Appendix Q 463
Client Response:
2. Are there adequate provisions in the disaster recovery plan to ensure that
these processes can continue with minimal disruption in the event of a
disaster?
Guidance: Related to the question above, part of the HIPAA compliance
effort should be to ensure that processes to protect electronic protected
health information (identified in the question above) could be continued
with minimal effort or interruption.
Client Response:
b. ADDRESSABLE Implementation Specifications
Both of the addressable specifications related to contingency plans concern keeping the contingency plan current. Although these are addressable, i.e., not specifically required, no real alternatives exist. As a best practice, contingency plans and security practices in general should be evaluated on a regular basis, and adjustments should be made to reflect the current threats and vulnerabilities facing the business.
i. Testing and Revision Procedures
“Implement procedures for periodic testing and revision of contingency plans.”[26]
Guidance: As a best practice, contingency plans should be tested on a regular basis and updated as required. This was made an addressable specification to allow companies to do the level of testing and revision, or the alternative procedures, best suited to their environment. The example cited in the Federal Register concerns smaller entities, which might not find it reasonable to test as frequently or extensively. For example, a full test might not be feasible, but a portion of the contingency plan might be tested or a tabletop exercise might be done. When performing a security assessment, the level of testing and revision should be commensurate with the risk.
Client Response:
AU1706_book.fm Page 463 Tuesday, August 17, 2004 11:02 AM
464 A Practical Guide to Security Assessments
ii. Applications and Data Criticality Analysis
“Assess the relative criticality of specific applications and data in support of other contingency plan components.”[27]
This requirement is essentially calling for conducting an assessment to determine
criticality and risk related to specific applications and data.
Guidance: Although this is listed as a separate specification, the criticality of applications and data should be reviewed when performing the Risk Analysis — one of the first Administrative requirements in the HIPAA security regulations. As a best practice, however, the criticality of applications and data should be evaluated on a regular basis. Often, as new applications are rolled out, security and contingency plans are not given consideration and are treated as afterthoughts. The person owning the plan should be active in the process of understanding the criticality of data and applications.
Client Response:
8. STANDARD — EVALUATION (REQUIRED)
“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”[28]
1. Does the client perform any type of ongoing security assessment?
Guidance: This requirement is essentially an ongoing assessment for which the initial risk analysis can be used as a baseline. The goal of this requirement is to ensure that entities do not just implement HIPAA security requirements and then forget about them. The reality is that operations change and, as a result, the IT environment changes and the risks change. Notwithstanding HIPAA, ongoing security assessments should be done for any entity to ensure that the information security program is properly aligned with the risks the company is facing. Some ways to comply with this requirement include ongoing IT audits or regular security assessments (using internal or external resources). Some aspects of this requirement, based on the comments received during the comment phase of the HIPAA security rulemaking process, include:
• Internal or external resources can do ongoing assessments. Entities have the option based on the cost and availability of resources.
• Although HIPAA does not have any “certified” products, entities should monitor the National Institute of Standards and Technology (NIST) for relevant guidance and standards.
Client Response:
9. STANDARD — BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS (REQUIRED)
“A covered entity, in accordance with §164.306 [Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) [business associate contract], that the business associate will appropriately safeguard the information.”[29]
This regulation requires an entity to have assurance that if a “business associate”
creates, receives, maintains, or transmits electronic protected health information on
behalf of the covered entity, the business associate will appropriately safeguard the
information. The business associate requirement does not apply to the following:
• Transmission of electronic protected health information between a covered entity and a health care provider concerning the treatment of an individual
• Transmission of electronic protected health information from a group health plan, HMO, or health insurance issuer to a plan sponsor
• Transmission of electronic protected health information from or to government agencies that are health plans and provide public benefits
1. Does the client have any business associate relationships and if so, how
are they handled as it pertains to the security and privacy of electronic
protected health information?
Guidance: “Business associate relationships occur in those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity.”[30] Examples of business associates are professional services such as accounting, law, and consulting.
Client Response:
a. REQUIRED Implementation Specifications
i. Written Contract or Other Arrangement
“A covered entity, in accordance with §164.306 (Security Standards: General Rules), may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) (business associate contract regulations), that the business associate will appropriately safeguard the information.”[31]
A covered entity using a business associate should have a written agreement that appropriately safeguards the electronic protected health information in the associate’s possession.
1. Does the client have the appropriate contracts for any business associate
working for the client?
Guidance: For any business associates, there should be a standard contract that is used. Some of the elements to look for in a contract are those that require business associates to do the following:[32]
• Not use or further disclose the PHI (Protected Health Information) other than as permitted by the contract or as required by law
• Use appropriate safeguards to prevent unauthorized use or disclosure of the PHI
• Report to the covered entity any unauthorized use or disclosure of which it becomes aware
• Ensure that any agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate
• On termination of the contract, return or destroy all PHI in its possession, or, where that is not possible, extend the protections of the contract for as long as the information is retained
Client Response:
b. ADDRESSABLE Implementation Specifications
i. None
PHYSICAL SAFEGUARDS
The physical safeguards–related requirements are mostly “addressable” specifications. Note that these requirements are separate from the electronic security requirements, which cannot be performed in lieu of the Physical Safeguard controls listed below. There was some confusion over the meaning of “Physical Safeguards” when the HIPAA security requirements were first presented. Based on the Federal Register, Physical Safeguards are defined as:
“Security measures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
1. FACILITY ACCESS CONTROLS
Entities should have policies and procedures in place to limit physical access to their electronic information systems and the facility or facilities where they are housed, while ensuring that properly authorized access is allowed.[33]
a. REQUIRED Implementation Specifications
i. None
b. ADDRESSABLE Implementation Specifications
i. Contingency Operations
“Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”[34]
Policies and procedures should be in place to ensure that there is access to facilities to the extent required in restoring data as part of the disaster recovery plan and emergency mode operations. This specification is essentially a complement to the existing disaster recovery plan and emergency mode operations plan: some level of access to facilities is required when executing a disaster recovery plan or operating in emergency mode. Keep in mind that this is an addressable specification, meaning that covered entities have significant flexibility in how it is implemented. The flexibility is good for small companies that have limited budget and staff.
1. Do specific policies and procedures to limit access to physical facilities
exist?
Guidance: The basic policies and procedures are the foundation for limiting physical access and establishing good physical security controls. This enables personnel to be educated and provides management a basis for enforcement.
Client Response: