HIPAA Lesson 9 Flashcards
List the Security Rule's three types of safeguards:
Administrative, physical, and technical.
Administrative actions, policies, and procedures to manage a covered entity’s security choices and the conduct of its workforce in relation to electronic protected health information.
Administrative Safeguards
List the nine administrative safeguard standards of the Security Rule:
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate contracts and other arrangements
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Security management process
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Risk analysis
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.
Risk management
Apply appropriate penalties against workforce members who fail to comply with the entity’s security policies and procedures.
Sanction policy
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Information system activity review
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this Rule for the entity.
Assigned security responsibility
Implement policies and procedures to ensure that all members of [the] workforce have appropriate access to electronic protected health information, as provided under the Information Access Management standard, and to prevent those workforce members who do not have access from obtaining access.
Workforce security
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Authorization and/or supervision
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Workforce clearance procedure
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in the Workforce Clearance Procedure of this Rule.
Termination procedures
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].
Information access management
If a healthcare clearinghouse is part of a larger organization, the clearinghouse operation must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization.
Isolating healthcare clearinghouse function
Implement policies and procedures for granting access to electronic protected health information—for example, through access to a workstation, transaction, program, process, or other mechanism.
Access authorization
Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Access establishment and modification
Implement a security awareness and training program for all members of [the] workforce (including management).
Security awareness and training
Provide periodic security updates to members of the workforce.
Security reminders
Implement procedures for guarding against, detecting, and reporting malicious software.
Protection from malicious software
Implement procedures for monitoring login attempts and reporting discrepancies.
Login monitoring
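The Login monitoring and Information system activity review cards above describe what must be done, not how. As an added example (not part of the HIPAA text or the lesson), the following script reviews a small, constructed authentication audit log: it flags repeated failures for one account from one source within a short window, a success that immediately follows such a run (the pattern that should trigger incident response), and successful logins outside an assumed business-hours window. The log format, field names, thresholds and hours are all assumptions chosen for illustration; a real EHR or directory service will log differently.

```python
"""Login-attempt monitoring over an authentication audit log (constructed data).

Added example for the Login monitoring and Information system activity review
cards; not from the HIPAA Security Rule text or any real product. The log
format, thresholds and business-hours window are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one authentication attempt per line, UTC timestamps.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=jdoe src=10.1.2.3 result=OK
2024-03-04T08:05:40Z user=rsmith src=10.1.2.9 result=OK
2024-03-04T22:14:07Z user=billing2 src=203.0.113.7 result=FAIL
2024-03-04T22:14:09Z user=billing2 src=203.0.113.7 result=FAIL
2024-03-04T22:14:12Z user=billing2 src=203.0.113.7 result=FAIL
2024-03-04T22:14:15Z user=billing2 src=203.0.113.7 result=FAIL
2024-03-04T22:14:18Z user=billing2 src=203.0.113.7 result=FAIL
2024-03-04T22:14:40Z user=billing2 src=203.0.113.7 result=OK
2024-03-05T03:30:00Z user=nightshift src=10.1.5.4 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5              # assumed: failures within WINDOW that warrant a finding
WINDOW = timedelta(minutes=5)   # assumed sliding window
BUSINESS_HOURS = range(6, 20)   # assumed: 06:00-19:59 UTC is a normal login hour


def parse_line(line):
    """Parse one audit record; reject anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit record: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def review_logins(log_text):
    """Return a list of (kind, user, src, detail) findings.

    kinds:
      brute_force         - FAIL_THRESHOLD or more failures for one (user, src) within WINDOW
      success_after_fails - a successful login for a pair already flagged as brute_force
      off_hours_success   - a successful login outside BUSINESS_HOURS
    """
    findings = []
    recent_fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    flagged = set()                     # (user, src) pairs already reported as brute_force

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        if rec["result"] == "FAIL":
            q = recent_fails[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:   # drop failures older than WINDOW
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                findings.append(("brute_force", rec["user"], rec["src"],
                                 f"{len(q)} failures since {q[0].isoformat()}"))
        else:
            if key in flagged:   # a success right after a failure burst needs follow-up
                findings.append(("success_after_fails", rec["user"], rec["src"],
                                 f"success at {rec['ts'].isoformat()} after repeated failures"))
                flagged.discard(key)
                recent_fails[key].clear()
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_success", rec["user"], rec["src"],
                                 f"login at {rec['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(*finding)
```

The point of the exercise is the procedure around the script, not the script itself: someone has to run it (or an equivalent SIEM rule) on a schedule, and each finding has to be recorded and dispositioned, which is what "reporting discrepancies" and "regularly review records" require. A reviewer should also tune the business-hours assumption per role; the night-shift login above is expected, the billing-account burst from an external address is not.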
Implement procedures for creating, changing, and safeguarding passwords.
Password management
Implement policies and procedures to address security incidents.
Security incident procedures
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents known to the covered entity; and document security incidents and their outcomes.
Response and reporting
Establish (and implement as needed) policies and procedures for responding to emergencies and other occurrences that can damage data and systems containing EPHI.
Contingency plan
Establish and implement procedures to create and maintain retrievable exact copies of EPHI.
Data backup plan
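"Retrievable exact copies" is a testable property, not just a policy statement. As an added example (not from the HIPAA text or the lesson, and not any real backup product), the script below builds a SHA-256 manifest of a constructed source tree at backup time, copies the tree, and then verifies the copy against the manifest, reporting missing files, digest mismatches and files present in the backup that were never in the source. It then flips one bit in a backed-up record to show that silent corruption is caught. The directory layout and file contents are constructed for the demonstration.

```python
"""Verifying that a backup is a retrievable exact copy (added example).

Illustrates the 'retrievable exact copies' wording of the Data backup plan
card with a manifest-and-verify step; it is not from the HIPAA text or any
real backup product. Directory layout and file contents are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large record stores do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest, backup_root):
    """Compare a backup tree against the manifest taken at backup time.

    Returns a list of problems; an empty list means every file in the
    manifest is present in the backup with an identical digest and nothing
    unexpected was added.
    """
    problems = []
    backup_root = Path(backup_root)
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"digest mismatch: {rel}")
    present = set(build_manifest(backup_root))
    for extra in sorted(present - set(manifest)):
        problems.append(f"unexpected file in backup: {extra}")
    return problems


def demo():
    """Constructed scenario: a good backup passes, then a one-bit flip is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "ehr")
        (src / "patients").mkdir(parents=True)
        # Constructed, non-real records standing in for EPHI.
        (src / "patients" / "0001.json").write_text('{"mrn": "0001", "dx": "J45"}')
        (src / "audit.log").write_text("2024-03-04T08:02:11Z user=jdoe result=OK\n")

        manifest = build_manifest(src)          # taken at backup time, stored separately
        backup = Path(work, "backup")
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)

        # Simulate silent corruption of one backed-up record (flip one bit).
        with open(backup / "patients" / "0001.json", "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        corrupted = verify_backup(manifest, backup)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("clean backup problems:", clean)
    print("after corruption:", corrupted)
```

Two practical notes. The manifest must be stored apart from the backup media it describes; otherwise whatever damages the backup can damage the evidence of damage. And a digest check proves the copy is exact, not that it is retrievable: the Testing and revision procedures card later on the page is where an actual restore into a scratch environment belongs.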
Establish (and implement as needed) procedures to restore any loss of data.
Disaster recovery plan
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode.
Emergency mode operation plan
Implement procedures for periodic testing and revision of contingency plans.
Testing and revision procedures
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Applications and data criticality analysis
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart [the Security Rule].
Evaluation
A business associate [may] create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
Business associate contracts and other arrangements
List the Security Management Process Implementation Specifications:
Risk analysis (R)
Risk management (R)
Sanction policy (R)
Information system activity review (R)
List the Workforce Security Implementation Specifications:
Authorization and/or supervision (A)
Workforce clearance procedure (A)
Termination procedures (A)
List the Information Access Management Implementation Specifications:
Isolating healthcare clearinghouse function (R)
Access authorization (A)
Access establishment and modification (A)
List the Security Awareness and Training Implementation Specifications:
Security reminders (A)
Protection from malicious software (A)
Login monitoring (A)
Password management (A)
List the Security Incident Procedures Implementation Specifications:
Response and reporting (R)
List the Contingency Plan Implementation Specifications:
Data backup plan (R)
Disaster recovery plan (R)
Emergency mode operation plan (R)
Testing and revision procedures (A)
Applications and data criticality analysis (A)
List the Business Associate Contracts and Other Arrangements Implementation Specifications:
Written contract or other arrangement (R)
Which of these implementation specifications is part of the security management process standard?
o Risk management.
o Password management.
o Disaster recovery plan.
o Access authorization.
Risk management.
What is a sanction policy?
o Penalties for failing to comply with security policies.
o A procedure to regularly review access reports.
o An assessment of potential risks and vulnerabilities.
o Security measures that reduce risks and vulnerabilities.
Penalties for failing to comply with security policies.
Which administrative safeguard standard encompasses the concept of "minimum necessary"?
o Contingency plans.
o Assigned security responsibility.
o Evaluation.
o Workforce security.
Workforce security.
What is the purpose of the security and awareness training standard?
o To establish policies and procedures for granting access to electronic protected health information.
o To isolate healthcare clearinghouse functions.
o To establish a contingency plan in case of an emergency.
o To train everyone in your workforce about good security practices.
To train everyone in your workforce about good security practices.
"An attempted or successful unauthorized use of system operations" is the definition of which of the following?
o Evaluation.
o Security reminder.
o Security incident.
o Assigned security responsibility.
Security incident.
These requirements seem vague to me. I work for a small provider, and we don’t have a lot of money to spend on lawyers and IT staff. How do I know if my organization is compliant?
HIPAA compliance is an ongoing activity. You’re never going to say, “Okay, I’m done with HIPAA now!” You’ll continually need to evaluate your organization and make common-sense decisions about what you can do better.
Some of these requirements seem like they’re the same. Why are there six implementation specifications all about appropriate access?
Keep in mind that the Security Rule supports the Privacy Rule. “Minimum necessary” is a big part of the Privacy Rule, and that’s reflected in the Security Rule. Workforce security and information access management are similar standards, but they cover different aspects of ensuring overall appropriate access. By the way, appropriate access is just another phrase that means minimum necessary.