Spring 2014 issue of Horizons

PROFESSIONAL SERVICES

Information Technology Security Framework for Protected Health Information

Administrative Safeguards
  Security Management
    ∙ Risk analysis
    ∙ Risk management
    ∙ Sanction policy
    ∙ Information system activity review
  Assigned Security Responsibility
  Workforce Security
    ∙ Authorization and/or supervision
    ∙ Workforce clearance procedure
    ∙ Termination procedures
  Information Access Management
    ∙ Isolating healthcare clearinghouse functions
    ∙ Access authorization
    ∙ Access establishment and modification
  Security Awareness and Training
    ∙ Security reminders
    ∙ Protection from malicious software
    ∙ Log-in monitoring
    ∙ Password management
  Security Incident Procedures
    ∙ Response and reporting
  Contingency Plan
    ∙ Data backup plan
    ∙ Disaster recovery plan
    ∙ Emergency mode operation plan
    ∙ Testing and revision procedures
    ∙ Application and data criticality analysis
  Business Associate Agreements
    ∙ Written contract or other arrangements

Physical Safeguards
  Facility Access Controls
    ∙ Contingency operations
    ∙ Facility security plan
    ∙ Access control and validation procedures
    ∙ Maintenance records
  Workstation Use
  Workstation Security
  Device and Media Controls
    ∙ Data backup and storage
    ∙ Disposal
    ∙ Media re-use
    ∙ Accountability

Technical Safeguards
  Access Controls
    ∙ Unique user identification
    ∙ Emergency access procedures
    ∙ Automatic logoff
    ∙ Encryption and decryption
  Audit Controls
  Integrity
    ∙ Mechanism to authenticate electronic PHI
  Person or Entity Authentication
  Transmission Security
    ∙ Integrity controls
    ∙ Encryption

Organizational Safeguards
  Business Associate Agreements
    ∙ Business associate agreements
    ∙ Other arrangements

Source: Centers for Medicare & Medicaid Services

in any certified health record information system.

Implementing an information security framework that encompasses the aforementioned controls will minimize the risk of inappropriate access or disclosure of personal health information, as well as demonstrate that a provider is exercising due care as it relates to safeguarding the security and privacy of its patients.

The administrative, organizational and physical controls require health care providers to implement appropriate internal control procedures in their organization. The controls should be scalable to the provider's operation with regard to both effectiveness and cost.
