Step 2.1: Risk Assessment Questions: HIPAA Supplement


These questions will help determine and evaluate threats to the resources identified through a mission impact analysis, as well as adherence to general secure computing practices.

Unit Name: ___________________    Sub-Unit Name: ___________________

Risk Assessment Questions: HIPAA Supplement

In addition to the issues covered in the general questions, the HIPAA questions focus on documenting each policy and process; knowledge of and training on the compliance regulations; facility access controls; workstation use and location; and the review of logs and other audit measures.

Medical Center (Agency 209) departments responsible for systems identified in Health System Policy 0218 (and listed in Appendix C) must substitute the RiskWatch assessment tool administered by HS/CS for the ITS-RM question sets provided in this section. Other Medical Center (Agency 209) departments have the option of using either the RiskWatch tool or the ITS-RM question sets that follow. For additional information on the RiskWatch tool, contact Jay Early <jee@virginia.edu>. All Agency 207 (Academic Division) and 246 (College at Wise) departments should use the ITS-RM question sets.


For each question, mark Yes or No, then give the location of the supporting documentation or, where the practice is not followed, an explanation.

A. Documentation

1. Does your organization have complete and current formal written instructions for reporting security breaches, covering both reporting procedures and response procedures entity-wide? Do they include formal written mechanisms for documenting security incidents?





2. Are documented formal procedures that establish and maintain personnel security in place and current?





3. Does the organization maintain a record of the transport and movement of hardware, software, and electronic media?





4. Do you retain for at least six years after their last effective date all compliance planning records along with decisions and justifications?





5. Have access control policies and procedures been implemented which formally document the authorization, establishment, and modification of system accounts that access protected health information (PHI)?

Do they include:

  • Access-establishment information use policies and rules to determine initial right of access to a terminal, transaction, program, process or transfer to some other user?
  • Access-modification information policies and rules to determine the types of and reasons for modification to established right of access to a terminal, transaction, program, process or transfer to some other user?
  • Access authorization records? (Access authorization could be recorded as part of a job description or other policy for the end user that details level of access in accordance with job function.)
  • Assurance that operating and maintenance personnel have appropriate access authorization?




B. Compliance Knowledge and Training

1. Have you reviewed all Administrative Simplification regulations for their applicability to your business?

(This refers to standardization of billing and claims transactions; contact the Office of the Director of Patient Financial Services for information about transactions and coding issues.)





2. Are the mandated, formal policies and procedures about sanctions or disciplinary actions in place and communicated to the entire workforce including notice of civil or criminal penalties for the misuse or abuse of health information?





3. Does your organization have a documented, formal process assuring that security awareness training is provided on a routine basis, including all system users, workforce and maintenance personnel? Does this include periodic awareness reminders?





C. Facility Access Controls, Workstation Use and Location

1. Are formal, current physical access control policies and procedures in place which allow only appropriate access to an entity including visitor control, and control of access to software programs for testing and revision? Do they include:

  • Validation of access privileges prior to granting physical access to the facility/ facilities?
  • A plan for security of the facility/facilities to safeguard against unauthorized access?




2. Are formal, current documented policies and procedures in place that

  • Decrease or limit the chance that PHI can be viewed inappropriately? (For example, a terminal in a doctor's office placed so that its screen contents can be read from the reception area.)
  • Define the functions, manner of performance, and physical attributes of the surroundings of a computer terminal site based on the sensitivity of the data accessed from that site?




3. Is each workstation and printer labeled to identify it as a part of a specific system or network and for maintaining inventory?





D. Review and Audit

1. Does the department take responsibility for monitoring its own compliance as required by Health System Policy 0217 (“Compliance Auditing and Monitoring Program”)?





2. Does the security awareness training program include mandatory information about monitoring log-in successes and failures and reporting discrepancies or suspicions?





3. Are audit controls in place and documented to record and examine system activity?





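The log review that questions D.2 and D.3 ask about, as an added example that is not part of the questionnaire: a small script that parses authentication records and reports the discrepancies a reviewer would look for (repeated failures followed by a success, one source probing many accounts, logins outside working hours). The log format, host names, user names and thresholds are constructed for the illustration and do not describe any University system.

```python
"""Review authentication records for the discrepancies D.2/D.3 ask about.

Added example; the log lines, their format and the thresholds are
constructed for illustration and are not from any real system.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records in a simple application log format.
LOG = """\
2008-07-17T08:01:02 LOGIN OK   user=rnurse src=10.1.2.3
2008-07-17T08:02:10 LOGIN FAIL user=jdoc src=10.1.2.9
2008-07-17T08:02:14 LOGIN FAIL user=jdoc src=10.1.2.9
2008-07-17T08:02:19 LOGIN FAIL user=jdoc src=10.1.2.9
2008-07-17T08:02:25 LOGIN OK   user=jdoc src=10.1.2.9
2008-07-17T08:05:00 LOGIN FAIL user=admin src=192.0.2.7
2008-07-17T08:05:01 LOGIN FAIL user=billing src=192.0.2.7
2008-07-17T08:05:02 LOGIN FAIL user=rnurse src=192.0.2.7
2008-07-17T08:05:03 LOGIN FAIL user=jdoc src=192.0.2.7
2008-07-17T23:40:11 LOGIN OK   user=billing src=10.1.2.44
"""

LINE = re.compile(r"^(\S+) LOGIN (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse(line: str) -> Optional[Tuple[str, bool, str, str]]:
    """Return (timestamp, success, user, src), or None for an unparseable line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return ts, result == "OK", user, src


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of successful and failed logins."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ok": 0, "fail": 0})
    for rec in map(parse, lines):
        if rec:
            counts[rec[2]]["ok" if rec[1] else "fail"] += 1
    return dict(counts)


def flag(lines: List[str], fail_threshold: int = 3, spray_threshold: int = 3,
         hours: Tuple[int, int] = (8, 18)) -> List[str]:
    """Return human-readable findings worth reporting (assumed thresholds)."""
    events = [r for r in map(parse, lines) if r]
    findings: List[str] = []

    # 1. N consecutive failures from one source, then a success: guessed password?
    # 2. A success outside the assumed working hours window.
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, ok, user, src in events:
        key = (user, src)
        if not ok:
            streak[key] += 1
            continue
        if streak[key] >= fail_threshold:
            findings.append(f"{user}: success from {src} after {streak[key]} failures")
        streak[key] = 0
        hour = int(ts[11:13])
        if not hours[0] <= hour < hours[1]:
            findings.append(f"{user}: after-hours login at {ts} from {src}")

    # 3. One source failing against many distinct accounts (password spraying).
    targets: Dict[str, set] = defaultdict(set)
    for _, ok, user, src in events:
        if not ok:
            targets[src].add(user)
    for src, users in targets.items():
        if len(users) >= spray_threshold:
            names = ", ".join(sorted(users))
            findings.append(f"{src}: failures against {len(users)} accounts ({names})")
    return findings


if __name__ == "__main__":
    for user, c in sorted(summarize(LOG.splitlines()).items()):
        print(f"{user:8} ok={c['ok']} fail={c['fail']}")
    for f in flag(LOG.splitlines()):
        print("FINDING:", f)
```

The thresholds and the working-hours window are placeholders; a department would set them from its own baseline, and the output is the kind of item that the "reporting discrepancies or suspicions" training in D.2 should tell staff to escalate.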
4. Is there a data authentication mechanism in place to corroborate that data have not been altered or destroyed? (This could include the use of a checksum, double keying, message authentication code, or digital signature. Note that an unkeyed checksum detects only accidental corruption; anyone who can alter the data can recompute it, so deliberate alteration requires a keyed message authentication code or a digital signature.)





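The distinction between the mechanisms listed in D.4, as an added example that is not part of the questionnaire: a stored record is protected once by an unkeyed SHA-256 checksum and once by an HMAC-SHA256 under a secret key. Someone with write access who alters a field can recompute the checksum so that it still verifies, but cannot produce a matching MAC without the key. The record, its field names and the key are constructed for the illustration.

```python
"""Integrity protection for a stored record: unkeyed checksum vs keyed MAC.

Added example; the record, field names and key are constructed for this
illustration and are not from the questionnaire or any real system.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed sample record (not real patient data).
RECORD = {"mrn": "000123", "dob": "1970-01-01", "allergy": "penicillin"}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_checksum(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: detects alteration by anyone
    who does not hold the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, stored: str, key: bytes) -> bool:
    return hmac.compare_digest(mac(record, key), stored)


def tamper_demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    """An insider with write access changes a field and recomputes the checksum.

    Returns which verifier still accepts the original and the tampered record.
    """
    key = key or secrets.token_bytes(32)
    stored_sum = checksum(RECORD)
    stored_mac = mac(RECORD, key)

    tampered = dict(RECORD, allergy="none")  # deliberate alteration
    forged_sum = checksum(tampered)          # attacker can recompute this...
    # ...but cannot recompute the MAC without the key, so the stored one stays.

    return {
        "original_checksum_ok": verify_checksum(RECORD, stored_sum),
        "original_mac_ok": verify_mac(RECORD, stored_mac, key),
        "tampered_checksum_ok": verify_checksum(tampered, forged_sum),
        "tampered_mac_ok": verify_mac(tampered, stored_mac, key),
    }


if __name__ == "__main__":
    for name, ok in tamper_demo().items():
        print(f"{name}: {ok}")
```

The same argument applies to a digital signature, with the private key in the role of the MAC key; the added benefit of a signature is that verification needs only the public key, so the party checking integrity does not also hold the means to forge it.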
Prepared by:

Name:   __________________________
Signature:   _______________________
Title:   ___________________________
Date:   ___________________________


Approved by: Unit head

Name:_________________________
Signature:______________________
Title: __________________________
Date: __________________________




© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia's Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warranties of title and non-infringement of the copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia's Computing Policies.