HIPAA Security Practices
- Authorized By: District Director of Health
- Initial Effective Date: 3/1/2024 (JLM)
- Replaces: NKIDHD HIPAA Program Plan dated 7/9/2004
- Reviewed: Annually
- Revised: 5/15/2024 (PJM)
- Contact: HIPAA Security Officer
Assigned Security Responsibility
Policy
Compliance with federal security standards is the responsibility of the HIPAA Security Officer, as appointed by the District Director of Health. NKY Health’s Director of Clinical Services serves as NKY Health’s HIPAA Security Officer.
Procedure
A HIPAA Security Officer must be appointed by the District Director of Health. The HIPAA Security Officer may assign any of the responsibilities listed in this section to other staff members or contractors but continues to be responsible for making sure these responsibilities are carried out.
Establishing the provider’s security program and overseeing its implementation
Ensuring compliance with federal and state security regulations and standards
Reviewing all purchases or acquisitions of information technology for consistency with the provider’s security policies and standards
Investigating security incidents (i.e., known or suspected violations of security policies and procedures and breaches in security measures or the security of the provider’s PHI)
Reviewing information system activity to ensure compliance with the provider’s security policies and procedures
Developing and implementing a security training and awareness program for the provider’s employees and staff
Reviewing and approving the security provisions of contracts with business associates
Delegating specific tasks such as review of business associate contracts, while remaining responsible for compliance with the provider’s security policies and standards
Reviewing annual compliance with security requirements, policies, and standards
Workforce Security
Authorization / Supervision
Policy
All employees and other members of the provider’s workforce must be specifically authorized to use the information resources or to access PHI. If they are not specifically authorized, they must be under the direct supervision of an appropriately authorized staff member when working with PHI or on components of the provider’s information system and working only for a temporary period, such as when repairing a system.
Procedure
Generally, staff members are authorized to use only the PHI needed to perform their professional and job responsibilities.
The job description of every staff member should specify the access to information resources and PHI that is authorized. Following are the categories of access authorization:
Clinical Authorization – Physicians, nurses, and other health professionals may access any information contained in a patient’s records (other than information that has been restricted by the patient’s physician) for the purpose of treating the patient, including consulting with other professionals concerning the patient’s treatment.
Office/Clerical Authorization – Office staff responsible for preparing and submitting claims and processing payment information may access any information contained in a patient’s records needed to meet requirements for submission and adjudication of a claim for services.
Administrative Authorization – Members of the provider’s management may access any information contained in patient records when required for the purpose of supervising staff or complying with licensing and other regulatory requirements.
IT Management Authorization – Staff responsible for managing the provider’s information resources may access information needed to configure security features of computer hardware and software. Examples include establishing user passwords and setting permissions to access data or configure hardware and software.
A staff member who requires access to information that he or she is not authorized to access should request the assistance of an appropriately authorized staff member.
Maintenance and housekeeping staff who may have physical access to PHI should be supervised closely enough to reasonably ensure that the security policies of the medical practice are not violated.
Staff members who are authorized to access PHI must complete security and privacy training annually and must review the limitations on their access to information and information resources.
Workforce Clearance
Policy
Staff members will be authorized to access PHI and to use information resources if the following are true:
They meet the minimum professional or technical qualifications for the position they occupy.
They have not been disciplined for serious infractions of security in previous jobs.
Staff members who have been disciplined for infractions of security policies and procedures may be granted restricted access until their trustworthiness has been established to the satisfaction of the HIPAA Security Officer.
Procedure
When verifying credentials and checking references, the staff member responsible for hiring should determine that the candidate has not been sanctioned or disciplined for infractions of security policies or standards in the past.
Any restrictions on access to information resources should be communicated to the HIPAA Security Officer and the Information Systems Analyst so the necessary technical restrictions in access privileges can be implemented.
Termination Procedures
Policy
A staff member’s authorization to use information resources and to access PHI ends upon termination of employment.
Procedure
Staff members must turn in keys or key cards that give access to computer equipment or facilities upon termination of their relationship with NKY Health or their need for access.
The Privacy Officer, HIPAA Security Officer and Information Systems Analyst should be notified of the effective date of any employee termination or of the date on which a staff member’s authorization to use the provider’s information resources will terminate.
The staff member’s user account on the provider’s information system will be disabled or deleted upon termination of the relationship with NKY Health by the Information Systems Analyst.
