Security Policies & Procedures
Administrative Safeguards: Assigned Security Responsibility
Policy:
CANM will assign and document the responsibility for security to a specific individual to provide an organizational focus and importance to security. Responsibilities would include the management and supervision of (1) the use of security measures to protect data, and (2) the conduct of personnel in relation to the protection of data. [164.308(a)(2)]
Procedures:
CANM has designated a Security Officer with responsibility for the development and implementation of policies that conform to the Security Regulations. The Security Officer is responsible for:
- developing, implementing, and periodically evaluating the security policies and procedures, in conjunction with the Compliance Committee;
- reporting regularly to management regarding the status of the security policies;
- overseeing the maintenance of the practice’s hardware and software and tracking hardware and software inventory;
- initiating, facilitating, and promoting activities to foster security information awareness;
- overseeing, directing, and delivering security training to all workforce members;
- acting as the point of contact for receiving, documenting, tracking, investigating, and taking action on all complaints concerning security policies and procedures, in coordination and collaboration with other similar functions; and
- performing periodic risk assessments and ongoing compliance monitoring activities at each practice location.
CANM is an unaffiliated business unit of North Mississippi Health Services (“NMHS”). NMHS also has a designated HIPAA Security Officer for their organization.
POLICY DESCRIPTION: Administrative Safeguards: Assigned Security Responsibility
POLICY #: 782
APPROVED: March 2, 2005
REVISION DATE: May 16, 2012
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Business Associate Contracts
Policy:
CANM will enter into a contract or other arrangement with persons that meet the definition of business associates. The covered entity must obtain satisfactory assurances from the business associate that it will appropriately safeguard the information in accordance with these standards. [164.308(b)(1)]
Procedures:
Written Contract or Other Arrangement:
The final regulations, pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), govern the security of electronic individually identifiable health information obtained, created or maintained by certain entities. The HIPAA Security Rule requires that CANM enter into an agreement with business associates in order to protect the security of electronic protected health information. This may be an amendment to the Business Associate Agreement required under the Privacy Rule. See CANM Policy #759.
CANM’s contracts with its business associates will address the following safeguards required by the security rule. The business associate will:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of CANM.
- Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.
- Report to CANM any security incident of which it becomes aware.
Business Associate agreements will also authorize termination of the agreement by CANM if CANM determines that the business associate has violated a material term of the contract.
References: CANM Policy #759; Business Associate Agreement
POLICY DESCRIPTION: Administrative Safeguards: Business Associate Contracts
POLICY #: 789
APPROVED: March 2, 2005
REVISION DATE:
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Contingency Plan
Policy:
CANM will establish a contingency plan to be in effect for responding to system emergencies. The plan would include an applications and data criticality analysis, a data backup plan, a disaster recovery plan, an emergency mode operation plan, and testing and revision procedures. [164.308(a)(7)]
Procedures:
Data Backup Plan
CANM has established a data backup plan for in-house systems (such as nuclear imaging) that creates and maintains retrievable exact copies of all ePHI. All media used for backing up ePHI must be stored in a physically secure environment, such as a secure, off-site storage facility or, if backup media remains on site, in a physically secure location different from the location of the computer systems it backs up.
North Mississippi Health Services (“NMHS”) maintains a data backup plan which covers mission critical applications, i.e., Epic, Enterprise EMR. Their backup is performed at least nightly, and is periodically tested to ensure ePHI can be retrieved and made available.
Disaster Recovery Plan
CANM will establish and implement a data recovery plan pursuant to which it can restore or recover any loss of ePHI and the systems needed to make the ePHI available in a timely manner. This will include restoring data lost due to an emergency or disaster such as fire, vandalism, terrorism, system failure, or natural disasters such as floods affecting systems containing ePHI. CANM will make all efforts to be prepared to respond to the event in order to regain efficient operation of the systems that are damaged.
NMHS maintains a data recovery plan to address recovery of loss of ePHI from Enterprise EMR and Epic.
CANM would refer to the guidelines listed below in the event of a disaster:
- All disaster recovery efforts will be coordinated by the Chief Executive Officer with assistance from the Board and Management.
