Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 1 - Security Management Process


Title: Risk Analysis (R)
Policy: SEC-01.01
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: § 164.308(a)(1)(ii)(A)
Standard: Security Management Process
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

Implement policies and procedures to prevent, detect, contain, and correct security violations.

Policy

OSU will regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by OSU.  §164.308(a)(1)(ii)(A)

Procedure

OSU will complete a Risk Analysis in accordance with the HIPAA Security Rule and will keep thorough documentation.  The Risk Analysis will include, but is not limited to, the following:

  1. A physical audit of all clinic locations and of other areas in OSU facilities where PHI may be stored.
  2. An information security questionnaire completed by all departments, including Information Technology (IT).
  3. In cooperation with IT, the HIPAA Compliance Office will maintain an electronic document of all known locations (servers, computers, etc.) that house PHI.
  4. Items of concern that need addressing by the respective departments.
  5. Follow-up notes on how the respective department(s) addressed the items of concern.

Reference

Appropriate Contingency Plan



Title: Risk Management (R)
Policy: SEC-01.02
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: § 164.308(a)(1)(ii)(B)
Standard: Security Management Process
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To provide security measures sufficient to reduce risks and vulnerabilities to electronic protected health information.

Policy

OSU will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with policies SEC-00.03 and SEC-00.04.  §164.308(a)(1)(ii)(B)

OSU will take the necessary steps to maintain the confidentiality, integrity, and availability of electronic protected health information held by OSU.

Procedure

OSU has an ongoing HIPAA Steering Committee which meets periodically to provide proper oversight of HIPAA Privacy and Security compliance.  The HIPAA Compliance Office will provide guidance and direction to ensure all HIPAA security requirements are met.  This office will be responsible for coordinating meetings of the Steering Committee and setting their agenda.

The HIPAA Compliance Office will require the assistance of the OSU IT department, OSU Security Officer and the OSU-CHS/OSU-Tulsa IT staff in order to address and implement Security Rule standards regarding IT-related projects and security of the network.

All OSU-CHS employees will receive initial HIPAA Security compliance training, coordinated by the HIPAA Compliance Officer.  After initial training is complete, HIPAA training will be modified to include the security policies as well.  In addition, the HIPAA Compliance Officer will work with the IT staff to provide regular security training information and updates as appropriate.  A departmental website, email alerts, newsletters, and other means will be used to communicate information to employees, either from the HIPAA Compliance Office or from IT directly.

Once the compliance plan is implemented, the HIPAA Compliance Office will direct ongoing evaluation and review of existing policies and procedures to maintain appropriate levels of security.  This will include electronic auditing methods, internal audit review, site walk-throughs and other methods to monitor and maintain compliance.

OSU used the CMS web material, NIST standards, the Federal Register containing the Final Rule, and the American Osteopathic Association's guide as its references for implementation.



Title: Sanctions (R)
Policy: SEC-01.03
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: § 164.308(a)(1)(ii)(C); § 164.530(e)(1)
Standard: Administrative Safeguards
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

This policy covers the possible sanctions against OSU workforce members who fail to comply with the policies and procedures of this organization with regard to HIPAA.

Policy

OSU will apply appropriate sanctions against workforce members who fail to comply with the HIPAA policies and procedures of OSU.  §164.308(a)(1)(ii)(C)

This policy does not cover the subject of sanctions taken by the regulating agencies against OSU.  It does not apply to employees with respect to actions or disclosures of whistle blowers or victims of crime.

Sanctions will be consistent with existing OSU policies and procedures regarding discipline in the workplace.  Sanctions are imposed at the discretion of administration and may range from a verbal warning to termination of employment.

OSU will maintain documentation of all sanction policies.  Training will be provided to all employees for clarification purposes.  Training records will be maintained in the HIPAA Compliance Office and/or designated locations. 

Violations and sanctions will be documented and maintained in the employees’ personnel file.

OSU employees are protected from intimidation, threats, coercion, discrimination, or other retaliatory actions for filing a complaint with the Secretary of Health and Human Services (HHS) under subpart C of part 160, the Enforcement Rule.

