HIPAA Security Policy
Paragon Pain Rehabilitation LLP (“Paragon”) takes seriously the security of its patients’ health information. Paragon is committed to complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and supplemented by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), enacted as Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated pursuant to each, including the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164 (the “Security Rule”), as well as other federal, state and local laws, rules and regulations related to the use and disclosure of protected health information (“PHI”).
Paragon will ensure the confidentiality, integrity and availability of PHI it creates, maintains, receives or transmits in accordance with HIPAA, the HITECH Act and the Security Rule. To that end, Paragon has adopted a series of security procedures that address administrative, physical and technical safeguards.
The Paragon HIPAA Security Policy (“Security Policy”) and procedures set forth herein shall be reasonable and appropriate to comply with the standards, implementation specifications or other requirements of HIPAA, the HITECH Act and the Security Rule, taking into account the size, complexity, and capabilities of Paragon; the technical infrastructure, hardware, and software capabilities; the costs of security measures; and the probability and criticality of potential risks to PHI.
The policies and procedures set forth herein apply to all Paragon employees, volunteers, contractors and agents of Paragon (“Workforce”), who are expected to comply with Paragon’s policies and with the procedures set forth herein. These policies and procedures will be reviewed periodically and updated as necessary.
- Security Officer
- Administrative Safeguards
- Security Management Process
- Workforce Security and Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
- Facility Access Controls
- Workstation Use and Security
- Device and Media Controls
- Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
- Additional Procedures
Security Officer
The Director of Operations has been designated as the HIPAA Security Officer for Paragon. The Security Officer’s responsibilities shall include, but are not limited to:
- Working together with the Paragon Privacy Officer on the development, implementation and enforcement of Paragon’s policies and procedures, including those set forth herein, to comply with HIPAA, the HITECH Act and the Privacy and Security Rules;
- Investigating security incidents and implementing appropriate security measures to limit or mitigate improper use or disclosure of PHI, including electronic PHI (“ePHI”); and
- Working with the Privacy Officer to develop and present appropriate training programs regarding Paragon’s HIPAA security policies and procedures.
Administrative Safeguards
Security Management Process
Paragon shall, at a minimum, implement the following policies and procedures to prevent, detect, contain, and correct security violations:
- Risk Analysis: The Security Officer will conduct (or arrange to be conducted) regular assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI held by Paragon. Written reports documenting the findings of such assessments shall be maintained by Paragon.
- Risk Management: The Security Officer shall ensure that the provisions of this document, along with applicable Paragon information security policies, are implemented. The Security Officer shall evaluate the findings of Paragon’s risk assessments and draft (or cause to be drafted) a risk management plan to address identified threats or vulnerabilities to Paragon PHI.
- Sanction Policy: Paragon is responsible for ensuring that all Workforce members abide by the policies and procedures set forth herein, as well as applicable Paragon information security policies and procedures. In the event that a Workforce member violates any security policy, Paragon shall conduct an immediate investigation. In accordance with this Security Policy, appropriate sanctions, including, but not limited to, verbal warnings, written warnings, probationary periods, termination of access rights to PHI and/or termination of employment, may be imposed on persons who violate these policies depending upon the severity of the violation.
- Information System Activity Review: Paragon shall ensure that the electronic medical record system and patient management system(s) are capable of generating appropriate information system activity reports such as audit trails, log-in monitoring reports and security incident reports. Paragon will maintain these information system activity reports and conduct periodic (at least quarterly) reviews of them. The results of all information system activity reviews shall be retained by Paragon.
Workforce Security and Information Access Management
Paragon shall, at a minimum, implement the following policies and procedures to ensure that all Workforce members have appropriate access to PHI, and to prevent Workforce members who are not authorized for such access from obtaining access to PHI:
- Authorization and Supervision: Paragon is responsible for authorizing Workforce members to access PHI, and shall take reasonable steps to limit each Workforce member’s access to the minimum necessary for that person’s job responsibilities. Paragon will allow contractors, maintenance and other personnel access to areas where PHI may be stored only as necessary.
- Workforce Clearance: Paragon will review all new requests for access to its systems and grant the minimum necessary access. Paragon will also audit all existing active system users on a regular basis to ensure that each Workforce member has a level of access commensurate with his or her job responsibilities. The level of access of each Workforce member to Paragon systems shall be documented, reviewed regularly and revised as needed. Paragon shall ensure that a current record of user access is retained at all times.
