Policy Title: HIPAA Access Control



Similar documents
Policy Title: HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

CHIS, Inc. Privacy General Guidelines

How To Write A Health Care Security Rule For A University

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

HIPAA Security Series

LogMeIn HIPAA Considerations

HIPAA Security Alert

Credit Card Security

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

How To Protect Decd Information From Harm

C.T. Hellmuth & Associates, Inc.

Copyright Telerad Tech RADSpa. HIPAA Compliance

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Verizon Remote Access User Guide

Wellesley College Written Information Security Program

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA Information Security Overview

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

ADM:49 DPS POLICY MANUAL Page 1 of 5

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

State HIPAA Security Policy State of Connecticut

Designing a security policy to protect your automation solution

How To Protect A Wireless Lan From A Rogue Access Point

Information Technology Security Procedures

Policies and Compliance Guide

General Rules of Behavior for Users of DHS Systems and IT Resources that Access, Store, Receive, or Transmit Sensitive Information

Information Technology Branch Access Control Technical Standard

8.03 Health Insurance Portability and Accountability Act (HIPAA)

VMware vcloud Air HIPAA Matrix

Data Network Security Policy

IT Security Procedure

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

HIPAA. considerations with LogMeIn

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

Newcastle University Information Security Procedures Version 3

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Estate Agents Authority

MCOLES Information and Tracking Network. Security Policy. Version 2.0

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Network Protection and Information Security Policy

White Paper. Support for the HIPAA Security Rule PowerScribe 360

itrust Medical Records System: Requirements for Technical Safeguards

ISLAND COUNTY SECURITY POLICIES & PROCEDURES

Checklist of Requirements for Protection of Restricted Data College of Medicine Departments (v 03/2014)

AASTMT Acceptable Use Policy

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Catapult PCI Compliance

HIPAA Audit Risk Assessment - Risk Factors

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA Security Training Manual

HIPAA Assessment HIPAA Policy and Procedures

'Namgis Information Technology Policies

Network Security Policy

Miami University. Payment Card Data Security Policy

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Consensus Policy Resource Community. Lab Security Policy

HIPAA and Mental Health Privacy:

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

HIPAA Security Matrix

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PrintFleet Enterprise 2.2 Security Overview

NETWORK AND INTERNET SECURITY POLICY STATEMENT

Network Security Policy

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Payment Card Industry Self-Assessment Questionnaire

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

HIPAA Privacy and Security Risk Assessment and Action Planning

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Vital Records Electronic Registration System (ERS-II) Technical Resource Guide and Support Procedures

Transcription:

Policy Title: HIPAA Access Control Number: TD-QMP-7018 Subject: Ensuring that access to EPHI is only available to those persons or programs that have been appropriately granted such access. Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy: 9/23/2011 Last Reviewed by TennDent Quality Monitoring/Improvement Committee: 9/23/2011 Secondary Department: TennDent/Administration Prior Policy or Cross Reference(s): 10/1/2010 Date Policy Last Revised: 9/23/2011 Review Frequency: Annually Next Scheduled Review: 7/1/2012 TennDent Quality Monitoring/Improvement Committee Approval: OIn File Approval Date: 9/23/2011 Scope: TennDent staff, employees of Delta Dental of Tennessee (DDTN), TennDent/IT Purpose: TennDent is committed to conducting business in compliance with all applicable laws, regulations and TennDent policies. This Policy covers the unique user identification and password, emergency access, automatic logoff, encryption and decryption, firewall, and remote and wireless access procedures that will apply to electronic information systems that maintain Electronic Personal Health Information (EPHI) to assure that such systems are accessed only by those persons or software programs that have been granted access rights under the HIPAA Security Policy -- Information Access Management Policy. Authoritative Reference: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L.104-191) HIPAA Security Rule [HIPAA Technical Safeguards] [see 164.312(a)(1) & (2)] Policy: 1) Unique User Identification and Password Policy: HIPAA Access Control 1

