SUBJECT: SECURITY STANDARDS AND REQUIREMENTS POLICY

Purpose

Glenn County Health and Human Services Agency (HHSA) has adopted this Policy to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and all other state and federal laws pertaining to the privacy and security of protected health information. It is our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

General Security Requirements

Per HIPAA Security Rule regulations, HHSA shall:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information that the County creates, receives, maintains, or transmits.

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under HIPAA regulations.

4. Ensure compliance by County staff.

Flexibility of Approach

1. HHSA may use any security measures that allow it to reasonably and appropriately implement the standards and specifications of the HIPAA Security Rule.

2. In determining which measures to use, the County must consider the following factors:

a. The size, complexity, and capabilities of the organization.

b. Its technical infrastructure, hardware, and software security capabilities.

c. The costs of security measures.

d. The probability and criticality of potential risks to ePHI.

Original: 12/08/06 Revised: 06/24/14 Page 2 of 4

HIPAA 128_Security Standards and Requirements FINAL 06-24-14 2

Security Standards and Implementation Specifications

1. Standards are arranged into three (3) main areas: administrative safeguards, physical safeguards, and technical safeguards.

2. These standards include implementation specifications designed to direct HHSA through the implementation process. Implementation specifications are either required or addressable.

a. Required implementation specifications are specifications that HHSA must implement.

b. If a standard includes addressable implementation specifications, HHSA shall:

(1) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment; and

(2) As applicable,

• Implement the implementation specification, or

• Document why the implementation specification would not be reasonable and appropriate, and

• Implement an equivalent alternative measure if reasonable and appropriate.

3. Administrative Safeguards

a. Security management process: policies and procedures to prevent, detect, contain, and correct security violations. Required implementation specifications include risk analysis, risk management, sanction policy, and information system activity reviews.

b. Assign security responsibility: identify a security officer.

c. Workforce security: policies and procedures to ensure that staff members have appropriate access to ePHI, and to prevent those staff members who do not have access from obtaining access to ePHI. Addressable implementation specifications include authorization and/or supervision, workforce clearance procedures, and termination procedures.

d. Information access management: policies and procedures for authorizing access to ePHI. Required implementation specifications include isolating healthcare clearinghouse functions. Addressable implementation specifications include access authorization and access establishment and modification.

e. Security awareness and training: a security awareness and training program for all staff members, including management. Addressable implementation specifications include security reminders, protection from malicious software, log-in monitoring, and password management.

f. Security incident procedures: policies and procedures to address security incidents. Required implementation specification includes response to and reporting of security incidents.

g. Contingency Plan: policies and procedures for responding to an emergency or natural disaster that damages systems that contain ePHI.

Required implementation specifications include data backup plan, disaster recovery plan, and an emergency mode operation plan. Addressable implementation specifications include testing/revision procedures and applications/data criticality analysis.

h. Evaluation: periodic technical and non-technical evaluation to determine the extent to which the policies and procedures meet the requirements of the HIPAA Security Rule.

i. Business Associate contracts and other arrangements: HHSA may allow a business associate to create, receive, maintain, or transmit ePHI on the behalf of the County, if a contract is in place assuring that the BA will appropriately safeguard the ePHI. Required implementation specifications include written contracts or other arrangements.

4. Physical Safeguards – data and data systems must be physically protected from intrusion and environmental hazards through the following standards:

a. Facility access controls: policies and procedures limiting physical access to information systems containing ePHI, as well as protecting facilities and equipment. Addressable implementation specifications include contingency operations, facility security plan, access control and validation procedures, and maintenance records.

b. Workstation use: policies and procedures specifying proper functions to be performed, appropriate manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

c. Workstation security: physical safeguards for all workstations that access ePHI in order to restrict access to authorized users only.

d. Device and media controls: policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, as well as movement of these items within the facility. Required implementation specifications include disposal and media reuse. Addressable implementation specifications include accountability and data backup/storage.

5. Technical Safeguards – software and hardware controls and procedures for stored and transmitted data include:

a. Access control: technical policies and procedures for electronic information systems that maintain ePHI to allow access only to staff or software programs that have been granted access rights. Required implementation specifications include unique user identification and emergency access procedures. Addressable implementation specifications include automatic logoffs and encryption/decryption.

b. Audit controls: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

c. Integrity: policies and procedures protecting ePHI from improper alteration or destruction. Addressable implementation specifications include mechanisms to authenticate ePHI.

d. Person or entity authentication: procedures to verify that a person or entity seeking access to ePHI is the one claimed.

e. Transmission security: technical security measures guarding against unauthorized access to ePHI that is being transmitted over an electronic communications network. Addressable implementation specifications include integrity controls and encryption.

Additional requirements

1. HHSA shall implement reasonable and appropriate policies and procedures complying with the standards, implementation specifications, and other requirements of the Security Rule.

2. Documentation standards include maintaining the policies and procedures and documenting all actions, activities, or assessments conducted as a requirement of the Security Rule. Required implementation specifications include retention limits, availability of documentation, and periodic updates.

DEFINITIONS

Electronic Protected Health Information (ePHI) means individually identifiable information that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium.

Original: 11/19/02 Revised: 06/24/14 Page 1 of 1

HIPAA 129-Termination of Staff 1

HEALTH AND HUMAN SERVICES AGENCY

HIPAA POLICY/PROCEDURES

SUBJECT: TERMINATION