- Termination Procedures: Upon the termination or resignation of any Workforce member, Paragon will immediately request that the Workforce member’s user ID and access be terminated. For Workforce members terminated for cause whom Paragon deems to be “high risk,” Paragon shall request termination of the Workforce member’s access on the same day as the individual’s last work day. In addition, Paragon shall recover all keys, identification cards and any other objects that facilitate physical access to its property, buildings and equipment from terminated or resigning Workforce members prior to their departure.
Security Awareness and Training
Paragon Workforce members receive ongoing security training as part of the annual HIPAA training. In addition, Paragon is responsible for implementing the following processes:
- Disseminating periodic security updates to Workforce members and ensuring that they are trained on any revisions to the Paragon’s security policies;
- Ensuring that appropriate malicious software (malware) protection is installed on Paragon systems and is routinely updated;
- Monitoring user log-ins and reporting any discrepancies to the Security Officer;
- Implementing safeguards to protect passwords, including:
- Instructing Workforce not to share or write down passwords.
- Ensuring that all user passwords are at least eight characters long and include a combination of alphabetic and numeric or “special” characters; and
- Employing system functionality that requires users to change their password(s) at least every 6 months.
Security Incident Procedures
Paragon shall identify and respond appropriately to any suspected or known security incident by, at a minimum:
- Ensuring that the processes outlined in this policy are implemented;
- Implementing any other necessary safeguards to mitigate potential harm;
- Working to continuously develop the security incident response plan, the protective measures implemented to reduce the likelihood of security incidents, and the list of required procedures to follow in the event of a security incident; and
- Documenting any suspected or known security incidents and the response to those incidents. Paragon shall maintain such documentation for six (6) years.
Contingency Plan
Paragon shall, at a minimum, implement the following policies and procedures for responding to emergencies or other occurrences that may damage systems containing ePHI:
- Data Backup: Paragon shall routinely create and maintain backups of all ePHI.
- Emergency Mode Operation: Paragon shall create an Emergency Mode Operations Plan, which shall assess and take into account the relative criticality of Paragon systems and serve as the contingency plan for continuing business operations while information assets are unusable because of an emergency or disaster. Paragon shall retain a copy of its completed Emergency Mode Operations Plan.
- Disaster Recovery: Paragon shall develop procedures for recovering any lost ePHI from its backups. The data recovery procedures shall be documented in the Emergency Mode Operations Plan.
- Testing and Revision Procedure: Paragon shall conduct tabletop drills on a regular basis to test its Emergency Mode Operations Plan. Paragon will prepare a report documenting the results of each test and revise its Emergency Mode Operations Plan as needed. Paragon shall retain the testing reports and each revised version of the Emergency Mode Operations Plan.
Evaluation
Paragon will periodically evaluate the effectiveness of its policies and procedures to ensure they continue to meet the requirements of HIPAA, the HITECH Act and the Security Rule. Paragon shall conduct such an evaluation on a regular basis, and the evaluator will prepare a report describing any noncompliance with HIPAA, the HITECH Act and the Security Rule. The Security Officer will develop (or cause to be developed) a written plan of action to correct any areas of noncompliance. The written report documenting noncompliance and the corrective action plan shall be maintained by Paragon.
Facility Access Controls
Paragon shall implement the following policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed:
- Contingency Operations: Paragon will develop procedures to grant temporary authorization to maintenance and repair personnel to access its facilities and electronic information systems during emergency occurrences for the purpose of restoring lost data and/or repairing damaged equipment. Those procedures shall be documented in Paragon’s Emergency Mode Operations Plan.
- Facility Security Plan: Paragon shall create a Facility Security Plan. The Facility Security Plan shall, at a minimum, establish procedures for:
- Implementing physical safeguards to prevent unauthorized physical access to, tampering with, or theft from Paragon facilities;
- Validating that only authorized personnel have access to Paragon facilities and documenting all personnel that have key cards, physical keys, key codes or other apparatuses that facilitate physical access to Paragon facilities;
- Regularly evaluating whether locking mechanisms need to be changed or altered to maintain the physical security of Paragon facilities;
- Using sign-in sheets to document visitor access and patient visits to Paragon facilities; and
- Maintaining documentation of all repairs and modifications to the security-related physical components of Paragon facilities, i.e. hardware, walls, doors and locks.
Paragon shall retain a current copy of its Facility Security Plan.
Workstation Use and Security
Workstations must be used solely for work-related purposes, and Workforce members should only have access to systems to the extent necessary to complete their job responsibilities. Workforce members are prohibited from using workstations for personal use and from downloading, installing, copying, or using any software applications or programs on any workstation without the permission of the Security Officer. Workforce members are also prohibited from storing ePHI on local hard drives, on their portable electronic devices or on personal computers.
