HITECH Compliance Policy Example

Business Associates of Covered Entities must be able to demonstrate that they are in compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act. Part of being compliant is having a well-documented, comprehensive HITECH Compliance policy that identifies user and system responsibilities.

Some major components of the IT Security requirements of HIPAA and HITECH are as follows:

1. Unique passwords and password encryption
2. Automatic log-out of a user after some period of inactivity
3. Encryption of attached documents
4. Encryption of emails and documents attached to emails
5. The removal and/or encryption of identifiers, thereby making the data no longer PHI
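Two of the safeguards in the list above (automatic log-out after inactivity, and removal of identifiers so the remaining data is no longer PHI) can be expressed directly in code. The following is an added example, not part of the policy page or of any ACME PHI CO. system; the inactivity limit, the session API, the identifier field names and the sample record are all assumptions for illustration. The identifier handling follows the general shape of the HIPAA Safe Harbor rule (drop direct identifiers, keep only the year of dates, truncate ZIP codes to three digits), but the field list is not a complete Safe Harbor implementation.

```python
"""Added example: inactivity log-out and de-identification helpers (assumptions throughout)."""
from dataclasses import dataclass
import time

INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumed value; the policy does not fix a period


@dataclass
class Session:
    user_id: str
    last_activity: float


class SessionStore:
    """In-memory session table that logs a user out automatically after inactivity."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time deterministically
        self._sessions = {}

    def login(self, token, user_id):
        self._sessions[token] = Session(user_id, self._clock())

    def touch(self, token):
        """Record activity on a session.

        Returns the user_id if the session is live, or None if the token is
        unknown or the session has been expired for inactivity.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]   # automatic log-out: the token cannot be reused
            return None
        session.last_activity = now
        return session.user_id

    def active_sessions(self):
        return len(self._sessions)


# Field names are an assumption for this example; the categories mirror the
# HIPAA Safe Harbor list (names, SSN, MRN, contact details, account numbers).
DROP_FIELDS = {"name", "ssn", "mrn", "email", "phone", "fax", "street", "account_no"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def deidentify(record):
    """Return a copy with direct identifiers removed, dates reduced to the year
    and ZIP codes truncated to three digits, so the result is no longer PHI."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, str):
            out[key + "_year"] = value[:4]       # keep only the year (ISO yyyy-mm-dd assumed)
        elif key == "zip" and isinstance(value, str):
            out["zip3"] = value[:3]              # first three digits only
        else:
            out[key] = value
    return out


def demo():
    """Run both helpers on constructed sample data and return the results."""
    clock = [1000.0]
    store = SessionStore(clock=lambda: clock[0])
    store.login("tok1", "alice")
    first = store.touch("tok1")          # live
    clock[0] += INACTIVITY_LIMIT_SECONDS + 1
    second = store.touch("tok1")         # expired: None
    # Constructed sample record; not real patient data.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1984-06-21",
              "zip": "02139", "diagnosis": "J45.20"}
    return first, second, deidentify(sample)


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read from `time.time()` inside `touch` so that the expiry path can be exercised without waiting; in a real service the same check would run on every request and the expired token would also be written to the audit log.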

All users of PHI computer resources must comply with these security policies and standards. This includes all employees, contractors, consultants, and other non-employees that access data or use PHI resources. Violators of this policy will be dealt with in accordance with personnel policies, contractual agreements, and/or legal statutes as appropriate.

HITECH Compliance Policy Examples
System (s) Users
User responsibilities include:
(1) Ensure that computer resources and all data available to them are safeguarded from misuse, viruses, theft, and damage.
(2) Users may not allow other persons to access ACME PHI CO. computer systems with their password or account. Users are responsible for activity conducted under their account ID.
(3) Users must report, as soon as possible, any security incidents and violations or suspected violations of this policy to the CTO.
(4) Remote access, user passwords and user IDs are considered sensitive information and will be protected as such. Users will employ the same procedures and caution as they do with ACME PHI CO. confidential information when dealing with these types of information.
(5) Adhering to all software copyright laws.
(6) Use of unauthorized or unlicensed software is strictly prohibited.
(7) Users will not use their accounts or ACME PHI CO. computer resources for personal gain, to in any way harass an individual, or to create or disseminate obscene/pornographic material.

E-mail Usage
The e-mail systems provided by ACME PHI CO. are owned by ACME PHI CO. and are provided for conducting official business. All data on these systems, including e-mail, are the property of ACME PHI CO. ACME PHI CO. employees should not have an expectation that e-mail is private. Contents can be monitored, and review of employee e-mail may occur when a business situation so warrants. In such cases, an employee's e-mail will be reviewed if specifically authorized by an ACME PHI CO. Manager or above, the CTO, or a law enforcement representative duly authorized by the court. Except for on-site consultants, e-mail is generally NOT provided to non-ACME PHI CO. employed system users.
In its basic form, e-mail is an inherently insecure method of information exchange. Most mail systems send messages in clear text. Users are required to take “reasonable” efforts to protect the security and integrity of patient confidential information. PHI should never be included in an email message. If mail-delivery or faxing the information will not meet the business need then the process to be used should be approved by the CTO.
Occasional personal use of the ACME PHI CO. e-mail system is permitted. Users should limit the personal use of ACME PHI CO. e-mail just as they do telephone services. Excessive or inappropriate personal use could result in the loss of e-mail privileges and/or an administrative personnel action.

All e-mail originating from ACME PHI CO. systems is considered official ACME PHI CO. correspondence. All email addressed to users outside of the ACME PHI CO. email domain (ACME PHI CO.mange.com) will contain the following notice:
(1) Confidentiality Notice: This message and any attachments may contain information that is confidential, privileged and/or protected from disclosure under state and federal laws that deal with the privacy and security of medical information. If you received this message in error or through inappropriate means, please reply to this message to notify the Sender that the message was received by you in error, and then permanently delete this message from all storage media, without forwarding or retaining a copy.
Inappropriate E-mail Activities
Inappropriate activities include but are not limited to:
(1) Users may not include inappropriate materials in their messages. Examples of inappropriate materials include, but are not limited to, derogatory or defamatory language, profanity, pornography, or racial or ethnic slurs.
(2) Use of e-mail to harass others is illegal.
(3) Use of ACME PHI CO. e-mail for personal profit is not permitted.

(4) Distribution of electronic chain mail is prohibited. Chain mail puts undue stress on ACME PHI CO. systems and may often include detrimental or inappropriate content such as (but not limited to):
- Contagious e-mail viruses.
- Hoaxes about missing children, viruses, urban legends, money, etc.
- Political, sexual, or religious content, which may be offensive to co-workers.

Note: Chain mail usually includes verbiage such as “forward this to everyone you know” or “forward this to 9 people in the next 5 minutes and you will have good luck all day”. Please delete any chain mail you receive or contact IS Security at XXX-XXX-XXXX for guidance.

(5) Game playing, distributing games, or gambling.
(6) Conducting any activity that interferes with or detracts from the user’s or other’s work duties.
(7) Conducting any activity that may reflect poorly on the user or ACME PHI CO.
(8) Advocating personal religious or political views and opinions.
(9) Forging or attempting to forge e-mail.

Instant Messaging
Instant Messaging services are not allowed at ACME PHI CO. except in special cases. Requests for IM services must be in writing and approved by the CTO.

Remote Access
Remote access capability is provided to ACME PHI CO. computer users on an as-needed basis. The system user must have their manager/supervisor’s approval to request remote access. The only remote access allowed is through the secured ACME PHI CO. servers provided for this purpose. Identification and authentication of users connecting to ACME PHI CO. is through the user’s ACME PHI CO. user ID and password.
(1) Remote Access Locations – Remote access users may only connect from approved locations. Currently approved remote locations are limited to a user's personal residence. All other locations require prior authorization.
(2) User's responsibilities – While working off-site, users must remember that ACME PHI CO. confidential information must be given the same attention to security as when working on it at an ACME PHI CO. location. Confidential and sensitive information should not be stored on your home computer's hard drive (unless it is encrypted) even if it is an ACME PHI CO. provided computer. Nor should any laptop computer or computer media (CD-ROMs, diskettes, tapes, etc.) containing confidential or sensitive information be left unsecured when working off-site. In general such information will not be stored at a personal residence beyond the period of time that it is being used.
(3) Off-site protection of data – Storage media containing patient data or other sensitive information should be labeled as such, and at a minimum stored in a locked desk drawer or cabinet. The key or combination must be strictly controlled from unauthorized access. Any printed materials (hard copies) containing confidential or sensitive information will, at a minimum, also be stored as above.
(4) While traveling it is imperative that ACME PHI CO. employees protect any equipment and media in their possession. For example, when staying at a hotel while carrying a laptop, the laptop may not be left in the hotel unless locked in a safe in the room or in the hotel's main safe. Always obtain a receipt when leaving a laptop with hotel personnel for security purposes. Note: You must get prior approval from ACME PHI CO. before utilizing a remote connection to ACME PHI CO. from any unapproved location.
(5) All ACME PHI CO. information processed off-site is the property of ACME PHI CO. and must be returned immediately upon request of ACME PHI CO.
(6) ACME PHI CO. employees will ensure that adequate measures are in place to protect equipment and information from theft, abuse, unauthorized use, and unauthorized disclosure.