The staff member will surrender any protected information, including information contained on storage media (e.g., a CD-ROM or removable disk, data storage key, VPN access key, etc.), that may be in the staff member’s possession at the time the relationship with the organization ends.
An employee who has been dismissed should be escorted out of the building and the employee’s access authorization terminated immediately when the employee’s supervisor judges these actions appropriate to safeguard the security of the provider’s PHI and information system. The HIPAA Security Officer should be notified and steps taken to safeguard building security as needed.
The staff member’s access to ePHI in any system controlled by the HIPAA Security Officer shall be terminated by the HIPAA Security Officer.
Information Access Authorization / Access Control
Unique User Identification
Policy
The HIPAA Security Officer ensures that the provider’s information systems implement a unique user identification system that permits access to NKY Health’s information resources only by those persons with appropriate authorization.
Procedure
Every staff member authorized to use NKY Health’s information systems is given a unique user name and selects a password known only to the staff member. Staff members must use their user name and password when using the information system and accessing PHI.
Access Authorization
Policy
Staff members receive authorization to access PHI and to use NKY Health’s workstations, conduct transactions, and run software applications based on their job responsibilities and qualifications. Authorization enables staff members to use the provider’s information resources.
Staff members should not access information on behalf of other staff members who lack appropriate authorization.
Procedure
Only authorized staff members are allowed to use workstations (computer terminals, personal computers, and other devices) that can access PHI. A unique user ID and password are required to use NKY Health’s information systems. Additional information regarding access authorization can be found in the policies listed below.
Refer to 6.14 of NKY Health's Guide to Personnel Policies
Computers / Email / Technology (Computers / Email / Technology Policy)
Access Establishment and Modification
Policy
NKY Health will establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process based on their access needs at that time.
Procedure
The ability of staff members and other users to use workstations or computer programs to conduct specific transactions or to perform various functions, tasks, or procedures is determined by each individual’s access authorization. These tasks include installing new software, backing up data, and maintaining and configuring computer hardware or software.
NKY Health grants individual users the right to access PHI and related information resources consistent with its access policies and procedures.
When a staff member’s access authorization needs to be changed, a formal request should be submitted to the HIPAA Security Officer, who then reviews the request and authorizes the revised access privileges if the request meets the provider’s authorization requirements.
Facility Access Controls
Facility Security Plan
Policy
All computer equipment and devices that are used to access, transmit, or store PHI are protected from unauthorized physical access, tampering, and theft.
Procedure
Network servers and storage devices are housed in a secure location that visitors may not enter.
The equipment closet, office, or room in which such equipment is located is locked at all times.
All paper copies of PHI shall be stored in locked cabinets and paper chart racks shall be locked when not under direct supervision of staff.
Technology advancements and increased availability of technologies to the public will be periodically assessed to determine whether they pose a threat to security.
Backups
Backups of media are uploaded to an offsite cloud location using 256-bit encryption. Physical backups are no longer maintained.
Access Control and Validation Procedures
Policy
All components of NKY Health’s information system are housed in secure locations.
Visitors to NKY Health’s office are accompanied by a staff member when in a position to access the provider’s information resources.
Consultants and contractors responsible for installing, maintaining, or testing computer equipment and software are authorized to access NKY Health’s information systems as if they were staff members authorized to perform similar tasks or functions.
Procedure
Components of NKY Health’s information system other than workstations are located in secure, locked areas or cabinets. Only staff members authorized to use or service that equipment have keys to secure areas.
All visitors to NKY Health are to register with the receptionist and sign the visitor log. The visitor log includes:
The name of the visitor
The company or government entity represented by the visitor
The purpose of the visit
The time of arrival
The person being visited
The time the visitor leaves the facility
Visitors to the provider are not left alone except in public waiting areas.
Visitors should not be left alone in areas such as physician offices in which they may be able to access the provider’s information system. Contractors and maintenance personnel who are not staff members sign the visitor’s log but need not be accompanied by a staff member at all times when performing work covered by a business associate agreement.
Contractors and maintenance personnel are given a unique user ID and password so that NKY Health can monitor their access to its information resources. Before a user ID is activated, the HIPAA Security Officer reviews with the contractor the provider’s security policies and procedures and the provisions of the business associate agreement related to security.
