SECURITY PLAN
To establish parameters of desired levels of security for Electronic PHI per area, department, function, and role. These protocols must be in place to ensure compliance with First Stage Meaningful Use for Electronic Health Records.
TECHNICAL SAFEGUARDS
RISK / CONCERN | SECURITY MEASURE
1. Data Integrity | Protect PHI from improper alteration or destruction; Implement authentication measures for PHI
2. Access Control Mechanisms | Data and PHI accessible only to persons/programs with authorization; Proof of identity authenticated before access to PHI is granted
3. Identity Authentication | Authenticity measures to prove the identity of any person/entity seeking access to PHI; Authentication that they are who/what they say they are
4. Audit Controls | Built-in EHR feature records/examines all activity regarding access to PHI
5. Transmission Security | Protect against access to PHI during transmission over electronic communications network(s)
6. Unauthorized Disclosure | Computer screen locks/disappears after one (1) minute of inactivity; Requires a unique password by authorized person to unlock
7. PHI Exchange, All Persons/Entities | Ensure all PHI data is encrypted and transmitted over secure communication lines; HIV/AIDS PHI data requires special authorization for access/transfer
8. Password Vulnerability | Institute security codes/questions; Iris/fingerprint identity scanners
PHYSICAL SAFEGUARDS
RISK / CONCERN | SECURITY MEASURE
1. Facility Access Control | Limit access to areas where PHI is housed; Ensure only authorized persons have access to these areas
2. PHI Exchange within Healthcare Facility, with Outside Providers, Reportable for Public Health Reasons/Safety, or Transferred to a Portable Device or Drive | Ensure all PHI data is encrypted and transferred over secure communication lines; Access to HIV/AIDS related PHI will require special authorization specifically designed for access to this type of PHI
3. Workstations | Specify workstations that allow access to electronic PHI; Specify appropriate use of the Workstations; Specify physical environment of workstations that are able to access PHI
4. Workstation Use | Restrict access to workstations that contain PHI to only staff who have a need to know regarding patient care; Enhance security controls on those workstations containing PHI that pertains to HIV/AIDS