VIRGINIA ASSOCIATION OF COMMUNITY SERVICES BOARDS HIPAA READINESS STEERING COMMITTEE

Transcription

1 VIRGINIA ASSOCIATION OF COMMUNITY SERVICES BOARDS HIPAA READINESS STEERING COMMITTEE HIPAA CHECKLIST FOR INFORMATION TECHNOLOGY AND COMPUTER SYSTEMS SECURITY AREA OF CONCERN QUESTIONS Workstations Software/Hardware a policy and procedure on desktop use? Does your policy include security of protected health information? Does your CSB have physical safeguards to eliminate or minimize unauthorized access to information? Does your CSB have regularly scheduled training on workstation security for users? Does the training include the following topics: tracking certain transactions, back-up, disposal of old information, password management, automated log-off time frames, screensavers with passwords to log back on, unattended computers, prohibition of unauthorized software, wireless connections, electronic certificates/digital signatures? Do you have policies and procedures for the security management of the paper medical record? Business Associate/Chain of Trust agreements with software vendors Is the organization working with Y, N OR N/A Location of Documentation

2 Internet Security and Use its software vendor to insure HIPAA compliance and existence of BA/COT agreements? Does the organization use an electronic billing vendor? Has the organization surveyed its vendors/business relationships to determine who falls into the BA/COT realm? Media Management and Disposal a policy and procedure defining the disposal of all computers (desktops, servers, handheld palm computers, etc? Does the procedure include the destruction of hard drives? Does the procedure track computers to new employees or to outside recipients? Does the organization maintain an inventory of computers and software? procedures for disposing of ribbons, cartridges, diskettes, cds, dictaphone cassettes, audiocassettes, videocassettes, etc.? policies and procedures for management of fax machines, voice mail, video and audio tapes of client sessions? policies and procedures regarding access to and use of the Internet? Does the policy clearly state that Internet traffic is not secure nor confidential? methods or procedures for monitoring Internet traffic?

3 Transaction Codes Does the organization limit use of the Internet to specifically authorized users? an policy and procedure that defines the use of internal and Internet ? Do users have passwords protecting their accounts? Does the policy establish agency ownership of any ? Does the policy prohibit the transmittal of threatening, offensive, harassing or otherwise, inflammatory statements? Does the policy and procedure define the use of for transmission of client information? Does the agency use encryption or digital signatures on extremely sensitive ? a policy and procedure regarding the download of materials from the Internet? Is the organization monitoring the vendor activity related to upgrades of software? Is the organization monitoring the progress of DMAS regarding transaction codes? If the organization does its own programming, has it established a plan of action for the reprogramming?

4 Disaster Recovery Plan Has the organization developed a disaster recovery plan? Does the plan address the following elements? I. Overview II. Information Technology Structure A. Depts. supported by IT Reimbursement, A/R, Purchasing, Clinical/Case Mgmt staff, Support staff/client Records, Admin, Management B. Major Systems supported by IT C. Major Systems supported by IT Primary Client Data systems (Anasazi, CMHC, BTI, etc), electronic Medicaid billing system, payroll, financial accounting, acquisition/ purchasing, CARS, budgeting, state Comprehensive Plan software, POMS software, Microsoft Office, Outlook III. Information Processing Equipment and Software A. Software (ex. NT 4.0, Service Pack 4, Seagate Backup, Netshield Antivirus, NT File system B. Hardware (ex. servers, tape backup hardware, MEGARaid controller, uninterrupted power supplies IV. Network Connectivity Hardware (ex. switches, routers, hubs, broadband modems

5 V. Information storage A. Server storage config B. Data replication VI. Security A. Physical security B. Network access C. Resources (printers, directories) D. File access VII. VIII. Data Archiving (back up procedures for both desktops and servers) Data warehousing IX. System Disaster Recovery A. Hardware B. Software and Data Appendices including Appendices including procedures for backup configuration, restore configuration, configuring resource sharing/ permission procedures, configuring directory/file permission procedures Other CSB Identified areas of concern