Policy Title: HIPAA Security Awareness and Training
Number: TD-QMP-7011
Subject: HIPAA Security Awareness and Training
Primary Department: TennDent/Quality Monitoring/Improvement
Secondary Department:
Effective Date of Policy: 9/23/2011
Last Reviewed by TennDent Quality Monitoring/Improvement Committee: 9/23/2011
Prior Policy or Cross Reference(s): 10/1/2010
Date Policy Last Revised: 9/23/2011
Review Frequency: Annually
Next Scheduled Review: 7/1/2012
TennDent Quality Monitoring/Improvement Committee Approval: On File
Approval Date: 9/23/2011
Scope: TennDent staff, network providers, and TennCare enrollees

Purpose:
TennDent is committed to conducting business in compliance with all applicable laws, regulations and TennDent policies. This Policy covers the components of the security awareness and training program. The program will include:
   Security reminders
   Procedures for guarding against, detecting and reporting malicious software
   Procedures for monitoring log-in attempts and reporting discrepancies
   Procedures for creating, changing and safeguarding passwords

Authoritative Reference:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191)
HIPAA Security Rule [HIPAA Administrative Safeguards] (see 164.308(a)(5))

Policy: HIPAA Security Awareness and Training 1
Policy:

1. Security Reminders
   a. TennDent must develop and implement procedures to ensure that periodic security updates are issued to the Workforce on changes to TennDent's HIPAA Security Policies and/or TennDent's Security procedures.
   b. TennDent must develop and implement procedures to ensure that warnings are issued to the Workforce of discovered or reported threats, breaches or other HIPAA security incidents. (See HIPAA Security Policy -- Incident Response and Reporting Policy)
   c. Such procedures must be submitted to and approved by the Information Security Officer.

2. Protection from Malicious Software
   a. TennDent must develop and implement procedures for guarding against, detecting and reporting to the appropriate person(s) new and potential threats from malicious code such as viruses, worms, denial of service attacks, or any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures.
   b. TennDent must train its Workforce to identify and protect against malicious code and software.
   c. TennDent must notify the Information Security Officer and its Workforce members of new and potential threats from malicious code such as viruses, worms, denial of service attacks, and any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures.
   d. TennDent must notify IS if a virus, worm or other malicious code has been identified and is a potential threat to other systems or networks. (See HIPAA Security Policy -- Incident Response and Reporting Policy)
   e. TennDent is responsible for ensuring that any system that has been infected by a virus, worm or other malicious code is immediately cleaned and properly secured or isolated from the rest of the network.
   f. A virus detection system must be implemented on all workstations, including a procedure to ensure that the virus detection software is maintained and up to date. (See HIPAA Security Policy -- Server, Desktop and Wireless Computer System Security Policy)
   g. All such procedures must be submitted for approval to the Information Security Officer.

3. Log-in Monitoring
   a. TennDent must implement a mechanism to log and document failed login attempts on each system containing medium- and high-risk EPHI.
   b. TennDent must review such log-in activity reports and logs on a periodic basis. (See HIPAA Security Policy -- Security Management Policy)
   c. Log-in monitoring, logging and review procedures must be detailed in an Audit Control and Review Plan. (See HIPAA Security Policy -- Audit Control Policy)
   d. All failed log-in attempts of a suspicious nature, such as continuous attempts, must be reported immediately to the Information Security Officer. (See HIPAA Security Policy -- Incident Response and Reporting Policy)

