HIPAA Guard Herald - Your Monthly Newsletter on Surviving HIPAA

More documents

Recommendations

Info

Access Control: What This <strong>HIPAA</strong> Security Rule Technical Safeguard Standard Is All About In your facility, does every member of the workforce have the same access rights or access levels to those electronic protected health information or ePHI? The access level of say a Front Desk staff is similar to the access of a Laboratory technician? The rightful answer is NO. <strong>HIPAA</strong> law has mandated that policies and procedures be placed to provide appropriate access to the ePHI to every workforce of the facility and this is covered by the “Information Access Management Standard”. But not all access will be the same. As mentioned earlier, there must be some form of control on who accesses what ePHI, when and how. This is covered by the ACCESS CONTROL STANDARD. There are four commonly used approaches to controlling who will have access to information and when access to this information is available. It depends on the outcome of the facility’s risk assessments as to which approach is most suitable to use. More information about these approaches provided in NIST 7316 Assessment of Access Control Systems. Access Control List (ACL) User Based Access Control (UBAC) Role Based Access Control (RBAC) Context Based Access Control (CBAC) Source: <strong>HIPAA</strong>.com, NIST & hhs.gov Access Control: UNIQUE USER IDENTIFICATION Technical Standard § 164.312(a)(2)(i) Covered entity must “Assign a unique name and/or number for identifying and tracking user identity.” Unique User Identification is a required implementation specification and it is a way a covered entity could track : 1. Who accessed the information system 2. When and How often was the ePHI accessed 3. What ePHI or data in the information system was accessed 4. Where was the ePHI or data specifically accessed How this is done? It depends on the structure of the workforce and their operations how the format of the unique user identification will be designed. It could be one of the following: 1. Employee name or a variation of the name e.g. ebgesmundo 2. Random combinations of numbers and letters e.g. EB6200014 3. Combination of the above two e.g. EGesmundo3780 Security Officer must manage and monitor this. IT Manager or Office Manager must coordinate with the Security Officer the implementation & documentation of this policy and procedure especially when: 1. New employees are hired 2. Existing employees changed job or roles 3. Existing employees change names 4. Employees gets terminated or resigned
Access Control: EMERGENCY ACCESS PROCEDURE Technical Standard § 164.312(a)(2)(ii) Covered entity must “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” This is the second implementation specification that is considered required. Emergency situations like fire, natural disaster, total system shutdown or failure, and terrorism attacks could result to delay in the access of crucial information or data in the information system of a healthcare provider which consequently lead to delay in the provision of health and medical treatment of patients and could cause danger in someone’s health. Covered entities are mandated to prepare for such emergency as such emergency access procedures and policies be created. The Security Officer in coordination with IT Manager, Office Managers and Information System as well as software suppliers in coming up with such Emergency Access Procedures and that these are to be part of the Risk Analysis that the organization will conduct. The following must be considered: 1. Determine the type of emergency situations that would warrant the use of the Emergency Access Procedures in the information system or applications that contain ePHI 2. Coordinate such policies and procedures with the policies and procedures created for Administrative Safeguards: Contingency Plan (Standard § 164.308(a)(7)) 3. Document these policies and procedures that will be created to address this implementation specification Access Control: AUTOMATIC LOGOFF Technical Standard § 164.312(a)(2)(iii) Covered entity must “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” This is the third implementation specification that is considered as addressable i.e. optional. The covered entity must reasonable and appropriate measures to meet this standard. The main purpose of this standard is to prevent unauthorized viewing and accessed to electronic protected health information (ePHI) from unattended electronic information system devices such as computers or laptops in workstations. After a pre-determined period of inactivity the device containing ePHI will automatically log-off. This automatic log-off system would require the user to enter a unique password to regain access to the ePHI. All workstations must be installed with such configurations and the time out or log off period depends areas where the device is placed and the size of the facility. Example, highly populated areas such as that of the Front Desk must have a automatic log off period of 2 to 3 minutes. But areas that has limited access and controlled like the Laboratory or Radiology Offices might have 5 to 10 minutes of time out period configurations. It is the responsibility of the Security Officer to document this procedure and policies as well as manage this implementation. He must also coordinate with software or application vendors on how and what configurations are appropriate for each device or workstation. The Security Officer must also take into account how these devices or workstations moved from one place to another. Source: <strong>HIPAA</strong>.com, NIST & HHS.gov
Page 1 and 2: HIPAA Guar
Page 3: Interview with Regional General Hos

HIPAA Guard Herald - Your Monthly Newsletter on Surviving HIPAA

Create successful ePaper yourself

Delete template?

Save as template?