HIPAA/HITECH PRIVACY & SECURITY CHECKLIST ASSESSMENT AND GUIDANCE INSTRUCTIONS




Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better understanding of where we can better assist you. Below you will find some acronyms that are shown throughout the checklist as well as some brief instructions for completing the assessment. This checklist also gives specific guidance for many of the requirements. However, it is important that any safeguard that is implemented should be based on your risk analysis and part of your risk management strategy.

Instructions

The sample row below shows the layout of the checklist. The numbered notes that follow explain each part of a row.

Sample row:
164.308(a)(1)(i)
164.308(a)(1)(ii)(A)
TVS004
HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS (R) = REQUIRED, (A) = ADDRESSABLE
Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Has a Risk Analysis been completed in accordance with NIST Guidelines (NIST 800-30)? (R)
Risk analysis should include the following steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation

1 - The HIPAA Security Rule specifies a list of required or addressable safeguards. If an (R) is shown after the safeguard, then implementation of that safeguard is required. If an (A) is shown, then the safeguard must be assessed to determine whether or not it is a reasonable and appropriate safeguard in your environment. If it is not implemented, then you are required to document the reason why and also implement an equivalent alternative safeguard if reasonable and appropriate.
2 - The reference is the C.F.R. (Code of Federal Regulations) section that maps the requirement or safeguard to the specific regulation. The next line, if applicable, references the Threat/Vulnerability Statement (TVSxxx) from the Security Risk Assessment spreadsheet.
3 - This field is the requirement or safeguard that is being evaluated. If shown in bold, then specifying a status for that particular safeguard is not necessary because it is an overview of the following rows to be evaluated.
4 - For any of the highlighted fields, a status is not required because that row is just an overview of the following rows to be evaluated.
5 - This field is used to specify the status of the requirement or safeguard. Please specify one of the following: Complete, In Progress, Not Complete, or Unknown. Please feel free to add any additional comments to the field or on a separate sheet of paper.
6 - This area provides guidance and examples related to many of the safeguards. Some examples may be specified for multiple requirements due to having some relevance in multiple areas.

Acronyms
NIST - National Institute of Standards and Technology
FIPS - Federal Information Processing Standards
PHI - Protected Health Information
EPHI - Electronic Protected Health Information
BA - Business Associate
CE - Covered Entity
EHR - Electronic Health Record
HHS - Health and Human Services
IS - Information System
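The sample row ends with likelihood determination, impact analysis and risk determination. The following is an added example, not part of the checklist or of its Security Risk Assessment spreadsheet, of how that determination is carried out with the qualitative scales of NIST SP 800-30: likelihood High/Medium/Low scored 1.0/0.5/0.1, impact High/Medium/Low scored 100/50/10, and the product mapped to Low (1-10), Medium (above 10 to 50) or High (above 50). The register entries and the TVS-style identifiers in it are constructed placeholders and do not correspond to rows of the real spreadsheet.

```python
"""NIST SP 800-30 style risk determination for a threat/vulnerability register.

Added example, not part of the checklist. The entries below are constructed and
their TVS-style identifiers are placeholders, not rows of the real Security
Risk Assessment spreadsheet.
"""
from dataclasses import dataclass

# Qualitative scales from NIST SP 800-30 (2002), section 3.7.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnerability:
    tvs_id: str        # placeholder identifier
    statement: str     # threat/vulnerability statement
    likelihood: str    # after taking existing controls into account
    impact: str        # worst-case loss of confidentiality, integrity or availability
    control: str       # recommended control, carried into the results documentation


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x impact, the product tabulated in the SP 800-30 risk-level matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map the product to the SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(entries):
    """One result row per entry, highest risk first, ready for the results documentation step."""
    rows = []
    for entry in entries:
        score = risk_score(entry.likelihood, entry.impact)
        rows.append({"tvs_id": entry.tvs_id, "statement": entry.statement,
                     "score": score, "risk": risk_level(score), "control": entry.control})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed register for a small practice (placeholders, not the spreadsheet's rows).
SAMPLE_REGISTER = [
    ThreatVulnerability("TVS-A", "Remote Desktop (tcp/3389) forwarded from the Internet to the EMR server",
                        "High", "High", "Remove the port forward; require an IPsec VPN for remote access"),
    ThreatVulnerability("TVS-B", "Workstation audit logs enabled but never reviewed",
                        "Medium", "Medium", "Forward logs to a central syslog server with alerting"),
    ThreatVulnerability("TVS-C", "Backup media stored on site in an unlocked cabinet",
                        "Medium", "High", "Encrypt backups (FIPS 140-2) and store them off site"),
    ThreatVulnerability("TVS-D", "Posted notice of privacy practices is out of date",
                        "Low", "Low", "Reissue the notice of privacy practices"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["tvs_id"]:6} {row["risk"]:6} ({row["score"]:5.1f})  {row["statement"]}')
```

Note that a Medium likelihood against a High impact scores exactly 50 and therefore stays Medium; only entries scoring above 50 reach High, which is why the exposed Remote Desktop entry sorts first.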

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST ASSESSMENT & GUIDANCE

Columns: HIPAA/HITECH Reference | HIPAA Privacy Rule / HIPAA Security Rule / HITECH Act requirement | Status (Complete, In Progress, Not Complete, Unknown) | Guidance

HIPAA PRIVACY RULE

164.502, 164.514
Develop "minimum necessary" policies for:
- Uses
- Routine disclosures
- Non-routine disclosures
- Limit requests to the minimum necessary
- Ability to rely on a request for the minimum necessary

164.504
Develop policies for business associate (BA) relationships and amend business associate contracts or agreements. The contract must:
- Describe the permitted and required uses of protected health information by the business associate
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract
Where a covered entity knows of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, the covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

164.502, 164.504, 164.506, 164.508, 164.510, 164.512
Limit disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations and state law.

164.520
Develop and disseminate a notice of privacy practices. The notice should include (not all-inclusive):
- The ways that the Privacy Rule allows the covered entity to use and disclose protected health information. It must also explain that the entity will get patient permission, or authorization, before using health records for any other reason.
- The covered entity's duties to protect health information privacy.
- Patient privacy rights, including the right to complain to HHS and to the covered entity if they believe that their privacy rights have been violated.
- The patient's right to inspect and obtain a copy of their PHI upon written notice.
- How to contact the entity for more information and to make a complaint.

164.522
Develop policies for requests for alternative means of communication.

164.524
Develop policies for access to designated record sets:
- Providing access
- Denying access

164.526
Develop policies for amendment requests:
- Accepting an amendment
- Denying an amendment
- Actions on notice of an amendment
- Documentation

164.528
Develop policies for accounting of disclosures.

164.530
Implementation of the Privacy Rule administrative requirements, including:
- Appoint a HIPAA privacy officer
- Training of the workforce
- Sanctions for non-compliance
- Develop compliance policies
- Develop anti-retaliation policies
- Policies and procedures

HIPAA SECURITY RULE - ADMINISTRATIVE SAFEGUARDS
(R) = REQUIRED, (A) = ADDRESSABLE

164.308(a)(1)(i)
Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.

164.308(a)(1)(ii)(A) / TVS004
Has a Risk Analysis been completed in accordance with NIST Guidelines (NIST 800-30)? (R)
Risk analysis should include the following steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation

164.308(a)(1)(ii)(B) / TVS004
Has the Risk Management process been completed in accordance with NIST Guidelines (NIST 800-30)? (R)
Risk management should be carried out in each phase of the system life cycle:
- Initiation
- Development or acquisition
- Implementation
- Operation or maintenance
- Disposal

164.308(a)(1)(ii)(C) / TVS003
Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)
A formal sanction policy should include the types of violations that require sanctions, including:
- Accessing information that you do not need to know to do your job
- Sharing computer access codes (user name & password)
- Leaving a computer unattended while you are logged into a PHI program
- Disclosing confidential or patient information to unauthorized persons
- Copying information without authorization
- Changing information without authorization
- Discussing confidential information in a public area or in an area where the public could overhear the conversation
- Discussing confidential information with an unauthorized person
- Failing/refusing to cooperate with the compliance officer, ISO, or other designee
- Failing/refusing to comply with a remediation resolution or recommendation
Recommended disciplinary actions include:
- Verbal or written reprimand
- Retraining on privacy/security awareness, policies, HIPAA, HITECH, and civil and criminal prosecution
- Letter of reprimand or suspension
- Termination of employment or contract

164.308(a)(1)(ii)(D) / TVS014, TVS017, TVS019
Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? (R)
- Ensure EMR and other audit logs are enabled and monitored regularly. Email alerts should also be set up for login failures and other events.
- Enable and monitor the Windows Security Event Logs (workstations and servers). It is also important to monitor the other Event Logs (Application and System logs).
- Monitor logs from networking equipment, i.e. switches, routers, wireless access points, and firewalls.
- Audit reduction, review, and reporting tools (i.e. a central syslog server) support after-the-fact investigations of security incidents without altering the original audit records.
- Continuous monitoring of the information system using manual and automated methods. Manual methods include the use of designated personnel or an outsourced provider that manually reviews logs or reports on a regular basis, i.e. every morning. Automated methods include email alerts generated from syslog servers, servers and networking equipment, and EMR software alerts sent to designated personnel.
- Track and document information system security incidents on an ongoing basis.
- Report incidents to the appropriate personnel, i.e. the designated Privacy Officer or Information Security Officer (ISO).
- Use a central syslog server for monitoring and alerting on audit logs and abnormalities on the network, including:
  - Account locked due to failed attempts
  - Failed attempts by unauthorized users
  - Escalation of rights
  - Installation of new services
  - Event log stopped
  - Virus activity

164.308(a)(2) / TVS003
Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (R)

164.308(a)(3)(i)
Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI).
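The audit-log review row 164.308(a)(1)(ii)(D) above, and the login-monitoring row 164.308(a)(5)(ii)(C) later in this checklist, both ask for alerting on the same set of events: account lockouts, repeated failed logons, escalation of rights, installation of new services, the event log being stopped or cleared, and virus activity. The following is an added example of that alerting logic, not a tool from the checklist. It assumes Windows event logs are forwarded to the syslog server as one line per event in a simple "timestamp host EventID=nnnn key=value ..." form (that format is an assumption; real forwarders differ), and the log lines in it are constructed for the example.

```python
"""Alerting on the auditable events named in 164.308(a)(1)(ii)(D) and
164.308(a)(5)(ii)(C): lockouts, failed logons, escalation of rights, service
installation, the event log being stopped, and virus activity.

Added example, not the checklist's own tooling. Assumes forwarded Windows
events arrive as "timestamp host EventID=nnnn key=value ..." lines (an
assumed format); the sample log below is constructed.
"""
import re
from collections import defaultdict

# Windows event IDs behind each checklist category (Security log unless noted).
CATEGORIES = {
    4740: "account locked out",
    4672: "escalation of rights (special privileges assigned)",
    4728: "escalation of rights (added to privileged global group)",
    4732: "escalation of rights (added to privileged local group)",
    7045: "new service installed",          # System log, Service Control Manager
    1102: "security event log cleared",
    1100: "event logging service stopped",
}
FAILED_LOGON = 4625
FAILED_LOGON_THRESHOLD = 5   # alert once a user reaches this many failures (assumed threshold)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return (timestamp, host, event_id, fields) or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return m.group("ts"), m.group("host"), int(m.group("eid")), fields


def find_alerts(lines):
    """Return (category, host, detail) alerts in log order."""
    alerts = []
    failures = defaultdict(int)   # (host, user) -> failed logon count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            # Antivirus lines are free text in this feed; match on the keyword.
            if "virus" in line.lower() or "malware" in line.lower():
                alerts.append(("virus activity", line.split()[1], line.strip()))
            continue
        ts, host, eid, fields = parsed
        if eid in CATEGORIES:
            who = fields.get("TargetUserName") or fields.get("SubjectUserName") or fields.get("ServiceName", "?")
            alerts.append((CATEGORIES[eid], host, f"{ts} {who}"))
        elif eid == FAILED_LOGON:
            key = (host, fields.get("TargetUserName", "?"))
            failures[key] += 1
            if failures[key] == FAILED_LOGON_THRESHOLD:
                alerts.append(("repeated failed logons", host,
                               f"{failures[key]} failures for {key[1]} by {ts}"))
    return alerts


# Constructed sample, not a real capture.
SAMPLE_LOG = """\
2015-08-04T08:00:01 EMR-SRV1 EventID=4624 TargetUserName=jdoe LogonType=2
2015-08-04T08:01:10 EMR-SRV1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2015-08-04T08:01:12 EMR-SRV1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2015-08-04T08:01:14 EMR-SRV1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2015-08-04T08:01:16 EMR-SRV1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2015-08-04T08:01:18 EMR-SRV1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2015-08-04T08:01:20 EMR-SRV1 EventID=4740 TargetUserName=admin
2015-08-04T08:05:00 WS-FRONT2 EventID=4728 SubjectUserName=jdoe TargetUserName="Domain Admins"
2015-08-04T08:06:00 WS-FRONT2 EventID=7045 ServiceName=remotesvc ImagePath="C:\\Temp\\r.exe"
2015-08-04T08:07:00 WS-FRONT2 EventID=1102 SubjectUserName=jdoe
2015-08-04T08:08:00 WS-FRONT3 AV: Virus detected in C:\\Users\\pat\\Downloads\\inv.exe, quarantined
"""

if __name__ == "__main__":
    for category, host, detail in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT [{host}] {category}: {detail}")
```

Event 1102 (audit log cleared) and 1100 (event logging service shut down) are the "event log stopped" condition the checklist lists; they deserve an alert on their own because an attacker clearing the log is exactly the case in which the other alerts would otherwise go missing.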

164.308(a)(3)(ii)(A) / TVS003
Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)
- Policies and procedures that specify how and when access is granted to EHR systems, laptops, wireless access points, etc., and only to those individuals that require access.
- VPN access to the office, using IPsec, when connecting from home, a hotel, etc.
- Do not access the office server or workstation with a Remote Desktop connection without the use of an IPsec VPN connection. Therefore your firewall should not have TCP port 3389 opened (forwarded) to any server or workstation in the facility for accessing an EMR system or any other software.
- Role-based access to data that allows access for users based on their job function / role within the organization. This includes access to EMR systems, workstations, servers, networking equipment, etc.
- Enforcement through Access Control Lists (ACLs) by permitting only the necessary traffic to and from the information system. The default decision within the flow control enforcement is to deny traffic; anything allowed has to be explicitly added to the ACL.
- The provider reviews the activities of users by utilizing the EMR auditing functions, Windows Event Logs, and networking logs from routers, switches, and firewalls. Email alerts of login failures, elevated access, and other events are recommended.
- Audit logs should be compiled to a centralized location through the use of a syslog server.
- The provider allows only authorized personnel to perform maintenance on the information system, including EMR systems, workstations, servers, and networking equipment.
- Disable the ability for users to write data to USB and CD/DVD drives, through Group Policy or enforced locally on the workstations. Writing should only be allowed if FIPS 140-2 compliant encryption is utilized.

- Security policy for all personnel that is signed and updated regularly and specifies appropriate use of the systems, i.e. email communication, EMR access, keeping passwords safe, use of cable locks and privacy screens, etc.
- The use of nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.
- Security policy for third-party personnel and monitoring of compliance with the policy. Third-party personnel include EMR vendors, outsourced IT functions, and any other third-party provider or contractor.

164.308(a)(3)(ii)(B) / TVS003
Have you implemented procedures to determine that the access of an employee to EPHI is appropriate? (A)
- Approval process for activating and modifying accounts on laptops / workstations and EHR systems (i.e. a network access request form that requires appropriate signatures before creating or modifying a user account).
- Process for disabling and removing accounts for voluntary and involuntary terminations.
- EMR software configured to log and track all access, recording each user accessing PHI, whether successful or not.
- Security policy for all personnel that is signed and updated regularly and specifies appropriate use of the systems, i.e. email communication, EMR access, keeping passwords safe, use of cable locks and privacy screens, etc.
- Screening of individuals (i.e. background checks) requiring access to organizational information and information systems before authorizing access.
- The use of nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.

164.308(a)(3)(ii)(C) / TVS003, TVS009
Have you implemented procedures for terminating access to EPHI when an employee leaves your organization? (A)
- Security policy for all personnel that is signed and updated regularly and specifies appropriate use of the systems, i.e. email communication, EMR access, keeping passwords safe, use of cable locks and privacy screens, etc.
- Procedures for terminating the employment of individuals (full-time, part-time, temporary, contractors, etc.), including:
  - Disabling any EMR user accounts
  - Disabling Windows accounts on workstations and/or servers
  - Terminating any other system access
  - Conducting exit interviews
  - Retrieving all organizational property
  - Providing appropriate personnel with access to official records created by the terminated employee that are stored on the information system (i.e. computer, server, etc.)
- Procedures for when personnel are reassigned or transferred to other positions within the organization, initiating the appropriate actions, which include:
  - Returning old and issuing new keys, identification cards, and building passes
  - Closing old accounts and establishing new accounts
  - Changing system access authorizations
  - Providing access to official records created or controlled by the employee at the old work location and in the old accounts

164.308(a)(4)(i)
Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) / TVS002
If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A)
Policies and procedures should be in place to help protect the EPHI from the larger organization, which may not require access to the data. The organization may have a shared network, so it is important for the safeguards to limit or isolate access to EPHI to only those that are specifically authorized. The safeguards should include:
- Restricted user access on laptops and workstations to help prevent software installations and modifications to the operating system and its services
- Use of Microsoft Active Directory (Windows Domain Controller) accounts to limit permissions based on role or job function
- A firewall Access Control List set to deny access by default and to only allow the needed access (ports, protocols, and services) through

164.308(a)(4)(ii)(B) / TVS003, TVS007, TVS008
Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)
- Policy and procedures that specify how and when access is granted to EHR systems, laptops, etc., and only to those individuals that require access.
- Approval process for activating and modifying accounts on laptops / workstations and EHR systems (i.e. a network access request form that requires appropriate signatures before creating or modifying a user account).
- Process for disabling and removing accounts for voluntary and involuntary terminations.
- EHR software that logs and tracks all access and records each user.
- Role-based access to data that allows access for users based on their job function / role within the organization. This includes access to EMR systems, workstations, servers, networking equipment, etc.
- Enforcement through Access Control Lists (ACLs) by permitting only the necessary traffic to and from the information system. The default decision within the flow control enforcement is to deny traffic; anything allowed has to be explicitly added to the ACL.
- The provider reviews the activities of users utilizing the EMR auditing functions, Windows Event Logs, and networking logs from routers, switches, and firewalls. Email alerts of login failures, elevated access, and other events are recommended.
- Audit logs should be compiled to a centralized location through the use of a syslog server.
- The use of nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.
- Security policy for third-party personnel and monitoring of compliance with the security policy. Third-party personnel include EMR vendors, outsourced IT functions, and any other third-party provider or contractor.

164.308(a)(4)(ii)(C) / TVS001, TVS003, TVS015
Have you implemented policies and procedures, based upon your access authorization policies, to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)
- Policy and procedures that specify how and when access is granted to EHR systems, laptops, etc., and only to those individuals that require access.
- Approval process for activating and modifying accounts on laptops / workstations and EHR systems (i.e. a network access request form that requires appropriate signatures before creating or modifying a user account).
- Process for disabling and removing accounts for voluntary and involuntary terminations.
- EHR software that logs and tracks all access and records each user.
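Rows 164.308(a)(3)(ii)(A) and 164.308(a)(4)(ii)(B) above both describe the same firewall posture: a flow control ACL whose default decision is deny, and no TCP port 3389 forward from the Internet, with Remote Desktop reached only over the IPsec VPN. The following is an added example, not from the checklist, that models that posture as a small first-match rule evaluator and checks a weak rule set against a corrected one. The rule model, the addresses (RFC 5737 documentation prefixes), the VPN gateway 192.0.2.1, the EMR server 192.0.2.10 and the VPN client pool 10.8.0.0/24 are all constructed assumptions.

```python
"""Default-deny flow control for the ACL guidance under 164.308(a)(3)(ii)(A)
and 164.308(a)(4)(ii)(B): a packet passes only if a rule explicitly permits it,
and tcp/3389 (Remote Desktop) must not be reachable from the Internet, only
from the IPsec VPN.

Added example, not the checklist's own tooling. The rule model, the
documentation address ranges and the VPN client pool 10.8.0.0/24 are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "esp" or "any"
    src: str               # source prefix (CIDR)
    dst: str               # destination prefix (CIDR)
    dport: Optional[int]   # destination port; None = any port (or a protocol without ports)

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], proto, src, dst, dport=None):
    """First matching rule wins; when nothing matches, the default decision is deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def exposed_rdp(rules, internal="192.0.2.0/24", internet_src="198.51.100.77"):
    """Internal hosts on which tcp/3389 is reachable from an arbitrary Internet address."""
    hosts = ipaddress.ip_network(internal).hosts()
    return [str(h) for h in hosts if decide(rules, "tcp", internet_src, str(h), 3389) == "permit"]


# The weak setting the checklist warns about: 3389 forwarded straight to the EMR server.
WEAK_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 3389),
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.1/32", 500),
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.1/32", 4500),
    Rule("permit", "esp", "0.0.0.0/0", "192.0.2.1/32", None),
]

# The corrected set: only IPsec (IKE udp/500, NAT-T udp/4500, ESP) reaches the VPN
# gateway from outside; Remote Desktop is permitted only from the VPN client pool.
HARDENED_RULES = [
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.1/32", 500),
    Rule("permit", "udp", "0.0.0.0/0", "192.0.2.1/32", 4500),
    Rule("permit", "esp", "0.0.0.0/0", "192.0.2.1/32", None),
    Rule("permit", "tcp", "10.8.0.0/24", "192.0.2.10/32", 3389),
]

if __name__ == "__main__":
    print("weak rules expose RDP on:", exposed_rdp(WEAK_RULES))          # ['192.0.2.10']
    print("hardened rules expose RDP on:", exposed_rdp(HARDENED_RULES))  # []
```

The check in exposed_rdp is the one to repeat whenever the rule set changes: it asks the evaluator the same question an Internet scanner would, rather than reading the rules by eye.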

164.308(a)(5)(i)
Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) / TVS005, TVS006
Do you provide periodic information security reminders? (A)
- Security awareness training for all users before authorizing access to the system, i.e. during new employee orientation.
- Examples of information security reminders include: face-to-face meetings, email updates, newsletters, postings in public areas (i.e. hallways, kitchen), and the company intranet.
- Security awareness training should be conducted on an ongoing basis.
- Maintain contact with special interest groups, specialized forums, professional associations, news groups, and/or peer groups of security professionals to stay up to date with the latest recommended security practices, techniques, and technologies.
- Subscribe to email security alerts and advisories, including: Cisco security alerts, CERT advisory alerts, NIST publications and vulnerability alerts, and other vendor-specific alerts (McAfee, Symantec, etc.).

164.308(a)(5)(ii)(B) / TVS014, TVS018, TVS019, TVS025
Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)
- Security awareness training for all users before authorizing access to the system, i.e. during new employee orientation. Security awareness training should be conducted on an ongoing basis.
- Antivirus protection on every workstation/server within the organization (i.e. McAfee, Symantec, etc.), updated at least daily; updating every 4 hours is recommended.
- Regularly scheduled antivirus scans of all systems, i.e. weekly or monthly.
- Centralized administration, updating, and reporting is recommended.
- Use of a central syslog server for monitoring and alerting on audit logs and abnormalities on the network, including: account locked due to failed attempts, failed attempts by unauthorized users, escalation of rights, installation of new services, event log stopped, and virus activity.
- Spam protection can be performed on the workstations themselves and/or at the gateway (the entry/exit point of the network). Workstation solutions include the built-in Microsoft Outlook junk-email option or McAfee/Symantec suites that include spam protection with their antivirus solutions. Gateway solutions include Websense, Barracuda Networks, Trend Micro, etc.

164.308(a)(5)(ii)(C) / TVS014, TVS019
Do you have procedures for monitoring login attempts and reporting discrepancies? (A)
- Approval process for activating and modifying accounts on laptops / workstations and EHR systems (i.e. a network access request form that requires appropriate signatures before creating or modifying a user account).
- Process for disabling and removing accounts for voluntary and involuntary terminations.
- The provider reviews the activities of users utilizing the EMR auditing functions, Windows Event Logs, and networking logs from routers, switches, and firewalls. Email alerts of login failures, elevated access, and other events are recommended.
- Audit logs should be compiled to a centralized location through the use of a syslog server. Example syslog servers for central monitoring and alerting on auditable events include Kiwi Syslog, GFI EventsManager, Syslog Manager, SolarWinds Syslog Monitor, and Splunk.
- Examples of auditable events include, but are not limited to: account creation, account modification, account disabled, account escalation, server health, network health, access allowed, access denied, service installation, service deletion, and configuration changes.
- Ensure EMR and other audit logs are enabled and monitored regularly. Email alerts should also be set up for login failures and other events.
- EHR software that logs and tracks all access and records each user.
- Enable and monitor the Windows Security Event Logs (workstations and servers). It is also important to monitor the other Event Logs (Application and System logs).
- Monitor logs from networking equipment, i.e. switches, routers, wireless access points, and firewalls.

164.308(a)(5)(ii)(D) / TVS006
Do you have procedures for creating, changing, and safeguarding passwords? (A)
- Passwords include tokens, biometrics, and certificates in addition to standard passwords.
- Standard passwords should meet the following criteria:
  - Enforce password history: the previous 12 passwords cannot be reused
  - Maximum password age: passwords should expire every 30 to 90 days
  - Minimum password age: passwords can only be changed manually by the user after 1 day
  - Minimum password length: 8 or more characters
  - Password complexity: passwords should contain 3 of the following 4 character classes: uppercase characters (A-Z), lowercase characters (a-z), numbers (0-9), special characters (i.e. !, #, &, *)
  - Account lockout: accounts lock after 3 unsuccessful password attempts
  These should be enforced in the EMR system, in Active Directory, or at least on the local workstation or server.
- Passwords include Microsoft logins (Active Directory Domain Controller, or just logging into a computer locally) for each individual user.
- Unique username and password for EHR systems.
- The use of passwords and/or tokens for remote access through a Virtual Private Network (VPN). Example token products include RSA SecurID or Aladdin's eToken.
- Each user has a unique identifier (i.e. user ID and password) when accessing their computer, EHR software, or any other system or resource.
- Security awareness and training program to educate users and managers on safeguarding passwords. See 164.308(a)(5)(i).
- No shared access for any resource or system (i.e. computer or EHR system).
- Management of authenticators (i.e. security tokens). Management includes the procedures for initial distribution, for lost, compromised or damaged authenticators, and for revoking authenticators. Authenticators can be tokens, PKI certificates, biometrics, passwords, and key cards.
- Authenticator feedback, such as displaying asterisks when a user types in a password. The goal is to ensure the system does not provide information that would allow an unauthorized user to compromise the authentication mechanism.

164.308(a)(6)(i)
Security Incident Procedures: Implement policies and procedures to address security incidents.

164.308(a)(6)(ii) / TVS025
Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R)
- The incident handling process can include audit monitoring of the EMR system, network monitoring, and physical access monitoring. The process should detail how the incident is reported, contained, and eradicated, and how systems are then recovered.
- Track and document information system security incidents on an ongoing basis.
- Report incidents to the appropriate personnel, i.e. the designated Privacy Officer or Information Security Officer (ISO).
- Train personnel in the handling and reporting of security incidents.

164.308(a)(7)(i)
Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

164.308(a)(7)(ii)(A) / TVS026
Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (R)
(R) Perfrm nightly backups f PHI which are taken ffsite n a daily, at a minimum weekly, basis t an authrized P a g e 14

164.308(a)(7)(ii)(B) TVS026 164.308(a)(7)(ii)(C) TVS026 strage facility It s recmmended that the strage lcatin be at least 60 miles away Regularly test backups t verify reliable restratin f data (i.e. tests perfrmed at least n a quarterly basis) All backups shuld be encrypted using FIPS 140-2 cmpliant sftware and algrithms Backups shuld be verified t help ensure the integrity f the files being backed up Even fr hsted EMR slutins, it is imprtant t ensure the vendr is perfrming these functins and that these prcedures are part f the Agreement Have yu established (and implemented as needed) prcedures t restre any lss f EPHI data that is stred electrnically? (R) Prcedure fr btaining necessary PHI during an emergency. This shuld be part f yur Cntingency Plan Identified an alternate prcessing facility in case f disaster The use f a primary and alternate telecmmunicatin services in the event that the primary telecmmunicatin capabilities are unavailable The time t revert t the alternate service is defined by the rganizatin and is based n the critical business functins An example wuld be as simple as frwarding the main ffice number t an alternate ffice r even a cell phne Perfrm nightly backups f PHI which are taken ffsite n a daily, at a minimum weekly, basis t an authrized strage facility It s recmmended that the strage lcatin be at least 60 miles away Regularly tests backups t verify reliable restratin f data (i.e. tests perfrmed at least n a quarterly basis) All backups shuld be encrypted using FIPS 140-2 cmpliant sftware and algrithms Backups shuld be verified t help ensure the integrity f the files being backed up Even fr hsted EMR slutins, it is imprtant t ensure the vendr is perfrming these functins and that these prcedures are part f the Agreement Have yu established (and implemented as needed) prcedures t enable cntinuatin f critical business prcesses and fr prtectin f EPHI while perating in the emergency mde? 
(R)
- Procedure for obtaining necessary PHI during an emergency. This should be part of the Contingency Plan.
- The training of personnel in their contingency roles and responsibilities. Training should occur at least annually.
- The testing of the contingency plan at least annually, i.e. a table-top test to determine the incident response effectiveness, and documenting the results.
- Reviewing the contingency plan at least annually and revising the plan as necessary (i.e. based on system/organizational changes or problems encountered during plan implementation, execution, or testing).
- Procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure. This could include procedures to restore backup tapes to a new server in response to a hardware failure.

164.308(a)(7)(ii)(D) TVS026
Have you implemented procedures for periodic testing and revision of contingency plans? (A)
- The training of personnel in their contingency roles and responsibilities. Training should occur at least annually.
- Testing of the contingency plan at least annually, i.e. a table-top test to determine the incident response effectiveness, and documenting the results.
- Reviewing the contingency plan at least annually and revising the plan as necessary (i.e. based on system/organizational changes or problems encountered during plan implementation, execution, or testing).

164.308(a)(7)(ii)(E) TVS026
Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)
- Procedure for obtaining necessary PHI during an emergency. This should be part of the Contingency Plan.
- A Business Impact Analysis (BIA) will help determine the criticality of specific applications and data.
- Categorize the information system based on guidance from FIPS 199, which defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e. a loss of confidentiality, integrity, or availability). Potential impact options are Low, Moderate, or High.

164.308(a)(8) TVS024, TVS026
Have you established a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of EPHI? (R)

- Policy and procedures that facilitate the implementation of the security assessment, certification, and accreditation of the system.
- Yearly assessment of the security safeguards to determine the extent to which they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.
- A senior person in the practice signs and approves information systems for processing before operations or when there is a significant change to the system.
- Continuous monitoring of information systems using manual and automated methods. Manual methods include the use of designated personnel or an outsourced provider that manually reviews logs or reports on a regular basis, i.e. every morning. Automated methods include the use of email alerts generated from syslog servers, servers and networking equipment, and EMR software alerts to designated personnel.

164.308(b)(1)
Business Associate Contracts and Other Arrangements: A covered entity (CE), in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the CE obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate will appropriately safeguard the information.

164.308(b)(4) TVS002
Have you established written contracts or other arrangements with your trading partners that document satisfactory assurances that the BA will appropriately safeguard the information? (R)
- Authorization and monitoring of all connections from the information system to other information systems, i.e. a VPN connection from the provider's system to an EMR software vendor.
- The organization requires that providers of external information systems (i.e. EMR vendors) employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. This will ultimately involve a Business Associate Agreement but can also include additional contracts.

HIPAA SECURITY RULE - PHYSICAL SAFEGUARDS (R) = REQUIRED, (A) = ADDRESSABLE

164.310(a)(1)
Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(a)(2)(i) TVS010, TVS026
Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A)
- Procedure for obtaining necessary PHI during an emergency. This should be part of the Contingency Plan.
- Tape backups taken offsite to an authorized storage facility.
- Identify an alternate processing facility in case of disaster.
- Alternate work sites have appropriate administrative, physical, and technical safeguards.

164.310(a)(2)(ii) TVS010, TVS022
Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)
- Policy and procedures that specify the physical and environmental safeguards used. 164.310(a)(2)(iii) outlines some specific safeguards that are recommended.
- System security plan that specifies an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements.

164.310(a)(2)(iii) TVS001, TVS010, TVS015
Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A)
- Enforcement through Access Control Lists (ACLs) by permitting only the necessary traffic to and from the information system as required. The default decision within the flow control enforcement is to deny traffic, and anything allowed has to be explicitly added to the ACL.
- VPN access to the office when connecting from home, hotel, etc. using IPSec. Do not access the office server or workstation with a Remote Desktop connection without the use of an IPSec VPN connection.
  Therefore your firewall should not have TCP port 3389 opened (forwarded) to any server or workstation in the facility for accessing an EMR system or any other software.
- Role-based access to data that allows access for users based on job function / role within the organization. This includes access to EMR systems, workstations, servers, networking equipment, etc.
- Policy and procedures that specify the physical and environmental safeguards used.
- A list of personnel with authorized access to specific areas. If a card-access system is used, then the list can be generated by the card-access system.
- The use of cipher locks and/or a card-access control system for sensitive areas of the facility. Cipher locks require a code for entry instead of just a standard physical key. The Keri Access Control System is an example of a system that requires the user to have a card that has to be swiped or held in front of a sensor for entry.
- Monitoring physical access through the use of a card-access system, i.e. the Keri access control system.
- Monitoring physical access through the use of video cameras.
- Control physical access by authenticating visitors at the front desk (or other sensitive areas) before authorizing access to the facility.
- Presenting an authorized badge or ID for access.
- Records of physical access are kept that include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited.
- Designated personnel within the facility review the visitor access records daily.

164.310(a)(2)(iv)
Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A)
- Policies and procedures that specify maintenance to the facility.
- Change management process that allows request, review, and approval of changes to the information system or facility.
- Spare parts available for quick maintenance of hardware, doors, locks, etc.

164.310(b)
Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)
- Role-based access to data that allows access for users based on job function / role within the organization. This includes access to EMR systems, workstations, servers, networking equipment, etc.
- Enforcement through Access Control Lists (ACLs) by permitting only the necessary traffic to and from the information system as required. The default decision within the flow control enforcement is to deny traffic, and anything allowed has to be explicitly added to the ACL.
- Firewall or border router prevents spoofing of outside incoming traffic by denying RFC 3330 (special-use address space) and RFC 1918 (private internets) as the source address.
- ACLs (access control lists) are also used on routers, switches and firewalls to specifically allow or deny traffic (protocols, ports and services) through the devices and only on authorized interfaces.
- Enforce session lock after 10 minutes (no more than 30 minutes) of inactivity on the computer system. This can be enforced through Active Directory Group Policies if in a Windows Domain environment, or at least set locally on the computer if not on a domain.
- Users have the ability to manually initiate a session lock on their computer as needed (i.e. Alt, Ctrl, Delete then Enter).
- Session lock should not be more than 30 minutes for remote access (VPN access) and portable devices (laptops, PDAs, etc.).
- Terminate VPN sessions after 30 minutes of inactivity.
- Terminate terminal services or Citrix sessions after 30 minutes of inactivity.
- Terminate EHR sessions after 30 minutes of inactivity.
- Controlling and monitoring of all remote access through the use of a syslog server, VPN server, and Windows Active Directory and/or Cisco Access Control Server (ACS).
- IPSec VPN connections for remote access.
- Disable the ability for users to write data to USB and CD/DVD drives through the use of Group Policies or enforced locally on the workstations. Writing should only be allowed if FIPS 140-2 compliant encryption is utilized.
- Use of central management and encryption of removable media including USB thumb drives (i.e. PGP, Safeguard Easy, PointSec Protector, etc.).
- The use of cipher locks and/or card access control
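The default-deny ACL with explicit allows and the anti-spoofing source check described under 164.310(a)(2)(iii) and 164.310(b), modelled in Python as an added example (not the checklist's own configuration); the blocked source ranges follow RFC 1918 and RFC 3330, while the hosts in the allow list are constructed documentation addresses.

```python
import ipaddress

# Source blocks that can never legitimately arrive on the outside interface
# (constructed from the RFC 1918 and RFC 3330 ranges named in the checklist).
SPOOFABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private internets
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # RFC 3330 special-use blocks
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Explicit inbound allow list: (protocol, destination host, destination port).
# Hosts are documentation placeholders, not addresses from the checklist.
INBOUND_ALLOW = {
    ("tcp", "203.0.113.10", 443),   # HTTPS to the patient portal
    ("udp", "203.0.113.11", 500),   # IKE for the IPSec VPN gateway
    ("udp", "203.0.113.11", 4500),  # IPSec NAT traversal
}

def evaluate_inbound(proto, src_ip, dst_ip, dst_port, allow=INBOUND_ALLOW):
    """Decide a packet arriving from outside: anti-spoof check first, then the
    explicit allow list, and implicit deny for everything else."""
    src = ipaddress.ip_address(src_ip)
    for net in SPOOFABLE_SOURCES:
        if src in net:
            return ("deny", f"anti-spoof: source {src_ip} is inside {net}")
    if (proto.lower(), dst_ip, int(dst_port)) in allow:
        return ("permit", "explicitly allowed")
    return ("deny", "implicit deny: not on the allow list")

def audit_allow_list(allow=INBOUND_ALLOW):
    """Flag allow-list entries that forward Remote Desktop (TCP 3389) from the
    outside, which the checklist says should never be opened without the VPN."""
    return sorted(e for e in allow if e[0] == "tcp" and e[2] == 3389)
```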