4. Password Management
   a. TennDent must develop and implement procedures for creating, changing, and safeguarding passwords, which must comply with the HIPAA Security -- Access Control Policy.
   b. To ensure that passwords created and used by the TennDent Workforce to access any network, system, or application used to access, transmit, receive, or store EPHI are properly safeguarded, and to ensure that the Workforce is made aware of all password-related policies, the following minimum procedures must be followed, all of which must comply with the HIPAA Security Policy -- Access Control Policy:
   c. All Workforce members that access networks, systems, or applications used to access, transmit, receive, or store EPHI must be supplied with a unique user identification and password to access the aforementioned EPHI.
   d. All Workforce members must supply a password in conjunction with their unique user identification to gain access to any application or database system used to create, transmit, receive, or store EPHI.
   e. A generic user identification and password may be utilized for access to shared or common area workstations so long as the login provides no access to EPHI.
   f. An additional unique user identification and password must be supplied to access applications and database systems containing EPHI.
   g. All passwords used to gain access to any network, system, or application used to access, transmit, receive, or store EPHI must be of sufficient complexity to ensure that they are not easily guessable.
   h. Managers of networks, systems, or applications used to access, transmit, receive, or store EPHI must ensure that passwords set by Workforce members meet the minimum level of complexity.
   i. Managers of networks, systems, or applications used to access, transmit, receive, or store EPHI are responsible for making Workforce members aware of all password-related policies and procedures, and any changes to those policies and procedures.
   j. Password aging times may be implemented in a manner commensurate with the criticality and sensitivity of the EPHI contained within each network, system, application or database.
   k. Workforce members are responsible for the proper use and protection of their passwords and must adhere to the following guidelines:
      i. Passwords are only to be used for legitimate access to networks, systems, or applications.
      ii. Passwords must not be disclosed to other Workforce members or individuals.
      iii. Workforce members must not allow other Workforce members or individuals to use their password.
      iv. Passwords must not be written down, posted, or exposed in an insecure manner, such as on a notepad.

5. Security Training Program
   a. TennDent is responsible for ensuring that its Workforce has the appropriate level of TennDent HIPAA security training, so that all Workforce members who access, receive, transmit or otherwise use EPHI, or who set up, manage or maintain systems and workstations that access, receive, transmit, or store EPHI, are familiar with TennDent's HIPAA Security policies and procedures and their responsibilities regarding such policies and procedures. Appropriate training must consist of, but is not limited to, the following requirements:
      i. HIPAA Security Policies
      ii. HIPAA Business Associate Policy
      iii. HIPAA Sanction Policy
      iv. Confidentiality, integrity and availability
      v. Individual security responsibilities
      vi. Common security threats and vulnerabilities
   b. TennDent is responsible for ensuring that all information technology staff members and all Workforce members who are responsible for the setup, installation or management of computer systems and networks containing EPHI have the appropriate level of HIPAA Security training. HIPAA Security training for these Workforce members must consist of, but is not limited to, the following requirements:
      i. HIPAA Security Policies
      ii. HIPAA Business Associate Policy
      iii. HIPAA Sanction Policy
      iv. Confidentiality, integrity and availability
      v. Individual security responsibilities
      vi. Common security threats and vulnerabilities
      vii. Password structure and management procedures
      viii. Server, desktop computer, and mobile computer system security procedures, including security patch and update procedures and virus and malicious code procedures
      ix. Device and media control procedures
      x. Incident response and reporting procedures (See HIPAA Security Policy -- Incident Response and Reporting)
   c. TennDent must ensure that the appropriate information technology staff members are aware of and trained to comply with the following HIPAA Security plans and procedures:
      i. Log-in monitoring procedures (See HIPAA Security Policy -- Security Training and Awareness Policy)
      ii. Audit Control and Review Plan (See HIPAA Security Policy -- Audit Control Policy)
      iii. Data Backup Plan (See HIPAA Security Policy -- Data Backups and Contingency Planning Policy)
      iv. Disaster Recovery Plan (See HIPAA Security Policy -- Data Backups and Contingency Planning Policy)
   d. TennDent must maintain formal documentation of the current level of HIPAA training for each of its Workforce members.

Violations
Any individual found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

Related Policies and Procedures:
   HIPAA Audit Controls Policy
   HIPAA Business Associate Contract and Other Arrangement Policy
   HIPAA Data Backup and Contingency Planning Policy
   HIPAA Data Backup Procedure
   HIPAA Incident Reporting and Response Policy
   HIPAA Incident Reporting and Response Procedure

Related Documents: