RESOLUTION
RE: APPROVE AMENDED HIPAA COMPLIANCE PLAN TO INCLUDE GENERAL HIPAA
SECURITY POLICIES FOR WELD COUNTY
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by
the federal government in 1996, and
WHEREAS, on April 7, 2003, the Board of County Commissioners adopted the HIPAA
Compliance Plan for Weld County, and
WHEREAS, it is necessary to amend the Weld County HIPAA Compliance Plan to include
HIPAA Security Policies, and
WHEREAS, the Director of Finance and Administration recommends approval of the
amended HIPAA Compliance Plan, to include HIPAA Security Policies, a copy of which is attached
hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED, by the Board of County Commissioners, that the
Weld County HIPAA Compliance Plan be, and hereby is, amended to include the General HIPAA
Security Policies, a copy of which is attached hereto.
The above and foregoing Resolution was, on motion duly made and seconded, adopted by
the following vote on the 30th day of January, A.D., 2006.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
[signature], Chair
David E. Long, Pro-Tem
Glenn Vaad
ATTEST:
Weld County Clerk to the Board
BY: [signature], Deputy Clerk to the Board
APPROVED AS TO FORM:
Robert D. Masden
County Attorney
Date of signature: [illegible]
2006-0312
PE0024
GENERAL HIPAA SECURITY POLICIES
The following general HIPAA security policies shall apply to all county departments
covered by HIPAA. The policies are considered reasonable policies and procedures that
meet the requirements of the HIPAA Security Rule. All policies and procedures shall be
documented in either paper or electronic form.
All HIPAA security documentation, including policies, procedures, security incident records, all risk
assessment documentation for HIPAA, and any other related HIPAA security paperwork,
shall be retained for six years from the date of its creation or the date it was last in effect,
whichever is later.
The designated HIPAA Privacy Officer shall also serve as the HIPAA Security Officer
for the department. The HIPAA Security Officer shall:
• Consult and advise senior management regarding security issues
• Develop policies and procedures as necessary
• Monitor HIPAA Security Regulations and implement changes to ensure
compliance with HIPAA
• Consult with the Personnel Department regarding sanctions
• Serve as a resource to the workforce in the departments concerning security
The county has the following specific HIPAA Security responsibilities:
• Designation of a Security Officer (same as the HIPAA Privacy Officer)
• Implementation of HIPAA Security Policies and Procedures (done)
• Training the county workforce (ongoing)
• Imposing sanctions upon those violating HIPAA Security Policies and Procedures
(see the sanctions section of the General HIPAA Security Policies)
• Taking corrective actions for security incidents (see the incident section of the General
HIPAA Security Policies)
• Refraining from harassing whistleblowers
• Maintaining Business Associate Agreements (see the HIPAA business associate
agreement section)
• Compliance with all required HIPAA Security Standards and Implementation
Specifications, and with addressable ones as appropriate for the county (see the General HIPAA Security
Policies)
• Documentation of the applicable HIPAA Security Standards and their Implementation
(ongoing)
Risk management for HIPAA purposes shall identify all security risks. Where feasible
and cost effective, policies and corrective actions shall be taken to mitigate each risk, as
determined by the HIPAA Privacy Officer and department head in each department
covered by HIPAA. The HIPAA Privacy Officer and department head in each department
covered by HIPAA shall be responsible for designing, reviewing, approving, and
implementing the levels of risk mitigation.
Information Systems Activity Review: Each department covered by HIPAA in the county
shall regularly review records of information system activity. Each department's HIPAA
Security Officer shall review, at least monthly, the audit logs that record activities related to access to the
system by its users. Any actual or attempted unauthorized access or security
incident event shall be tracked, either manually or via system software. The following
elements shall be tracked for each event: type of event, date and time of occurrence, user ID, program
involved, outcome, remediation steps, and sanctions required.
Background checks shall be conducted on all employees deemed to be in a high risk
security area, as determined by the department head and agreed to by the Director of
Personnel. ACS shall conduct background checks on all employees.
Each department's Security Officer shall define access levels for all positions in the
department. Security Officers in all departments shall verify that all employees
terminating, transferring, or resigning have had their system access removed.
Each department's Security Officer shall develop and implement a training program that
ensures that employees have an understanding of all HIPAA policies, procedures, and
practices. Employees shall understand the sanctions for violation of HIPAA policies, the facility security plan,
proper methods for device and media disposal and reuse, how to access the system in an
emergency, protection from malicious software, and approved methods of encrypting
HIPAA data. Management staff shall be taught documentation requirements, workforce
clearance, termination procedures, computer access policies and procedures, data backup,
disaster recovery, ongoing risk management, maintenance of records, evaluation
responsibilities, and emergency access procedures.
The Privacy/Security Officer shall ensure that all employees are periodically (at least
annually) updated on HIPAA security issues. As needed, employees shall be given security
reminders via memos, posters, emails, etc.
The HIPAA Security Incident Response Team shall be comprised of the department's
Security Officer, the Director of Finance and Administration, and designated members of the IT
department. They shall use the COBIT standards for computer security incident
response to guide their actions.
All departmental HIPAA Security Officers shall periodically (at least annually) arrange
and conduct a technical and non-technical evaluation of HIPAA Security compliance.
The IT department shall provide technical assistance as required. The HIPAA Security
Officer of each department shall be responsible for implementing the evaluation findings
and documenting the actions taken.
The Business Associate agreement shall include the recommended "Chain of Trust Partner
Clause".
Each departmental HIPAA Security Officer shall write a Contingency Plan that states the
personnel and vendors permitted access during an emergency; identification shall be by county
ID cards or vendor ID cards.
At least annually, each departmental HIPAA Security Officer shall test the department's Contingency
Plan. Testing and revision shall include training and awareness of all personnel, who is
in charge in an emergency, and what the procedures are. The efficacy of the plan shall
be tested, and data backups shall be tested. Any problems discovered in the testing of the
plan shall result in changes to the plan to resolve the issues discovered.
Each departmental HIPAA Security Officer shall write a physical security plan that shall
include:
• Location and protection controls for key computer assets (ACS)
• A description of the fire suppression system (alarm/sprinkler in server rooms)
• Description of the methods used to control access to the facility (security
guards, cipher locks, video, computer card key system)
• Detail of locking mechanisms (cipher locks, computer card key system,
locked fireproof safe, etc.)
• Description of any type of alarm or intrusion detection device
• How access to the facility is limited by day and time
• How access is limited by role
• Any procedures to sign in visitors or provide escorts, if necessary
Buildings and Grounds shall change all access codes for HIPAA secured areas at least
quarterly, and, as determined appropriate by the department head, when an employee is
terminated. Buildings and Grounds shall maintain a record of any time physical security to a
HIPAA controlled area is modified, such as a new lock, new video surveillance, or when
any vendor hardware or technical repairs are done. Buildings and Grounds shall keep
a maintenance list of all building security elements that must be maintained, such as
alarms, lights, doors, locks, sprinkler systems, smoke detectors, etc. ACS shall maintain
a list of IT security items, such as servers, routers, computers, software, etc.
The HIPAA sanctions found in the Privacy Rule and Policies and Procedures section shall
apply to the HIPAA Security Policies and Procedures in the same manner, for anyone
violating either the Privacy Rule and Policies and Procedures or the HIPAA Security Policies
and Procedures.