There are many types of HIPAA breaches and violations.  Some common examples for which an individual may receive sanctions include, but are not limited to:

  • Discussing patient information in a public area.
  • Leaving a copy of patient information in a public area.
  • Leaving a computer unattended in a patient accessible area with Protected Health Information (PHI) unsecured.
  • Accessing and viewing the record of a patient out of curiosity or concern (coworker, supervisor, public personality, own medical record, etc.).
  • Releasing information without appropriate authorization, to include discussion about a patient not related to direct patient care.
  • Removing from the premises any paper document containing PHI (including but not limited to medical records, schedules, test results, or EOBs) that is not needed for Treatment, Payment or Operations (TPO).
  • Violating password or log-on policy.
  • Removal of equipment or any computer device containing ePHI (including but not limited to disks, flash drives, or email).
  • Maintaining ePHI in unsecure areas outside of a network storage drive.
  • Reviewing patient records to use information for a personal relationship (including but not limited to accessing a birthdate or address).
  • Compiling a mailing list of patients for personal use or financial gain.
  • Sale of any PHI to an individual, company, or corporation.
  • Causing or participating in any theft or compromise of PHI.
  • Failure to report a known or suspected HIPAA violation by oneself or a coworker.

All breaches and/or violations of HIPAA and/or OSU policy are eligible for sanctions against the employee(s) involved, whether they knew or should have known about the issue.

Depending on the severity of the offense, any breach and/or violation may receive any of the following sanctions:

  • Verbal warning and retraining
  • Plan of Corrective Action
  • Warning letter with plan of corrective action with a notice of possible termination
  • Revocation of system access
  • Suspension without pay
  • Termination
  • Reports to law enforcement, licensing agencies or other officials as necessary.

The level of sanctions for all breaches/violations depends on the size, scope, intent and the employee’s prior history.  Employees in a supervisory role will be held to a higher standard.

Procedure

  1. All employees are obligated to report any known or suspected breach or violation of HIPAA or OSU policy.
  2. All reports are to be made to the HIPAA Compliance Officer via phone, in person, email, or EthicsPoint.
  3. If a report is made to any other individual besides the HIPAA Compliance Officer or his/her designee, that individual must report it to the HIPAA Compliance Officer.  For example, a report is made to a supervisor; the supervisor shall report the issue to the HIPAA Compliance Officer.
  4. Upon notification of a possible or suspected breach or violation, the HIPAA Compliance Officer will conduct an investigation without unreasonable delay.
  5. The HIPAA Compliance Officer may enlist the help of the Department of Information Technology, Human Resources, the HIPAA Steering Committee, OSU General Counsel, Outside Legal Counsel, Administration, the Office of the President of OSU, and the State Board of Regents if need be.
  6. As part of the investigation, the HIPAA Compliance Officer will take into account the following four factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
    3. Whether the PHI was actually acquired or viewed; and
    4. The extent to which the risk to the PHI has been mitigated.
  7. Upon completion of the investigation, the HIPAA Compliance Officer will write a report, detailing the events of the issue, without further disclosing any PHI, and provide recommendations as to how to resolve and mitigate the issue.
  8. The report will be kept on file in the HIPAA Compliance Office and sent to Human Resources, where sanctions will be determined.  Please see above list of possible sanctions.
  9. The HIPAA Compliance Officer will then notify all affected patients following the procedures in the Breach Notification Policies.
  10. The HIPAA Compliance Officer will meet with the HIPAA Steering Committee to discuss the issue and address the mitigation of the now known problem, if needed.
  11. At any time throughout this process, a report to law enforcement or a licensing or regulatory agency may be made at the discretion of Administration.

Reference

PRV-13.05 Sanctions



Title: Information System Activity Review (R)
Policy: SEC-01.04
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: § 164.308(a)(1)(ii)(D)
Standard: Security Management Process
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To define how OSU will conduct System Activity Tracking.

Policy

OSU will implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.  §164.308(a)(1)(ii)(D)

Procedure

OSU will review records of information system activity at least monthly.  Additional reviews will be done as needed when incidents are reported or suspected.  The following areas will be reviewed:

  • Electronic Medical Records Software
  • Practice Management / Financial Software
  • Windows / Network Access / Application Access Programs
  • Internet Usage
  • Confirmation that terminated employees' access to the various systems has been appropriately revoked.

  1. The OSU HIPAA Compliance Office shall be responsible for the review of system activity, such as logins, file access, access-level modifications, and security incidents.  OSU IT and Campus Security staff will make themselves available to offer assistance as needed.
  2. The audit standards shall be reviewed periodically and modified if indicated.
  3. The review logs will be kept by the HIPAA Compliance Office.
  4. OSU shall implement processes to monitor and log access to the various OSU Medical and Business Office software systems and other systems deemed necessary.
  5. OSU may utilize third party software to assist in the auditing and tracking as required of this policy.
  6. OSU shall have in place policies and procedures regarding audit procedures necessary for review of security breaches.
  7. OSU shall have in place, consistent with OSU personnel policies and procedures, defined security infractions and the associated penalties or disciplinary actions associated with such infractions.
  8. All staff with access to ePHI shall be made aware of the audit standards and possible sanctions for failure to follow such policies.

Reference

Audit Controls