- A complete list of the workforce contact information and a vendor contract list will be maintained.
- Vital records for the practice, such as server and workstation warranties, will be organized.
- Specific tasks and responsibilities will be delegated to the workforce responsible for data recovery.
- Damage as a result of a disaster will be assessed.
- Employees will be given instructions to guide in the restoration process.
- A communication plan for patients and the public will be developed.
In the event of physical destruction to any CANM building, operations could resume at one of the regional locations if needed.
Emergency Mode Operation Plan
CANM will establish procedures to enable continuation of critical business processes, and protection of the security of ePHI, while operating in emergency mode. These emergency mode operation procedures will help ensure that critical business processes can continue in a satisfactory manner during the emergency.
If access failure occurs in one of CANM’s locations, ePHI can be faxed from one location that is still operational to the other location that is experiencing the failure.
Members of the workforce are instructed to return to manual workflow process when operating in emergency mode. Any information captured manually will be transferred to the appropriate information systems as soon as systems are in operation.
Testing and Revision Procedures
The data backup, recovery, and emergency mode operation procedures will be tested on a periodic basis to ensure that ePHI and the systems needed to make ePHI available can be restored, recovered, or made available for continuation of operating the practice.
NMHS maintains an emergency mode operation plan to address continued network operations in an emergency situation, and performs tests periodically.
Applications and Data Criticality Analysis
CANM will assess the relative criticality of specific applications and data for purposes of developing its data backup plan, its disaster recovery plan, and its emergency mode operation plan. This will be assessed periodically and at least annually to ensure appropriate procedures are in place for data and applications.
CANM has identified the key applications that support ePHI as being Epic and Enterprise EMR.
References: CANM Policy #194, CANM Policy #551, CANM Policy #790, CANM Policy #793
POLICY DESCRIPTION: Administrative Safeguards: Contingency Plan
POLICY #: 787
APPROVED: March 2, 2005
REVISION DATE: August 17, 2011; May 16, 2012; August 6, 2013; July 8, 2014; November 10, 2020
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Evaluation
Policy:
CANM will periodically conduct an evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI. [164.308(a)(8)]
Procedures:
CANM Security Policies and Procedures will be evaluated by the Compliance Committee to determine their compliance with the security regulations. Once compliance is established, the policies and procedures will be evaluated on a periodic basis to assure continued viability in light of technological, environmental or operational changes that could affect the security of ePHI. The Compliance Committee will review on an on-going basis the viability of policies, and will recommend any necessary changes. If the change is adopted, such change will be communicated through policy updates.
In the event that any of the following events occur, the policy evaluation process will begin:
- Changes in the HIPAA Security Regulations or Privacy Regulations;
- New federal, state, or local laws or regulations affecting the privacy or security of PHI;
- Changes in technology, environmental processes or business processes that may affect security policies and procedures;
- Occurrence of a serious security violation, breach, or other security incident.
All HIPAA Security Policies and Procedures will be evaluated at least annually.
NMHS will be responsible for maintaining its security policies and procedures.
POLICY DESCRIPTION: Administrative Safeguards: Evaluation
POLICY #: 788
APPROVED: March 2, 2005
REVISION DATE: May 16, 2012; July 13, 2021; July 11, 2023
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Information Access Management
Policy:
CANM will establish and maintain documented policies and procedures defining levels of access for all personnel authorized to access health information, and how access is granted and modified. [164.308(a)(4)]
Procedures:
Isolating Health Care Clearinghouse Functions
CANM does not perform any clearinghouse functions.
Access Authorization, Access Establishment and Modification
CANM will establish, document, periodically review and modify if appropriate each workforce member’s right to access ePHI. Such procedures will include the following:
- The Human Resources Manager is responsible for authorizing access to systems and networks containing ePHI for his or her workforce. Workforce members are not permitted to authorize their own access to ePHI.
- The Human Resources Manager is responsible for ensuring that the access to ePHI granted to each member of the workforce is the minimum necessary access required for each member’s job role and responsibilities.
