HCI 665 Case Study HIPAA Risk Assessment Wk-7


Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
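The three specifications above (regular review of information-system activity records, confirming that a workforce member's access is appropriate, and terminating access when employment ends) are only as good as the review that is actually run against the logs. The following is an added example, not part of the course material or any HIPAA guidance: it cross-checks a constructed ePHI access log against a constructed workforce roster and flags access after a termination date, access by an account that is not on the roster, and an unusually high number of distinct patient records touched by one user in a day. The log format, the roster shape and the daily threshold are assumptions for the example.

```python
"""Audit-log review for ePHI access (added example, not from the course material).

Cross-checks a constructed access log against a constructed workforce roster
to flag conditions the activity-review and termination procedures exist to catch:
  * access by an account whose employment has ended,
  * access by an account that is not on the roster at all,
  * an unusually high number of distinct patient records in one day.
Log format, roster format and the threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample roster: user -> (role, termination date or None)
ROSTER = {
    "jdoe":   ("nurse", None),
    "asmith": ("billing", date(2024, 3, 15)),   # employment ended 15 Mar 2024
    "rlee":   ("physician", None),
}

# Constructed sample log lines: ISO timestamp, user, action, patient id
AUDIT_LOG = """\
2024-03-14T09:02:11 asmith READ PT-1001
2024-03-16T10:15:40 asmith READ PT-1002
2024-03-16T10:16:02 asmith READ PT-1003
2024-03-16T08:00:00 ghost READ PT-2001
2024-03-16T11:00:00 jdoe READ PT-3001
2024-03-16T11:01:00 jdoe READ PT-3002
2024-03-16T11:02:00 jdoe READ PT-3003
2024-03-16T11:03:00 jdoe READ PT-3004
2024-03-16T11:04:00 jdoe READ PT-3005
2024-03-16T11:05:00 jdoe READ PT-3006
2024-03-17T12:00:00 rlee READ PT-4001
"""

DAILY_RECORD_THRESHOLD = 5   # assumed: distinct patients per user per day before review


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def review(events, roster, threshold=DAILY_RECORD_THRESHOLD):
    """Return a list of findings: (kind, user, when, detail).

    Access on the termination date itself is treated as allowed (assumption);
    anything after it is flagged. Accounts missing from the roster are flagged
    and excluded from the volume count, since there is no role to judge them by.
    """
    findings = []
    per_day = defaultdict(set)   # (user, date) -> set of patient ids seen
    for ts, user, action, patient in events:
        entry = roster.get(user)
        if entry is None:
            findings.append(("UNKNOWN_ACCOUNT", user, ts.isoformat(), patient))
            continue
        _role, ended = entry
        if ended is not None and ts.date() > ended:
            findings.append(("POST_TERMINATION", user, ts.isoformat(), patient))
        per_day[(user, ts.date())].add(patient)
    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > threshold:
            findings.append(("HIGH_VOLUME", user, day.isoformat(), len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(AUDIT_LOG), ROSTER):
        print(finding)
```

On the sample data this reports two post-termination reads by `asmith`, one read by the unknown account `ghost`, and a high-volume day for `jdoe`; `rlee` produces nothing. The roster is the authoritative input here: if HR's termination data never reaches the reviewer, the post-termination check silently does nothing, which is why the termination procedure and the activity review have to be wired together.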
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security updates.
Implement policies and procedures to address security incidents.
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Assess the relative criticality of specific applications and data in support of other contingency plan components.
(b)(1) Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(b)(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
Assign a unique name and/or number for identifying and tracking user identity.
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Implement a mechanism to encrypt and decrypt electronic protected health information.
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
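The integrity specifications above ask for an electronic mechanism that corroborates ePHI has not been altered or destroyed, at rest and in transit. A plain checksum does not satisfy this, because whoever can rewrite the record can recompute the checksum. The following is an added example, not part of the course material: each record is canonically serialized and tagged with HMAC-SHA256 under a key the data store itself does not hold, with the record id bound into the tag so a valid tag cannot be moved onto another record, and a keyed manifest over the set of ids and tags so that deleting or re-inserting rows is also detected. The key constant, the record shape and the in-memory store are assumptions for the example; in practice the key lives in a KMS or HSM.

```python
"""Integrity corroboration for ePHI records (added example, not course material).

Per-record HMAC-SHA256 tags detect alteration; a keyed manifest over all
(id, tag) pairs detects destruction or insertion of whole records. The same
tag travels with a record when it is transmitted, so the receiver can verify
it was not modified in transit. Key, record shape and store are assumptions.
"""
import hashlib
import hmac
import json

# Assumed placeholder key: in production this is a KMS/HSM-managed secret,
# never stored alongside the data it protects.
INTEGRITY_KEY = b"example-key-replace-with-KMS-managed-secret"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record_id: str, record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC over id || NUL || canonical(record); binding the id prevents tag replay."""
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(record_id: str, record: dict, expected: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so tag bytes do not leak through timing."""
    return hmac.compare_digest(tag(record_id, record, key), expected)


def build_store(records: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """records: id -> record. Returns id -> (record, tag)."""
    return {rid: (rec, tag(rid, rec, key)) for rid, rec in records.items()}


def manifest(store: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed digest over the sorted (id, tag) list; changes if rows are removed or added."""
    body = "\n".join(f"{rid}:{t}" for rid, (_rec, t) in sorted(store.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_store(store: dict, expected_manifest: str, key: bytes = INTEGRITY_KEY):
    """Return (ids whose record tag fails, whether the manifest still matches)."""
    bad = [rid for rid, (rec, t) in store.items() if not verify(rid, rec, t, key)]
    return bad, hmac.compare_digest(manifest(store, key), expected_manifest)


if __name__ == "__main__":
    # Constructed sample records (fictitious patients).
    records = {
        "PT-1001": {"name": "A. Patient", "dx": "J18.9"},
        "PT-1002": {"name": "B. Patient", "dx": "E11.9"},
    }
    store = build_store(records)
    baseline = manifest(store)
    print("clean:", check_store(store, baseline))

    tampered = {rid: (dict(rec), t) for rid, (rec, t) in store.items()}
    tampered["PT-1001"][0]["dx"] = "Z00.00"          # altered field, stale tag
    print("altered:", check_store(tampered, baseline))

    destroyed = {rid: v for rid, v in store.items() if rid != "PT-1002"}
    print("deleted row:", check_store(destroyed, baseline))
```

The two checks are deliberately separate: an altered field fails its own record tag while the manifest still matches, and a deleted row passes every remaining record tag but fails the manifest. Review procedures should treat either outcome as an integrity incident, and the manifest must be re-signed only through the same controlled path that issues record tags.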
§164.502(i) Standard: Uses and disclosures consistent with notice: A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.
§164.520(a)(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.

§164.520(b)(1) Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
(ii) Uses and disclosures.
(iii) Separate statements for certain uses or disclosures.
(iv) Individual rights.
(v) Covered entity’s duties.
(vi) Complaints.
(vii) Contact.
(viii) Effective date.

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
§164.530(j)(1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;
(ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and
(iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.
(iv) Maintain documentation sufficient to meet its burden of proof under §164.414(b).
(2) Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.