
HIPAA SECURITY RULE ASSESSMENT

By Lori Hunter,2014-10-17 12:35

DATE COMMENCED _________________

    Name of Entity _______________________________________________________

    Security Officer _______________________________________________________

****SEE NOTES AT END FOR DEFINITIONS AND GUIDANCE

    Organization

A. Principles and Guidelines

     B. Administrative Safeguards

     C. Physical Safeguards

     D. Technical Safeguards

     E. Business Associates

     F. Group Health Plans

     G. Policies and Procedures/Documentation

A. Principles and Guidelines.

    ____ We ensure the confidentiality, integrity, and availability of all EPHI we (the covered entity) create, receive, maintain, or transmit.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    _______________________________________________________________

    ____ We protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    ____ We protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required by the HIPAA Privacy Rule.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    _______________________________________________________________

    ____ We ensure compliance with the Security Rule by the members of our workforce.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    _______________________________________________________________


    B. Administrative Safeguards

     "Actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect [EPHI] and to manage the conduct of our workforce in relation to the protection of that information." 45 C.F.R. § 164.304

    Administrative Safeguards

     8 categories

     Security Management Process

     Assigned Security Responsibility

     Workforce Security

     Information Access Management

     Security awareness and training

     Security incident procedures

     Contingency Plan

     Evaluation

    1. Security Management Process

Standard

    _____We have implemented policies and procedures to prevent, detect, contain and correct security violations.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Required Implementation Specification

    ____Risk analysis: We have conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by our organization.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Risk management and sanction policy: We have implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and we apply appropriate sanctions against workforce members who fail to comply with our security policies and procedures.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Information system activity review: We have implemented procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (Security incident tracking reports are not synonymous with audit trails; both should be reviewed.)

     "Security incident" - attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 45 C.F.R. § 164.304.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    2. Assigned Security Responsibility

Standard

    ____We have identified the security official who is responsible for the development and implementation of our security policies and procedures.

     "The same person could fill the role for both security and privacy." 68 Fed. Reg. 8,347.

     "More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity's [EPHI]." 68 Fed. Reg. at 8,347.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    _______________________________________________________________

    3. Workforce Security

Standard

    ____We have implemented policies and procedures to ensure that all members of our workforce have appropriate access to EPHI and to prevent those workforce members who should not have access from obtaining access.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Addressable Implementation

    ____Authorization and/or supervision: We have assessed whether it is reasonable and appropriate to implement procedures for the authorization and/or supervision of workforce members (including, for example, operations and maintenance personnel) who work with EPHI or in locations where it might be accessed.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Workforce clearance procedure: We have assessed whether it is reasonable and appropriate to implement procedures to determine that the access of a workforce member to EPHI is appropriate.

     DHHS explains that "[t]his feature was not intended to be interpreted as an absolute requirement for background checks. ... The need for and extent of a screening process is normally based on an assessment of risk, cost, benefit and feasibility as well as other protective measures in place." 68 Fed. Reg. at 8,348.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Termination procedures: We have assessed whether it is reasonable and appropriate to implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required by the workforce clearance procedure.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    4. Information Access Management

Standard

    ____We have implemented policies and procedures for authorizing access to EPHI that are consistent with the minimum necessary requirements of the Privacy Rule.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Addressable

    ____Access authorization: We have assessed whether it is reasonable and appropriate to implement policies and procedures for granting access to EPHI (for example, through access to a workstation, transaction, program, process, or other mechanism).

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Access establishment and modifications: We have assessed whether it is reasonable and appropriate to implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review and modify a user’s right of access to a workstation, transaction, program, or process.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    5. Security Awareness and Training

Standard

    ____We have implemented a security awareness and training program for all members of our workforce (including management).

     The length and frequency of training are scalable based on a person's access to EPHI.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Addressable

    ____Security reminders: We have assessed whether it is reasonable and appropriate to implement periodic security updates.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Protection from malicious software: We have assessed whether it is reasonable and appropriate to implement procedures for guarding against, detecting, and reporting malicious software.

     "Malicious software" is defined as software "designed to damage or disrupt a system," such as a virus or worm. 45 C.F.R. § 164.304.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Log-in monitoring: We have assessed whether it is reasonable and appropriate to implement procedures for monitoring log-in attempts and reporting discrepancies.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

    ____Password management: We have assessed whether it is reasonable and appropriate to implement procedures for creating, changing, and safeguarding passwords.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________
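The Information system activity review and Log-in monitoring items above ask for procedures, not tools, but a concrete check makes the "report discrepancies" part repeatable. The following is an added example written for this page, not part of the assessment form and not an HHS artifact. It assumes an OpenSSH/syslog-style line format, a constructed ten-line sample log, a five-failures-in-ten-minutes threshold and 07:00-19:59 business hours; every one of those is an assumption to be replaced with the entity's own log sources and risk-analysis values.

```python
"""Log-in monitoring over constructed authentication log lines.

Added illustration (not part of the assessment form): one way to turn the
"monitor log-in attempts and report discrepancies" specification into a
repeatable check.  Log format, host and user names, and thresholds are
assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed OpenSSH/syslog-style line shape.  Real sources (EHR application
# logs, Windows events 4624/4625, VPN logs) need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: a guessing burst from 203.0.113.7 that ends in a
# success, plus a 02:15 log-in by a day-shift billing account.
SAMPLE_LOG = """\
2024-03-04T09:02:11 ehr-gw sshd[4121]: Accepted password for nurse.kim from 10.20.1.15 port 50112 ssh2
2024-03-04T09:30:44 ehr-gw sshd[4188]: Failed password for billing.ray from 10.20.1.40 port 50201 ssh2
2024-03-04T09:30:59 ehr-gw sshd[4188]: Accepted password for billing.ray from 10.20.1.40 port 50201 ssh2
2024-03-04T23:58:01 ehr-gw sshd[5012]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
2024-03-04T23:58:04 ehr-gw sshd[5013]: Failed password for root from 203.0.113.7 port 41002 ssh2
2024-03-04T23:58:08 ehr-gw sshd[5014]: Failed password for dr.patel from 203.0.113.7 port 41003 ssh2
2024-03-04T23:58:13 ehr-gw sshd[5015]: Failed password for dr.patel from 203.0.113.7 port 41004 ssh2
2024-03-04T23:58:19 ehr-gw sshd[5016]: Failed password for dr.patel from 203.0.113.7 port 41005 ssh2
2024-03-04T23:58:31 ehr-gw sshd[5017]: Accepted password for dr.patel from 203.0.113.7 port 41006 ssh2
2024-03-05T02:15:40 ehr-gw sshd[5230]: Accepted password for billing.ray from 10.20.1.40 port 50310 ssh2
"""

FAIL_THRESHOLD = 5             # failures from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for the burst check (assumed)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed)


def parse(log_text):
    """Return matching lines as dicts with a datetime 'ts'; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def review_logins(log_text):
    """Flag three discrepancy types and return them as sorted (kind, subject, detail) tuples.

    failed_login_burst   : >= FAIL_THRESHOLD failures from one source within WINDOW
    success_after_burst  : a successful log-in from a source that just produced a burst
    after_hours_login    : a successful log-in outside BUSINESS_HOURS
    """
    findings = []
    recent_fails = defaultdict(list)  # source address -> failure timestamps in window
    flagged_burst = set()             # sources already reported, to avoid duplicates
    for ev in parse(log_text):
        src, ts = ev["src"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        fails = recent_fails[src] = [t for t in recent_fails[src] if ts - t <= WINDOW]
        if ev["result"] == "Failed":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and src not in flagged_burst:
                flagged_burst.add(src)
                findings.append(("failed_login_burst", src,
                                 f"{len(fails)} failures within {WINDOW}"))
        else:
            # A success right after a burst from the same source is the case that
            # most needs a human look: the guessing may have worked.
            if len(fails) >= FAIL_THRESHOLD:
                findings.append(("success_after_burst", ev["user"],
                                 f"from {src} after {len(fails)} failures"))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after_hours_login", ev["user"],
                                 f"at {ts.isoformat()} from {src}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in review_logins(SAMPLE_LOG):
        print(f"{kind:20} {subject:14} {detail}")
```

Each finding is the kind of entry that belongs in the incident tracking report the activity-review item refers to; the review procedure itself should state who runs the check, how often, and what disposition (confirmed benign, escalated as a security incident) is recorded for each finding.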

    6. Security Incident Procedures

Standard

    ____ We have implemented policies and procedures to address security incidents. "Security incident" - attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 45 C.F.R. § 164.304.

     The Security Rule does not itself require external incident reporting; whether to report outside the entity is "dependent upon business and legal considerations." 68 Fed. Reg. at 8,350. Note that this concerns the Security Rule only: the separate Breach Notification Rule (45 C.F.R. Part 164, Subpart D) imposes its own notification duties when unsecured PHI is breached.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Required

____Response and reporting: We have:

     (1) identified and responded to suspected or known security incidents;

     (2) mitigated, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and

     (3) documented security incidents and their outcomes.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

    _______________________________________________________________

    7. Contingency Plan

Standard

    ____We have established (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems that contain EPHI.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________

_______________________________________________________________

Required

    ____Data backup plan: We have established and implemented procedures to create and maintain retrievable exact copies of EPHI.

Date Assessed ___________

Description of Implementation

    _______________________________________________________________