- The Human Resources Manager is responsible for modifying such access if appropriate.
- When a workforce member’s employment terminates, the Human Resources manager will ensure that all workforce member’s accounts to access ePHI are terminated.
- The Human Resources manager will ensure that the workforce member’s access to all facilities housing ePHI is terminated, including but not limited to card access, keys, codes, and other facility access control mechanisms. The termination process will follow the termination checklist.
- If a member of the workforce transfers to North Mississippi Health Services (“NMHS”) or one of its affiliates, the workforce member’s access within CANM will be re-evaluated as of the last date of CANM employment. The new manager will be responsible for requesting access to ePHI commensurate with the workforce member’s new role and responsibilities at the NMHS entity.
NMHS will authorize access for Epic and Information Technology Services (“ITS”) systems.
References: CANM Policy #550, CANM Policy #552, CANM Policy #783
POLICY DESCRIPTION: Administrative Safeguards: Information Access Management
POLICY #: 784
APPROVED: March 2, 2005
REVISION DATE: August 17, 2011; November 10, 2020; August 10, 2022; September 15, 2022
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Security Awareness and Training
Policy:
CANM will implement a security awareness and training program for all members of its workforce. Training will include awareness training for all personnel, periodic security reminders, user education concerning virus protection, user education in the importance of monitoring login success/failure, and how to report discrepancies, and user education in password management. [164.308(a)(5)]
Procedures:
Security Reminders
CANM will send a notification to members of the workforce on any changes to security policies. Warnings will be issued to workforce members of potential, discovered, or reported threats, breaches, vulnerabilities, or other HIPAA security incidents.
Protection from Malicious Software
NMHS Information Technology Systems (“ITS”) department will enact protocols for guarding against, detecting and reporting new and potential threats from malicious code such as viruses, worms, denial of service attacks, or any other computer program or code designed to interfere with the normal operation of a system or its contents and procedures. The Security Officer will notify the NMHS PC HelpDesk if a virus, worm or other malicious code has been identified on the network and is a potential threat to other systems or networks, outlined in CANM Policy #786. The system that has been infected by a virus, worm or other malicious code will be cleaned and properly secured or isolated from the rest of the network. This function will be performed by NMHS workforce.
CANM will train its workforce to identify and protect against malicious code and software. A virus detection system (the NMHS-approved Enterprise Corporate Edition) will be implemented and maintained on all workstations.
Log-In Monitoring
Failed login attempts on Epic and the Enterprise EMR system containing ePHI should be documented by NMHS staff. Passwords are required to be reset every 180 days.
Password Management
Passwords will be created and required for workforce member access to any network, system, or application used to access, transmit, receive, or store ePHI. All workforce members must supply a password in conjunction with their unique user identification to gain access to any application or database system used to create, transmit, receive, or store ePHI. Passwords should be properly safeguarded, and the workforce will be made aware of password related policies. A password must be of sufficient complexity to ensure that it is not easily guessable.
The workforce members are responsible for the proper use and protection of their passwords. Passwords are only to be used for legitimate access to networks, systems, or applications. Passwords must not be disclosed to other employees or individuals. Passwords should not be posted or exposed in an insecure manner such as on a notepad or posted on the workstation.
Security Training
The workforce members will receive training on security policies and procedures and their responsibilities regarding such policies and procedures. Security training will be a component of new workforce members’ orientation process as well. NMHS staff also stresses the importance of security awareness and confidentiality when passwords are issued.
References: CANM Compliance Plan, CANM Policy #150, Confidentiality Agreement Form, CANM Policy #786, CANM Policy #794
POLICY DESCRIPTION: Administrative Safeguards: Security Awareness and Training
POLICY #: 785
APPROVED: March 2, 2005
REVISION DATE: August 17, 2011; May 16, 2012; August 6, 2013; July 8, 2014; July 15, 2016; November 10, 2020; September 15, 2022
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Security Incident Procedures
Policy:
CANM will implement security incident procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known; and document security incidents and their outcomes. [164.308(a)(6)]
Procedures:
Response and Reporting
All incidents, threats, or violations that affect or may affect the confidentiality, integrity, or availability of ePHI must be reported to the Security Officer. If the incident affects or may affect other systems and networks, the NMHS Network Services must be notified. If the incident is a threat to ePHI, the NMHS HIPAA Security Officer must be notified. NMHS Network Services should investigate and propagate recommended updates or fixes to threatened or actual security incidents. Incidents that should be reported include, but are not limited to:
- Virus, worm, or other malicious attacks.
