Check List for Security Compliance

As of this writing, the security rule is not yet finalized. However, DHHS has indicated that the final rule will not differ substantially from the proposed rule. Any modifications to the proposed rule will focus on reducing redundancies and providing clarification in some areas. In the meantime, healthcare organizations are implementing policies and procedures that they concede should be in place now. Even though the security rule is not yet final, many significant portions of the rule must be in place in order to comply with the privacy rule. Privacy and security go hand in hand, and minimum security measures are needed if the privacy rule is to be complied with. The deadline for privacy rule compliance is April 14, 2003.

Healthcare industry experts agree that the following tasks should either already be in place or in progress. The first group of tasks should be in place now, the second group should be in progress, and the third group should be met in order to have a comprehensive security plan (after completion of Groups 1 and 2).

Group 1 (in place now)

· Designate a security officer or manager.
· Communicate the security officer designation to the workforce.
· Appoint a HIPAA project manager.
· Appoint a cross-functional HIPAA project steering committee.
· Establish HIPAA subcommittees for the transactions and code sets, privacy and security rules.
· Conduct a HIPAA readiness assessment.
· Inventory policies and procedures for privacy and security.
· Inventory information systems and the criticality/sensitivity of the information processed.
· Inventory business associates who handle protected information.
· Inventory biomedical equipment that stores protected information.
· Inventory employees with remote access to patient information systems.
· Inventory vendors with remote access to patient information systems.
· Solicit HIPAA readiness plans from information systems vendors.
· Develop a HIPAA compliance plan, budget and reporting system.
· Conduct workforce HIPAA awareness sessions.

Group 2 (in progress now)

· Create new policies, procedures and forms identified through the readiness assessment, including incident response.
· Further develop and confirm the corporate risk profile.
· Conduct a risk analysis based on the readiness assessment.
· Develop or update contingency and disaster recovery plans.
· Establish a facility security plan for safeguarding patient information.
· Implement destruction policies for trash and other media containing protected information.
· Adopt backup, storage and retention procedures for all media containing protected information.
· Establish and document formal security and privacy training programs.
· Determine actions or items to be audited, adopt an audit trail retention policy, and establish and conduct an audit trail monitoring process.
· Define minimum security standards for information systems that store or process protected information.

Group 3 (comprehensive compliance)

· Create guidelines on workstation use and location.
· Establish a formal configuration/change control process, including anti-virus updates.
· Review access controls and consider creating a role-based model.
· Automate the process of notifying I.T. staff of terminations and transfers.
· Implement HIPAA language for chain of trust agreements.
· Conduct a vulnerability scan on information systems that store or process protected information.
· Certify information systems that store or process protected information.
· Conduct a network intrusion test.
· Test incident response.
· Review the information security program.
· Test contingency and disaster recovery plans.