Information Access Management: Access Establishment and Modification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Implement policies and procedures that, based upon the covered entity’s…

Information Access Management: Access Authorization-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Implement policies and procedures for granting access to electronic protected…

Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required.

What to Do

If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but it can also serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider.

How to Do It

This implementation specification is required, but is not likely…

Security Management Process: Information System Activity Review-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.

What to Do

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

How to Do It

The size of the covered entity and the complexity of its business operations will be key considerations in the risk analysis and in fulfilling the requirements of this implementation specification. First, regularly review information system activity for inappropriate use or security incidents, such as unauthorized disclosure. Many computer systems now have built-in reporting functionality…
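As an added illustration, not part of the original post, the following Python script shows one shape such a regular review can take: it parses a few constructed sample audit records of access to electronic protected health information and flags the events a reviewer should follow up on (after-hours access by roles not expected to work nights, exports by roles not cleared to export, unusually high numbers of distinct patient records viewed in a day, and repeated failed logins). The log format, the role table and every threshold are assumptions made for this example; a covered entity would set its own, driven by its risk analysis, and would treat the output as a starting point for human review rather than a verdict.

```python
"""Review constructed ePHI audit records and flag events that warrant follow-up.

Added example; the log format, roles and thresholds below are assumptions for
illustration, not requirements of the HIPAA Security Rule.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import NamedTuple

# Assumed organizational expectations (set from the covered entity's risk analysis).
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ROLES_ALLOWED_AFTER_HOURS = {"nurse", "physician"}
ROLES_ALLOWED_TO_EXPORT = {"billing"}
MAX_DISTINCT_PATIENTS_PER_DAY = {"clerk": 3, "billing": 10, "nurse": 25, "physician": 25}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log: "<ISO timestamp> <user> <role> <patient id or -> <action>".
SAMPLE_LOG = """\
2009-03-02T08:15:00 jdoe nurse P1001 VIEW
2009-03-02T23:40:00 jdoe nurse P1003 VIEW
2009-03-02T09:05:00 mlee billing P1001 VIEW
2009-03-02T09:06:00 mlee billing P1004 EXPORT
2009-03-02T10:00:00 rsmith clerk P2001 VIEW
2009-03-02T10:01:00 rsmith clerk P2002 VIEW
2009-03-02T10:02:00 rsmith clerk P2003 VIEW
2009-03-02T10:03:00 rsmith clerk P2004 VIEW
2009-03-02T21:30:00 rsmith clerk P2005 EXPORT
2009-03-02T11:00:00 tkim clerk - LOGIN_FAIL
2009-03-02T11:00:10 tkim clerk - LOGIN_FAIL
2009-03-02T11:00:20 tkim clerk - LOGIN_FAIL
2009-03-02T11:01:00 tkim clerk P3001 VIEW
"""


class Event(NamedTuple):
    when: datetime
    user: str
    role: str
    patient: str  # "-" when the event is not tied to a patient record
    action: str


class Finding(NamedTuple):
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed space-separated audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def review(events: list[Event]) -> list[Finding]:
    """Apply the review rules and return every event or pattern needing follow-up."""
    findings: list[Finding] = []
    distinct_patients: dict[tuple[str, str, object], set[str]] = defaultdict(set)
    failed_logins: dict[str, int] = defaultdict(int)

    for e in events:
        outside_hours = not (BUSINESS_HOURS[0] <= e.when.time() < BUSINESS_HOURS[1])
        if outside_hours and e.patient != "-" and e.role not in ROLES_ALLOWED_AFTER_HOURS:
            findings.append(Finding("after_hours", e.user,
                                    f"{e.action} of {e.patient} at {e.when.isoformat()}"))
        if e.action == "EXPORT" and e.role not in ROLES_ALLOWED_TO_EXPORT:
            findings.append(Finding("unexpected_export", e.user,
                                    f"role {e.role} exported {e.patient}"))
        if e.action == "LOGIN_FAIL":
            failed_logins[e.user] += 1
        elif e.patient != "-":
            distinct_patients[(e.user, e.role, e.when.date())].add(e.patient)

    for (user, role, day), patients in distinct_patients.items():
        limit = MAX_DISTINCT_PATIENTS_PER_DAY.get(role, 0)
        if len(patients) > limit:
            findings.append(Finding("high_volume", user,
                                    f"{len(patients)} distinct patients on {day} (limit {limit})"))
    for user, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(Finding("failed_logins", user, f"{count} failed logins"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

Run on the sample, the script flags only the clerk's after-hours export, that clerk's five-patient day, and the three failed logins; the nurse's late-night view is accepted because the role table expects it. The point is not the specific rules but that each one traces back to a documented expectation, so the review produces a record that can be acted on under the sanction policy and retained as evidence of the review having been done.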

Security Management Process: Sanction Policy-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.

What to Do

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

How to Do It

The covered entity must determine appropriate internal sanctions or penalties for violation of its security policies and procedures by workforce members. Sanctions should:

» Deter noncompliant behavior, such as posting passwords on computer hardware or under a desk pad.

» Serve as an incentive for compliance with security policies and procedures.

The appropriate sanctions…