- Network or system intrusions.
- Persistent intrusion attempts from a particular entity.
- Unauthorized access to ePHI, an ePHI based system, or an ePHI based network.
- ePHI data loss due to disaster, failure, or error.
The Security and Privacy Officers must notify each other of security or privacy issues if they determine that an incident or issue could affect the other office.
Workforce members who report possible security issues in good faith will not be subjected to retaliation as a result of the report. Whenever a security issue has been identified, through monitoring, reporting of possible issues, investigations, or otherwise, the Security Officer will have the responsibility to take or direct appropriate action to address the issue. The corrective action will be designed to ensure that the specific issue is addressed and similar problems will not occur in the future. When applicable, the compliance policies regarding communications and investigations may be referenced for security incidents. All correspondence with outside authorities such as local police, FBI, media, etc. must go through the Chief Executive Officer.
All security related incidents and their outcomes should be logged and documented. All instances of failures, outages, or data loss that involve critical ePHI are reported to the Security Officer.
The harmful effects of known security incidents may be mitigated by following these reporting procedures for notifying others of a known incident so that appropriate action may be taken. The HIPAA Security Officer will be notified of viruses and other malicious software and NMHS-wide threats to ePHI. Such notifications may be made by way of network distribution lists or by the NMHS Security Officer. The Security Officer is responsible for propagating these notifications within CANM and ensuring that appropriate measures are implemented to mitigate the harmful effects of such security threats based on such notifications.
North Mississippi Health Services (“NMHS”) will periodically monitor Enterprise EMR and Epic user activity, including password activity, virus scans, and audit trails to determine if any security incidents have occurred involving CANM, as a business unit of NMHS. Following the identification of a security incident, the first priority must be to communicate the details of the incident to the relevant NMHS technical staff to expeditiously begin resolving the issue. The CANM Security Officer will be notified of any potential concerns identified.
Any internal incident identified will be logged on a security incident log. All necessary and reasonable steps will be taken to respond to and address all identified and confirmed security incidents. All responses will be logged into the security incident log.
If the incident cannot be resolved and could potentially cause disruptions among other practice workforce members such that it will inhibit them from performing their assigned job responsibilities, the Security Officer will notify the rest of the workforce of the situation via email, telephone, verbally, or in writing, whichever communication media works best under the circumstances. Affected workforce will be notified of the estimated time necessary to address the security incident. Once the issue has been resolved, the Security Officer will notify the workforce of the resolution, using whichever communication media works best under the circumstances.
When applicable, notification to appropriate parties will be given regarding any breach of health information in any form which is not electronically encrypted.
Data Breach Notification Purposes. CANM may use or disclose medical information to provide legally required notices of unauthorized access to or disclosure of medical information.
References: CANM Compliance Program, CANM Policy #785
POLICY DESCRIPTION: Administrative Safeguards: Security Incident Procedures
POLICY #: 786
APPROVED: March 2, 2005
REVISION DATE: August 17, 2011; September 4, 2013; November 10, 2020
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Security Management Process
Policy:
CANM will establish a formal security management process to involve the creation, administration, and oversight of policies to address the full range of security issues and to ensure the prevention, detection, containment, and correction of security violations. This process includes implementation features consisting of a risk analysis, risk management, sanction policy, and an information system activity review. [164.308(a)(1)]
Procedures:
Risk Analysis
CANM acknowledges the potential vulnerabilities associated with storing ePHI and transmitting ePHI. CANM conducts assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held in its systems. Security measures will be periodically reassessed and updated as needed.
