Spring 2014 issue of Horizons
PROFESSIONAL SERVICES
Information Technology Security Framework for Protected Health Information
Technical Safeguards
Access Controls
∙ Unique user identification
∙ Emergency access procedures
∙ Automatic logoff
∙ Encryption and decryption
Audit Controls
Integrity
∙ Mechanism to authenticate electronic PHI
Person or Entity Authentication
Transmission Security
∙ Integrity controls
∙ Encryption

Administrative Safeguards
Security Management
∙ Risk analysis
∙ Risk management
∙ Sanction policy
∙ Information system activity review
Assigned Security Responsibility
Workforce Security
∙ Authorization and/or supervision
∙ Workforce clearance procedure
∙ Termination procedures
Information Access Management
∙ Isolating healthcare clearinghouse functions
∙ Access authorization
∙ Access establishment and modification
Security Awareness and Training
∙ Security reminders
∙ Protection from malicious software
∙ Log-in monitoring
∙ Password management
Security Incident Procedures
∙ Response and reporting
Contingency Plan
∙ Data backup plan
∙ Disaster recovery plan
∙ Emergency mode operation plan
∙ Testing and revision procedures
∙ Application and data criticality analysis
Business Associate Agreements
∙ Written contract or other arrangements

Organizational Safeguards
Business Associate Agreements
∙ Business associate agreements
∙ Other arrangements

Physical Safeguards
Facility Access Controls
∙ Contingency operations
∙ Facility security plan
∙ Access control and validation procedures
∙ Maintenance records
Workstation Use
Workstation Security
Device and Media Controls
∙ Data backup and storage
∙ Disposal
∙ Media re-use
∙ Accountability

Source: Centers for Medicare & Medicaid Services
in any certified health record information system.
Implementing an information security framework that encompasses the aforementioned controls will minimize the risk of inappropriate access to or disclosure of personal health information, and will also demonstrate that a provider is exercising due care in safeguarding the security and privacy of its patients.
The administrative, organizational and physical controls require health care providers to implement appropriate internal control procedures in their organization. The controls should be scaled to the provider's operation, in terms of both effectiveness and cost.