Organizational Sanction Policy
Policy
Employees and other members of NKY Health workforce are subject to sanctions for violating the provider’s security policies and procedures.
Procedure
Violations of security measures and the penalties associated with them include the following.
Minor Security Breaches
This category of breaches consists of minor or unrepeated violations of security policies.
Sanction—A minor infraction will result in brief counseling and, if necessary, additional security training.
Example—A staff member briefly leaves her workstation unattended without logging off in order to prevent injury to a patient or another staff member, or because of sudden illness.
Significant Security Breaches
This category includes any documented violation of the security of PHI that could easily have been avoided had the staff member exercised due care.
Sanction—A pattern of repeated, significant violations of security policy may be grounds for temporarily suspending an employee and may lead to termination of the employee.
Example—A staff member attaches a note to his workstation monitor that gives his user ID and password.
Severe Security Breaches
This category includes any deliberate violation of security policies and procedures or confidentiality requirements that is not justified by considerations of employee or patient health and safety and was not necessary or unavoidable during an emergency situation.
Sanction—A deliberate violation of security policies will result in the immediate suspension of the employee or other workforce member and the termination of all access to protected health information and information resources.
Example—A staff member makes a copy of PHI and gives it to a vendor without obtaining required authorizations.
Applications and Data Criticality Analysis
Policy
As part of the development of a comprehensive contingency plan, the Information Systems Analyst in collaboration with the leadership team assesses the relative criticality of specific applications and data. Arrangements are made to ensure that critical applications and equipment are replaced within one work day in the event of failure. Critical data are backed up as provided in the back-up plan.
See Also NKY Health’s IT Continuity and Disaster Recovery Plan.
Emergency Access Procedure
Policy
NKY Health’s computer equipment is configured to allow only staff members with appropriate authorization to access information stored on the computer and to configure software installed on the equipment.
Staff members who implement contingency plans must have authorization that enables them to repair equipment and implement emergency procedures.
If user accounts must be deleted or disabled to repair equipment failures or restore functions during an emergency, the affected users are notified and new user names and passwords are established.
Procedure
The Information Systems Analyst maintains a written record of so-called “administrator” user account names and passwords in a secure, locked file. An administrator user account has full authorization to configure equipment and software.
Protection from Malicious Software
Policy
Anti-virus software is installed on all computer workstations and servers to protect NKY Health and its information from attack by malicious software such as computer viruses and other external threats.
Procedure
The Information Technology Department (IT) is responsible for ensuring that antivirus software has been installed on all workstations and on network servers. IT also ensures that antivirus software is regularly updated.
Staff members must not disable antivirus software. When the antivirus software identifies an infection, staff members must immediately report it and act to have the virus removed from the affected machine. IT maintains a log of virus infections and detections that includes a record of successful eradication of each virus and cleaning of affected files and applications, and IT confirms that the virus has been successfully removed from the affected machine.
Staff members with access to the internet should not open email messages or email attachments from unknown senders.
Encryption and Decryption
Policy
When the HIPAA Security Officer in collaboration with the leadership team deems it necessary, information transmitted outside NKY Health is encrypted to prevent use by unauthorized individuals.
Procedure
Data should be encrypted when it is transmitted over a network that might be accessible by unauthorized individuals. Information that can be used to alter or defeat NKY Health’s security measures also should be encrypted.
NKY Health uses Fortimail to secure email messages: placing [encrypt] in the subject line causes the message to be sent as a secure message. The recipient receives a notification that a secure message is waiting and is prompted to create a password; after creating it, the recipient accesses the secure message by entering that password. The secure email process encrypts the message, and for added security the secure message remains stored in Fortimail, where the recipient signs in to read it, rather than being delivered to the recipient’s mailbox.
The IT Department determines the technical methods for implementing encryption and decryption.
Controls on access to NKY Health information include the following, per IT:
Encryption/Decryption should be used whenever PHI can be made portable, such as on laptop computers, or is transmitted over the internet
Transmission over the Internet is encrypted
Information on our NKY Health servers is encrypted in transit and protected in storage
The data on an individual’s computer’s local hard drives is not encrypted; therefore, employees should not keep PHI on their local hard drives.
HIPAA Privacy Policies and Procedures are located on NKY Health’s Policies – Procedures – Forms Google Site: Privacy and Security of Protected Health, Confidential and Sensitive Information Guidelines