i) Alarm. (In communication systems, any device that can sense an abnormal
condition within the system and provide, either locally or remotely, a signal
indicating the presence of the abnormality. The signal may be in any desired form
ranging from a simple contact closure (or opening) to a time-phased automatic
shutdown and restart cycle.)
(ii) Audit trail (the data collected and potentially used to facilitate a security
audit).
(iii) Entity authentication (a communications or network mechanism to irrefutably
identify authorized users, programs, and processes and to deny access to
unauthorized users, programs, and processes).
(iv) Event reporting (a network message indicating operational irregularities in
physical elements of a network or a response to the occurrence of a significant
task, typically the completion of a request for information).
AMC Explanation of HIPAA Regulation
Covered entities that use external communication systems, such as the public switched telephone
system, or open networks, such as the Internet, are required to safeguard protected health
information that traverses them. The specified technical security services address network risks
of message interception and interpretation by parties other than the intended recipient.
Additionally, these services protect information systems from intruders attempting to exploit
external communication points such as Internet host systems and telephone switches. In addition
to the other listed precautions, some form of encryption is required when using open networks.
Key Issues
How is relative risk determined?

How much encryption is enough?
When should encryption be used?
Category I Guidelines-Actions must be taken to address these
If the covered entity employs an internal, private, or value-added network, the covered
entity must:
Employ alarms to sense abnormal conditions;
Enact an audit trail to recreate events in the instance of violations or compromises;
Identify and authenticate authorized users, programs, and processes;
Deny access to unauthorized users, programs, and processes;
Employ event reporting to identify operational irregularities and occurrences of
significant tasks.
If the covered entity employs the public switched telephone system, the covered entity
must:
Enact integrity controls to ensure the validity of protected health information
transmitted;
Enact message authentication to ensure that content is not altered in transmission;
Enact access controls or risk appropriate encryption to preclude unauthorized access,
interception, or interpretation.
If the covered entity employs the public Internet, the covered entity must enact the
controls listed for the public switched telephone system as well as using risk appropriate
encryption. (See Comments.)
Category II Guidelines-Actions should be taken to address these
Do not store or transmit system passwords in the clear.
Control network access through individual identification and authentication.
Employ encryption keys of the length specified by the HCFA Internet Security
Policy.
Roadblocks
Encryption is often difficult to implement. Hardware-based encryption is generally costly but
fast, because it takes the work off the host CPU; software-based encryption is generally less
costly but tends to be system or application dependent and consumes host processing capacity.
Comments
Threats to data transmissions are difficult to quantify and widely misunderstood. Threat levels
vary and are sometimes based on factors such as geography. For example, the threat of
eavesdropping on the public switched telephone system within the United States is very low, but
the threat rises dramatically when international communications are considered. State-sponsored
eavesdropping is the norm in some parts of the world-particularly when U.S. interests are
involved.
In November of 1998, the Health Care Financing Administration (HCFA) released an Internet
Security Policy describing appropriate encryption key lengths for public-key, symmetric
(private-key), and elliptic curve algorithms. Required key lengths are, of course, subject to
change as technology improves, so a length that was adequate when the policy was written
should be rechecked against current guidance before it is relied on. Academic Medical Centers
should use strong encryption with key lengths at least as long as those specified by HCFA for
Internet transmissions.
AMCs may need further advice from communications experts and national
agencies/organizations.
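The integrity and message authentication features of SEC.22 and SEC.24 share one point that is easy to miss: a checksum detects accidental corruption, but an attacker who can alter a record or message can also recompute the checksum, whereas a message authentication code needs a key the attacker does not hold. The following added Python example (not part of the AMC document; the shared key, the records and the sequence numbering are constructed) seals a physician's order both ways and shows which check survives tampering and replay.

```python
"""Checksum versus message authentication code for stored records (SEC.22) and
transmitted messages (SEC.24).  Added example with a constructed key and data."""
import hashlib
import hmac
import json
import zlib

# Assumption: a symmetric key provisioned to both ends out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def checksum(data: bytes) -> int:
    """CRC-32: detects accidental corruption only; anyone can recompute it."""
    return zlib.crc32(data)

def mac(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256: detects deliberate alteration by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(record: dict, seq: int) -> dict:
    """Sender (or writer) side: canonical serialization, a sequence number so a
    captured message cannot be replayed, and both a checksum and a MAC."""
    body = json.dumps({"seq": seq, **record}, sort_keys=True).encode()
    return {"body": body, "crc": checksum(body), "mac": mac(body)}

def verify(msg: dict, expected_seq: int, key: bytes = SHARED_KEY) -> str:
    """Receiver (or reader) side.  Check the MAC before looking at the content."""
    if not hmac.compare_digest(mac(msg["body"], key), msg["mac"]):
        return "REJECT: MAC mismatch"
    if json.loads(msg["body"])["seq"] != expected_seq:
        return "REJECT: replayed or out-of-order"
    return "OK"

def tamper_and_fix_checksum(msg: dict, old: bytes, new: bytes) -> dict:
    """What an attacker without the key can do: edit the body and recompute the
    CRC.  The MAC cannot be recomputed, so it is carried over unchanged."""
    body = msg["body"].replace(old, new)
    return {"body": body, "crc": checksum(body), "mac": msg["mac"]}

if __name__ == "__main__":
    order = {"patient": "P-1001", "order": "warfarin 5 mg daily"}   # constructed
    sealed = seal(order, seq=1)
    forged = tamper_and_fix_checksum(sealed, b"5 mg", b"50 mg")
    print("checksum on forged message matches:", forged["crc"] == checksum(forged["body"]))
    print("verify forged:", verify(forged, 1))
    print("verify replay:", verify(sealed, 2))
```

An HMAC proves the message came from someone holding the shared key and was not altered in transit or at rest; it does not let a third party tell which key holder produced it. Where that distinction matters, for example accountability for a physician's order, the rule's digital signature option is the appropriate tool.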

AMC HIPAA Privacy Guidelines
This part provides AMC guidelines for the use and disclosure of protected health information in
accordance with the DHHS Final Privacy Rule [45 CFR Parts 160 and 164]. The standards have been
reorganized from the order in which they appear in the rule in order to combine like topics into
congruent sections, and in some cases to allow one guideline to address multiple standards where
appropriate. Hopefully, the reorganization will be useful for covered entities seeking to
implement and understand the relationship among the various standards. Guidelines are
consolidated into sections as follows:
Section One addresses guidelines involving covered entities (PRIV.01-PRIV.06).
Section Two addresses guidelines for consent and authorization (PRIV.07-PRIV.12).
Section Three addresses uses and disclosures (PRIV.13-PRIV.42).
Section Four addresses consumer controls (PRIV.43-PRIV.47).
Section Five addresses administrative requirements (PRIV.48-PRIV.59).
Table 1, Mapping of Privacy Standards to AMC Guidelines, provides a lookup table mapping
each privacy standard to the corresponding AMC guideline.
Table 1. Mapping of Privacy Standards to AMC Guidelines
Privacy Rule Standard | Title | AMC Guideline
--------------------- | ----- | -------------
§164.502 (a) | Uses and disclosures | PRIV.13
§164.502 (b) | Minimum necessary | PRIV.39
§164.502 (c) | Uses and disclosures of protected health information subject to an agreed-upon restriction | PRIV.14
§164.502 (d) | Uses and disclosures of de-identified protected health information | PRIV.15
§164.502 (e) | Disclosures to business associates | PRIV.16
§164.502 (f) | Deceased individuals | PRIV.17
§164.502 (g) | Personal representatives | PRIV.18
§164.502 (h) | Confidential communications | PRIV.19
§164.502 (i) | Uses and disclosures consistent with notice | PRIV.20
§164.502 (j) | Disclosures by whistleblowers and workforce member crime victims | PRIV.21
§164.504 (b) | Health care component | PRIV.01
§164.504 (d) | Affiliated covered entities | PRIV.02
§164.504 (e)(1) | Business associate contracts | PRIV.03
§164.504 (f)(1) | Requirements for group health plans | PRIV.04
§164.504 (g) | Requirements for a covered entity with multiple covered functions | PRIV.05
§164.506 (a) | Consent requirement | PRIV.07
§164.506 (e) | Resolving conflicting consents and authorizations | PRIV.08
§164.506 (f) | Joint consents | PRIV.09
§164.508 (a) | Authorizations for uses and disclosures | PRIV.10
§164.510 (a) | Use and disclosure for facility directories | PRIV.22
§164.510 (b) | Uses and disclosures for involvement in the individual's care and notification purposes | PRIV.23
§164.512 (a) | Uses and disclosures required by law | PRIV.27
§164.512 (b) | Uses and disclosures for public health activities | PRIV.28
§164.512 (c) | Disclosures about victims of abuse, neglect or domestic violence | PRIV.29
§164.512 (d) | Uses and disclosures for health oversight activities | PRIV.30
§164.512 (e) | Disclosures for judicial and administrative proceedings | PRIV.31
§164.512 (f) | Disclosures for law enforcement purposes | PRIV.32
§164.512 (g) | Uses and disclosures about decedents | PRIV.33
§164.512 (h) | Uses and disclosures for cadaveric organ, eye, or tissue donation purposes | PRIV.34
§164.512 (i) | Uses and disclosures for research purposes | PRIV.35
§164.512 (j) | Uses and disclosures to avert a serious threat to health or safety | PRIV.36
§164.512 (k) | Uses and disclosures for specialized government functions | PRIV.37
§164.512 (l) | Disclosures for workers' compensation | PRIV.38
§164.514 (a and b) | De-identification of protected health information | PRIV.40
§164.514 (d)(1) | Minimum necessary requirements | PRIV.41
§164.514 (e)(1) | Uses and disclosures of protected health information for marketing | PRIV.24
§164.514 (f)(1) | Uses and disclosures for fund-raising | PRIV.25
§164.514 (g) | Uses and disclosures for underwriting and related purposes | PRIV.26
§164.514 (h)(1) | Verification requirements | PRIV.42
§164.520 (a) | Notice of privacy practices | PRIV.43
§164.522 (a)(1) | Right of an individual to request restriction of uses and disclosures | PRIV.11
§164.522 (b)(1) | Confidential communications requirements | PRIV.44
§164.524 (a) | Access to protected health information | PRIV.45
§164.526 (a) | Right to amend | PRIV.46
§164.528 (a) | Right to an accounting of disclosures of protected health information | PRIV.47
§164.530 (a)(1)(i) | Personnel designations | PRIV.48 (Privacy Official)
§164.530 (a)(1)(ii) | Personnel designations | PRIV.49 (Contact Person)
§164.530 (b)(1) | Training | PRIV.50
§164.530 (c)(1) | Safeguards | PRIV.51
§164.530 (d)(1) | Complaints to the covered entity | PRIV.52
§164.530 (e)(1) | Sanctions | PRIV.53
§164.530 (f) | Mitigation | PRIV.54
§164.530 (g) | Refraining from intimidating or retaliatory acts | PRIV.55
§164.530 (h) | Waiver of rights | PRIV.56
§164.530 (i)(1) | Policies and procedures | PRIV.57
§164.530 (i)(2) | Changes to policies or procedures | PRIV.58
§164.530 (j) | Documentation | PRIV.59
§164.530 (k) | Group health plans | PRIV.06
§164.532 (a) | Effect of prior consents and authorizations | PRIV.12

Section One: Covered Entities

PRIV.01
Health care component § 164.504(b)
HIPAA Requirement
Standard: health care component. If a covered entity is a hybrid entity, the
requirements of this subpart, other than the requirements of this section, apply
only to the health care component(s) of the entity, as specified in this section.
(c)(1) Implementation specification: application of other provisions. In applying
a provision of this subpart, other than this section, to a hybrid entity:
(i) A reference in such provision to a "covered entity" refers to a health care
component of the covered entity;
(ii) A reference in such provision to a "health plan," "covered health care
provider," or "health care clearinghouse" refers to a health care component of
the covered entity if such health care component performs the functions of a
health plan, covered health care provider, or health care clearinghouse, as
applicable; and
(iii) A reference in such provision to "protected health information" refers to
protected health information that is created or received by or on behalf of the
health care component of the covered entity.
(2) Implementation specifications: safeguard requirements. The covered
entity that is a hybrid entity must ensure that a health care component of the
entity complies with the applicable requirements of this subpart. In particular,
and without limiting this requirement, such covered entity must ensure that:
(i) Its health care component does not disclose protected health information to
another component of the covered entity in circumstances in which this subpart
would prohibit such disclosure if the health care component and the other
component were separate and distinct legal entities;
(ii) A component that is described by paragraph (2)(i) of the definition of
health care component in this section does not use or disclose protected health
information that is within paragraph (2)(ii) of such definition for purposes of its
activities other than those described by paragraph (2)(i) of such definition in a
way prohibited by this subpart; and
(iii) If a person performs duties for both the health care component in the
capacity of a member of the workforce of such component and for another
component of the entity in the same capacity with respect to that component, such
workforce member must not use or disclose protected health information created
or received in the course of or incident to the member's work for the health care
component in a way prohibited by this subpart.
(3) Implementation specifications: responsibilities of the covered entity. A
covered entity that is a hybrid entity has the following responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter, pertaining to
compliance and enforcement, the covered entity has the responsibility to comply
with this subpart.
(ii) The covered entity has the responsibility for complying with § 164.530(i),
pertaining to the implementation of policies and procedures to ensure compliance
with this subpart, including the safeguard requirements in paragraph (c)(2) of
this section.
(iii) The covered entity is responsible for designating the components that are
part of one or more health care components of the covered entity and
documenting the designation as required by § 164.530(j).
AMC Explanation of HIPAA Regulation
A hybrid entity is a single legal entity that is a covered entity, but one where its covered
functions are not its primary function. While the HIPAA Privacy regulations classify the entire
hybrid entity as a covered entity, the HIPAA privacy information disclosure and use
requirements apply only to the entity's healthcare components. The hybrid entity is responsible
for designating which of its components are healthcare components, and for ensuring that those
components comply with the HIPAA privacy requirements.
Healthcare components of an entity must treat non-healthcare components of the entity as
separate entities for the purposes of disclosure of protected health information. Individuals who
work for both a healthcare component and other components of the entity must adhere to the
HIPAA privacy information disclosure and use requirements when handling any protected health
information they encounter as part of their duties in the healthcare component.
Key Issues
What are the components of your entity?
Which components are healthcare components?
Do any members of your workforce work for more than one component of your hybrid
entity?
Category I Guidelines-Actions must be taken to address these
If your entity is a hybrid entity, designate which components of your entity are healthcare
components. Document this designation.
Ensure that all healthcare components of your entity comply with HIPAA privacy
requirements.
Identify any individuals who work for both healthcare components and non-healthcare
components of your entity and ensure that they treat protected health information in
accordance with the HIPAA privacy requirements. Make sure this is done on a regular
basis, as workforce members change jobs.
Category II Guidelines-Actions should be taken to address these
Make specialized training available to help workforce members who work for both
healthcare and non-healthcare components be aware of their responsibilities.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.02
Affiliated covered entities § 164.504(d)
HIPAA Requirement
(1) Standard: affiliated covered entities. Legally separate covered entities that are
affiliated may designate themselves as a single covered entity for purposes of this
subpart.
(2) Implementation specifications: requirements for designation of an affiliated
covered entity. (i) Legally separate covered entities may designate themselves
(including any health care component of such covered entity) as a single affiliated
covered entity, for purposes of this subpart, if all of the covered entities
designated are under common ownership or control.
(ii) The designation of an affiliated covered entity must be documented and the
documentation maintained as required by