a. To uniquely identify and track each user for the purpose of access control to all networks, systems, and applications that contain EPHI, and the monitoring of access to the aforementioned networks, systems, and applications, TennDent must comply with the measures outlined in this Policy. b. Any user that requires access to any network, system, or application that access, transmits, receives, or stores EPHI, must be provided with a unique user identification string. c. When requesting access to any network, system, or application that accesses, transmits, receives, or stores EPHI, a user must supply his or her previously assigned unique user identification in conjunction with a secure password to gain access. d. Each user s password should meet the requirements as outlined in TennDents Password Best Practices Policy. Each user's password must meet the following minimum requirements: Passwords must be a minimum of eight characters in length Passwords must not be words found in a Dictionary Passwords must not include easily guessed information such as personal information, names, pets, birth dates, etc e. If a system does not support the minimum structure and complexity as detailed in the aforementioned guidelines, one of the following procedures must be implemented: The password assigned must be adequately complex to ensure that it is not easily guessed and the complexity of the chosen alternative must be defined and documented. The legacy system must be upgraded to support the requirements of (letter d) as soon as administratively possible. All EPHI must be removed and relocated to a system that supports the foregoing security password structure. f. Users must not allow another user to use their unique user identification or password. g. Users must ensure that their user identification is not documented, written, or otherwise exposed in an insecure manner. h. Each user must ensure that their assigned User Identification is appropriately protected and only used for legitimate access to networks, systems, or applications. i. If a user believes their user identification has been comprised, they must report that security incident to their manager, who will contact the appropriate HIPAA Officer. 2) Emergency Access a. To ensure that access to critical EPHI is maintained during an emergency situation, each Department must establish and implement procedures to ensure that access to a system that contains EPHI and is used to provide treatment to an individual is made available to any Policy: HIPAA Access Control 2

caregiver in the case of an emergency, if the denial or strict access to that EPHI could inhibit or negatively affect an individual s care. b. EPHI repositories that do not affect an individual s care are not subject to the foregoing emergency access requirement. 3) Automatic Logoff a. Servers, workstations, or other computer systems containing EPHI repositories that have been classified as high risk must employ inactivity timers or automatic logoff mechanisms. b. The aforementioned systems must terminate a user session after a maximum of 15 minutes of inactivity. c. Servers, workstations, or other computer systems located in open, common, or otherwise insecure areas, that access, transmit, receive, or store EPHI must employ inactivity timers or automatic logoff mechanisms. (i.e., password protected screensaver that blacks out screen activity.) The aforementioned systems must terminate a user session after a maximum of 15 minutes of inactivity. d. Applications and databases using EPHI, such as electronic claims records, must employ inactivity timers or automatic session logoff mechanisms. The aforementioned application sessions must automatically terminate after a maximum of 30 minutes of inactivity. e. Servers, workstations, or other computer systems that access, transmit, receive, or store EPHI, and are located in locked or secure environments need not implement inactivity timers or automatic logoff mechanisms. f. If a system that otherwise would require the use of an inactivity timer or automatic logoff mechanism does not support an inactivity timer or automatic logoff mechanism, one of the following procedures must be implemented: The system must be upgraded or moved to support the required inactivity timer or automatic logoff mechanism. The system must be moved into a secure environment. All EPHI must be removed and relocated to a system that supports the required inactivity timer or automatic logoff mechanism. g. When leaving a server, workstation, or other computer system unattended, Users must lock or activate the systems automatic logoff mechanism (e.g. CNTL, ALT, DELETE and Lock Computer) or logout of all applications and database systems containing EPHI. 4) Encryption and Decryption a. Encryption of EPHI as an access control mechanism is not required unless the custodian of said EPHI deems the data to be highly critical or sensitive. Encryption of EPHI is required in some instances as a transmission control and integrity mechanism. 5) Firewall Use a. All networks housing EPHI repositories must be appropriately secured. To ensure that all networks that contain EPHI-based systems and applications are appropriately secured, each connection to outside the network must follow the steps outlined below. Policy: HIPAA Access Control 3

