Policy Title: HIPAA Security Awareness and Training





Policy Title: HIPAA Security Awareness and Training
Number: TD-QMP-7011
Subject: HIPAA Security Awareness and Training
Primary Department: TennDent/Quality Monitoring/Improvement
Secondary Department:
Effective Date of Policy: 9/23/2011
Last Reviewed by TennDent Quality Monitoring/Improvement Committee: 9/23/2011
Prior Policy or Cross Reference(s): 10/1/2010
Date Policy Last Revised: 9/23/2011
Review Frequency: Annually
Next Scheduled Review: 7/1/2012
TennDent Quality Monitoring/Improvement Committee Approval: On File
Approval Date: 9/23/2011

Scope: TennDent staff, network providers, and TennCare enrollees

Purpose: TennDent is committed to conducting business in compliance with all applicable laws, regulations and TennDent policies. This Policy covers the components of the security awareness and training program. The program will include:
    Security reminders
    Procedures for guarding against, detecting and reporting malicious software
    Procedures for monitoring log-in attempts and reporting discrepancies
    Procedures for creating, changing and safeguarding passwords

Authoritative Reference: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191); HIPAA Security Rule [HIPAA Administrative Safeguards] (see 164.308(a)(5))

Policy: HIPAA Security Awareness and Training 1

Policy:

1. Security Reminders
    a. TennDent must develop and implement procedures to ensure that periodic security updates are issued to the Workforce on changes to TennDent's HIPAA Security Policies and/or TennDent's Security procedures.
    b. TennDent must develop and implement procedures to ensure that warnings are issued to the Workforce of discovered or reported threats, breaches or other HIPAA security incidents. (See HIPAA Security Policy -- Incident Response and Reporting Policy)
    c. Such procedures must be submitted to and approved by the Information Security Officer.

2. Protection from Malicious Software
    a. TennDent must develop and implement procedures for guarding against, detecting and reporting to the appropriate person(s) new and potential threats from malicious code such as viruses, worms, denial of service attacks, or any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures.
    b. TennDent must train its Workforce to identify and protect against malicious code and software.
    c. TennDent must notify the Information Security Officer and its Workforce members of new and potential threats from malicious code such as viruses, worms, denial of service attacks, and any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures.
    d. TennDent must notify IS if a virus, worm or other malicious code has been identified and is a potential threat to other systems or networks. (See HIPAA Security Policy -- Incident Response and Reporting Policy)
    e. TennDent is responsible for ensuring that any system that has been infected by a virus, worm or other malicious code is immediately cleaned and properly secured or isolated from the rest of the network.
    f. A virus detection system must be implemented on all workstations, including a procedure to ensure that the virus detection software is maintained and up to date. (See HIPAA Security Policy -- Server, Desktop and Wireless Computer System Security Policy)
    g. All such procedures must be submitted for approval to the Information Security Officer.

3. Log-in Monitoring
    a. TennDent must implement a mechanism to log and document failed login attempts on each system containing medium- and high-risk EPHI.
    b. TennDent must review such log-in activity reports and logs on a periodic basis. (See HIPAA Security Policy -- Security Management Policy)
    c. Log-in monitoring, logging and review procedures must be detailed in an Audit Control and Review Plan. (See HIPAA Security Policy -- Audit Control Policy)
    d. All failed log-in attempts of a suspicious nature, such as continuous attempts, must be reported immediately to the Information Security Officer. (See HIPAA Security Policy -- Incident Response and Reporting Policy)
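One way the log-in monitoring in section 3 can be implemented, shown as an added example rather than TennDent's own tooling: it parses constructed authentication log lines, keeps only the systems classified as holding medium- or high-risk EPHI (3.a), flags "continuous attempts" with a sliding-window count (3.d), and builds the lines that would go to the Information Security Officer. The log line format, the per-system risk tiers, and the threshold of 3 failures within 10 minutes are assumptions; the policy itself fixes none of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real TennDent data); the line format is assumed.
SAMPLE_LOG = """\
2011-09-23T08:00:01 host=ehr-db1 user=jdoe result=FAIL
2011-09-23T08:00:05 host=ehr-db1 user=jdoe result=FAIL
2011-09-23T08:00:09 host=ehr-db1 user=jdoe result=FAIL
2011-09-23T09:15:00 host=ehr-db1 user=asmith result=FAIL
2011-09-23T09:15:30 host=ehr-db1 user=asmith result=OK
2011-09-23T10:00:00 host=kiosk-lobby user=kiosk result=FAIL
2011-09-23T10:00:01 host=kiosk-lobby user=kiosk result=FAIL
2011-09-23T10:00:02 host=kiosk-lobby user=kiosk result=FAIL
"""
# Assumed risk tier per system; section 3.a covers systems holding medium- and high-risk EPHI.
SYSTEM_RISK = {"ehr-db1": "high", "kiosk-lobby": "low"}
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(FAIL|OK)$")

def parse_failures(log_text):
    """Return (timestamp, host, user) for every failed attempt; malformed lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "FAIL":
            failures.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return failures

def find_continuous_attempts(failures, threshold=3, window=timedelta(minutes=10)):
    """Flag (host, user) pairs with at least `threshold` failures inside one sliding `window`,
    counting only medium- and high-risk systems. Threshold and window are assumed values."""
    by_key = defaultdict(list)
    for ts, host, user in failures:
        if SYSTEM_RISK.get(host) in ("medium", "high"):
            by_key[(host, user)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = end - start + 1
                break
    return flagged

def iso_report(flagged):
    """Lines to hand to the Information Security Officer, as section 3.d requires."""
    return [f"host={h} user={u} failures_in_window={n}" for (h, u), n in sorted(flagged.items())]
```

The low-risk kiosk is deliberately excluded to mirror 3.a; the periodic review in 3.b is where the threshold and window would be tuned against what the logs actually show.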

4. Password Management
    a. TennDent must develop and implement procedures for creating, changing, and safeguarding passwords, which must comply with the HIPAA Security -- Access Control Policy.
    b. To ensure that passwords created and used by the TennDent Workforce to access any network, system, or application used to access, transmit, receive, or store EPHI are properly safeguarded, and to ensure that the Workforce is made aware of all password-related policies, the following minimum procedures must be followed, all of which must comply with the HIPAA Security Policy -- Access Control Policy:
    c. All Workforce members that access networks, systems, or applications used to access, transmit, receive, or store EPHI must be supplied with a unique user identification and password to access the aforementioned EPHI.
    d. All Workforce members must supply a password in conjunction with their unique user identification to gain access to any application or database system used to create, transmit, receive, or store EPHI.
    e. A generic user identification and password may be utilized for access to shared or common area workstations so long as the login provides no access to EPHI.
    f. An additional unique user identification and password must be supplied to access applications and database systems containing EPHI.
    g. All passwords used to gain access to any network, system, or application used to access, transmit, receive, or store EPHI must be of sufficient complexity to ensure that they are not easily guessable.
    h. Managers of networks, systems, or applications used to access, transmit, receive, or store EPHI must ensure that passwords set by Workforce members meet the minimum level of complexity.
    i. Managers of networks, systems, or applications used to access, transmit, receive, or store EPHI are responsible for making Workforce members aware of all password-related policies and procedures, and any changes to those policies and procedures.
    j. Password aging times may be implemented in a manner commensurate with the criticality and sensitivity of the EPHI contained within each network, system, application or database.
    k. Workforce members are responsible for the proper use and protection of their passwords and must adhere to the following guidelines:
        i. Passwords are only to be used for legitimate access to networks, systems, or applications.
        ii. Passwords must not be disclosed to other Workforce members or individuals.
        iii. Workforce members must not allow other Workforce members or individuals to use their password.
        iv. Passwords must not be written down, posted, or exposed in an insecure manner, such as on a notepad.

5. Security Training Program
    a. TennDent is responsible for ensuring that its Workforce has the appropriate level of TennDent HIPAA security training so that all Workforce members who access, receive, transmit or otherwise use EPHI, or who set up, manage or maintain systems and workstations that access, receive, transmit, or store EPHI, are familiar with TennDent's HIPAA Security policies and procedures and their responsibilities regarding such policies and procedures. Appropriate training must consist of, but is not limited to, the following requirements:
        i. HIPAA Security Policies
        ii. HIPAA Business Associate Policy
        iii. HIPAA Sanction Policy
        iv. Confidentiality, integrity and availability
        v. Individual security responsibilities
        vi. Common security threats and vulnerabilities
    b. TennDent is responsible for ensuring that all information technology staff members and all Workforce members who are responsible for the setup, installation or management of computer systems and networks containing EPHI have the appropriate level of HIPAA Security training. HIPAA Security training for these Workforce members must consist of, but is not limited to, the following requirements:
        i. HIPAA Security Policies
        ii. HIPAA Business Associate Policy
        iii. HIPAA Sanction Policy
        iv. Confidentiality, integrity and availability
        v. Individual security responsibilities
        vi. Common security threats and vulnerabilities
        vii. Password structure and management procedures
        viii. Server, desktop computer, and mobile computer system security procedures, including security patch and update procedures and virus and malicious code procedures
        ix. Device and media control procedures
        x. Incident response and reporting procedures (See HIPAA Security Policy -- Incident Response and Reporting)
    c. TennDent must ensure that the appropriate information technology staff members are aware of and trained to comply with the following HIPAA Security plans and procedures:
        i. Log-in monitoring procedures (See HIPAA Security Policy -- Security Training and Awareness Policy)
        ii. Audit Control and Review Plan (See HIPAA Security Policy -- Audit Control Policy)
        iii. Data Backup Plan (See HIPAA Security Policy -- Data Backups and Contingency Planning Policy)
        iv. Disaster Recovery Plan (See HIPAA Security Policy -- Data Backups and Contingency Planning Policy)
    d. TennDent must maintain formal documentation of the current level of HIPAA training for each of its Workforce members.

Violations: Any individual found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

Related Policies and Procedures:

    HIPAA Audit Controls Policy
    HIPAA Business Associate Contract and Other Arrangement Policy
    HIPAA Data Backup and Contingency Planning Policy
    HIPAA Data Backup Procedure
    HIPAA Incident Reporting and Response Policy
    HIPAA Incident Reporting and Response Procedure

Related Documents: