HIPAA Security and the Administrative Safeguards—Part 2
By Jay Masci
In the last article, we discussed the first four
administrative safeguard standards in detail. In this article, we
will cover the remaining administrative safeguard standards in
detail and how each one will affect your O&P organization.
Prepare yourself, as we have a lot of important information to
cover!
1. Security Awareness and Training Standard
The Security Awareness and Training standard requires the
implementation of a security awareness and training program for all
members of your workforce, including management.
Security Reminders (Addressable)
Implementation specifications: Your organization must
implement periodic security updates.
Protection from Malicious Software (Addressable)
Implementation specifications: Your organization must
provide training on guarding against, detecting and reporting
malicious software.
Log-in Monitoring (Addressable)
Implementation specifications: Your organization must
provide training on monitoring login attempts and reporting
discrepancies.
Password Management (Addressable)
Implementation specifications: Your organization must
provide training on procedures for creating, changing, and
safeguarding passwords.
What all of the above implementation specifications mean
to your organization: Your organization must provide initial
training to all of your employees who have access to electronic
protected health information (PHI) prior to the compliance date,
and to new employees upon hire after the compliance date. This
requirement applies even to part-time employees or individuals who
may be on site for a limited time period (for example, a single day).
The US Department of Health & Human Services (DHHS) sees
security awareness training as a critical activity, regardless of
an organization's size. Training can be tailored to job need if
your organization so desires, or it can be a single program that
all employees take. Remember, to be on the safe side, it is better
to have your employees be aware of all security rules and
regulations. This type of training is easier to track as employees
move around within an organization, because you do not have to be
concerned with knowing whether their job-specific training covers
their new position.
2. Security Incident Procedures Standard
The Security Incident Procedures standard establishes policies
and procedures to address security incidents.
Response and Reporting (Required)
Implementation specifications: Your organization must
establish policies and procedures to identify and respond to
suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known
to the covered entity; and document security incidents and their
outcomes.
What it means to your organization: Your organization
will develop a list of what constitutes a security incident in the
context of your business operations as you do your risk assessment
and risk management procedures and the privacy standards. Your
organization will have to implement accurate and current security
incident procedures for those items you have identified as
incidents. The procedures will need to include formal, documented
report-and-response procedures. The security incident procedures
relate to internal reporting of security incidents and do not
specifically require you to report the incident to any outside
entity, unless business or legal considerations require it.
3. Contingency Plan Standard
The Contingency Plan standard establishes policies and
procedures for responding to an emergency or other occurrence (for
example, fire, vandalism, system failure, and natural disaster)
that damages systems that contain electronic PHI.
Data Backup Plan (Required)
Implementation specifications: Your organization must
establish and implement procedures to create and maintain
retrievable exact copies of electronic PHI.
What it means to your organization: Basically, you must
follow the implementation specifications. The thing to remember is
that this plan must be implemented in coordination with all of the
other contingency plan standards.
Disaster Recovery Plan (Required)
Implementation specifications: Your organization must
establish and implement procedures to restore any loss of data.
What it means to your organization: Once you have made
your exact copies of electronic protected health information, how
do you get them restored? That is what this plan entails: the what,
who, and how to restore data after an emergency.
Emergency Mode Operation Plan (Required)
Implementation specifications: Your organization must
establish and implement procedures to enable continuation of
critical business processes for protection of the security of
electronic PHI while operating in emergency mode.
What it means to your organization: Once you have
restored your data, this plan details how the electronic PHI is
protected. This will include who has access to the emergency
restored data, how that access is secured, etc.
Testing and Revision Procedure (Required)
Implementation specifications: Your organization must
implement procedures for periodic testing and revision of
contingency plans.
What it means to your organization: All of the above
are basically contingency plans, so this procedure puts all of the
previous plans together to test that they actually work. This
usually involves taking your copies of electronic protected health
information, restoring them, and attempting to access them as
required in your plan. Without testing your contingency plan, your
organization would have no assurance that its critical data could
survive an emergency situation.
Applications and Data Criticality Analysis (Required)
Implementation specifications: Your organization must
perform an analysis to assess the relative criticality of specific
applications and data in support of other contingency plan
components.
What it means to your organization: Basically, your
organization must determine what applications and data need to be
available for emergency mode operations to provide the proper
security protection of the electronic PHI.
4. Evaluation Standard (Required)
Implementation specifications: Your organization must
perform a periodic technical and non-technical evaluation, based
initially upon the standards implemented under this rule and
subsequently in response to environmental or operational changes
affecting the security of electronic PHI, that establishes the
extent to which your security policies and procedures meet the
requirements of this rule.
What it means to your organization: Basically, your
organization should conduct an evaluation of all your security
safeguards to ensure that the organization is still in compliance.
This is a required standard, because your organization will have
undergone changes since the last evaluation or implementation of
the security rule. For example, new technology or an organizational
change may expose your organization to new risks.
Your organization may comply with this standard either by using
your own workforce or an external accreditation agency, which would
be acting as a business associate. External evaluation may be too
costly an option for small entities. Also note that DHHS does not
define certification criteria other than compliance with the
Security Rule itself, as the criteria would have to address the
large number of different business environments.
5. Business Associate Contracts and Other Arrangements (Required)
Implementation specifications: Your organization may
permit a business associate to create, receive, maintain, or
transmit electronic PHI on your behalf only if you obtain
satisfactory assurance that the business associate will
appropriately safeguard the information.
What it means to your organization: Your organization
will have to document that the satisfactory assurance has been met
through a written contract or other arrangement with the business
associate.
In the next article, we will look at the physical safeguard
standards in detail and how each one will affect your O&P
organization.
This article is informational only and does not constitute
the rendering of legal, financial, or other professional advice or
recommendations by Provaliant or individual members. If you require
legal advice, you should consult an attorney.
Jay Masci is the principal consultant of Provaliant, a company
providing IT consulting services, including HIPAA compliance and
customized training. For more information, visit www.provaliant.com
October 2003