To write effective and uniform procedures that will support the objectives of the services provided by the HIM Services Department.
Delta Policy and Procedure
Purpose

This policy covers the unique user identification and password, emergency access, automatic logoff, encryption and decryption, firewall, and remote and wireless access procedures that apply to electronic information systems that maintain Electronic Personal Health Information (EPHI).

Policy

To write effective and uniform procedures that will support the objectives of the services provided by the HIM Services Department.

Procedure

The following are specific tips for writing and maintaining effective procedures:

1. Manage access to PHI. Monitor access activity; monitor and review inappropriate access activity.

2. Identification and password. Each user must ensure that their assigned User Identification is appropriately protected and only used for legitimate access to networks, systems, or applications. If a user believes their user identification has been compromised, they must report that security incident to their manager, who will contact the appropriate HIPAA Officer.

Policy: HIPAA Access Control 3

3. Emergency access.
a. To ensure that access to critical EPHI is maintained during an emergency situation, each Department must establish and implement procedures to ensure that access to a system that contains EPHI and is used to provide treatment to an individual is made available to any caregiver in the case of an emergency, if the denial of, or strict access to, that EPHI could inhibit or negatively affect an individual's care.
b. EPHI repositories that do not affect an individual's care are not subject to the foregoing emergency access requirement.

4. Automatic logoff. When leaving a server, workstation, or other computer system unattended, users must lock the system or activate its automatic logoff mechanism (e.g. Ctrl+Alt+Delete and Lock Computer), or log out of all applications and database systems containing EPHI.

5. Encryption and decryption. Encryption of EPHI as an access control mechanism is not required unless the custodian of that EPHI deems the data to be highly critical or sensitive. Encryption of EPHI is required in some instances as a transmission control and integrity mechanism.

6. Firewall and remote access. Firewalls must be configured to support the following minimum requirements:
• Limit network access to only authorized TennDent users and entities.
• Limit network access to only legitimate or established connections. An established connection is return traffic in response to an application request submitted from within the secure network.
• Console and other management ports must be appropriately secured or disabled.
• Implement a mechanism to log failed access attempts.
• The firewall must be in a physically secure environment.
Users of remote workstations must comply with HIPAA Security Policy – Workstation Acceptable Use Policy.
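The firewall requirements in item 6 (authorized sources only, established return traffic only, management ports secured, failed attempts logged) are easier to reason about as a decision procedure. The following is an added illustration, not TennDent's configuration or any vendor's rule syntax: a small stateful packet filter in Python that applies those four requirements to a constructed stream of packets. The address prefixes, the firewall address, the admin host, the permitted service port and the management ports are all made-up values for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" arrives from the untrusted side, "out" leaves the secure network
    src: str
    sport: int
    dst: str
    dport: int


# Constructed values for this example only (not TennDent's addressing or port plan).
AUTHORIZED_PREFIXES = ("10.20.", "10.99.")  # internal LAN and a remote-access VPN pool
PERMITTED_SERVICES = {443}                  # inbound services reachable by authorized users
FIREWALL_ADDR = "10.20.0.1"                 # the firewall's own inside address
MANAGEMENT_PORTS = {22, 23, 8443}           # console/management ports on the firewall
ADMIN_HOST = "10.20.0.50"                   # the only inside host allowed to manage the firewall


class StatefulFirewall:
    """Default-deny filter that tracks connections opened from the secure network."""

    def __init__(self):
        self.established = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.log = []             # record of every denied packet (failed access attempts)

    @staticmethod
    def authorized(ip):
        return ip.startswith(AUTHORIZED_PREFIXES)

    def _deny(self, pkt, reason):
        self.log.append(
            f"DENY {pkt.direction} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} ({reason})"
        )
        return "DROP"

    def evaluate(self, pkt):
        # Requirement: management ports are disabled except for the designated admin host.
        if pkt.dst == FIREWALL_ADDR and pkt.dport in MANAGEMENT_PORTS:
            if pkt.direction == "out" and pkt.src == ADMIN_HOST:
                return "ACCEPT"
            return self._deny(pkt, "management port not reachable from this source")
        # Outbound: only authorized users may open connections; remember the flow.
        if pkt.direction == "out":
            if not self.authorized(pkt.src):
                return self._deny(pkt, "unauthorized source")
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: return traffic for a connection opened from inside is "established".
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return "ACCEPT"
        # Inbound: authorized users may reach explicitly permitted services.
        if self.authorized(pkt.src) and pkt.dport in PERMITTED_SERVICES:
            return "ACCEPT"
        # Everything else is a failed access attempt and is logged.
        return self._deny(pkt, "no established connection")


def run_sample():
    """Evaluate a constructed packet stream; returns (decisions, denial log)."""
    fw = StatefulFirewall()
    traffic = [
        Packet("out", "10.20.1.5", 51000, "203.0.113.9", 443),   # inside user opens HTTPS
        Packet("in", "203.0.113.9", 443, "10.20.1.5", 51000),    # matching return traffic
        Packet("in", "203.0.113.9", 443, "10.20.1.5", 51001),    # unsolicited: no state
        Packet("in", "198.51.100.7", 40000, FIREWALL_ADDR, 22),  # outside host to console port
        Packet("in", "10.99.0.4", 40000, "10.20.1.5", 443),      # VPN user to permitted service
        Packet("out", "192.168.9.9", 5000, "203.0.113.9", 443),  # unauthorized inside source
        Packet("out", ADMIN_HOST, 5000, FIREWALL_ADDR, 22),      # admin host to console port
        Packet("out", "10.20.1.5", 5001, FIREWALL_ADDR, 22),     # ordinary user to console port
    ]
    decisions = [fw.evaluate(p) for p in traffic]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = run_sample()
    for d in decisions:
        print(d)
    print("\n".join(log))
```

The state table is keyed on the full four-tuple so that only the exact reply to an inside-initiated request is treated as established; a packet from the same server to a different port (the third packet above) is dropped and logged, which is the "failed access attempt" record the policy asks for.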
I think the TennDent policy guideline is specific in that they provide more detail in the policy.

References

Policy and Procedure Considerations for Health Information Exchange Organizations. (n.d.). Retrieved from http://bok.ahima.org/doc?oid=107715

https://content.learntoday.info/Learn/HI435_Summer_12/site/Media/TennDent%20Policy%20HIPAA-Access-Control.pdf