Monday, December 27, 2004

Contingency Plan

The Contingency Plan section of the Administrative Rule is made up of 5 tasks: 3 of them are required and 2 are addressable. These tasks establish and implement policies and procedures for responding to an emergency that damages systems that contain EPHI. This section can take some time to complete, although you may already have some portions covered under other policies and procedures.

The first Contingency Plan task is the Data Backup Plan. You must establish and implement procedures to create and maintain retrievable exact copies of EPHI.

Most agencies already have this task covered. However, you should review and document your backup procedure to ensure you are confident that EPHI data can be recovered in case of a disaster.
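A restore drill for the "retrievable exact copies" requirement, added here as an example and not part of the original post: it records a SHA-256 manifest of the EPHI files at backup time, restores the backup, and reports any file that is missing from the restore or whose contents differ. The directory and file names are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time.
    Returns (missing, mismatched) so the restore test has a checkable, documentable result."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    mismatched = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return missing, mismatched

def restore_drill():
    """Constructed drill: back up, restore, verify, then damage the restore and verify again."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "ephi")          # constructed sample data, not real EPHI
    os.makedirs(src)
    for name, body in [("patients.csv", b"id,name\n1,Constructed Patient\n"),
                       ("notes.txt", b"constructed clinical note\n")]:
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(body)
    manifest = build_manifest(src)                       # recorded at backup time
    backup = shutil.copytree(src, os.path.join(work, "backup"))
    restore = shutil.copytree(backup, os.path.join(work, "restore"))
    clean = verify_restore(manifest, restore)            # an exact copy: ([], [])
    # Simulate a bad restore: one file truncated, one lost.
    with open(os.path.join(restore, "notes.txt"), "wb"):
        pass
    os.remove(os.path.join(restore, "patients.csv"))
    damaged = verify_restore(manifest, restore)
    shutil.rmtree(work)
    return clean, damaged
```

Keep the manifest with the backup media so the verification can be repeated at each scheduled restore test.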

Tuesday, December 21, 2004

Security Incident Procedures

This section of the Administrative Rules requires that you implement policies and procedures to address security incidents. There is one required task.

Response and Reporting is a required task under this section. You must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents; and document security incidents and their outcomes.

Once a security incident is discovered or suspected, you must have a process in place to minimize the damage and to document the incident from discovery to conclusion. Currently, there is no provision in the rule regarding reporting to the authorities. However, in some cases this may be necessary. Again, employees must have, and be aware of, a method of reporting actual or suspected incidents to you.

Saturday, December 18, 2004

Password Management

The next task is to implement procedures for creating, changing, and safeguarding passwords. This is an addressable task. Remember that every user who accesses EPHI must use a unique login name. Every user must also use a secure password. Strong passwords should be used and passwords should be changed on a regular basis. Passwords should not be shared. Procedures should be in place in case a password breach is detected or suspected.

Windows servers have built-in functions that help with this process. Password expiration and forced strong password usage are examples of the built-in functions.

Realize that the password is the basic building block of your EPHI security. If you do not have good password policies and procedures you will fail the most basic compliance test.

Wednesday, December 15, 2004

Where You Should Be

I have been talking to several agencies lately and realize that most of you are not moving forward very fast with your HIPAA security compliance. Many of you have indicated that it will become a priority after the beginning of the year. If you have the resources to complete this project in that time frame, you should be OK. However, you should at least know where you stand and you should know that now.

By this time you should have named a HIPAA Security Compliance Officer. I suggest that that person create a small team consisting of an IT person, HR person, administrative person, and a health care person. This team should be able to resolve any policy and/or procedure issues that may come up during this project. The results the team comes up with should be reviewed by your attorney.

You should also have done your Risk Analysis by now. This will give you a good idea of how much work you have to do to become compliant. Don't forget, the Risk Analysis is a required task in the Security Rule.

The law goes into effect on April 21st. There are many tasks to be completed. Make sure you give yourself time to become compliant. You don't want to find out at the last minute that you still have a bunch of the 50 or so items in the rule to be completed.

Friday, December 10, 2004

Login Monitoring

Agencies must implement procedures for monitoring login attempts and reporting discrepancies. This is an addressable task.

Windows servers have the ability to log successful and unsuccessful login attempts. These logs should be regularly reviewed to look for anything out of the ordinary. Other products can be purchased that can make this monitoring easier.

Login logs may also be available for specific applications that contain EPHI. These logs should be reviewed regularly as well.

A procedure needs to be in place to handle any abnormal results in these logs.
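An added example of the kind of review these login logs need (not from the original post): it reads a constructed, simplified export of logon events (timestamp, account, workstation, result) and flags a burst of failed logins on one account, a successful login that follows such a burst, and logins outside business hours. The accounts, workstation names, thresholds and business hours are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified logon export (not real data): timestamp,account,workstation,result
SAMPLE_LOG = """\
2004-12-10 08:02:11,jsmith,WS-FRONT1,SUCCESS
2004-12-10 08:05:40,mjones,WS-BILL2,SUCCESS
2004-12-10 12:14:02,jsmith,WS-FRONT1,FAILURE
2004-12-10 12:14:09,jsmith,WS-FRONT1,SUCCESS
2004-12-10 22:31:05,admin,WS-LAB3,FAILURE
2004-12-10 22:31:20,admin,WS-LAB3,FAILURE
2004-12-10 22:31:34,admin,WS-LAB3,FAILURE
2004-12-10 22:31:51,admin,WS-LAB3,FAILURE
2004-12-10 22:32:07,admin,WS-LAB3,FAILURE
2004-12-10 22:32:30,admin,WS-LAB3,SUCCESS
2004-12-11 02:10:44,mjones,WS-BILL2,SUCCESS
"""

FAIL_THRESHOLD = 5                    # assumed: this many failures for one account...
FAIL_WINDOW = timedelta(minutes=10)   # ...within this window counts as a burst
BUSINESS_HOURS = range(7, 19)         # assumed: 07:00-18:59 is a normal login time

def parse(text):
    """Turn the export into (timestamp, account, workstation, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, host, result))
    return events

def _fresh(stamps, now):
    """Keep only the failure timestamps still inside the window ending at now."""
    return [t for t in stamps if now - t <= FAIL_WINDOW]

def review(events):
    """Return (kind, account, workstation, timestamp) findings for a person to look at."""
    findings = []
    recent_fail = defaultdict(list)   # account -> timestamps of recent failures
    for ts, user, host, result in sorted(events):
        if result == "FAILURE":
            recent_fail[user] = _fresh(recent_fail[user], ts) + [ts]
            if len(recent_fail[user]) == FAIL_THRESHOLD:   # report each burst once
                findings.append(("failure_burst", user, host, ts))
            continue
        if len(_fresh(recent_fail[user], ts)) >= FAIL_THRESHOLD:
            findings.append(("success_after_burst", user, host, ts))
        recent_fail[user] = []
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_login", user, host, ts))
    return findings
```

Each finding from `review(parse(SAMPLE_LOG))` is the trigger for the handling procedure the post calls for; the single jsmith failure at midday is not reported, since one mistyped password is ordinary.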

Tuesday, December 07, 2004

Protection From Malicious Software

This task requires that agencies create procedures for guarding against, detecting, and reporting malicious software. This is an addressable task.

What is malicious software? Viruses and spyware are the major players. Protecting workstations, laptops, and servers from these threats is a multi-level task. Up-to-date anti-virus software and spyware detectors are basic requirements. Keeping Windows and all applications up to date with security updates is critical.

You must have a policy regarding installation of any type of software on your IT devices to be able to manage this task. This policy must be well understood by all users, and violations must be addressed. Periodic checks of workstations, laptops, and servers should be made to ensure that all products are up to date and that unauthorized software has not been installed.

Thursday, December 02, 2004

Security Awareness and Training

The next section under the Administrative Rules is Security Awareness and Training. Agencies must implement a security awareness and training program for all members of the workforce including management.

There are 4 tasks under this section. The first is to create a process for periodically distributing information regarding security issues to the workforce. This is an addressable task. Methods can include formal training sessions, email alerts and reminders, Intranet messages, posters, meetings, etc.