b. Networks containing EPHI-based systems and applications must implement perimeter security and access control with a firewall. c. Firewalls must be configured to support the following minimum requirements: Limit network access to only authorized TennDent users and entities. Limit network access to only legitimate or established connections. An established connection is return traffic in response to an application request submitted from within the secure network. Console and other management ports must be appropriately secured or disabled. Implement mechanism to log failed access attempts. Must be located in a physically secure environment. d. TennDent must document its configuration of firewalls used to protect networks containing EPHI-based systems and applications. This documentation should include a configuration plan that outlines and explains the firewall rules. e. The configuration of firewalls used to protect networks containing EPHI-based systems and applications must be submitted to and approved by the Information Security Officer. 6) Remote Access a. To ensure that all networks that contain EPHI based systems and applications are appropriately secured, each user must follow the remote access policies and procedures outlined below. b. Dialup connections (if allowed), directly into secure networks are considered to be secure connections and do not require a VPN connection. This implementation of secure remote access extends the secure network to the remote user using a secure PSTN (Public Switched Telephone Network) connection. c. Authentication and encryption mechanisms are required for all remote access sessions to networks containing EPHI via an ISP (Internet service provider) or dialup connection. Examples of such mechanisms include VPN clients, authenticated SSL web sessions, and secured Citrix client access. d. The following security measures must be implemented for any remote access connection into a secure network containing EPHI: Mechanisms to bypass authorized remote access mechanisms are strictly prohibited. For example, remote control software and applications, such asgotomypc.com, are not permitted. Remote access workstations must employ a virus detection and protection mechanism. e. Users of remote workstations must comply with HIPAA Security Policy Workstation Acceptable Use Policy. f. All encryption mechanisms implemented to comply with this policy must support a minimum of, but not limited to, 128-bit encryption. Policy: HIPAA Access Control 4

g. Any user requesting remote access to a secure network containing EPHI-based systems and applications must be approved by the Security Officer to ensure that the remote workstation device being used by said user meets the security measures detailed in HIPAA Security Policy -- Server, Desktop, and Wireless Computer System Security. The owner of the secure network (IS or managing department) must ensure that the previous requirement has been satisfied before access is granted. h. TennDent must establish a formal, documented procedure to ensure that remote workstations and mobile devices used by their users to remotely access secure networks containing EPHI-based systems and applications continue to meet the security measures detailed in HIPAA Security Policy -- Server, Desktop, and Wireless Computer System Security. 7) Wireless Access a. To ensure that all networks that contain EPHI based systems and applications are appropriately secured, TennDent must follow the wireless access policies and procedures outlined below. b. Wireless access to networks containing EPHI-based systems and applications is permitted so long as the following security measures have been implemented: Encryption must be enabled. MAC-based or User ID/Password authentication must be enabled. MAC-based(Media Access Control) authentication is based on a permitted list of hardware addresses that can access the wireless network. MAC addresses are hard coded on each network interface card and typically cannot be changed.\ All console and other management interfaces have been appropriately secured or disabled. Unmanaged, ad-hoc, or rogue wireless access points ARE NOT PERMITTED on any secure network containing EPHI-based systems and applications. All wireless LANs do not utilize standard 2.4GHz, 5.0GHz or microwave radio frequencies. Wireless LANs and devices may utilize infrared frequencies and may not support the typical wireless LAN encryption and security mechanisms. For instance, the use of infrared ports on PDAs, laptops, and printers to transmit EPHI may not allow encryption of that data stream. It has been determined that this is low risk because this implementation of infrared is very short distance and low power. All encryption mechanisms implemented to comply with this policy must support a minimum of, but not limited to, 128-bit encryption. c. Any user requesting access to a secure wireless network containing EPHI-based systems and applications must ensure that the wireless device being used by said user meets the security measures detailed in HIPAA Security Policy -- Server, Desktop, and Wireless Computer System Security. The owner (managing entity) of the secure wireless network must ensure that the previous requirement has been satisfied before access is granted. d. TennDent must establish a formal, documented procedure to ensure that wireless devices used by their users to access secure networks containing EPHI-based systems and Policy: HIPAA Access Control 5

applications continue to meet the security measures detailed in HIPAA Security Policy -- Server, Desktop, and Wireless Computer System Security. Violations Any individual, found to have violated this policy, may be subject to disciplinary action up to and including termination of employment. Related Policies and Procedures: Document and Records Management Policy Document and Records Management Procedure HIPAA Device and Media Control Policy HIPAA Device and Media Control Procedure HIPAA Facility Access Controls Policy HIPAA Information Access Management Policy HIPAA Information Access Management Procedure HIPAA Password Policy HIPAA Periodic Evaluation of Security Policies and Procedures Policy HIPAA Personal Health Information Policy HIPAA Security Awareness and Training Policy HIPAA Security Awareness Training Procedure HIPAA Security Compliance Policy HIPAA Security Verification and Validation Policy HIPAA Server, Desktop and Wireless Computer System Policy HIPAA System Security Procedure HIPAA Workforce Security Policy HIPAA Workforce Security Procedure Related Documents: Policy: HIPAA Access Control 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information