Agenda 06/25/2019 Item #16D15 (Agmt w/AAA SWFL)
EXECUTIVE SUMMARY
Recommendation to approve a Business Associate Agreement between the Area Agency on Aging
for Southwest Florida, Inc. (AAA SWFL) and Collier County to comply with the terms of the Federal
Health Insurance Portability and Accountability Act of 1996 in accordance with the grantor’s
policies and procedures.
OBJECTIVE: To provide uninterrupted support services to Collier County Services for Seniors' elderly
clients.
CONSIDERATIONS: The Community and Human Services (CHS) Division's Services for Seniors
program has been providing support to Collier County's frail and elderly citizens for over thirty-four (34)
years as a Lead Agency through the Community Care for the Elderly (CCE), Alzheimer's Disease
Initiative (ADI), Home Care for the Elderly (HCE), and Older Americans Act Title IIIB (OAA) grant
programs. The goal of the program is to assist qualified persons in living as independently as possible in
their own homes or in the homes of relatives or caregivers. These grants are funded by the Florida
Department of Elder Affairs (DOEA) through AAA SWFL.
AAA SWFL is requiring that all Lead Agencies enter into a formal agreement detailing the obligations
required to comply with the Federal Health Insurance Portability and Accountability Act of 1996
(HIPAA). This agreement shall serve to document that the parties accept the terms for protecting sensitive
patient health information from being disclosed without the patient’s consent or knowledge.
The agreement defines the County as a Business Associate: an organization that uses or discloses
individually identifiable health information to perform or provide functions, activities, or services for a
covered entity (AAA SWFL). By signing the agreement, the County will comply with AAA
SWFL’s policies and procedures regarding the HIPAA rules set forth in the agreement.
FISCAL IMPACT: There is no Fiscal impact.
GROWTH MANAGEMENT IMPACT: There is no Growth Management impact.
LEGAL CONSIDERATIONS: This Item is approved for form and legality and requires a majority vote
for Board action. - JAB
RECOMMENDATION: To approve a Business Associate Agreement between the Agency and Collier
County to comply with the terms of the Federal Health Insurance Portability and Accountability Act of
1996 in accordance with the grantor’s policies and procedures.
Prepared By: Wendy Klopf, Grants Coordinator, Community and Human Services Division
ATTACHMENT(S)
1. AAASWFL-Collier,partial Bus Assoc Agrmt,6-7-19 (PDF)
2. (Linked) AAASWFL HIPAA policies (PDF)
16.D.15
Packet Pg. 2082
06/25/2019
COLLIER COUNTY
Board of County Commissioners
Item Number: 16.D.15
Doc ID: 9212
Item Summary: Recommendation to approve a Business Associate Agreement between the Area
Agency on Aging for Southwest Florida, Inc. (AAA SWFL) and Collier County to comply with the terms
of the Federal Health Insurance Portability and Accountability Act of 1996 in accordance with the grantor’s
policies and procedures.
Meeting Date: 06/25/2019
Prepared by:
Title: Operations Coordinator – Community & Human Services
Name: Wendy Klopf
06/04/2019 3:38 PM
Submitted by:
Title: Manager - Federal/State Grants Operation – Community & Human Services
Name: Kristi Sonntag
06/04/2019 3:38 PM
Approved By:
Review:
Community & Human Services Maggie Lopez Additional Reviewer Completed 06/04/2019 4:46 PM
Community & Human Services Kristi Sonntag CHS Review Completed 06/05/2019 9:13 AM
Public Services Department Joshua Hammond Level 1 Reviewer Completed 06/05/2019 10:52 AM
Public Services Department Todd Henry Level 1 Division Reviewer Completed 06/05/2019 3:12 PM
County Attorney's Office Jennifer Belpedio Level 2 Attorney of Record Review Completed 06/07/2019 11:29 AM
Public Services Department Steve Carnell Level 2 Division Administrator Review Completed 06/11/2019 10:25 AM
Grants Erica Robinson Level 2 Grants Review Completed 06/13/2019 7:56 AM
Office of Management and Budget Valerie Fleming Level 3 OMB Gatekeeper Review Completed 06/14/2019 10:27 AM
County Attorney's Office Jeffrey A. Klatzkow Level 3 County Attorney's Office Review Completed 06/14/2019 11:47 AM
Grants Therese Stanley Additional Reviewer Completed 06/17/2019 11:04 AM
County Manager's Office Heather Yilmaz Level 4 County Manager Review Completed 06/17/2019 4:20 PM
Board of County Commissioners MaryJo Brock Meeting Pending 06/25/2019 9:00 AM
16.D.15.a Packet Pg. 2084 Attachment: AAASWFL-Collier,partial Bus Assoc Agrmt,6-7-19 (9212 : AAA-Business Associate Agreement-HIPPA)
Area Agency on Aging for SWFL
HIPAA Security Policy #1
Administrative Safeguards
Security Management Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to develop a risk management process for the selection and implementation
of security safeguards to reduce the risks to electronic Protected Health Information (ePHI) to reasonable
and manageable levels.
Policy
1 Security Management Policy
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(1)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures to prevent, detect, contain and correct security violations."
Area Agency on Aging for SWFL will protect the confidentiality, integrity, and availability of ePHI
by maintaining appropriate safeguards for the networks and systems that handle ePHI. Area
Agency on Aging for SWFL will implement policies and procedures to prevent, detect, contain,
and correct security violations.
1.1 Risk Analysis
SAFEGUARD: Administrative
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(1)(ii)(A)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity and availability of electronic protected health information held by the
covered entity."
HIPAA Security Policy #1 - Security Management Policy Page 1 of 8
1. Area Agency on Aging for SWFL acknowledges the potential vulnerabilities associated
with storing ePHI, transmitting ePHI locally and transmitting ePHI outside of Area Agency
on Aging for SWFL.
2. To appropriately assess such potential vulnerabilities, Area Agency on Aging for SWFL
shall perform a Risk Assessment which will:
i. Identify and document all ePHI repositories
ii. Identify and document potential threats and vulnerabilities to each repository
iii. Assess current security measures
iv. Determine the likeliness of threat occurrence
v. Determine the potential impact of threat occurrence
vi. Determine the level of risk
vii. Determine additional security measures needed to lower level of risk
viii. Document the findings of the Risk Assessment
Procedure
1. Document all ePHI repositories
i. Identify and document where ePHI is stored, received, maintained or transmitted.
1. ePHI may be identified through surveys, questionnaires, interviews,
review of documentation, automated scans, or other data gathering
methods.
ii. The output of this process should be documentation of all repositories/systems
that contain ePHI in an organization.
2. Identify and document potential threats and vulnerabilities to each repository
i. Identify and document all reasonably anticipated threats to ePHI. Examples of
threats include:
1. Data entry error
2. Theft of a laptop
3. Power outage
ii. Identify and document all vulnerabilities to each ePHI repository.
iii. The output of this process should be documentation of all reasonably anticipated
threats and vulnerabilities to each repository/system that contains ePHI within an
organization.
3. Assess current security measures
i. Review the current security measures (safeguards / controls) that are currently in
place that are used to mitigate identified risks. Examples of current safeguards
include:
1. User awareness training
2. Backup procedures
3. Disaster Recovery procedures
4. Employee termination procedures
ii. The output of this process should be documentation of current security measures
to protect any repositories/systems that contain ePHI within an organization.
4. Determine the likeliness of threat occurrence
i. For each threat and vulnerability to ePHI that has been identified in step 2 of the
Risk Assessment procedure, calculate the likelihood of the threat occurring.
ii. The likeliness or probability of a threat occurring is usually measured as Low,
Medium or High, or expressed as the number of times a threat is likely to occur in a
given year.
iii. Existing security measures as identified in step 3 of the Risk Assessment
procedure may lower the likeliness of a threat.
iv. Existing vulnerabilities as identified in step 2 of the Risk Assessment procedure
may raise the likeliness of a threat.
v. Examples of assessing the likeliness of a threat include:
1. If there have been issues with power outages in the past then the threat of
a power outage may be assessed as High. Additionally, if a backup
generator has been previously installed (current security measure) then
the likeliness of a threat of a power outage may be reduced to Medium
or Low.
2. If there have been no issues with flooding in the past 5 years then the
threat from flooding may be assessed as Low.
vi. The output of this step should be documentation of all threat and vulnerability
combinations with associated likelihood estimates that may impact the
confidentiality, availability and integrity of ePHI of an organization.
5. Determine the potential impact of threat occurrence
i. For each threat and vulnerability to ePHI, calculate the associated impact of the
threat.
ii. Examples of threat impact include:
1. A fire in the computer room that contains all ePHI repositories / systems
would have a High impact. The fire may affect the availability of ePHI
repositories / systems.
iii. The output of this process should be documentation of all potential impacts
associated with the occurrence of threats triggering or exploiting vulnerabilities
that affect the confidentiality, availability and integrity of ePHI within an
organization.
6. Determine the level of risk
i. For each threat and vulnerability to ePHI, calculate the level of risk of the
associated threat.
ii. The level of risk is calculated by using the likeliness of a threat, as calculated in
step 4 of the Risk Assessment procedure and the resulting impact of a threat, as
calculated in step 5 of the Risk Assessment procedure.
iii. Examples of calculating the level of risk for a threat include:
1. If the threat of a flood has been calculated with a likeliness of High and
the impact of a flood has been calculated as High then the associated
level of risk would then be High.
2. If the threat of a power outage has been calculated as Low and the
impact of a power outage has been calculated as Medium then the
associated risk level would be Low.
iv. The output of this process should be documentation of the level of risk
associated with each threat and impact to the confidentiality, availability and
integrity of ePHI within an organization.
7. Determine additional security measures needed to lower the level of risk
i. Based on the determination of the level of risk as defined in step 6 of the Risk
Assessment procedure, additional security measures (safeguards / controls) may
be needed to lower the risk.
ii. Examples of additional security measures needed include:
1. If the threat of a power outage has been calculated as High and the
impact of a power outage has been calculated as Medium then the
associated risk level would be High. An additional security measure that
may be implemented would be the installation of a backup generator to
lower the likeliness of a power outage impacting any systems containing
ePHI.
iii. The output of this process should be documentation of any additional security
measures that are needed to lower the level of risk associated with each threat
and impact to the confidentiality, availability and integrity of ePHI within an
organization.
8. Document the findings of the Risk Assessment
i. The final step in the Risk Assessment process is to document and publish all of
the findings in each of the steps of the Risk Assessment procedure.
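As an added walk-through of steps 2 through 7 of the Risk Assessment procedure above (example code written for this page, not part of the AAA SWFL policy): a small risk register that records threats per ePHI repository, lowers likelihood where an existing safeguard applies and raises it where a known vulnerability is open, combines likelihood with impact into a risk level, and lists the findings that call for additional security measures. The three-level scale, the likelihood/impact matrix, the one-step adjustment rules and the sample repositories are assumptions constructed for the example.

```python
"""Risk assessment walk-through modelled on the eight-step procedure in
Security Policy #1, section 1.1.  Constructed example: the repositories,
threats, rating scale and rating matrix below are assumptions, not the
agency's own register."""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")   # assumed three-level scale (step 4 ii)

# Assumed likelihood x impact matrix (step 6).  The policy's own worked
# examples (High/High -> High, High/Medium -> High) hold under this table.
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}


def shift(level: str, steps: int) -> str:
    """Move a rating up (positive) or down (negative) the scale, clamped to the ends."""
    idx = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[idx]


@dataclass
class Threat:
    name: str
    base_likelihood: str                                  # step 4: history-based estimate
    impact: str                                           # step 5
    mitigated_by: list = field(default_factory=list)      # safeguards that lower likelihood
    vulnerabilities: list = field(default_factory=list)   # step 2: open weaknesses


@dataclass
class Repository:
    name: str            # step 1: a place where ePHI is stored or transmitted
    threats: list        # step 2
    safeguards: list     # step 3: controls already in place


def likelihood(threat: Threat, safeguards: list) -> str:
    """Step 4 (iii, iv): an applicable safeguard lowers likelihood one level,
    an open vulnerability raises it one level (assumed adjustment rule)."""
    level = threat.base_likelihood
    if any(s in safeguards for s in threat.mitigated_by):
        level = shift(level, -1)
    if threat.vulnerabilities:
        level = shift(level, +1)
    return level


def risk_level(likelihood_: str, impact: str) -> str:
    """Step 6: combine likelihood and impact through the assumed matrix."""
    return RISK_MATRIX[(likelihood_, impact)]


def assess(repo: Repository) -> list:
    """Steps 2-6 for one repository; one finding per threat."""
    findings = []
    for t in repo.threats:
        lk = likelihood(t, repo.safeguards)
        findings.append({"repository": repo.name, "threat": t.name,
                         "likelihood": lk, "impact": t.impact,
                         "risk": risk_level(lk, t.impact)})
    return findings


def needs_additional_measures(findings: list, threshold: str = "High") -> list:
    """Step 7: findings at or above the threshold need new safeguards."""
    cut = LEVELS.index(threshold)
    return [f for f in findings if LEVELS.index(f["risk"]) >= cut]


# Constructed sample register (assumption, not agency data).
SAMPLE = [
    Repository("Case management database",
               safeguards=["backup generator", "nightly backups"],
               threats=[Threat("Power outage", "High", "Medium", mitigated_by=["backup generator"]),
                        Threat("Flood", "Low", "High")]),
    Repository("Case manager laptops",
               safeguards=["user awareness training"],
               threats=[Threat("Theft of a laptop", "Medium", "High",
                               vulnerabilities=["no disk encryption"]),
                        Threat("Data entry error", "Medium", "Low",
                               mitigated_by=["user awareness training"])]),
]


def run(register=SAMPLE) -> list:
    """Step 8: the documented findings for the whole register."""
    return [f for repo in register for f in assess(repo)]


if __name__ == "__main__":
    for f in run():
        print(f"{f['repository']:<26} {f['threat']:<18} "
              f"L={f['likelihood']:<6} I={f['impact']:<6} risk={f['risk']}")
    print("Need additional measures:",
          [f["threat"] for f in needs_additional_measures(run())])
```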
1.2 Risk Management
SAFEGUARD: Administrative
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(1)(ii)(B)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and
appropriate level to comply with § 164.306(a) [Risk analysis]."
1. Area Agency on Aging for SWFL shall implement security measures and safeguards for
each ePHI repository sufficient to reduce risks and vulnerabilities to a reasonable and
appropriate level. The level, complexity and cost of such security measures and
safeguards must be commensurate with the risk classification of each such ePHI
repository.
2. Area Agency on Aging for SWFL will reassess the potential risks and vulnerabilities of an
ePHI repository as part of a periodic review; it must update the security measures and
safeguards for such ePHI repository to reflect any changes in the risks and vulnerabilities
assessment. At a minimum the risk management process will include the following:
i. Assessment and prioritization, on the basis of risks, of each ePHI repository.
ii. Selection and implementation of reasonable, appropriate, and cost-effective
security measures to manage, mitigate, or accept identified risks.
iii. Security training and awareness on implemented security measures to workforce
members.
iv. Periodic evaluation and revision, as necessary, of the security measures.
Procedure
1. The Risk Management process will be based on the following steps
i. Risk Analysis — A Risk Analysis will be performed based on the Risk Analysis policy
(1.1).
ii. Risk Prioritization - Using information from the risk analysis, risks will be ranked
on a scale (from high to low) based on the potential impact to information
systems containing ePHI and the probability of occurrence.
iii. Cost-benefit analysis — An analysis shall identify and define the costs and
benefits of implementing or not implementing the identified security methods.
iv. Safeguard selection — Safeguards shall be selected that are the most appropriate
security methods to mitigate or manage identified risks to critical information
systems and ePHI. Such selections will be based on the nature of specific risks
and the feasibility, effectiveness, and cost of specific safeguards.
v. Assignment of responsibility — Appropriate workforce members will be identified
and assigned responsibility for implementing and managing selected safeguards.
vi. Security method evaluation - Selected security safeguards will be regularly
evaluated and revised as necessary.
vii. The results of each of the above steps will be formally documented.
1.3 Sanctions for Noncompliance
SAFEGUARD: Administrative
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(1)(ii)(C)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Apply appropriate sanctions against workforce members who fail to comply with the security
policies and procedures of the covered entity."
1. To ensure that all workforce members fully comply with Security Policies, Area Agency
on Aging for SWFL will appropriately discipline and sanction employees and other
workforce members for any violation of the HIPAA Security Policies and Procedures.
Procedure
1. Security Violations that Prompt Consideration of Disciplinary Action.
i. Human Resources or a department/person with similar responsibilities may
discipline a workforce member who violates the HIPAA Security Rule.
ii. Human Resources or a department/ person with similar responsibilities may also
discipline managers or supervisors, if their lack of diligence or lack of supervision
contributes to a subordinate's Security Violation.
2. Investigation of Security Violation
i. A workforce member who becomes aware of a Security Violation shall promptly
communicate the report to the HIPAA Security Officer and his or her supervisor
or Human Resources or a department/person with similar responsibilities.
ii. After receiving a reported Security Violation, the HIPAA Security Officer or
someone designated by him or her shall determine the facts and circumstances
surrounding the violation, and report the findings to Human Resources or a
department/person with similar responsibilities.
3. Imposition of Discipline
i. Human Resources or a department/person with similar responsibilities shall
impose sanctions for a Security Violation in accordance with Human Resources
policies.
4. Reporting of Security Violations
i. The failure to report a known Security Violation could lead to discipline because
each workforce member has an obligation to report any Security Violation of
which the workforce member becomes aware to the HIPAA Security Officer and
to his or her supervisor or the Human Resources Department or a department/
person with similar responsibilities.
1.4 Information System Activity Review
SAFEGUARD: Administrative
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(1)(ii)(D)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures to regularly review records of information system activity, such as audit
logs, access reports and security incident tracking reports."
1. Internal audit procedures shall be implemented to regularly review records of information
system activity, such as audit logs, access reports, and security incident tracking reports.
2. To ensure that system activity for all systems that contain ePHI is appropriately monitored and
reviewed, the following procedures should be followed at a minimum:
i. An internal audit procedure should be established and implemented to regularly
review records of system activity. The internal audit procedure may utilize audit
logs, activity reports, or other mechanisms to document and manage system
activity.
1. Audit logs, activity reports, or other mechanisms to document and
manage system activity should be reviewed at intervals commensurate
with the associated risk of the information system or the ePHI
repositories contained on each information system. The interval of the
system activity review should not exceed, but may be less than, 90 days.
ii. An Audit Control and Review Plan should be created and approved by the HIPAA
Security Officer. This plan should include:
1. Systems and Applications to be logged
2. Information to be logged for each system
3. Procedures to review all audit logs and activity reports
4. Security incidents such as activity exceptions and unauthorized access
attempts should be detected, logged and reported immediately to the
appropriate system management and HIPAA Security Officer in
accordance with the HIPAA Security Policy #6 — Security Incident
Procedures
3. A Risk Analysis as defined in Section 1.1 of the Area Agency on Aging for SWFL HIPAA
Security Policy #1 - Security Management Policy should be performed annually but not more
than every two years.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #2
Administrative Safeguards
Security Officer Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with such
Regulations.
Purpose of Policy
Under the HIPAA Security Regulations, Area Agency on Aging for SWFL is required to designate a
security official who is responsible for the development and implementation of its security policies and
procedures.
Policy
2.1 Assigned Security Responsibility
SAFEGUARD: Administrative
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(2)
SECURITY REGULATION STANDARDS LANGUAGE:
"Identify the security official who is responsible for the development and implementation of the
policies and procedures required by this subpart for the entity."
1. An individual will be assigned to assume responsibility for developing, implementing,
maintaining, and monitoring adherence to Area Agency on Aging for SWFL security
policies and procedures. This role is called the HIPAA Security Officer.
Procedure
1. The HIPAA Security Officer is responsible for:
i. Ensuring that appropriate security measures and standards are implemented
and enforced with regard to ePHI. The security measures implemented
should be based on the criticality, sensitivity, and public or private nature of
the data.
ii. Review rights of authorized users of ePHI on a regular basis.
HIPAA Security Policy #2 - Security Officer Policy Page 1 of 2
iii. Review access and system logs for systems that contain ePHI.
iv. Investigate and report on security problems and issues and refer such
matters to the appropriate officials.
v. Develop conditions of use or authorized use procedures for ePHI.
vi. Provide training to regularly remind workers about their obligations with
respect to information and ePHI security.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #3
Administrative Safeguards
Workforce Security Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to ensure that all workforce members who need access to electronic
Protected Health Information (ePHI) have the appropriate access while preventing all others from
obtaining access to ePHI.
Policy
3 Workforce Security Policy
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(3)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures to ensure that all members of its workforce have appropriate
access to electronic protected health information, as provided under paragraph (a)(4) [Information
access management] of this section, and to prevent those workforce members who do not have
access under paragraph (a)(4) of this section from obtaining access to electronic protected health
information."
1. Area Agency on Aging for SWFL will ensure that only properly authorized workforce
members shall have access to ePHI Systems. Workforce members shall not attempt to
gain access to any ePHI that they are not properly authorized to access. Area Agency on
Aging for SWFL shall train its workforce members on proper and appropriate use of
access rights.
2. Area Agency on Aging for SWFL shall take reasonable and appropriate steps to ensure
that workforce members who work with or have the ability to access ePHI are properly
authorized and/or supervised.
3. Area Agency on Aging for SWFL workforce members shall be screened, as appropriate,
during the hiring process.
4. Area Agency on Aging for SWFL shall implement a documented process for terminating
access to ePHI when employment of workforce members ends or when access is no
longer appropriate.
HIPAA Security Policy #3 - Workforce Security Page 1 of 4
3.1 Authorization and Supervision
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(3)(ii)(A)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures for the authorization and/or supervision of workforce members who work
with electronic protected health information or in locations where it might be accessed."
1. Area Agency on Aging for SWFL will take reasonable and appropriate steps to ensure
that workforce members who have the ability to access ePHI or work in areas where
ePHI might be accessed shall be properly authorized and/or supervised. Area Agency on
Aging for SWFL will use a Minimum Necessary Policy, which is one of its HIPAA Privacy
policies, and other policies as appropriate, as the basis for the type and extent of
authorized access to ePHI.
Procedure
1. Area Agency on Aging for SWFL will implement procedures to ensure that only workforce
members with a need to access ePHI are granted access to ePHI. No unauthorized
access to ePHI will be allowed.
2. Area Agency on Aging for SWFL shall maintain documentation detailing each workforce
member's role and responsibilities, why such workforce member requires access to ePHI
and the specific levels of ePHI access required by such workforce member.
3. Area Agency on Aging for SWFL shall ensure that all workforce members who work with
ePHI are supervised so that unauthorized access to ePHI is avoided. (See HIPAA
Security Policy #4 - Information Access Management).
3.2 Workforce Clearance Procedure
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(3)(ii)(B)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures to determine that the access of a workforce member to Electronic
Protected Health Information (EPHI) is appropriate."
1. Area Agency on Aging for SWFL shall develop and implement procedures to ensure that
the ePHI access of its workforce members is appropriate when granted and continues to
be appropriate on an on-going basis. Area Agency on Aging for SWFL shall maintain
documentation detailing each workforce member's current role and responsibilities and
the ePHI access required for such role and responsibilities. (See HIPAA Security Policy
#4 - Information Access Management).
1. Each Area Agency on Aging for SWFL system manager (person who is responsible for
the access levels and permissions of a system) shall perform an initial review for each
system that uses ePHI to ensure that the current user list as well as the level of access for
each user is appropriate. Each Area Agency on Aging for SWFL system manager should
perform a subsequent review at least annually.
2. Each supervisor shall advise the appropriate system manager when a workforce
member's role changes so that the workforce member's access level can be adjusted
promptly.
3. Area Agency on Aging for SWFL shall review prospective workforce members'
backgrounds during the hiring process and, as appropriate, shall perform verification
checks on prospective workforce members. Area Agency on Aging for SWFL shall
analyze prospective workforce members' access to and expected abilities to modify or
change ePHI as one of the bases for the type and number of verification checks
conducted. Verification checks may include:
i. Confirmation of claimed academic and professional qualification
ii. Professional license validation
iii. Credit check
iv. Criminal background check
v. Other state or federal database checks
3.3 Termination Procedure
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(3)(ii)(C)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures for terminating access to electronic protected health information when the
employment of a workforce member ends or as required by determinations made as specified in
paragraph (a)(3)(ii)(B) [Workforce Clearance Procedure] of this section."
1. Area Agency on Aging for SWFL shall develop and implement procedures for terminating
access to ePHI when the workforce member's employment ends or when the access
granted is determined to be no longer appropriate. (See HIPAA Security Policy #4 —
Information Access Management).
Procedure
1. The termination procedures should include the following steps:
i. A notification mechanism to ensure that the appropriate personnel are made
aware that the workforce member's access to ePHI is no longer required.
ii. Recovery of all forms of access to PHI and ePHI that was granted or
assigned to that workforce member. Examples include, but are not limited to,
keys, remote access tokens, and identification badges.
iii. Disabling the workforce member's accounts on networks and systems.
iv. Disabling remote access to networks and systems.
v. Changing administrative or other shared passwords of which the workforce
member has been made aware.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #4
Administrative Safeguards
Information Access Management
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to describe the procedures that Area Agency on Aging for SWFL should
establish and implement to ensure that access to ePHI is assigned and managed in a manner
commensurate with the role of each workforce member.
Policy
4 Information Access Management Policy
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(4)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures for authorizing access to electronic protected health
information that are consistent with the applicable requirements of subpart E of this part."
1. This policy ensures that workforce members needing access to ePHI have appropriate
access, and provides procedural safeguards to ensure that access to ePHI is properly
restricted. Before access to ePHI can be established for a workforce member, that
workforce member must be authorized for the appropriate level of access that their
position requires. Access to ePHI and systems that store or process ePHI requires a
valid and authorized user account and password. Workforce members are required to
authenticate themselves to these systems using their unique user accounts.
4.1 Access Authorization
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(4)(ii)(B)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement policies and procedures for granting access to electronic protected health information,
for example, through access to a workstation, transaction, program, process, or other
mechanism."
1. Area Agency on Aging for SWFL shall implement procedures to establish, document,
periodically review and modify if appropriate each workforce member's right to access
ePHI.
HIPAA Security Policy #4 - Information Access Management Page 1 of 3
Procedure
1. Procedures for Access Authorization should include the following:
i. Each supervisor or manager is responsible for authorizing access to systems
and networks containing ePHI for his or her subordinates. Workforce
members are not permitted to authorize their own access to ePHI or be
granted authorization from another supervisor.
ii. Each supervisor or manager is responsible for ensuring that the access to
ePHI granted to each of his or her subordinates is the minimum necessary
access required for each such subordinate's job role and responsibilities.
iii. Each supervisor or manager is responsible for periodically reviewing the
access to ePHI granted to each of his or her subordinates and for modifying
such access if appropriate.
4.2 Access Establishment and Modification
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(4)(ii)(C)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement policies and procedures that, based upon the covered entity's access authorization
policies, establish, document, review, and modify a user's right of access to a workstation,
transaction, program, or process."
1. Area Agency on Aging for SWFL will create a documented process for establishing,
documenting, reviewing, and modifying access to ePHI in accordance with Area Agency
on Aging for SWFL Information Access Management policy (Security Policy #4 —
Information Access Management) and as set forth in the Access Authorization
operational specification (see Security Policy #4.1 — Information Access Management).
All requests for establishing or modifying access will be submitted in writing.
Procedure
1. Procedures for Access Establishment and Modification include:
i. System managers shall implement a procedure for establishing and
documenting different access levels to ePHI. System managers must define
access levels for accessing ePHI. These access levels must be
communicated to all supervisors of workforce members.
ii. System managers shall implement a procedure for documenting
establishment of access to ePHI. All requests for access or modification of
access must be made in writing (or electronically) and copies of the request must
be kept for at least 6 years.
iii. System managers shall implement a procedure for reviewing on a regular
basis workforce members' access privileges to ePHI.
iv. System managers shall implement a procedure for modifying the access
privileges of workforce members to ePHI, as appropriate, based on the
periodic reviews.
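The authorization and establishment rules in 4.1 and 4.2 (supervisor-only authorization, no self-authorization, defined access levels, written requests kept for 6 years, periodic review) as an added example of how they could be checked in an access-request workflow. This is illustrative code, not part of the AAA SWFL policy; the supervisor map, the set of access levels, the review interval and all names are assumptions.

```python
"""Access authorization checks modelled on Security Policy #4, sections 4.1 and 4.2.

Added example, not part of the AAA SWFL policy document. The supervisor map,
the access levels, the review interval and the names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_YEARS = 6          # 4.2 procedure ii: keep copies of requests at least 6 years
REVIEW_INTERVAL_DAYS = 365   # assumed length of one "periodic" review cycle

# Access levels to ePHI as defined by the system managers (assumed set, 4.2 procedure i).
ACCESS_LEVELS = {"none", "read", "read-write"}

# Supervisor of each workforce member (constructed sample data).
SUPERVISOR_OF = {
    "jdoe": "mlee",
    "asmith": "mlee",
    "mlee": "rcarter",
}


@dataclass
class AccessRequest:
    subject: str          # workforce member whose access is being established/modified
    approver: str         # supervisor or manager authorizing the access
    system: str           # system that stores or processes ePHI
    level: str            # one of ACCESS_LEVELS
    submitted: date
    written: bool = True  # request was submitted in writing or electronically


@dataclass
class AccessRecord:
    request: AccessRequest
    retain_until: date    # earliest date the written request may be discarded
    last_reviewed: date   # 4.1 procedure iii / 4.2 procedure iii


def check_request(req: AccessRequest) -> list[str]:
    """Return every policy violation found in a request (empty list means it may proceed)."""
    problems = []
    if not req.written:
        problems.append("request must be submitted in writing")
    if req.level not in ACCESS_LEVELS:
        problems.append(f"undefined access level {req.level!r}")
    if req.approver == req.subject:
        # 4.1 procedure i: members may not authorize their own access
        problems.append("workforce members may not authorize their own access")
    elif SUPERVISOR_OF.get(req.subject) != req.approver:
        # 4.1 procedure i: authorization from another supervisor is not permitted
        problems.append("only the member's own supervisor may authorize access")
    return problems


def _add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def establish_access(req: AccessRequest) -> AccessRecord:
    """Approve and document a request, or raise PermissionError listing all violations."""
    problems = check_request(req)
    if problems:
        raise PermissionError("; ".join(problems))
    return AccessRecord(
        request=req,
        retain_until=_add_years(req.submitted, RETENTION_YEARS),
        last_reviewed=req.submitted,
    )


def reviews_due(records: list[AccessRecord], today: date) -> list[str]:
    """Subjects whose access has not been reviewed within the review interval."""
    cutoff = today - timedelta(days=REVIEW_INTERVAL_DAYS)
    return [r.request.subject for r in records if r.last_reviewed < cutoff]


if __name__ == "__main__":
    ok = establish_access(AccessRequest("jdoe", "mlee", "client-db", "read", date(2019, 3, 4)))
    print("approved; retain request until", ok.retain_until)
    print("overdue reviews on 2020-06-01:", reviews_due([ok], date(2020, 6, 1)))
```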
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #5
Administrative Safeguards
Security Awareness and Training
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to develop a security awareness program that will train Area Agency on
Aging for SWFL's workforce members on how to reasonably protect and safeguard ePHI while allowing
them to perform their job functions.
Policy
5 Security Awareness and Training
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(5)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement a security awareness and training program for all members of its workforce including
management."
1. All Area Agency on Aging for SWFL workforce must receive security training on how to
protect the confidentiality, integrity, and availability of ePHI. Workforce members will not
be allowed to access ePHI until they are properly trained on how to protect and
safeguard the ePHI. The security and awareness program will include the following:
i. Security reminders
ii. Procedures for guarding against, detecting and reporting malicious software
iii. Procedures for monitoring log-in attempts and reporting
iv. Procedures for creating, changing and safeguarding passwords
2. The Area Agency on Aging for SWFL HIPAA Security Officer will advise each existing
workforce member (and new workforce members) of the level of training required and the
procedure for completing training. The HIPAA Security Officer will keep a log containing
the name of the workforce member, job classification, training level required, date the
training was completed and date the training log was last reviewed for that employee.
The Security Officer will continually track workforce members' training in the log to ensure
that training is completed in a timely manner and to reevaluate training needs when a
workforce member's job function changes.
HIPAA Security Policy #5 - Security Awareness Page 1 of 4
5.1 Security Reminders
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(5)(ii)(A)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Periodic security updates."
1. Area Agency on Aging for SWFL must develop and implement procedures to ensure
that periodic security updates are issued to the workforce on reminders of or changes
to Area Agency on Aging for SWFL's HIPAA Security Policies.
2. Area Agency on Aging for SWFL must develop and implement procedures to ensure
that warnings are issued to the workforce of potential, discovered or reported threats,
breaches, vulnerabilities or other HIPAA security incidents. (See HIPAA Security
Policy #6 - Incident Response and Reporting).
Procedure
1. Area Agency on Aging for SWFL will periodically provide security updates and
reminders to its workforce on how to protect and safeguard ePHI.
2. Security updates and reminders may be in the form of emails, videos, face to face
presentations, posters or other methods to distribute the updates and reminders.
3. Area Agency on Aging for SWFL will provide security updates when any of the
following occur:
i. Significant changes to Area Agency on Aging for SWFL's HIPAA Security
Policies and Procedures.
ii. Significant changes to safeguards or controls to protect ePHI.
iii. Substantial risks to systems that contain ePHI.
5.2 Protection from Malicious Software
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(5)(ii)(B)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Procedures for guarding against, detecting, and reporting malicious software. "
1. Area Agency on Aging for SWFL must develop and implement procedures for
guarding against, detecting and reporting to the appropriate persons, new and
potential threats from malicious software such as viruses, worms, or denial of service,
designed to interfere with the normal operation of a system or its contents and procedures.
Procedure
1. Area Agency on Aging for SWFL will ensure that all systems will run anti-virus / anti-
malware software that protects against malicious software. The software must be
current and up to date with virus / malware definitions.
2. Area Agency on Aging for SWFL shall train its workforce members to identify and
protect against malicious software. Periodic Security updates will be provided to all
workforce members on how to identify and avoid malicious software.
3. Area Agency on Aging for SWFL shall notify its workforce members of new and
potential threats from malicious software designed to interfere with the normal
operation of a system or its contents and procedures.
4. Area Agency on Aging for SWFL's workforce members shall not try to bypass or
disable the anti-virus / anti-malware software.
5.3 Log-in Monitoring
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(5)(ii)(C)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Procedures for monitoring log-in attempts and reporting discrepancies."
1. Area Agency on Aging for SWFL shall train its workforce members on monitoring
log-in attempts and reporting discrepancies that the workforce member becomes
aware of.
Procedure
1. Area Agency on Aging for SWFL's workforce members should expect that all activity
on systems that contain ePHI will be logged and recorded. In addition, all changes
made to ePHI will be logged and recorded.
2. Area Agency on Aging for SWFL's workforce members should be trained on how to
identify and report suspicious access activity on their workstations.
3. Area Agency on Aging for SWFL's workforce members should be trained on any
limitations on the number of failed login attempts that are permitted. In addition,
workforce members should be trained that failed log-in attempts will be logged and
recorded.
5.4 Password Management
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(5)(ii)(D)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Procedures for creating, changing, and safeguarding passwords."
1. Area Agency on Aging for SWFL must train its workforce members on creating,
changing and safeguarding passwords in accordance with HIPAA Security Policy #14
- Access Control.
Procedure
1. Area Agency on Aging for SWFL's workforce members should receive training on the
password policy that is defined in HIPAA Security Policy #14 - Access Control.
2. Area Agency on Aging for SWFL's workforce members should receive training on
how to protect and safeguard passwords.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #6
Administrative Safeguards
Privacy and Security Incident Procedures
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to develop the response to and reporting of security incidents, including the
identification of and response to suspected or known security incidents, the mitigation of the harmful
effects of known security incidents, to the extent possible, and the documentation of security incidents
and their outcomes.
Policy
6 Privacy and Security Incident Procedures
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(6)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures to address security incidents."
1. Area Agency on Aging for SWFL will develop and document a procedure for identifying,
responding to and reporting of all privacy and security incidents against PHI and ePHI or
other critical systems.
2. Definitions
Breach
Breach means the acquisition, access, use, or disclosure of protected health information
(PHI) or electronic protected health information (ePHI) in a manner not permitted under
the HIPAA Privacy and/or HIPAA Security Rules which compromises the security or
privacy of the PHI or ePHI. For the purpose of this policy, PHI will be used to refer to both
protected health information (PHI) and electronic protected health information (ePHI).
Unsecured PHI
Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable
to unauthorized individuals through the use of a technology or methodology specified by
the Secretary. Guidance has been given by the Department of Health and Human
Services (HHS):
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
HIPAA Security Policy #6 - Incident Response Page 1 of 6
3. Breach exclusions
i. Any unintentional acquisition, access, or use of PHI by a workforce member or a
business associate, if such acquisition, access, or use was made in good faith and
within the scope of authority and does not result in further use or disclosure.
ii. Any inadvertent disclosure by a person who is authorized to access PHI at a
covered entity or business associate to another person authorized to access PHI
at the same covered entity or business associate and the information received as
a result of such disclosure is not further used or disclosed.
iii. A disclosure of PHI where a covered entity or business associate has a good faith
belief that an unauthorized person to whom the disclosure was made would not
reasonably have been able to retain such information.
6.1 Reporting and Response
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(6)(ii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Identify and respond to suspected or known security incidents; mitigate, to the extent practicable,
harmful effects of security incidents that are known to the covered entity; and document security
incidents and their outcomes."
1. Area Agency on Aging for SWFL will ensure that all incidents, threats, or violations that
affect or may affect the privacy, confidentiality, integrity, or availability of PHI will be
reported and responded to.
2. Area Agency on Aging for SWFL shall have a Privacy and Security Incident Response
Team (IRT) charged with the responsibility of identifying, evaluating and responding to
privacy and security incidents. The HIPAA Privacy and Security Officers shall oversee
the activities of the IRT.
Procedure
1. The Area Agency on Aging for SWFL's IRT will be responsible for investigating all known
or suspected privacy and security incidents.
2. Area Agency on Aging for SWFL will document a procedure for all workforce members to
follow to report privacy and security incidents. See Appendix A — Security Incident
Response Log.
3. Area Agency on Aging for SWFL will ensure that all workforce members receive training
on how to identify and report privacy and security incidents.
4. All workforce members must follow the documented procedure to report privacy and
security incidents. In addition, workforce members must report all known or suspected
privacy and security incidents.
5. All workforce members must assist the IRT with any privacy or security incident
investigations.
6.2 Breach Determination
The Privacy and Security Incident Response Team (IRT) will investigate all reported and
suspected privacy and security breaches. The following guidelines will help determine if a privacy
or security incident would be considered a breach as defined by the HIPAA Privacy, Security and
Omnibus rules:
1. An acquisition, access, use, or disclosure of PHI in a manner not permitted under the
HIPAA Privacy or Security rules is presumed to be a breach unless Area Agency on
Aging for SWFL or a business associate demonstrates that there is a low probability that
the PHI has been compromised based on a risk assessment of at least the following
factors:
i. The nature and extent of the PHI involved, including the types of identifiers and
the likelihood of re-identification;
ii. The unauthorized person who used the protected health information or to whom
the disclosure was made;
iii. Whether the protected health information was actually acquired or viewed; and
iv. The extent to which the risk to the PHI has been mitigated.
6.3 Breach Notification
Following the discovery of a breach of unsecured PHI, Area Agency on Aging for SWFL will notify
each individual whose unsecured PHI has been, or is reasonably believed to have been,
accessed, acquired, used, or disclosed as a result of such breach.
I. Date of discovery
A breach will be treated as discovered as of the first day the breach is known or by
exercising reasonable diligence would have been known.
II. Timeliness of notification
Area Agency on Aging for SWFL will provide the required notifications without
unreasonable delay and in no case later than 60 calendar days after discovery of a
breach.
III. Content of notification
A notification will be provided to each individual affected by the discovered breach. The
notification should include the following:
• A brief description of what happened, including the date of the breach and the
date of the discovery of the breach, if known;
• A description of the types of unsecured PHI that were involved in the breach
(such as whether full name, social security number, date of birth, home address,
account number, diagnosis, disability code, or other types of information were
involved);
• Any steps patients should take to protect themselves from potential harm
resulting from the breach;
• A brief description of what Area Agency on Aging for SWFL is doing to
investigate the breach, to mitigate harm to patients, and to protect against any
further breaches; and
• Contact procedures for individuals to ask questions or learn additional
information, which shall include a toll-free telephone number, an e-mail address,
Web site, or postal address.
• The notification should be written in plain language.
IV. Methods of notification
The following methods should be used to notify individuals affected by the discovered
breach:
Written notice
Written notification by first-class mail to the patient at the last known address of
the individual or, via e-mail if the patient agrees to e-mail notice. The notification
may be provided in one or more mailings as information is available.
If the patient is deceased, notifications will be sent to next of kin or personal
representative.
Substitute notice
If contact information is out of date and written notification cannot be made, a
substitute notification can be used.
• If contact information is out of date for fewer than 10 individuals, the
substitute notification may be provided by an alternative form of written
notice, telephone, or other means.
• If contact information is out of date for more than 10 individuals, the
substitute notification may be in the form of either a conspicuous posting
for a period of 90 days on the home page of Area Agency on Aging for
SWFL's Web site, or conspicuous notice in major print or broadcast
media in geographic areas where the individuals affected by the breach
likely reside. The notice should include a toll-free contact phone number
that remains active for at least 90 days.
• In any case deemed to require urgency because of possible imminent
misuse of unsecured PHI, notification may be provided to individuals by
telephone or other means, as appropriate, in addition to notice defined
above.
V. Notification to media
In addition to notifying individuals of a known breach, a notification to the media is
required if the breach involves more than 500 residents of a State or jurisdiction. The
notification should occur no later than 60 days after the breach discovery.
VI. Notification to Health and Human Services (HHS)
Area Agency on Aging for SWFL will notify HHS of a discovery of a known breach. The
timing of the notification will be the following:
• For breaches involving 500 or more individuals a notification to HHS will occur no
later than 60 days after the date of discovery.
• For breaches involving fewer than 500 individuals a notification to HHS will occur
no later than 60 days after the end of each calendar year. All breaches involving
fewer than 500 individuals in the calendar year will be reported to HHS 60 days
after the end of each calendar year.
HHS has given guidance to breach notification on their website:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
VII. Notification by business associates
Breaches discovered by business associates will be reported to a covered entity without
delay and no later than 60 calendar days after discovery of the breach.
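The discovery rule, the 60-day clocks and the 10 / 500 thresholds from sections 6.3.I through 6.3.VII, worked through as an added example that turns a breach's facts into a notification schedule. This is illustrative code, not part of the AAA SWFL policy; the `Breach` fields, the function names and the sample breaches are assumptions, and the outcome of the four-factor risk assessment in 6.2 is taken as an input rather than computed.

```python
"""Breach notification schedule modelled on Security Policy #6, section 6.3.

Added example, not part of the AAA SWFL policy document. Field names, function
names and the sample data are assumptions; the day counts and thresholds are the
ones the policy states.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WITHIN = timedelta(days=60)   # individuals (II), media (V), HHS >= 500 (VI), BA to CE (VII)
MEDIA_THRESHOLD = 500                # "more than 500 residents of a State or jurisdiction" (V)
HHS_IMMEDIATE_THRESHOLD = 500        # "500 or more individuals" (VI)
SUBSTITUTE_WEB_THRESHOLD = 10        # stale contacts; below this, alternative notice suffices (IV)
WEB_POSTING_DAYS = 90                # length of the web posting / toll-free number (IV)


@dataclass
class Breach:
    known_on: date                  # day the breach was actually known
    should_have_known_on: date      # day reasonable diligence would have found it
    individuals: int                # individuals whose unsecured PHI was affected
    max_in_one_state: int           # largest count of residents of any single State
    stale_contacts: int             # individuals with out-of-date contact information
    low_probability_of_compromise: bool = False   # result of the 6.2 four-factor assessment
    reported_by_business_associate: bool = False


def discovery_date(b: Breach) -> date:
    """6.3.I: discovered on the first day it was known or should have been known."""
    return min(b.known_on, b.should_have_known_on)


def substitute_notice(stale: int) -> str:
    """6.3.IV substitute notice form, keyed on how many contacts are out of date."""
    if stale == 0:
        return "not needed"
    if stale < SUBSTITUTE_WEB_THRESHOLD:
        return "alternative written notice, telephone, or other means"
    # The policy text says "more than 10"; exactly 10 is handled here the way
    # 45 CFR 164.404(d)(2)(ii) words it ("10 or more").
    return (f"conspicuous web posting or major media notice for {WEB_POSTING_DAYS} days, "
            f"with a toll-free number active for at least {WEB_POSTING_DAYS} days")


def notification_plan(b: Breach) -> dict:
    """Return the deadlines that apply to this breach, or breach=False if 6.2 rebuts it."""
    found = discovery_date(b)
    if b.low_probability_of_compromise:
        return {"discovered": found, "breach": False}
    plan = {
        "discovered": found,
        "breach": True,
        "individuals_by": found + NOTIFY_WITHIN,                   # II, IV
        "substitute_notice": substitute_notice(b.stale_contacts),  # IV
        "media_by": found + NOTIFY_WITHIN                          # V
        if b.max_in_one_state > MEDIA_THRESHOLD else None,
    }
    if b.individuals >= HHS_IMMEDIATE_THRESHOLD:                   # VI, first bullet
        plan["hhs_by"] = found + NOTIFY_WITHIN
    else:                                                          # VI, second bullet
        plan["hhs_by"] = date(found.year, 12, 31) + NOTIFY_WITHIN
    if b.reported_by_business_associate:                           # VII
        plan["ba_report_to_covered_entity_by"] = found + NOTIFY_WITHIN
    return plan


if __name__ == "__main__":
    # Constructed sample: a large breach found late by the team but discoverable two weeks earlier.
    sample = Breach(known_on=date(2019, 3, 15), should_have_known_on=date(2019, 3, 1),
                    individuals=1200, max_in_one_state=900, stale_contacts=12)
    for key, value in notification_plan(sample).items():
        print(f"{key:32} {value}")
```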
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Appendix A — Security Incident Response Log
Incident Identification Information
Name:
Phone:
Email:
Date/Time Detected:
System / Application Affected:
Incident Summary
Type of incident Detected:
(Denial of Service, Malicious Code, Unauthorized
Access, Unauthorized Use / Disclosure, Unplanned
System Downtime, Other)
Description of Incident:
Names of Others Involved:
Incident Notification
How Was This Notified?
(Security Office, IT Personnel, Human Resources,
Other)
Response Actions
Include Start and Stop times
Identification Measures (Incident
Accessed, Options Evaluated):
Containment Measures:
Evidence Collected (Systems logs, etc.):
Area Agency on Aging for SWFL
HIPAA Security Policy #7
Administrative Safeguards
Contingency Plan
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to plan for operational contingencies in the event of a disaster or emergency
and to ensure that ePHI is protected during the disaster or emergency.
Policy
7 Contingency Plan
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(7)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Establish policies and procedures for responding to an emergency or other occurrence (for
example, fire, vandalism, system failure, and natural disaster) that damages systems that contain
electronic protected health information."
1. Area Agency on Aging for SWFL must develop a documented procedure to respond in
the event an emergency, disaster or other occurrence (i.e., fire, vandalism, system failure
and natural disaster) when any system that contains ePHI is affected, including:
i. Data Backup Plan
ii. Disaster Recovery Planning
iii. Emergency mode operation plan
iv. Testing and Revision Procedures
7.1 Data Backup Plan
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(7)(ii)(A)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Establish and implement procedures to create and maintain retrievable exact copies of electronic
protected health information."
HIPAA Security Policy #7 - Contingency Planning Page 1 of 5
1. Area Agency on Aging for SWFL shall establish and implement a Data Backup Plan
pursuant to which it would create and maintain retrievable exact copies of all ePHI that is
stored on all Area Agency on Aging for SWFL computer systems.
2. The Data Backup Plan shall apply to all files, records, images, voice or video files that
may contain ePHI.
3. The Data Backup Plan shall require that all media used for backing up ePHI be stored in
a physically secure environment, such as a secure, off-site storage facility or, if backup
media remains on site, in a physically secure location, different from the location of the
computer systems it backed up.
4. If an off-site storage facility or backup service is used, a written contract or Business
Associate Agreement shall be used to ensure that the Business Associate will safeguard
the ePHI in an appropriate manner.
5. Data backup procedures outlined in the Data Backup Plan shall be tested on a periodic
basis to ensure that exact copies of ePHI can be retrieved and made available.
Procedure
1. Area Agency on Aging for SWFL will develop and implement a procedure to ensure that
daily backups and exact and retrievable copies are made of all systems that contain
ePHI.
2. Area Agency on Aging for SWFL will develop a list of systems that contain ePHI or that
contain critical information and ensure that each of the systems are included in the daily
backup.
3. Area Agency on Aging for SWFL will ensure that periodic tests are performed to ensure
the daily backups are valid, contain retrievable information and can be restored in the
event of a disaster or emergency.
4. Area Agency on Aging for SWFL will develop and implement a procedure to define
restoration steps in the event data needs to be restored from backup.
5. Area Agency on Aging for SWFL will ensure that any media used for the daily backup will
be stored in a physically secure environment, such as a secure, off-site storage facility or,
if backup media remains on site, in a physically secure location, different from the
location of the computer systems it backed up.
6. Data encryption should be used to safeguard any ePHI on the daily backups.
7.2 Disaster Recovery Plan
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(7)(ii)(B)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Establish procedures to restore any loss of data. "
1. To ensure that Area Agency on Aging for SWFL can recover from the loss of data
due to an emergency or disaster such as fire, vandalism, terrorism, system failure, or
natural disaster affecting systems containing ePHI, Area Agency on Aging for SWFL
shall establish and implement a Disaster Recovery Plan pursuant to which it can
restore or recover any loss of ePHI and the systems needed to make that ePHI
available in a timely manner.
2. The Disaster Recovery Plan should include training and security reminders to all
workforce members.
Procedure
1. The Disaster Recovery Plan should include procedures to restore ePHI from data
backups in the case of a disaster causing data loss.
2. The Disaster Recovery Plan should include procedures to log system outages,
failures, and data loss to critical systems, and procedures to train the appropriate
personnel to implement the disaster recovery plan.
3. The Disaster Recovery Plan shall be documented and easily available to the
necessary personnel at all times.
7.3 Emergency Mode Operation Plan
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.308(a)(7)(ii)(C)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Establish procedures to enable continuation of critical business processes for protection of the
security of electronic protected health information while operating in emergency mode. "
1. Area Agency on Aging for SWFL shall establish and implement (as needed)
procedures to enable continuation of critical business processes for protection of the
security of ePHI while operating in emergency mode.
Procedure
1. Area Agency on Aging for SWFL will define what constitutes and triggers an
Emergency that would require an Emergency Mode Operation Plan.
2. The Emergency Mode Operation Plan shall include detailed steps on how workforce
members will react to emergencies that impact the confidentiality, integrity, and
availability of ePHI.
3. The Emergency Mode Operation Plan shall include steps that outline security
processes and controls to ensure the confidentiality, integrity, and availability of ePHI.
4. The Emergency Mode Operation Plan shall be documented and easily available to
the necessary personnel at all times.
5. The Emergency Mode Operation Plan should include training and security reminders
to all workforce members.
7.4 Testing and Revision Procedures
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(7)(ii)(D)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures for periodic testing and revision of contingency plans."
1. The Contingency procedures outlined in the Disaster Recovery and Emergency
Operations Plans (Contingency Plan) shall be tested on a periodic basis.
2. Any necessary revisions or updates to the Contingency Plans shall be made.
Procedure
1. Testing of Contingency Plan should be performed at least annually.
2. Any necessary revisions that are identified during the Contingency Plan testing will
be made to the Contingency Plans.
7.5 Application and Data Criticality Analysis
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.308(a)(7)(ii)(E)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Assess the relative criticality of specific applications and data in support of other contingency
plan components."
1. Area Agency on Aging for SWFL shall assess the relative criticality of specific
applications and data for purposes of developing its Data Backup Plan, its Disaster
Recovery Plan and its Emergency Mode Operation Plan.
2. The assessment of data and application criticality should be conducted periodically
and at least annually to ensure that appropriate procedures are in place for data and
applications at each level of risk.
Procedure
1. Area Agency on Aging for SWFL will, at least annually, identify the relative criticality
2. The list of critical systems will be used to prioritize which systems to concentrate on
when implementing the Contingency Plan.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #8
Administrative Safeguards
Evaluation of Security Policies and Procedures
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the procedures that will ensure that each Security Policy adopted by
Area Agency on Aging for SWFL is periodically evaluated for technical and non-technical viability.
Policy
8 Evaluation
TYPE: Standard
REFERENCE: 45 CFR 164.308(a)(8)(i)
SECURITY REGULATION STANDARDS LANGUAGE:
"Perform a periodic technical and nontechnical evaluation, based initially upon the standards
implemented under this rule and subsequently, in response to environmental or operational
changes affecting the security of electronic protected health information that establishes the
extent to which an entity's security policies and procedures meet the requirements of this
subpart."
1. Area Agency on Aging for SWFL Security Policies initially should be evaluated to
determine their compliance with the HIPAA Security Rule. Once compliance with the
HIPAA Security Rule is established, the Area Agency on Aging for SWFL Security
Policies should be evaluated on a periodic basis to assure continued viability in light of
technological, environmental, operational or regulatory changes that could affect the
security of ePHI.
Procedure
1. Area Agency on Aging for SWFL HIPAA Security Officer shall periodically (at least
annually) evaluate its HIPAA Security Procedures to ensure that such Procedures
maintain their technical and non-technical viability and continue to comply with any
Regulatory Policies.
2. The results of the periodic security evaluation shall be documented and retained.
HIPAA Security Policy #8 - Evaluation Page 1 of 2
3. In the event that one or more of the following events occur, the policy evaluation process
should be triggered:
i. Changes in the HIPAA Security Regulations or Privacy Regulations.
ii. New federal, state, or local laws or regulations affecting the privacy or security of
PHI or ePHI.
iii. Changes in technology, environmental processes or business processes that
may affect HIPAA Security Policies or Security Procedures.
iv. A serious security violation, breach, or other security incident occurs.
4. Any changes to Security Policies or Procedures shall be communicated to all workforce
members.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #9
Administrative Safeguards
Business Associate Contracts
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to cover all Business Associates that create, receive, maintain, or transmit
ePHI on Area Agency on Aging for SWFL's behalf. Area Agency on Aging for SWFL will develop and
implement contracts that ensure the Business Associate will appropriately safeguard the information in
compliance with the HIPAA Security Rule.
Policy
9 Business Associate Contracts
TYPE: Standard
REFERENCE: 45 CFR 164.308(b)(1); 45 CFR 164.308(b)(4)
SECURITY REGULATION STANDARDS LANGUAGE:
"A covered entity, in accordance with § 164.306 [Security standards: General rules], may permit a
business associate to create, receive, maintain, or transmit electronic protected health
information on the covered entity's behalf only if the covered entity obtains satisfactory
assurances, in accordance with § 164.314(a) [Business associate contracts or other
arrangements], that the business associate will appropriately safeguard the information."
At times ePHI may be disclosed to and used by Business Associates (BA) as
necessary to allow the BA to carry out a healthcare related function or activity on
behalf of Area Agency on Aging for SWFL or to provide services to Area Agency on
Aging for SWFL. A BA must sign a Business Associates Agreement (BAA) with Area
Agency on Aging for SWFL, in order to access, use or disclose ePHI. The BAA must
be in writing and must contain the requirements of the Security Rule and authorized
signatures.
Procedure
1. The HIPAA Security Officer shall ensure that all Business Associates enter into
Business Associate Agreements that contain the requirements of the Security Rule.
2. Each Business Associate Agreement shall state that the Business Associate will:
i. Implement administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of the
ePHI that it creates, receives, maintains, or transmits on Area Agency on Aging
for SWFL's behalf.
ii. Ensure that any agent, including a subcontractor to whom it provides such
information, agrees to implement reasonable and appropriate safeguards to
protect it.
iii. Report to Area Agency on Aging for SWFL any security incident of which it
becomes aware.
iv. Authorize the termination of the Business Associate Agreement by Area
Agency on Aging for SWFL if Area Agency on Aging for SWFL determines that
the Business Associate has violated a material term of the contract.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #10
Physical Safeguards
Facility Access Controls
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the procedures that will limit physical access to electronic
information systems and the facility or facilities in which such systems are housed, while still ensuring that
proper authorized access is allowed.
Policy
10 Facility Access Controls
TYPE: Standard
REFERENCE: 45 CFR 164.310(a)(1)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures to limit physical access to its electronic information systems
and the facility or facilities in which they are housed, while ensuring that properly authorized
access is allowed."
1. Area Agency on Aging for SWFL shall create and maintain a Facility Security Plan that
outlines and documents its procedures to safeguard all facilities, systems, and equipment
used to store ePHI against unauthorized physical access, tampering, or theft. The
Facility Security Plan will include:
i. Contingency Operations Plans
ii. Facility Security Plans
iii. Access Control and Validation Plans
iv. Maintenance Records
10.1 Contingency Operations
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(a)(2)(i)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Establish (and implement as needed) procedures that allow facility access in support of
restoration of lost data under the disaster recovery plan and emergency mode operations plan in
the event of an emergency."
1. Area Agency on Aging for SWFL will create procedures that ensure access to facilities by
appropriate personnel during Disasters or Emergency Operations. These procedures will
be incorporated into the respective Contingency Operations Plan (see HIPAA Security
Policy #7 - Contingency Plan).
Procedure
1. Area Agency on Aging for SWFL shall implement the following procedures to allow facility
access in the event of an emergency, disaster, or other occurrence resulting in lost data:
i. Area Agency on Aging for SWFL will take reasonable and appropriate steps
to secure any location that contains PHI or ePHI. Area Agency on Aging for
SWFL workforce members will take reasonable and appropriate steps to
continue to protect PHI and ePHI.
ii. Area Agency on Aging for SWFL will permit access to all workforce members
involved in the repair of electronic information systems and in the restoration
of lost data in accordance with the Emergency Mode Operation Procedures
and Disaster Recovery Procedures (see HIPAA Security Policy #7 -
Contingency Plan).
iii. Area Agency on Aging for SWFL Management and/or HIPAA Security Officer
shall see that Area Agency on Aging for SWFL's workforce members involved
in Emergency Mode Operation Procedures and Disaster Recovery
Procedures (see HIPAA Security Policy #7 -Contingency Plan) have access
to rooms and areas containing any back-up data stored on-site or off-site.
10.2 Facility Security Plan
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(a)(2)(ii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement policies and procedures to safeguard the facility and the equipment therein from
unauthorized physical access, tampering, and theft."
1. Area Agency on Aging for SWFL will implement procedures to safeguard facilities and
equipment from unauthorized physical access, tampering, and theft.
Procedure
1. Area Agency on Aging for SWFL shall ensure that all network servers, application
servers, routers, database systems, device management system hardware, and other
servers are located in a room or an area that can be physically secured by lock and key
or any other appropriate security mechanism to limit access to only authorized personnel.
2. Area Agency on Aging for SWFL will ensure that only appropriate and authorized
personnel have access to facilities housing operations related systems.
3. Any other workforce members requiring access to facilities housing Area Agency on
Aging for SWFL operations-related electronic information systems shall request and
receive permission from the HIPAA Security Officer.
i. Such access shall only be granted on a need-to-know basis.
ii. The HIPAA Security Officer shall log the names of personnel who have
requested and been granted access to the facilities containing Area Agency on
Aging for SWFL electronic information systems.
10.3 Access Control and Validation Procedures
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(a)(2)(iii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures to control and validate a person's access to facilities based on their role
or function, including visitor control, and control of access to software programs for testing and
revision."
1. Area Agency on Aging for SWFL will take reasonable and appropriate steps to control
and validate physical access to facilities containing ePHI Systems.
Procedure
1. Area Agency on Aging for SWFL will implement the following procedures to control and
validate a person's access to facilities based on their role or function:
i. Access to highly sensitive areas that contain ePHI will only be granted on a
need-to-know basis and based on a legitimate business need.
ii. All access to areas that house systems that contain ePHI will be tracked and
logged. Logs will contain at a minimum: person's name, company, date of
entry, time of entry, duration and reason for entry.
iii. Guests of Area Agency on Aging for SWFL should not be given access to
areas that house systems that contain ePHI.
iv. Patients should only be permitted in common areas and should not be given
access to areas that house systems that contain ePHI.
10.4 Maintenance Records
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(a)(2)(iv)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement policies and procedures to document repairs and modifications to the physical
components of a facility which are related to security (for example, hardware, walls, doors, and
locks)."
1. Area Agency on Aging for SWFL management will be responsible for overseeing that
repairs and modifications to the physical components of the facility, which are related to
security (for example, hardware, walls, doors and locks), are completed and logged. At a
minimum, the log shall contain the following information:
i. The equipment or component where maintenance has been performed
ii. The date maintenance was performed
iii. A description of the maintenance performed
iv. The Area Agency on Aging for SWFL's workforce member(s) or contractor
who performed the maintenance.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Appendix A
Area Agency on Aging for SWFL Computer Use Policy
Introduction
This document provides guidelines for appropriate use of computer facilities and services at Area
Agency on Aging for SWFL. It is not a comprehensive document covering all aspects of computer use.
It offers principles to help guide Area Agency on Aging for SWFL's employees, and specific policy
statements serve as a reference point. It will be modified as new questions and situations arise.
Computers, the Internet and electronic mail (e-mail) are powerful research, communication, commerce
and time-saving tools that are made available to Area Agency on Aging for SWFL employees. The use
of this efficient and effective communication tool is critical but, like any tools, computers, the Internet
and e-mail have the potential to be used for inappropriate purposes.
Area Agency on Aging for SWFL will provide workstations and other computer systems to Area Agency
on Aging for SWFL employees for the purpose of performing their job functions for Area Agency on
Aging for SWFL. Area Agency on Aging for SWFL employees shall be responsible for using
workstations appropriately in conformance with this Policy.
Policy
The following policies on computer, the Internet and electronic mail usage shall be observed by all Area
Agency on Aging for SWFL employees.
• Users of the Internet and e-mail are to comply with all appropriate laws, regulations and
generally accepted Internet etiquette.
• Primary purpose of the Internet and e-mail is to conduct official business.
• Users should identify themselves properly when using the Internet and e-mail, conduct
themselves professionally, and be aware that their activities reflect on the reputation and
integrity of all Area Agency on Aging for SWFL's employees.
• Each user is individually responsible for the content of any communication sent over or
placed on the Internet and e-mail.
• All employees have a responsibility to ensure a respectful workplace. Area Agency on
Aging for SWFL equipment must not be used to visit Internet sites that contain
pornographic or sexually explicit information, pictures, or cartoons.
• Exceptions to this policy are only allowed when pre-approved by the department head
and deemed necessary for official Area Agency on Aging for SWFL business, research or
investigatory work.
The following actions are prohibited. It is unacceptable for Area Agency on Aging for SWFL employees
to:
• Knowingly or intentionally publish, display, transmit, retrieve or store inappropriate or
offensive material on any department computer system.
• Create or distribute defamatory, false, inaccurate, abusive, threatening, racially offensive
or otherwise biased, discriminatory or illegal material.
• View or distribute obscene, pornographic, profane, or sexually oriented material.
• Violate laws, rules, and regulations prohibiting sexual harassment.
• Engage in any unauthorized activities for personal financial gain.
• Place advertisements for commercial enterprises, including but not limited to, goods,
services or property.
• Download, disseminate, store or print materials including articles and software, in
violation of copyright laws.
• Download any software, including but not limited to games, screen savers, toolbars or
any other browsing tools without the permission of Information Services.
• Violate or infringe on the rights of others.
• Conduct business unauthorized by Area Agency on Aging for SWFL.
• Restrict or inhibit other users from using the system or the efficiency of the computer
systems.
• Cause congestion or disruption of networks or systems, including distribution of chain
letters.
• Transmit incendiary statements, which might incite violence or describe or promote the
use of weapons.
• Use the system for any illegal purpose or contrary to Area Agency on Aging for SWFL
policy or business interests.
• Connect a personal computer to the Area Agency on Aging for SWFL network without
having the computer checked by Information Services to ensure no threatening viruses /
programs infect the Area Agency on Aging for SWFL network.
• Monitor or intercept the files or electronic communications of other employees or third
parties.
• Hack or obtain access to systems or accounts they are not authorized to use.
• Disclose a Login ID(s) or password to anyone, or allow anyone to access any
information system with someone else's Login ID(s) or passwords.
• Use other people's Login ID(s) or passwords to access any information system for any
reason.
• Post any patient information on social network sites, public forums, etc.
• Remove from Area Agency on Aging for SWFL's facilities electronic media that
contains Protected Health Information (PHI) or confidential or proprietary Area
Agency on Aging for SWFL information unless such removal is authorized by a user's
supervisor and the user signs out the media in accordance with the Area Agency on
Aging for SWFL HIPAA Security Device and Media Controls Policy.
Any employee who abuses the privilege of their access to e-mail or the Internet in violation of this policy
will be subject to corrective action, including possible termination of employment, legal action, and
criminal liability.
Any employee will immediately report to the Area Agency on Aging for SWFL Security Coordinator any
activity that violates this agreement.
I have read, understand, and agree to comply with the foregoing policies, rules, and conditions
governing the use of the Area Agency on Aging for SWFL computer and telecommunications equipment
and services. I understand that I have no expectation of privacy when I use any of the
telecommunication equipment or services. I am aware that Internet and e-mail may be subject to
monitoring. I am aware that violations of this guideline on appropriate use of the e-mail and Internet
systems may subject me to disciplinary action, including termination from employment, legal action and
criminal liability. I further understand that my use of the email and Internet may reflect on the image of
Area Agency on Aging for SWFL to our patients, competitors and suppliers and that I have responsibility
to maintain a positive representation of Area Agency on Aging for SWFL. Furthermore, I understand that
this policy can be amended at any time.
By signing this Agreement, I agree to comply with its terms and conditions. Failure to read this
Agreement is not an excuse for violating it. Area Agency on Aging for SWFL may deny access to
information systems if this Agreement is not returned signed and dated.
Signature
Date
Requestor's Immediate Supervisor Signature Date
Access Agreement Approved by (printed name) Date
Area Agency on Aging for SWFL
HIPAA Security Policy #11
Physical Safeguards
Workstation Use
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to provide policies and specifications on workstation use that include
documented instructions and procedures defining the proper functions to be performed and the manner in
which those functions are to be performed in order to maximize the security of ePHI
Policy
11 Workstation Use
TYPE: Standard
REFERENCE: 45 CFR 164.310(b)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures that specify the proper functions to be performed, the
manner in which those functions are to be performed, and the physical attributes of the
surroundings of a specific workstation or class of workstations that can access electronic
protected health information."
1. To ensure that workstations and other computer systems that may be used to send,
receive, store or access ePHI are only used in a secure and legitimate manner, all
workforce members must comply with the Area Agency on Aging for SWFL Computer
Use Policy, a copy of which is attached as Exhibit A.
2. Area Agency on Aging for SWFL may provide workstations and other computer systems
to workforce members for the purpose of performing their job functions for Area Agency
on Aging for SWFL. Workforce members shall be responsible for using workstations
appropriately in conformance with this Policy.
3. Area Agency on Aging for SWFL may remove or deactivate any workforce member's
user privileges, including but not limited to, user access accounts and access to secured
areas, when necessary to preserve the integrity, confidentiality and availability of its
facilities, user services, and data.
4. Workforce members must be assigned and use a unique User Identification and
Password (See HIPAA Security Policy #14 - Access Control)
5. Workforce members that use Area Agency on Aging for SWFL information systems and
workstation assets should have no expectation of privacy. To appropriately manage its
information system assets and enforce appropriate security measures, Area Agency on
Aging for SWFL may log, review, or monitor any data (ePHI and non-ePHI) stored or
transmitted on its information system assets.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #12
Physical Safeguards
Workstation Security
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to describe the physical safeguards applicable for each server, desktop
computer system and wireless computer system used to access, transmit, receive and store ePHI to
ensure that appropriate security is maintained and that access is restricted to authorized workforce
members.
Policy
12 Workstation Security
TYPE: Standard
REFERENCE: 45 CFR 164.310(c)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement physical safeguards for all workstations that access electronic protected health
information, to restrict access to authorized users."
1. Area Agency on Aging for SWFL will take reasonable and appropriate steps to prevent
unauthorized access to workstations, servers and portable devices including laptops,
smartphones, CD-ROMs, DVDs, USB Drives, etc. that store or access ePHI.
i. Workstations and laptops that are in common areas that store or access
ePHI should be physically placed with the monitor so that it prohibits
unauthorized people from viewing confidential information such as logins,
passwords or ePHI.
ii. Workstations and laptops that are in common areas that store or access
ePHI should utilize privacy screens to prevent unauthorized access to ePHI.
iii. Workstations and laptops that are in common areas that store or access
ePHI should be secured by restraints such as locking cables.
iv. Portable devices and media including laptops, smartphones, CD-ROMs,
DVDs, USB Drives, data backup tapes, etc. that contains ePHI should utilize
encryption to protect the ePHI.
v. Portable devices and media should be concealed from view when offsite to
prevent theft.
vi. All network servers, application servers, routers, database systems, device
management system hardware, and other servers should be located in a
room or an area that can be physically secured by lock and key or any other
appropriate security mechanism to limit access to only authorized personnel.
(See HIPAA Security Policy #10 - Facility Access Controls).
vii. All workstations, servers and portable devices will run anti-virus / anti-
malware software that protect against malicious software. The software must
be current and up to date with virus / malware definitions. Workforce
members must use and keep active current versions of approved anti-virus /
anti-malware software scanning tools to detect and remove malicious
software from workstations and files. Workforce members must not disable
these tools unless specifically directed by computer support personnel to do
so in order to resolve a particular problem.
viii. All workstations, servers and portable devices, where feasible, must
implement a security patch and update procedure to ensure that all relevant
security patches and updates are promptly applied based on the severity of
the vulnerability corrected.
2. Area Agency on Aging for SWFL will take reasonable and appropriate steps to prevent
unauthorized access to workstations, servers and portable devices from misuse and
physical damage, vandalism, power surges, electrostatic discharge, magnetic fields,
water, overheating and other physical threats.
i. Workstations must not be located where they will be directly affected by
extremes of temperature or electromagnetic interference. Precautions
should also be taken to ensure that workstations cannot be affected by
problems caused by utilities, such as water, sewer and/or steam lines that
pass through the facility.
ii. All facilities that store systems that contain ePHI, should have appropriate
smoke and/or fire detection devices, sprinklers or other approved fire
suppression systems, and working fire extinguishers in easily accessible
locations throughout the facility.
iii. All servers that contain ePHI should be connected to an Uninterruptible
Power Supply (UPS) to prevent server crashes during power outages or
spikes. Servers should be configured to shut down in a controlled manner if
the power outage is for an extended period of time.
iv. All systems should be connected to surge protectors, where feasible, to
protect against power spikes and surges.
3. A user identification and password authentication mechanism shall be implemented to
4. Workforce members suspecting any inappropriate or unauthorized use of workstations
should immediately report such incident or misuse to the HIPAA Security Officer.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #13
Physical Safeguards
Device and Media Controls
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the policy and procedures that govern the receipt and removal of
hardware and electronic media that contain ePHI into and out of a facility, and the movement of ePHI within
the facility, and to implement methods to properly dispose of ePHI.
Policy
13 Device and Media Controls
TYPE: Standard
REFERENCE: 45 CFR 164.310(d)(1)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures that govern the receipt and removal of hardware and
electronic media that contain electronic protected health information into and out of a facility, and
the movement of these items within the facility."
1. Area Agency on Aging for SWFL will develop policies and procedures that govern receipt,
removal, movement and disposal of hardware and electronic media containing ePHI
within the facility. The policies and procedures will address device and media controls
relating to:
i. Disposal
ii. Media Re-use
iii. Accountability
iv. Data Backup and Storage
13.1 Disposal
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.310(d)(2)(i)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement policies and procedures to address the final disposition of electronic protected health
information, and/or the hardware or electronic media on which it is stored."
1. Area Agency on Aging for SWFL must take reasonable and appropriate steps to dispose
of portable devices and media that contain ePHI. Removal steps must ensure that ePHI
is properly copied off of the device and that destruction of ePHI prevents unauthorized
access to the ePHI.
Procedure
1. Prior to destroying or disposing of any portable device or media, care must be taken to
ensure that the device or media does not contain ePHI.
2. If the portable device or media contains the only copy of ePHI that is required or needed,
a retrievable copy of the ePHI must be made prior to disposal.
3. If the portable device or media contains ePHI that is not required or needed, and is not a
unique copy, a data destruction tool must be used to destroy the data on the device or
media prior to disposal. A typical reformat is not sufficient as it does not overwrite the
data. Note that a data destruction tool which adheres to the Department of Defense
(DoD 5220.22-M) standard is recommended to properly destroy ePHI.
4. The HIPAA Security Officer or delegate will notify the Information Technology (IT)
department/company/individual of equipment that needs to be disposed of.
5. The HIPAA Security Officer or delegate will determine the sensitivity of the data to be
disposed of (see Data Classification Table below).
6. IT will assess the condition of the equipment and will:
a. Track the disposal of the device (type of hardware, serial number, etc.).
See Appendix A: Media Disposal Log.
b. Run approved wiping software on all devices to make sure all patient
information is removed from the device. This may include physical destruction
(see Methods of Destruction below).
c. Verify that the hardware's data has been removed.
d. Dispose of the hardware.
7. The HIPAA Security Officer or delegate / IT will document the destruction of the asset and
keep a record. See Appendix C: Media Disposal Log.
8. If taken to an outside facility: the media shall be taken to an approved, certified facility for
erasure or destruction. A letter of certification regarding the date and time of
erasure/destruction shall be obtained.
Data Classification Table:
1. Low (Unclassified) - No requirement to erase data but in the interest of prudence normally erase
the data using any means such as reformatting or degaussing.
• Basic operating system, personal files,
2. Medium Sensitive - Erase the data using any means such as reformatting or degaussing.
• Business related information that does not contain patient information (ePHI).
3. High (Confidential) - The data must be erased using an approved technology to make sure it is
not readable using special technology techniques. (See method of destruction below)
• Media contains patient information (ePHI).
Examples of hardware devices include:
• Workstation
• Laptop
• Tablet (iPad/Android)
• Smartphones
• Server hard drives
• Memory stick (USB drives)
• CD ROM disk / DVD ROM
• Storage / Backup tape(s)
• Hard drives
• Copiers / Scanners / Fax machines
• X-Rays / Ultrasound / Diagnostic Machines
• Any other hardware that contains ePHI
Methods of Destruction Table:
Clear One method to sanitize media is to use software or hardware products to
overwrite storage space on the media with non -sensitive data. This process
may include overwriting not only the logical storage location of a file(s) (e.g., file
allocation table) but also may include all addressable locations. The security
goal of the overwriting process is to replace written data with random data. A
data destruction tool which adheres to the Department of Defense (DoD
5220.22-M) standard is recommended to properly destroy ePHI. Overwriting
cannot be used for media that are damaged or not rewriteable.)
Purge - Degaussing and executing the firmware Secure Erase command (for ATA
drives only) are acceptable methods for purging. Degaussing is exposing the
magnetic media to a strong magnetic field in order to disrupt the recorded
magnetic domains. A degausser is a device that generates a magnetic field
used to sanitize magnetic media. Degaussers are rated based on the type (i.e.,
low energy or high energy) of magnetic media they can purge. Degaussers
operate using either a strong permanent magnet or an electromagnetic coil.
Degaussing can be an effective method for purging damaged or inoperative
media, for purging media with exceptionally large storage capacities, or for
quickly purging diskettes. Degaussing has no effect on solid-state (flash) media,
and it normally renders a modern hard drive unusable because the servo tracks
are erased along with the data; for flash devices use the drive's own Secure Erase
or cryptographic erase function, or destroy the device.
Destroy - There are many different types, techniques, and procedures for media
destruction. If destruction is decided on because of the high security
categorization of the information, then after the destruction the media should
be able to withstand a laboratory attack.
• Disintegration, Pulverization, Melting, and Incineration. These
sanitization methods are designed to completely destroy the media.
They are typically carried out at an outsourced metal destruction or
licensed incineration facility with the specific capabilities to perform
these activities effectively, securely, and safely.
• Shredding. Paper shredders can be used to destroy flexible media such
as diskettes once the media are physically removed from their outer
containers. The shred size of the refuse should be small enough that
there is reasonable assurance, in proportion to the data confidentiality,
that the data cannot be reconstructed.
Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM),
optical disks (DVD), and magneto-optic (MO) disks must be destroyed by pulverizing,
crosscut shredding or burning. When material is disintegrated or shredded, all
residues must be reduced to nominal edge dimensions of five millimeters (5
mm) and surface area of twenty-five square millimeters (25 mm²).
13.2 Media Re -use
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.310(d)(2)(ii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement procedures for removal of electronic protected health information from electronic
media before the media are made available for re -use. "
1. Area Agency on Aging for SWFL must take reasonable and appropriate steps to ensure
that portable devices and media do not contain ePHI prior to re-use of the device or media.
If the device or media does contain ePHI, then steps must be taken to ensure that the
ePHI is properly destroyed prior to re-use of the device or media.
Procedure
1. Prior to making a portable device or media available for reuse, care must be taken to
ensure that the device or media does not contain ePHI.
2. If the device or media contains the only copy of ePHI that is required or needed, a
retrievable copy of the ePHI must be made prior to reuse.
3. If the portable device or media contains ePHI that is not required or needed, and is not a
unique copy, a data destruction tool must be used to destroy the data on the device or
media prior to reuse. A typical reformat is not sufficient, as it does not overwrite the data.
Note that a data destruction tool which adheres to the Department of Defense (DoD
5220.22-M) standard is recommended to properly destroy ePHI.
4. The use of a data destruction tool before reuse is not required if the media is used for
system or data backup, as long as the media is stored and transported in a secured
environment.
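To make the point in step 3 concrete, here is an added example (not part of the policy, and not the agency's tooling) that simulates a quick reformat and then a "Clear" overwrite on a constructed in-memory disk image. The layout (a filesystem header in sector 0, a client record at sector 300) and the sample record are assumptions. Two caveats apply before using the same idea on real hardware: overwriting a file from inside a filesystem does not reach journal copies or snapshots, and overwriting a solid-state drive does not reach its spare area, so on SSDs the Purge methods (the drive's Secure Erase or cryptographic erase) or physical destruction apply instead.

```python
"""Why a quick reformat leaves ePHI recoverable, and what a 'Clear' overwrite does.
Added example for HIPAA Security Policy #13 (13.1/13.2); it works on an in-memory
disk image, never on a real device, and the layout and offsets are constructed."""
import io
import os

SECTOR = 512
CHUNK = 64 * 1024


def make_disk_image(payload: bytes, size: int = 1024 * 1024) -> io.BytesIO:
    """Constructed 1 MiB 'drive': a filesystem header in sector 0 and ePHI stored
    at an arbitrary data-area offset, the way a real file would be."""
    img = bytearray(size)
    img[0:SECTOR] = b"CONSTRUCTED-FS-HEADER".ljust(SECTOR, b"\0")
    start = 300 * SECTOR
    img[start:start + len(payload)] = payload
    return io.BytesIO(img)


def quick_format(dev: io.BytesIO) -> None:
    """A typical reformat: only the boot sector and allocation structures are rewritten;
    the data area, and the ePHI in it, is left untouched."""
    dev.seek(0)
    dev.write(b"\0" * (8 * SECTOR))


def clear_overwrite(dev: io.BytesIO, passes: int = 1) -> None:
    """The policy's 'Clear' method: overwrite every addressable location with random data.
    One verified pass is what NIST SP 800-88 Rev. 1 calls for on magnetic media; extra
    passes are optional and do nothing for flash media (see the lead-in caveat)."""
    dev.seek(0, io.SEEK_END)
    size = dev.tell()
    for _ in range(passes):
        dev.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            dev.write(os.urandom(n))
            remaining -= n
        dev.flush()


def still_contains(dev: io.BytesIO, needle: bytes) -> bool:
    """Verification step: scan the whole image for a known fragment of the ePHI,
    the way a recovery tool would carve it out after a quick format."""
    dev.seek(0)
    return needle in dev.read()


def demo() -> dict:
    phi = b"CLIENT 10442, DOB 1941-03-05, CCE"   # constructed record, not real data
    dev = make_disk_image(phi)
    result = {"before": still_contains(dev, phi)}
    quick_format(dev)
    result["after_quick_format"] = still_contains(dev, phi)
    clear_overwrite(dev)
    result["after_clear"] = still_contains(dev, phi)
    return result


if __name__ == "__main__":
    print(demo())   # {'before': True, 'after_quick_format': True, 'after_clear': False}
```

The verification scan is the part most often skipped in practice: a sanitization record (Appendix C) is only as good as the check that the overwrite actually reached the data area.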
13.3 Accountability
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(d)(2)(iii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Maintain a record of the movements of hardware and electronic media and any person
responsible therefore."
Procedure
When using portable devices or media to transport ePHI, a procedure must be
developed to track and maintain records of the movement of such devices and the
media and the parties responsible for the device and media during its movement.
A log should be maintained of any hardware containing ePHI that has been received
into or removed from Area Agency on Aging for SWFL's facilities. The log should
note the workforce member receiving or removing the equipment, the date of receipt
or removal, the person approving the receipt or removal, and the date the hardware
was returned. (See Appendix A Receipt of Hardware or Electronic Media Containing
ePHI Log and Appendix B Removal of Hardware or Electronic Media Containing
ePHI Log).
13.4 Data Backup and Storage
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.310(d)(2)(iv)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Create a retrievable, exact copy of electronic protected health information, when needed, before
movement of equipment. "
1. Before moving any systems that contain ePHI, a procedure must be developed to
ensure that the ePHI is properly backed up and secured prior to moving.
Procedure
1. If a system contains ePHI, all files containing ePHI must be backed up to a computer,
tape, USB drive, CD-ROM, disk, or other storage media before equipment is moved
within or outside of Area Agency on Aging for SWFL facilities.
2. The backed -up data should be stored in a secure area until it is placed on different
equipment or restored to the original equipment from which it was removed.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Appendix A: Receipt of Hardware or Electronic Media Containing ePHI Log
(log form; the table did not survive the scan and its columns are not recoverable here)
Appendix B: Removal of Hardware or Electronic Media Containing ePHI Log
(log form; the table did not survive the scan and its columns are not recoverable here)
Appendix C: Media Disposal Log
The below data was disposed / destroyed as required in HIPAA Security Policy #13 — Device and
Media Control.
Date of Destruction:
Authorized By: Click here to enter text.
Description of Information Disposed of or Destroyed (include Manufacturer/Model/Serial
Number/etc):
Click here to enter text.
Backup of Protected Health Information (PHI)? Required if PHI is the only copy
❑ Yes
❑ No
If Yes, List Backup Location: Click here to enter text.
Method of Destruction:
❑ Clear (One method to sanitize media is to use software or hardware products to overwrite storage
space on the media with non-sensitive data. This process may include overwriting not only the logical
storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The
security goal of the overwriting process is to replace written data with random data. Overwriting cannot
be used for media that are damaged or not rewriteable.)
❑ Purge (Degaussing and executing the firmware Secure Erase command (for ATA drives only) are
acceptable methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field
in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic
field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high
energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet
or an electromagnetic coil. Degaussing can be an effective method for purging damaged or inoperative
media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes.
❑ Destroy (Destruction of media is the ultimate form of sanitization. After media are destroyed, they
cannot be reused as originally intended. Physical destruction can be accomplished using a variety of
methods, including disintegration, incineration, pulverizing, shredding, and melting. If destruction is
decided upon due to the high security categorization of the information or due to environmental
factors, any residual medium should be able to withstand a laboratory attack.
Disintegration, Incineration, Pulverization, and Melting. These sanitization methods are designed to
completely destroy the media. They are typically carried out at an outsourced metal destruction or
incineration facility with the specific capabilities to perform these activities effectively, securely, and
safely.
Shredding. Paper shredders can be used to destroy flexible media such as diskettes once the media are
physically removed from their outer containers. The shred size of the refuse should be small enough
that there is reasonable assurance in proportion to the data confidentiality level that the information
cannot be reconstructed.
Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD),
and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning.)
Destruction Method Used:
Click here to enter text.
Final Disposition of Media:
❑ Disposed
❑ Reused Internally
❑ Reused Externally (sold / donated / etc.)
❑ Returned to Manufacturer / Leasing Company / Vendor / etc.
❑ Other: Click here to enter text.
Save this log and retain indefinitely.
Area Agency on Aging for SWFL
HIPAA Security Policy #14
Technical Safeguards
Access Control
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to assure that systems containing ePHI are accessed only by those persons
or software programs that have been granted access rights under the HIPAA Security Policy #4 —
Information Access Management.
Policy
14 Access Control
TYPE: Standard
REFERENCE: 45 CFR 164.312(a)(1)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement technical policies and procedures for electronic information systems that maintain
electronic protected health information to allow access only to those persons or software
programs that have been granted access rights as specified in § 164.308(a)(4)."
1. Area Agency on Aging for SWFL must develop procedures to ensure that access to ePHI
is only permitted to authorized persons. The procedures should include the following:
i. All workforce members must be assigned a unique user identifier (i.e. userid)
that allows for workforce member identification and tracking of access to ePHI.
ii. Emergency access procedures that enable authorized workforce members to
obtain access to necessary ePHI during a disaster or other emergency.
iii. Automatic Logoff procedures that protect ePHI from unauthorized access while
workforce members are utilizing systems that access ePHI.
iv. The use of encryption where it is reasonable and appropriate to protect ePHI.
2. All networks that contain systems that access or store ePHI should be protected by a
network firewall.
14.1 Unique User Identification
HIPAA Security Policy #14- Technical Safeguards- Access Control Page 1 of 4
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.312(a)(2)(i)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Assign a unique name and/or number for identifying and tracking user identity. "
1. All workforce members must comply with the measures outlined in this policy to uniquely
identify and track each workforce member who accesses systems and applications that
contain ePHI.
2. Any workforce member that requires access to any system or application that accesses,
transmits, receives, or stores ePHI must be provided with a unique user identification
string. (See HIPAA Security Policy #3 - Workforce Security and HIPAA Security Policy
#4 - Information Access Management).
3. Area Agency on Aging for SWFL will develop password policies that specify creating,
modifying and protecting of passwords.
Procedure
1. Workforce members will be assigned a unique user identification (i.e., userid) in order to
access any system or application that transmits, receives or stores ePHI.
2. Each workforce member must ensure that their assigned user identification is
appropriately protected and only used for legitimate access to systems or applications.
3. If a workforce member believes their user identification has been compromised, they must
report the security incident. (See HIPAA Security Policy #6 - Incident Response).
4. Workforce members should be aware of the following password procedures to create and
use strong passwords to protect ePHI:
i. Should be a minimum of eight characters in length.
ii. Should incorporate both upper and lower case letters (e.g., a-z and A-Z).
iii. Should incorporate digits and punctuation characters as well as letters (e.g., 0-9
and !@#$%^&*()_-+=[]:;"'\?).
iv. Should not be words found in a dictionary.
v. Should not include easily guessed information such as personal information,
names, pets, birth dates, etc.
5. Workforce members should be aware of the following procedures to protect passwords:
i. Passwords should not be written down.
ii. If a workforce member suspects that their password has been
compromised, they should report the incident immediately.
6. Passwords should be changed at least every 90 days.
7. After a number of failed password attempts, the workforce member's account should be
disabled (e.g., 3 or 5 failed attempts).
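The rules in items 4 and 7 above, written as a check an application could enforce at password change and at login. This is an added example, not code from the policy or the agency; the word list, the personal-information inputs and the choice of five failed attempts are assumptions, and the minimum length is the policy's eight characters (a longer minimum is a one-line change). Item 7 says "disabled", so the tracker has no automatic unlock: only an administrator's reset re-enables the account.

```python
"""Password-policy and lockout checks following HIPAA Security Policy #14, 14.1 items 4 and 7.
Added example, not part of the policy; the word list, the 'personal information' inputs
and the choice of 5 failed attempts are assumptions."""
import string

MIN_LENGTH = 8     # item 4.i: minimum of eight characters
MAX_FAILED = 5     # item 7 offers "3 or 5" as examples; 5 is assumed here

# Constructed stand-in for a dictionary word list; a deployment would load a full list.
DICTIONARY = {"password", "welcome", "summer", "florida", "sunshine", "letmein"}


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of policy rules the candidate password violates (empty = compliant).
    personal_info holds strings the user must not embed (name, pet, birth year, ...)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("must mix upper and lower case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("must include a digit or punctuation character")
    lowered = pw.lower()
    # A dictionary word is rejected even as a substring, so 'Password1!' does not
    # pass on a technicality.
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per user id and disables the account once
    max_failed is reached. Only reset() by an administrator re-enables it, matching the
    policy wording 'disabled'; no timed auto-unlock is assumed."""

    def __init__(self, max_failed: int = MAX_FAILED):
        self.max_failed = max_failed
        self._failed = {}        # userid -> consecutive failure count
        self._disabled = set()   # userids currently disabled

    def is_disabled(self, userid: str) -> bool:
        return userid in self._disabled

    def record_attempt(self, userid: str, success: bool) -> bool:
        """Record an authentication result; returns True if the account is (now) disabled.
        A correct password presented to a disabled account is still refused."""
        if userid in self._disabled:
            return True
        if success:
            self._failed.pop(userid, None)   # a success resets the consecutive count
            return False
        count = self._failed.get(userid, 0) + 1
        self._failed[userid] = count
        if count >= self.max_failed:
            self._disabled.add(userid)
            self._failed.pop(userid, None)
            return True
        return False

    def reset(self, userid: str) -> None:
        """Administrator action after the user's identity has been re-verified."""
        self._disabled.discard(userid)
        self._failed.pop(userid, None)
```

Note that the lockout check runs before the password is verified, so a disabled account cannot be re-enabled by guessing correctly, and the failure counter is reset only by a genuine success or by an administrator.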
14.2 Emergency Access Procedure
IMPLEMENTATION TYPE: Required
REFERENCE: 45 CFR 164.312(a)(2)(ii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Establish procedures for obtaining necessary electronic protected health information during an
emergency. "
1. Area Agency on Aging for SWFL will take reasonable and appropriate steps to define
procedures to enable authorized workforce members to obtain access to necessary ePHI
during a disaster or other emergency.
Procedure
1. Area Agency on Aging for SWFL will ensure that the Disaster Recovery and Emergency
Operations plans include steps to enable authorized workforce members to obtain access
to necessary ePHI during a disaster or other emergency. (See HIPAA Security Policy#7
— Contingency Planning)
2. Area Agency on Aging for SWFL will train workforce members on the Disaster Recovery
and Emergency Operations Plan (See HIPAA Security Policy#7 — Contingency Planning)
14.3 Automatic Logoff
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.312(a)(2)(iii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement electronic procedures that terminate an electronic session after a predetermined time
of inactivity. "
1. When feasible, electronic sessions will be terminated and workforce members will be
logged out of systems accessing or containing ePHI after a number of minutes (e.g., 5,
10 or 15 minutes), requiring the workforce member to be identified and authenticated
again in order to regain access and continue the session.
Procedure
1. Systems that access or store ePHI should implement an automatic logoff after a
determined period of inactivity. Workforce members would need to be identified and
authenticated again to regain access and continue the session.
2. Workforce members should be trained that when leaving a server, workstation, or other
computer system un -attended, they must lock or activate the system's automatic logoff
mechanism (e.g. CTRL, ALT, DELETE and Lock Computer) or logout of all applications
and database systems containing ePHI.
14.4 Encryption and Decryption
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.312(a)(2)(iv)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement a mechanism to encrypt and decrypt electronic protected health information.
1. Area Agency on Aging for SWFL should implement encryption mechanisms where it is
reasonable and appropriate to protect and safeguard ePHI.
2. Encryption should be used on all portable devices and media to ensure ePHI is
protected in the event the device or media is lost or stolen.
Procedure
1. Workforce members should be trained on the use of encryption to protect ePHI.
2. All portable devices and media that contain ePHI should be encrypted to protect ePHI in
the event that they are lost or stolen.
3. All backup tapes and media that contain ePHI should utilize encryption to protect ePHI.
4. Area Agency on Aging for SWFL should implement secure encrypted remote access
procedures to protect systems that access or store ePHI.
i. Authentication and encryption mechanisms should be required for all remote
access sessions to networks containing ePHI. Examples of such mechanisms
include VPN clients, authenticated TLS (formerly SSL) web sessions, and encrypted Citrix
client access.
5. Area Agency on Aging for SWFL should implement secure encrypted wireless access
procedures to protect systems that access or store ePHI.
i. All wireless access to Area Agency on Aging for SWFL's networks should
utilize encryption mechanisms.
ii. All encryption mechanisms implemented to comply with this policy should
support a minimum of 128-bit encryption. Key length alone is not sufficient: the
algorithm and protocol must also be current (e.g., AES; TLS 1.2 or later for remote
access; WPA2 or later for wireless). WEP and SSL 3.0 do not meet this requirement
regardless of key length.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #15
Technical Safeguards
Audit Controls Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the hardware, software and/or procedural mechanisms that will be
implemented by Area Agency on Aging for SWFL to record and examine activity in information systems
that contain or use ePHI.
Policy
15 Audit Controls
TYPE: Standard
REFERENCE: 45 CFR 164.312(b)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement hardware, software, and/or procedural mechanisms that record and examine activity
in information systems that contain or use electronic protected health information. "
1. Area Agency on Aging for SWFL should implement, where reasonable and appropriate,
audit mechanisms to track and audit access to systems that contain or use ePHI.
i. Each system containing ePHI shall utilize a mechanism to log and store
system activity.
ii. Each system's audit log shall include, but is not limited to, User ID, Login
Date/Time, and Activity Time. Audit logs may include system and application
log-in reports, activity reports, exception reports or other mechanisms to
document and manage system and application activity.
iii. System audit logs shall be reviewed on a regular basis. (See HIPAA Security Policy #1 -
Security Management.)
iv. Security incidents such as activity exceptions and unauthorized access
attempts should be detected, logged and reported immediately to the
appropriate systems management and the HIPAA Security Officer in
accordance with the HIPAA Security Policy #6 - Security Incident Procedures.
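An added example, not from the policy or the agency, of the review step in items ii through iv: it parses a constructed pipe-delimited audit log carrying the three required fields, flags repeated failed logins and after-hours access to client records for the Security Officer, and summarises each user's first login and last activity. The log format, the three-failure threshold and the 07:00-19:00 business window are assumptions; a real review would read the system's own log export.

```python
"""Audit-log review for the fields HIPAA Security Policy #15 requires (User ID, Login
Date/Time, Activity Time). Added example; the log format, the failed-login threshold and
the business-hours window are assumptions, not the agency's configuration."""
from collections import defaultdict
from datetime import datetime, time as dtime

# Constructed sample log, one event per line: timestamp|userid|event|outcome|resource
SAMPLE_LOG = """\
2018-10-23T08:02:11|jdoe|login|success|-
2018-10-23T08:05:40|jdoe|read|success|client/10442
2018-10-23T12:10:03|msmith|login|failure|-
2018-10-23T12:10:21|msmith|login|failure|-
2018-10-23T12:10:39|msmith|login|failure|-
2018-10-23T12:11:02|msmith|login|failure|-
2018-10-23T23:47:15|jdoe|login|success|-
2018-10-23T23:49:50|jdoe|export|success|client/10442
2018-10-24T09:15:00|rlee|read|success|client/20871
"""

FAILED_LOGIN_THRESHOLD = 3                      # assumption, in line with Policy #14's "3 or 5"
BUSINESS_HOURS = (dtime(7, 0), dtime(19, 0))    # assumption: 07:00-19:00 local time


def parse_log(text: str) -> list:
    """Split the constructed format into records with a real datetime for the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, userid, event, outcome, resource = line.split("|")
        records.append({"time": datetime.fromisoformat(ts), "userid": userid,
                        "event": event, "outcome": outcome, "resource": resource})
    return records


def find_exceptions(records: list) -> list:
    """Return (userid, description) findings for the Security Officer (policy item iv):
    repeated consecutive failed logins, and access to ePHI outside business hours."""
    findings = []
    consecutive_failures = defaultdict(int)
    for r in records:
        if r["event"] == "login":
            if r["outcome"] == "failure":
                consecutive_failures[r["userid"]] += 1
                if consecutive_failures[r["userid"]] == FAILED_LOGIN_THRESHOLD:
                    findings.append((r["userid"],
                                     f"{FAILED_LOGIN_THRESHOLD} consecutive failed logins "
                                     f"ending {r['time'].isoformat()}"))
            else:
                consecutive_failures[r["userid"]] = 0
        elif r["resource"] != "-":
            t = r["time"].time()
            if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                findings.append((r["userid"],
                                 f"after-hours {r['event']} of {r['resource']} "
                                 f"at {r['time'].isoformat()}"))
    return findings


def activity_summary(records: list) -> dict:
    """Per user: first successful login, last activity time and event count, the minimum
    the policy says the log must support (items i and ii)."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["userid"],
                               {"first_login": None, "last_activity": None, "events": 0})
        s["events"] += 1
        if r["event"] == "login" and r["outcome"] == "success" and s["first_login"] is None:
            s["first_login"] = r["time"]
        s["last_activity"] = r["time"]
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for userid, why in find_exceptions(recs):
        print(f"REVIEW {userid}: {why}")
```

On the sample, the review produces two findings: the burst of failed logins for msmith and the late-night export of a client record by jdoe. The second is the kind of event that looks routine in a raw log and is only visible once activity time is compared against an expected window.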
HIPAA Security Policy _15- Technical Safeguards- Audit Controls Policy Page 1 of 2
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #16
Technical Safeguards
Integrity Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the appropriate data authentication measures that Area Agency on
Aging for SWFL shall implement to ensure that ePHI is not improperly altered or destroyed.
Policy
16 Integrity
TYPE: Standard
REFERENCE: 45 CFR 164.312(c)(1)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement policies and procedures to protect electronic protected health information from
improper alteration or destruction, "
1. Area Agency on Aging for SWFL will implement procedures to ensure that ePHI is not
improperly altered or destroyed.
Procedure
1. Area Agency on Aging for SWFL will implement mechanisms to protect ePHI from
alteration or destruction by Malicious Software such as a virus or malware. (See HIPAA
Policy#12 — Workstation Security).
2. Area Agency on Aging for SWFL will implement mechanisms to protect ePHI integrity
during storage and use, including the use of data redundancy (i.e., Redundant Arrays of
Inexpensive Disks [RAID] configurations) and error-correcting memory.
16.1 Mechanism to Authenticate ePHI
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.312(c)(2)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement electronic mechanisms to corroborate that electronic protected health information has
not been altered or destroyed in an unauthorized manner."
HIPAA Security Policy _16- Technical Safeguards- Integrity Policy Page 1 of 2
1. Area Agency on Aging for SWFL must implement mechanisms to validate that ePHI has
not been altered or destroyed in an unauthorized manner.
Procedure
1. Area Agency on Aging for SWFL will take steps to ensure that, when reasonable and
appropriate, electronic mechanisms are implemented to validate the integrity of ePHI by
proving that it has not been improperly altered or destroyed. Examples of electronic
mechanisms that are capable of detecting and reporting unauthorized alteration or
destruction of EPHI include:
i. Checksum
ii. Hash values
iii. Digital signatures
iv. Encryption
v. Disk redundancy (such as Redundant Arrays of Inexpensive Disks or"RAID").
2. The use of electronic mechanisms to ensure that ePHI has not been altered or destroyed
will be determined by the HIPAA Security Officer
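An added example, not from the policy or the agency, showing why mechanism ii (hash values) has to be keyed or signed before it can corroborate that ePHI was not altered in an unauthorized manner: a plain SHA-256 manifest detects accidental corruption, but anyone able to alter the file can recompute it, whereas an HMAC manifest cannot be forged without the key. Digital signatures (mechanism iii) follow the same pattern with a private key in place of the shared key and are not shown here. The file names, contents and key are constructed.

```python
"""Integrity checks for stored ePHI files, illustrating mechanisms i-ii of Policy #16,
section 16.1, and why the hash must be keyed. Added example; the file names, contents
and key are constructed for the demonstration."""
import hashlib
import hmac

# Constructed sample of an ePHI export directory (file name -> bytes); not real client data.
EPHI_FILES = {
    "clients_2018q3.csv": b"client_id,dob,program\n10442,1941-03-05,CCE\n20871,1938-11-20,ADI\n",
    "care_plan_10442.txt": b"Plan: home health aide 3x/week; reviewed 2018-10-01\n",
}


def sha256_manifest(files: dict) -> dict:
    """Mechanism ii (hash values) on its own: catches accidental corruption, but anyone
    who can alter a file can recompute its hash, so it proves nothing about tampering."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def hmac_manifest(files: dict, key: bytes) -> dict:
    """Keyed hash (HMAC-SHA256): a matching tag cannot be produced without the key,
    which is kept apart from the files (assumption: held by the Security Officer)."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def verify(files: dict, manifest: dict, key: bytes = None) -> dict:
    """Compare the files on hand against a manifest.
    Returns name -> 'ok' | 'modified' | 'missing' | 'unexpected'."""
    current = hmac_manifest(files, key) if key is not None else sha256_manifest(files)
    status = {}
    for name, expected in manifest.items():
        if name not in current:
            status[name] = "missing"
        elif hmac.compare_digest(current[name], expected):   # constant-time comparison
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in current:
        if name not in manifest:
            status[name] = "unexpected"
    return status


def demo() -> dict:
    key = b"constructed-demo-key-keep-it-off-the-file-server"
    plain = sha256_manifest(EPHI_FILES)
    keyed = hmac_manifest(EPHI_FILES, key)

    # Tampering scenario: a date of birth is altered and the attacker, who has write access
    # to the files but not the key, recomputes the unkeyed manifest to cover the change.
    tampered = dict(EPHI_FILES)
    tampered["clients_2018q3.csv"] = tampered["clients_2018q3.csv"].replace(
        b"1941-03-05", b"1951-03-05")
    forged_plain = sha256_manifest(tampered)

    return {
        "plain_detects": verify(tampered, plain),          # clients file: modified
        "plain_forged": verify(tampered, forged_plain),    # clients file: ok, tampering hidden
        "keyed_detects": verify(tampered, keyed, key),     # clients file: modified
        "deletion": verify({}, keyed, key),                # every file: missing
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The "plain_forged" scenario is the one to remember when choosing a mechanism under item 2: a hash stored next to the data it protects, with no key, detects disk errors but not an insider or an attacker with write access.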
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #17
Technical Safeguards
Person or Entity Authentication Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the procedures to be implemented by Area Agency on Aging for
SWFL to verify that a person or entity seeking access to ePHI is the person or entity claimed.
Policy
17 Person or Entity Authentication
TYPE: Standard
REFERENCE: 45 CFR 164.312(d)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement procedures to verify that a person or entity seeking access to electronic protected
health information is the one claimed. "
1. Area Agency on Aging for SWFL will implement authentication mechanisms to ensure the
authenticity of a person or entity prior to granting access to ePHI.
Procedure
1. All workforce members of Area Agency on Aging for SWFL are provided a unique
username and password for all systems containing ePHI. (See the Area Agency on Aging
for SWFL HIPAA Security Policy #14 - Access Control Policy).
2. Workforce members will select a password in accordance with the Area Agency on Aging
for SWFL HIPAA Security Policy #14 - Access Control Policy.
3. Workforce members of Area Agency on Aging for SWFL must not use another person's
account to access any system. If a workforce member requires access to a system, they
must gain access using an account in their own name. If new or additional access to a
system is required, the procedures outlined in Area Agency on Aging for SWFL HIPAA
Security Policy #4 - Information Access Management must be followed.
4. If a workforce member becomes aware that someone has improperly obtained his or her
username and password or has improperly accessed Area Agency on Aging for SWFL
electronic systems through the use of the username and password, the workforce member
shall immediately report the incident (See HIPAA Security Policy #6 - Security Incident
Procedures).
HIPAA Security Policy #17- Technical Safeguards- Person or Entity Authentication Policy Page 1 of 2
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date:
Area Agency on Aging for SWFL
HIPAA Security Policy #18
Technical Safeguards
Transmission Security Policy
Statement of Policy
Area Agency on Aging for SWFL is a Covered Entity under the Health Insurance Portability and
Accountability Act (HIPAA) Security Regulations. As such, Area Agency on Aging for SWFL is required to
safeguard electronic protected health information (ePHI) in accordance with the HIPAA Security Rule
Regulations. These policies reflect Area Agency on Aging for SWFL's commitment to complying with
such Regulations.
Purpose of Policy
The purpose of the policy is to define the technical security measures that Area Agency on Aging for
SWFL will implement to guard against unauthorized access to or modification of ePHI that is being
transmitted over an electronic communications network or via any form of removable media.
Policy
18 Transmission Security Policy
TYPE: Standard
REFERENCE: 45 CFR 164.312(e)(1)
SECURITY REGULATION STANDARDS LANGUAGE:
"Implement technical security measures to guard against unauthorized access to electronic
protected health information that is being transmitted over an electronic communications
network. "
1. Area Agency on Aging for SWFL will implement procedures to reasonably protect ePHI
against unauthorized access while being transmitted over an electronic communications
network. Measures to protect ePHI include:
i. Implementing Integrity Controls
ii. Data Encryption
18.1 Integrity Controls
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.312(e)(2)(i)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement security measures to ensure that electronically transmitted electronic protected health
information is not improperly modified without detection until disposed of."
1. Area Agency on Aging for SWFL will implement security measures to ensure that
electronically transmitted ePHI is not improperly modified without detection until disposed
of.
HIPAA Security Policy _18- Technical Safeguards- Transmission Security Policy Page 1 of 3
Procedure
1. Transport Layer Security (TLS, the successor to Secure Sockets Layer, SSL) should be used
when accessing or transmitting ePHI to or from any website; the SSL protocol versions
themselves are deprecated and should not be enabled.
2. Transmission of ePHI via other methods should use secure and encrypted mechanisms
to safeguard and protect ePHI.
18.2 Encryption
IMPLEMENTATION TYPE: Addressable
REFERENCE: 45 CFR 164.312(e)(2)(ii)
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
"Implement a mechanism to encrypt protected health information whenever deemed appropriate."
1. Area Agency on Aging for SWFL will implement and utilize data encryption where it is
reasonable to protect and safeguard ePHI. Encryption should be utilized when:
i. Transmitting ePHI to outside entities
ii. Stored on Portable Devices and Media
iii. Sent via Email or messaging systems
iv. Sent over wireless networks
Procedure
1. Area Agency on Aging for SWFL will utilize encryption to protect and safeguard ePHI
when sending to entities that are outside of the Area Agency on Aging for SWFL's
network. The file, document, or folder containing ePHI should be encrypted before
transmission.
2. Area Agency on Aging for SWFL should utilize encryption when transmitting ePHI on
Portable Devices or Media. Portable Devices and Media include but are not limited to
Laptops, Tablets, USB Drives, CD-ROMs, DVDs, Floppy Drives and (Backup) Tapes.
3. Area Agency on Aging for SWFL will utilize encryption when sending ePHI via email or
messaging systems.
i. Area Agency on Aging for SWFL should not send ePHI via email or messaging
systems if encryption has not been implemented.
4. Area Agency on Aging for SWFL will utilize secure encrypted wireless networks to
transmit ePHI.
when using public non-encrypted wireless networks.
Creation Date: 10/23/2018
Effective Date: 10/23/2018
Last Revision Date: