In compliance with the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d), Upbring will ensure reasonable protection of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) (as defined in 45 C.F.R. 160.103). Upbring may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the HIPAA regulation.
Upbring is committed to protecting Protected Health Information (PHI) in accordance with the standards established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
General Security Compliance Requirements (45 CFR 164.306)
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that Upbring creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure compliance with the Security Regulations by its Workforce.
1. Security Personnel and Implementation
Upbring has designated a Security Officer with overall responsibility for the development and implementation of policies for the Security Regulations. The HIPAA Security Officer is Upbring’s IT Manager in Technology Services and is responsible for:
- Complying with HIPAA Security Policies
- Maintaining the confidentiality of all PHI
- Training all Workforce members at the appropriate level of HIPAA training
Upbring will implement reasonable and appropriate security measures to comply with the security standards in the Security Regulations. To determine what is reasonable and appropriate, Upbring will weigh its size, capabilities, technical infrastructure, security capabilities, and the costs of the security measures against the potential risks of PHI disclosure.
3. Security Complaints
The Security Officer is responsible for facilitating a process for individuals to file a complaint regarding the handling of PHI by an Upbring workforce member. The Security Officer is responsible for ensuring that the complaint and its disposition are appropriately documented and handled.
4. Sanctions and Non-Retaliation
Upbring will apply appropriate discipline and sanctions to employees and any other Workforce members for violations of the Security Policies. Upbring will refrain from intimidating or retaliating against any person for exercising his/her rights under the Security Regulations, or for reporting any concern, issue or practice that such person believes to be in violation of the Security Regulations. Upbring will not require any person to inappropriately waive any right to file a complaint with the Department of Health and Human Services.
5. Security Policies and Procedures
Upbring HIPAA Security Policies and Procedures are designed to ensure compliance with the Security Regulations. Such security policies and procedures shall be kept current and in compliance with any changes in the law, regulations or practices of Upbring in accordance with HIPAA.
6. Responsibility of All Employees
- Upbring Workforce is responsible for being aware of, and complying with, the Security Policies and Security Procedures.
- Any Upbring employee or volunteer must immediately report a lost or stolen mobile device that is used to store PHI, or an unencrypted email containing PHI that was sent to the wrong person. Reports must be made to the IT Help Desk. Failure to make the report may result in sanctions.
Any individual found to have violated this policy may be subject to disciplinary action.
Upbring will review, evaluate, and modify security measures implemented to comply with the HIPAA regulation to continue reasonable and appropriate protection of EPHI.
1. Security Management Process (45 CFR 164.308(a)(1))
A. Risk analysis
Upbring will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by Upbring or its business associates.
B. Risk management
Upbring will implement security measures and safeguards that are reasonable and appropriate to reduce risks and vulnerabilities.
C. Sanction policy
Upbring will apply appropriate sanctions against Workforce members who fail to comply with the security policies and procedures of Upbring or its business associates.
D. Information system activity review
Upbring will regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Security incidents will be logged and reported immediately to Information Technology.
2. Assigned Security Responsibility (45 CFR 164.308(a)(2))
Upbring will assign, and document, the person responsible for the development and implementation of the policies and procedures for HIPAA Security. That responsibility is assigned to:
Upbring IT Department
3. Workforce Security (45 CFR 164.308(a)(3))
A. Authorization and/or supervision of PHI
Upbring will create procedures to ensure that only users with a need to access PHI are granted access to PHI. Any user needing access to PHI must be approved by their supervisor before being granted access. Upbring will maintain documentation supporting each user's access to all PHI involved. This access will be reviewed annually.
B. Workforce clearance procedure
Upbring will create procedures to determine that the access to PHI is needed and appropriate for each user. This will be determined by each department head where PHI is involved.
C. Termination of access
Upbring will develop and implement a procedure for terminating access to PHI when the user’s employment ends:
- Department head and/or human resources notifies information technology
- User network account is made inactive
- User is removed from all email distribution lists
- User is removed from any extranet systems
4. Information Access Management (45 CFR 164.308(a)(4))
Upbring will authorize and/or supervise employees and volunteers who work with EPHI or in locations where it might be accessed. Upbring will determine when the access of an employee or volunteer to PHI is appropriate and Upbring will ensure termination of access to PHI when the volunteer or employee is no longer with Upbring.
5. Security Awareness and Training (45 CFR 164.308(a)(5))
A. Security reminders
- Upbring has established procedures on how Upbring departments and users will be notified of periodic updates of security changes in HIPAA security policies and procedures and general security policies.
- Upbring has established procedures on how to notify departments and users of any warnings that are issued for discovered, reported or potential threats.
B. Protection from malicious software
- Upbring will provide training to all its users on how to identify and protect against malicious code and software.
- Information Technology will develop and implement procedures to detect and guard against malicious code such as viruses, worms and adware, and any other computer program or code designed to interfere with the normal operation of a system.
- A virus detection system is implemented on all workstations including a procedure to ensure that the virus detection software is maintained and up to date.
- Information Technology will notify all departments and users of new and potential threats from malicious code such as viruses, worms, denial of service attacks, and any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures.
- Departments and users will notify Information Technology if a virus, worm or other malicious code has been identified.
- Information Technology will be responsible for ensuring that any system that has been infected by a virus, worm or other malicious code is immediately cleaned and properly secured or isolated from the rest of the network.
C. Log-in monitoring
- Information Technology will implement a mechanism to log and document failed login attempts on each system containing medium and high-risk PHI.
- Information Technology will review such log-in activity reports on a periodic basis.
- All failed log-in attempts of a suspicious nature, such as continuous attempts, must be reported to the HIPAA Security Officer.
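The log-in monitoring bullets above describe three controls: record failed attempts, review them periodically, and escalate "continuous" attempts to the Security Officer. The script below is an added example (not Upbring's own tooling) showing what that review looks like as code. It assumes each system holding PHI writes one line per authentication event in the constructed format shown in SAMPLE_LOG; the field names, host names, user IDs, addresses, the threshold of 5 failures and the 10-minute window are all assumptions for the example.

```python
"""Failed-login monitoring over constructed audit log lines (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines: two benign users who mistype once or twice,
# and one account hammered with six failures in under half a minute.
SAMPLE_LOG = """\
2024-03-04T08:01:12 host=ehr-app1 user=jdoe src=10.0.5.23 event=LOGIN_FAILED
2024-03-04T08:01:40 host=ehr-app1 user=jdoe src=10.0.5.23 event=LOGIN_OK
2024-03-04T08:02:05 host=ehr-app1 user=msmith src=10.0.5.41 event=LOGIN_FAILED
2024-03-04T08:02:30 host=ehr-app1 user=msmith src=10.0.5.41 event=LOGIN_FAILED
2024-03-04T08:03:01 host=ehr-app1 user=msmith src=10.0.5.41 event=LOGIN_OK
2024-03-04T08:10:00 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T08:10:04 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T08:10:09 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T08:10:13 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T08:10:18 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T08:10:22 host=ehr-db1 user=admin src=10.0.9.77 event=LOGIN_FAILED
2024-03-04T09:30:00 host=ehr-app1 user=jdoe src=10.0.5.23 event=LOGOUT
"""

# Assumed line format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_continuous_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (host, user, source) triples with >= threshold consecutive failures
    inside the window. A successful login ends the streak, so a user who
    mistypes twice and then signs in is not reported."""
    streaks = defaultdict(deque)   # key -> timestamps of the current failure streak
    alerts = {}                    # key -> alert dict, updated as the streak grows
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"], e["src"])
        if e["event"] == "LOGIN_OK":
            streaks[key].clear()
            continue
        if e["event"] != "LOGIN_FAILED":
            continue
        q = streaks[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            if key in alerts:
                alerts[key].update(failures=len(q), last=e["ts"])
            else:
                alerts[key] = {"host": key[0], "user": key[1], "src": key[2],
                               "failures": len(q), "first": q[0], "last": e["ts"]}
    return list(alerts.values())


def failures_by_user(events):
    """Per-user failure counts for the periodic review report."""
    return Counter(e["user"] for e in events if e["event"] == "LOGIN_FAILED")


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("failed logins per user:", dict(failures_by_user(evts)))
    for a in find_continuous_failures(evts):
        print(f"ESCALATE to Security Officer: {a['user']}@{a['host']} from {a['src']} "
              f"failed {a['failures']} times between {a['first']} and {a['last']}")
```

In practice the script would read the exported log rather than the embedded sample, and the threshold and window would be set per system according to its PHI risk level; the point is that "continuous attempts" is a rule you can state precisely (consecutive failures, not interrupted by a success, within a time window) and run every review cycle.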
D. Password management
Information Technology will develop and implement procedures for creating, changing, and safeguarding passwords. The following minimum procedures will be followed:
- All users, including Upbring employees, vendors, and agencies, who use a computer or have access to network resources or systems will have a unique user identification and password.
- All computers, network resources, systems and applications will require the user to supply a password in conjunction with their unique user identification to gain access.
- A role-based user identification and password may be utilized for access to shared or common area workstations so long as the login provides no access to PHI. Access to PHI will be permitted only if a second, unique user ID and password is required.
- All passwords will be of sufficient complexity to ensure that they are not easily guessable by dictionary attacks.
- Department heads and IT will be responsible for making their employees aware of all password-related policies and procedures, and any changes to those policies and procedures.
- IT will be responsible for setting password aging times for systems, networks, and applications.
- All employees are responsible for the proper use and protection of their passwords and must adhere to the following guidelines:
- Passwords are only to be used for legitimate access to networks, systems, or applications.
- Passwords must not be disclosed to other users or individuals.
- Employees must not allow other employees or individuals to use their password.
- Passwords must not be written down, posted, or exposed in an insecure manner.
E. Security training
Upbring will ensure that its employees have been given the appropriate level of HIPAA security training so that all employees who access, receive, transmit or otherwise use PHI are familiar with security policies and procedures and their responsibilities regarding such policies and procedures.
6. Security Incident Procedures (45 CFR 164.308(a)(6))
A. All incidents, threats, or violations that affect or may affect the confidentiality, integrity, or availability of EPHI must be reported and responded to using the following procedures:
- Users will notify IT of issues involving viruses, worms, or malicious code; network- or system-related attacks; unauthorized access to PHI or to systems containing PHI; and intrusion attempts from outside.
- IT will investigate and recommend updates or fixes for security incidents.
- The HIPAA security and privacy officers will notify each other of security or privacy issues and then notify management.
B. The security officer will document all security related incidents and their outcomes. IT will develop and implement disaster recovery reporting procedures for failures, outages, or data loss that involve EPHI systems or applications.
7. Contingency Plan (45 CFR 164.308(a)(7))
A. Data backup plan
- IT will establish and implement a Data Backup Plan which will allow for retrievable exact copies of all data and files on Upbring systems.
- The Plan will require that all media used for the backups be stored in a physically secure location off-site.
B. Disaster recovery plan
- Upbring will create a plan to recover in a timely manner from the loss of data due to an emergency or disaster, such as a fire, vandalism, terrorism, system failure, or natural disaster affecting systems.
- The Plan will include procedures to restore data from backups in the case of a disaster causing data loss.
C. Emergency mode operation plan
Upbring will establish procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode. The Plan will be documented and easily available to the necessary personnel.
D. Testing and revision procedures
- Data backup procedures will be tested on a periodic basis to ensure that exact copies can be retrieved.
- The plan will be tested on a periodic basis to make sure systems and data can be restored or recovered.
- Emergency mode operation procedures will be tested on a periodic basis to ensure that critical business processes can continue in a satisfactory manner while operating in emergency mode.
E. Applications and data criticality analysis
- Upbring will assess the relative criticality of specific applications and data in support of other contingency plan components.
8. Evaluation (45 CFR 164.308(a)(8))
Upbring will ensure that a periodic technical and non-technical evaluation is performed, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of EPHI, to make sure Upbring’s security policies and procedures meet the requirements of the HIPAA regulation.
A. Periodic evaluation
- Upbring will evaluate its security policies to determine their compliance with the HIPAA Security Regulations. Upbring will make the security policies compliant with the Security Regulations and will evaluate security policies on a periodic basis for environmental or operational changes affecting the security of PHI.
- The Security and Privacy Officers will, on an annual basis, review the policies and procedures for compliance with the Security Regulations.
- When changes are made to security policies or procedures all department management will be notified of the changes.
- Review of the security policies and procedures will be made upon any changes to the HIPAA Security Regulations.
9. Business Associate Contracts and Other Arrangements (45 CFR 164.308(b)(1))
Upbring may permit a business associate to create, receive, maintain, or transmit EPHI on Upbring’s behalf only if Upbring obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. Upbring is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
1. Facility Access Controls (164.310(a)(1))
Upbring will implement policies and procedures to limit physical access to its EPHI systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
2. Implementation Specifications (164.310(a)(2))
A. Contingency operations
Upbring will create procedures to allow physical facility access during emergencies to support restoration of data under a disaster recovery plan.
B. Security plan
Upbring will create and maintain a general Upbring security plan that safeguards all facilities, systems, and equipment against unauthorized physical access, tampering, and theft.
C. Access control and validation procedures
- Upbring will validate an employee’s access to facilities where PHI is available.
- Upbring will control, validate, and document visitor access to any facility where PHI is stored. Visitors include vendors, repair personnel, and other non-employees.
- Upbring will secure the physical locations where PHI data is stored.
- Facilities where PHI is available will provide appropriate access control mechanisms for access to the facility.
D. Maintenance records
Upbring will manage repairs and modifications to the physical security components of the facility including locks, doors, and other physical access control hardware.
3. Workstation Use (45 CFR 164.310(b))
- All employees will ensure that all computers that access PHI are used in a secure and legitimate manner.
- Users of Upbring systems and workstations should have no expectation of privacy. To appropriately manage its information systems and enforce appropriate security measures, IT may log, review, or monitor any data stored or transmitted on its information systems.
- Upbring may remove or deactivate any user privileges and access to secured areas, when necessary to preserve the integrity, confidentiality and availability of its facilities, user services, and data.
4. Server, Desktops, Laptops, and Wireless Computer System Security (45 CFR 164.310(c))
- Upbring will ensure all servers, desktops, laptops and other computer devices used to access, transmit, receive or store PHI are appropriately secured.
- Servers will be located in a physically secured environment.
- The system administrator or root account will be password protected.
- A user identification and password authentication mechanism will be implemented to control user access to the server and workstation.
- A security patch and update procedure will be established and implemented to ensure that all security patches and updates are promptly applied.
- Servers must be located on a secure network with firewall protection.
- All unused or unnecessary services shall be disabled.
- Upbring uses a virus detection system and this virus detection software is maintained and up to date.
- Desktop systems that are located in open, common, or otherwise insecure areas must also implement the following measures:
- An inactivity timer or automatic logoff mechanisms must be implemented.
- The workstation screen or display must be situated in a manner that prohibits unauthorized viewing.
- Mobile stations that are located or used in open, common, or otherwise insecure areas must also implement the following measures:
- A theft deterrent device.
- An inactivity timer.
- Reasonable safeguards used to prohibit unauthorized entities from viewing confidential information such as logins, passwords, or PHI.
- PHI on Personal Digital Assistants (PDAs) and other handheld mobile devices must be purged as soon as it is no longer needed on that device.
Each mobile system that is used to access, transmit, receive, or store EPHI must comply with as many of the aforementioned measures as the device allows.
5. Device and Media Controls (45 CFR 164.310(d)(1))
A. Definitions
- Device: including but not limited to personal computers, laptops, handheld units, and PDAs.
- Storage Media: including but not limited to disk drives, tapes, floppy disks, CDs, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.
B. Disposal
All PHI on decommissioned devices and storage media must be irretrievably destroyed in order to protect the confidentiality of the data contained. If the device or media contains PHI that is not required or needed, and is not a unique copy, a data destruction tool must be used to destroy the data on the device or media prior to disposal. A typical reformat is not sufficient, as it does not overwrite the data. If the device or media contains the only copy of PHI that is required or needed, a retrievable copy of the PHI must be made prior to disposal. Paper containing sensitive information should be shredded.
C. Media reuse
Any equipment or storage media that contains confidential, critical, internal use only, and/or private information will be erased by appropriate means or destroyed by IT before the equipment/media is reused.
D. Record of movements
When using storage devices and removable media to transport PHI, Upbring will implement a tracking system to monitor the movement of those devices and media and the parties responsible for them during their movement.
1. Access Control (45 CFR 164.312(a)(1))
A. Unique user identification
- All users that require access to any network, system, or application will be provided with a unique user identification.
- Passwords must be a minimum of 8 characters in length.
- Passwords must not include easily guessed information such as personal information, names, pets, birthdates, etc.
- Users will not share their unique user identification or password with anyone.
- Users must ensure that their user identification is not documented, written, or otherwise exposed in an insecure manner.
- If a user believes their user identification has been compromised, they must report that security incident to IT, which will issue a new password.
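The Password management procedures (Security Awareness and Training, D) and the Unique user identification bullets above state the same minimums twice: at least 8 characters, not easily guessable by a dictionary attack, and free of personal information such as names, pets or birthdates. The checker below is an added example (not Upbring's own tooling) that turns those statements into an enforceable rule. The word list, the leet-speak substitution table, the requirement of three character classes and the sample user details are all constructed for the example; a real deployment would load a large breached-password or word list instead of the eight-word DICTIONARY.

```python
"""Password-policy checker for the policy's stated minimums (added example)."""
from datetime import date
import re

MIN_LENGTH = 8
# Constructed mini dictionary; a real check uses a list of many thousands of words.
DICTIONARY = {"password", "welcome", "letmein", "upbring", "qwerty", "summer", "monkey", "dragon"}
# Substitutions a dictionary attack tries, so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET)


def based_on_dictionary_word(password):
    core = re.sub(r"[^a-z]", "", normalize(password))
    if core in DICTIONARY:
        return True
    # A word plus a short prefix/suffix ("Summer2024!") is what attackers try first.
    return any(len(w) >= 5 and (core.startswith(w) or core.endswith(w)) for w in DICTIONARY)


def personal_terms(user_id, full_name, pet=None, birthdate=None):
    """Strings the policy says must not appear in a password (constructed set)."""
    terms = {user_id, *full_name.split()}
    if pet:
        terms.add(pet)
    if birthdate:
        terms |= {birthdate.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y")}
    return sorted(t.lower() for t in terms if len(t) >= 3)


def check_password(password, user_id, full_name, pet=None, birthdate=None):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("fewer than 3 character classes")
    if based_on_dictionary_word(password):
        violations.append("based on a dictionary word")
    low, norm = password.lower(), normalize(password)
    for term in personal_terms(user_id, full_name, pet, birthdate):
        if term in low or normalize(term) in norm:
            violations.append(f"contains personal information ({term})")
    return violations


if __name__ == "__main__":
    # Constructed user record used to illustrate the personal-information rule.
    who = dict(user_id="jdoe", full_name="Jane Doe", pet="Rex", birthdate=date(1985, 6, 14))
    for candidate in ("Summer1985!", "P@ssw0rd1", "short1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate, **who) or 'OK'}")
```

The check is deliberately conservative: it reports every rule a candidate breaks rather than stopping at the first, which gives the help desk a complete explanation to hand back to the user. Note that normalize() is applied to both the password and the personal terms, so "J4ne" is still caught as the first name.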
B. Emergency access
- IT will establish and implement as needed procedures for obtaining necessary EPHI during an emergency.
- Systems that do not affect patient care are not subject to the emergency access requirement.
C. Automatic logoff
- Any server or workstation that stores or accesses PHI will have a password-protected screensaver enabled.
- Any servers or workstations that are located in a locked or secure environment need not implement inactivity timers.
- When leaving a server or workstation unattended, the user must lock the system, activate its automatic logoff mechanism, or log out of all applications and database systems containing PHI.
D. Encryption and decryption
- Encryption of PHI as an access control mechanism is not required unless the custodian of said PHI deems the data to be highly critical or sensitive. Encryption of PHI is required in some instances as a transmission control and integrity mechanism.
E. Firewall use
- Upbring’s network will implement perimeter security and access control with a firewall.
- IT will document the configuration of its firewalls used to protect the networks.
F. Remote access
- Remote access connections require authentication and encryption mechanisms when connecting via an internet service provider or dialup connection.
- The following security measures must be implemented for any remote access connection:
- Mechanisms to bypass authorized remote access mechanisms are strictly prohibited without the express written consent of IT.
- Remote access systems must employ a mechanism to “clear out” cache and other session information upon termination of session.
- Remote access workstations must employ a virus detection and protection mechanism.
- All encryption mechanisms implemented will support a minimum of 128-bit encryption.
- Any user requesting remote access to the Upbring network must be approved by their department head and IT to ensure that the remote workstation device meets security measures.
G. Wireless access
- Wireless access to Upbring networks is permitted when the following security measures have been implemented:
- Encryption must be enabled.
- MAC-based or User ID/Password authentication must be enabled.
- Unmanaged, ad-hoc, or rogue wireless access points are not permitted.
- All encryption mechanisms implemented will support a minimum of 128-bit encryption.
2. Audit Control (45 CFR 164.312(b))
- IT will implement system logging mechanisms for all systems that contain PHI.
- Each system’s audit log will include at least User ID, login date/time, and logout date/time.
- System audit logs will be reviewed on a regular basis.
3. Integrity (45 CFR 164.312(c)(1))
- Upbring will use mechanisms such as error-correcting memory and RAID disk arrays to protect data from alteration or being destroyed.
- Upbring data will be protected from alteration or destruction by viruses or other malicious code.
- For data integrity during transmission, Upbring will implement mechanisms to corroborate that PHI is not altered or destroyed during transmission.
4. Person or Entity Authentication (45 CFR 164.312(d))
- All users who use any network, workstation, system, or application that contains PHI will be required to log in with a user ID and password.
- Users must not misrepresent themselves by using another person’s user ID and password.
- Users are NOT permitted to allow other persons or entities to use their unique user ID and password.
- A reasonable effort will be made to verify the identity of the receiving person or entity prior to transmitting PHI.
5. Transmission Security (45 CFR 164.312(e)(1))
- All transmissions of PHI files, folders or documents outside the Upbring network will be secured.
- All receiving entities will be authenticated before transmission.
- Any transmissions should include only the minimum amount of PHI.
- Use of E-mail to transmit PHI can be used if the following conditions are met:
- The PHI data must be in a password protected document.
- The sender can authenticate the receiver.
- The receiver has given permission to have their PHI sent via E-mail.
- The receiver has been made aware of the risks involved.
- Wireless connections can be used within the Upbring network since those connections are secured and encrypted. Wireless connections outside the Upbring network should not be used.
- Integrity controls:
- Transmitting PHI via removable media will require the documents to be password protected.
- All receiving entities will be authenticated before transmission.
- Any transmissions should include only the minimum amount of PHI.