RESOLUTION RE: APPROVE AMENDED HIPAA COMPLIANCE PLAN TO UPDATE GENERAL HIPAA SECURITY POLICIES FOR WELD COUNTY

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the federal government in 1996, and

WHEREAS, on April 7, 2003, the Board of County Commissioners adopted the HIPAA Compliance Plan for Weld County, and

WHEREAS, it is necessary to amend the Weld County HIPAA Compliance Plan to update HIPAA Security Policies, and

WHEREAS, the Director of Finance and Administration recommends approval of the amended HIPAA Compliance Plan to update HIPAA Security Policies, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED, by the Board of County Commissioners, that the Weld County HIPAA Compliance Plan be, and hereby is, amended to include updated General HIPAA Security Policies, a copy of which is attached hereto.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 30th day of January, A.D., 2008.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO

H. Jerke, Chair
[name illegible], Pro-Tem
William F. Garcia
David E. Long, EXCUSED
Douglas Rademacher

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board

APPROVED AS TO FORM: County Attorney

Date of signature: [illegible]
Resolution 2008-0329

GENERAL HIPAA SECURITY POLICIES

The following general HIPAA security policies shall apply to all county departments covered by HIPAA. The policies are considered reasonable policies and procedures that meet the requirements of the HIPAA Security Rule.

All policies and procedures are documented in either paper or electronic form. All HIPAA security documentation, policies, procedures, security incidents, all risk assessment documentation for HIPAA, and any other related HIPAA security paperwork shall be retained six years from the date of its creation or the date it was last in effect, whichever is later.

The designated HIPAA Privacy Officer shall also serve as the HIPAA Security Officer for the department. The HIPAA Security Officer shall:
• Consult and advise senior management regarding security issues
• Develop policies and procedures as necessary
• Monitor HIPAA Security Regulations and implement changes to ensure compliance with HIPAA
• Consult with the Personnel/Human Resources Department regarding sanctions
• Serve as a resource to the workforce in the departments concerning security

The county has the following specific HIPAA Security responsibilities:
• Designation of Security Officer (same as HIPAA Privacy Officer)
• Implementation of HIPAA Security Policies and Procedures (done)
• Train the County workforce (ongoing)
• Impose sanctions upon those violating HIPAA Security Policies and Procedures (see sanctions section of General HIPAA Security Policies)
• Taking corrective actions for security incidents (see incident section of General HIPAA Security Policies)
• Refrain from harassing whistleblowers
• Maintain Business Associate Agreements (see HIPAA business associate agreement section)
• Compliance with all required HIPAA Security Standards and Implementation Specifications (see General HIPAA Security Policies)
• Compliance with all required HIPAA Security Standards and Implementation Specifications as appropriate for the county (see General HIPAA Security Policies)
• Documentation of appropriate HIPAA Security Standards and Implementation (ongoing)

Risk management for HIPAA purposes shall identify all security risks, and, where feasible and cost effective, policies and corrective actions shall be taken to mitigate the risk as determined by the HIPAA Privacy Officer and department head in each department covered by HIPAA. The HIPAA Privacy Officer and department head in each department covered by HIPAA shall be responsible for designing, reviewing, approving, and implementing levels of risk mitigation.

Information Systems Activity Review: Each department in the county covered by HIPAA shall regularly review records of information system activity. Each department's HIPAA Security Officer shall review monthly the audit logs that record activities related to access of the system by its users. Any actual or attempted unauthorized access or security incident event shall be tracked, either manually or via system software. The following elements shall be tracked: type of event, date and time of occurrence, user ID, program involved, outcome, remediation steps, and required sanctions.

Background checks will be conducted on all employees deemed to be in a high-risk security area as determined by the department head and agreed to by the Director of Personnel/Human Resources. Affiliated Computer Services (ACS) shall conduct background checks on all employees.

Each department's Security Officer shall define access levels for all positions in the department. Security Officers in all departments shall verify that all employees terminating, transferring, or resigning have had their system access removed.

Each department's Security Officer shall develop and implement a training program that ensures that employees have an understanding of all HIPAA policies, procedures, and practices, as well as an understanding of the sanctions for violation of HIPAA policies, the facility security plan, proper methods for device and media disposal and reuse, how to access the system in an emergency, protection from malicious software, and approved methods of encrypting HIPAA data. Management staff should be taught documentation requirements, workforce clearance, termination procedures, computer access policies and procedures, data backup, disaster recovery, ongoing risk management, maintenance of records, evaluation responsibilities, and emergency access procedures.

The Privacy/Security Officer shall ensure that all employees are periodically (at least annually) updated on HIPAA security issues. As needed, employees will be given security reminders via memos, posters, emails, etc.

Each departmental HIPAA Security Officer shall develop a work plan delineating roles and appropriate task assignments for departmental volunteers and interns.

The HIPAA Security Incident Response Team shall be comprised of the department's Security Officer, the Director of Finance and Administration, and designated members of the IT department. They shall use the COBIT Standards for Computer Security Incident Response to guide their actions.

All departmental HIPAA Security Officers shall periodically (at least annually) arrange and conduct a technical and non-technical evaluation of HIPAA Security compliance. The IT department shall provide technical assistance as required. The HIPAA Security Officer of each department shall be responsible for implementing the evaluation findings and documenting actions taken.

The Business Associate agreement shall have the recommended "Chain of Trust Partner Clause".

Each departmental HIPAA Security Officer shall write a Contingency Plan that states the personnel/vendors permitted access during an emergency; identification will be by county ID cards or vendor ID cards. At least annually, each departmental HIPAA Security Officer shall test its Contingency Plan. Testing and revision should include training and awareness of all personnel, who is in charge in an emergency, and what the procedures are. The efficacy of the plan should be tested. Data back-up should be tested. Any problems discovered in the testing of the plan should result in changes to the plan to resolve the issues discovered.

Each departmental HIPAA Security Officer shall write a Physical Security plan that shall include:
• Location and protection controls for key computer assets (ACS)
• A description of the fire suppression system (alarm/sprinkler in server rooms)
• Description of the method used to control access to the facility (security guards, cipher locks, video, computer card key system)
• Detail of locking mechanisms (cipher locks, computer card key system, locked fireproof safe, etc.)
• Description of any type of alarm or intrusion device
• How access is limited to the facility by day and time
• How access is limited by role
• Any procedures to sign in visitors or provide escorts, if necessary
• Any procedures and protocol for department volunteers

Buildings and Grounds shall change all access codes for HIPAA secured areas at least quarterly and, as determined appropriate by the department head, when an employee is terminated. Buildings and Grounds shall maintain a record of any time physical security to a HIPAA controlled area is modified, such as a new lock, new video surveillance, when any vendor hardware or technical repairs are done, etc. Buildings and Grounds shall keep a maintenance list of all building security elements that must be maintained, such as alarms, lights, doors, locks, sprinkler systems, smoke detectors, etc. ACS shall maintain a list of IT security items, such as servers, routers, computers, software, etc.

HIPAA Sanctions found in the Privacy Rule and Policies and Procedures section shall apply to HIPAA Security Policies and Procedures in the same manner for anyone violating either the Privacy Rule and Policies and Procedures or the HIPAA Security Policies and Procedures.

HIPAA General Security Policies, REVISED 1207