The following measures to ensure the security of workstations and equipment also apply:
- Keep all network closets and server rooms locked at all times and limit physical access to only those personnel that require access to complete their job duties;
- Require that all unattended portable computing devices and electronic storage devices containing PHI are appropriately secured in locked areas;
- Locate workstations in a manner to restrict viewing and install privacy screens on workstations that can be viewed by patients and visitors;
- Review activity logs and audit trails at regular intervals to ensure compliance;
- Enable security settings on all workstations and portable computing devices to require entry of a unique user name and password to obtain access; and
- Enable lockout settings to return all workstations to a password-protected screen saver after a period of inactivity.
Device and Media Controls
Paragon shall, at a minimum, implement the following policies and procedures, which will govern the receipt and removal of hardware and electronic media that contain ePHI into and out of Paragon, and the movement of these items within Paragon:
- Disposal and Media Re-use: The following safeguards must be used when re-using or disposing of hardware and electronic media containing PHI:
- Sanitize any electronic media or device containing PHI before re-use. Reformatting alone does not reliably prevent recovery of previously stored data; the sanitization method (for example, overwriting, cryptographic erase or degaussing, consistent with industry-standard guidance such as NIST SP 800-88) must ensure that information previously contained on the device cannot be accessed or recovered. Workforce members who are uncertain of the appropriate sanitization method for a given type of media should contact the Security Officer;
- Shred or otherwise destroy paper records containing PHI prior to disposal;
- Employ appropriate methods that are designed to permanently remove data from memory locations when disposing of electronic media and devices containing PHI;
- Provide the Security Officer with a log of all electronic data destruction listing the device, date of destruction, individual authorizing the destruction, name of the individual or entity performing the destruction and final disposition of the device.
- Accountability: Paragon shall create and maintain an inventory of all hardware, software and electronic media containing ePHI. Paragon shall retain a current copy of its inventory.
- Data Backup and Storage: Prior to moving any Paragon equipment, it will be evaluated to determine whether such equipment contains PHI. For equipment that does contain PHI, Paragon shall ensure that a retrievable, exact copy of electronic PHI is created before that equipment is moved. All backups will be validated for accuracy, completeness and integrity, and appropriate safeguards should be implemented to protect the technical and physical security of stored backup media.
Technical Safeguards
Access Control
Paragon shall implement, at a minimum, the following technical policies and procedures for electronic information systems that maintain PHI to allow access to only those persons or software programs that have been granted access rights:
- Unique User Identification: Workforce members that have access to Paragon systems must be assigned unique logon IDs and passwords. An access control system shall identify each user and prevent unauthorized users from entering or using information resources.
- Emergency Access Procedure: The Emergency Mode Operations Plan shall document procedures for obtaining access to necessary electronic PHI in the event of an emergency.
- Automatic Log-off: Workstations’ and systems’ lock-out settings must be set to return to a locked screen after a period of inactivity. Paragon, in its discretion, shall determine the length of inactivity for system lock-out for each workstation based on the level of risk of unauthorized use of the workstation, and in a manner that does not disrupt clinical activity.
Audit Controls
Paragon shall conduct regular reviews of information system activity reports and address any discrepancies or potential security incidents. The frequency and depth of audits conducted by Paragon shall be commensurate with the criticality, value and sensitivity of the information.
Integrity
In order to protect electronic PHI from improper alteration or destruction, the Security Officer shall:
- Ensure that the policies and procedures set forth herein are followed by all Workforce members; and
- Evaluate and revise the policies and procedures set forth herein on an as needed basis to ensure that appropriate safeguards are in place to protect PHI from improper alteration or destruction.
Person or Entity Authentication
Unique logon IDs and passwords must be assigned to Workforce members with access to systems containing ePHI. Paragon shall implement at least the following procedures to verify that each person or entity seeking access to ePHI is the one claimed:
- Instructing Workforce not to share or write down passwords;
- Use of another Workforce member’s username/password is prohibited for logging into systems containing ePHI;
- Ensuring that all user passwords are at least eight characters long and include a combination of alphabetic and numeric or “special” characters; and
- Employing system functionality that requires users to change their password(s) at least every 6 months.
Transmission Security
Paragon shall, at a minimum, implement the following technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network:
- Integrity Controls: Paragon shall ensure that electronically transmitted PHI is not improperly modified without detection until disposed of by implementing the following measures:
- Ensuring that system settings are set to track all edits to PHI by user, date, and time;
- Password protecting email attachments that contain PHI; and
- Using encryption for the electronic transmission of e-mails or attachments containing PHI.
- Encryption: Paragon will work with IT and the Security Officer on an ongoing basis to identify systems that require encryption.