Physical Safeguard Standard, Device and Media Controls: Disposal Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard.  Disposal is the first of four implementation specifications, and it is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement policies and procedures to address the final disposition of electronic protected health information and…

READ MORE

Physical Safeguard Standard, Workstation Security-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third Physical Safeguard Standard, Workstation Security.  The implementation specification for this standard is defined by the standard title, and is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement physical safeguards for all workstations that access electronic protected health information to restrict access…

READ MORE

Physical Safeguard Standard, Workstation Use-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Workstation Use is the second Physical Safeguard Standard.  There is no defined implementation specification for this standard.  Implementation of policies and procedures pertaining to this standard are required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What is Required A covered entity must implement policies and procedures that specify the proper functions to be…

READ MORE

Physical Safeguard Standards of the HIPAA Administrative Simplification Security Rule

There are four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. Physical…

READ MORE

Contingency Plan: Emergency Mode Operation Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in the emergency mode. How to Do It Covered entities are required to develop…

READ MORE

Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to restore any loss of data. How to Do It The content and procedures of a covered entity’s disaster recovery plan will be » Outcomes of the covered entity’s identification of vulnerabilities and…

READ MORE

Contingency Plan: Data Backup-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. How to Do It Covered entities must backup electronic protected health information on a regular basis. When a computer system fails, it may…

READ MORE

Contingency Plan: Sample Policy and Procedures

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. HIPAA.com will outline What to do and How to do it for each…

READ MORE

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has five implementation specifications:  Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis.  The first three are required; the last two are addressable.  Addressable does not mean optional.  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. If a fire swept through a covered entity’s facility, the covered entity would…

READ MORE

Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required. What to Do If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but also can serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider. How to Do It This implementation specification is required, but is not likely…

READ MORE