Risk Management
North Mississippi Health Services (“NMHS”) will assist CANM in identifying and implementing appropriate security measures and safeguards. All NMHS’ networks, systems, and applications are subject to compliance with the NMHS Security Management Policy. CANM will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security rule.
Sanction Policy
To ensure that all members of the CANM workforce fully comply with the CANM security policies, CANM will appropriately discipline and sanction workforce members for failing to comply. The discipline and sanction policy for failure to comply with policies and procedures is outlined in our compliance program.
Information System Activity Review
Internal audit procedures will be established to regularly review records of information system activity. The internal audit procedure may utilize audit logs, activity reports, or other mechanisms to document and manage system activity. NMHS’ audit department performs information system activity reviews periodically for all business units. NMHS will notify CANM of any potential concerns identified.
The audit trail reports must be kept in a secure location and retained for six years at a minimum. Any abnormalities must be documented and immediately followed up on. Abnormalities include suspicious log-in attempts, unusually frequent password changes, and computer file changes and/or deletions.
CANM is an unaffiliated business unit of North Mississippi Health Services (“NMHS”). NMHS has a written policy which covers the ePHI risk analysis that they will conduct, the security measures and safeguards that will be implemented for its ePHI based upon such risk analysis, and the information systems review activity that will be conducted to ensure the security of such ePHI. All networks, systems, and applications are subject to compliance with the NMHS security policies.
References: CANM Compliance Program
POLICY DESCRIPTION: Administrative Safeguards: Security Management Process
POLICY #: 781
APPROVED: March 2, 2005
REVISION DATE: May 10, 2006
EFFECTIVE DATE: April 20, 2005
Administrative Safeguards: Workforce Security
Policy:
CANM will make every effort to ensure that all workforce members have appropriate access to ePHI and to prevent workforce members who do not have access to ePHI from obtaining such access. [164.308(a)(3)]
Procedures:
Access is the ability to interact with a computer system (e.g., use, change, or view). System users must have access to certain information in order to adequately perform their assigned duties, pursuant to their individual job descriptions.
Authorization and/or Supervision; Workforce Clearance
CANM uses user IDs and unique passwords to control access to the systems. CANM expects practice information to be available when it is needed and to be safeguarded from access by unauthorized individuals.
CANM has established management controls for granting and changing access to the practice management system. NMHS has established management controls for granting and changing access to the electronic medical records systems.
Only workforce members with a need to access ePHI are granted access to ePHI. CANM will ensure that all workforce members who work with ePHI have the appropriate access so that unauthorized access to ePHI is avoided. Access changes will only be made at the manager’s request.
Termination Procedures
A workforce member’s access to ePHI will be terminated when the employment ends or when the level of access granted is determined to be no longer appropriate. The Human Resources Manager will be responsible for ensuring that the workforce member’s access to the systems is revoked, as well as access to the physical office. The attached checklist will be completed to assist with this process.
References: CANM Policy #550, CANM Policy #552, CANM Policy #784
TerminationCheckList-Revised 11-2021 (1)-PDF
POLICY DESCRIPTION: Administrative Safeguards: Workforce Security
POLICY #: 783
APPROVED: March 2, 2005
REVISION DATE: May 16, 2012; July 13, 2021
EFFECTIVE DATE: April 20, 2005
HIPAA Security – General Compliance
Policy:
Cardiology Associates of North Mississippi (“CANM”) intends to make all efforts to comply with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regarding the security of electronic Protected Health Information (“ePHI”).
Procedures:
The scope of this Policy covers CANM’s general approach to compliance with the Security Regulations. As a covered entity under the Security Regulations, CANM should:
- ensure the confidentiality, integrity and availability of all ePHI CANM creates, receives, maintains or transmits;
- protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and
- ensure compliance with the Security Regulations by its workforce.
Compliance with the Security Regulations will require CANM to implement:
- Administrative Safeguards—those actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of CANM’s workforce in relation to the protection of and authorized access to said ePHI.
- Physical Safeguards—those physical measures, policies and procedures to protect CANM’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical Safeguards—the technologies and the policies and procedures for its use that protect ePHI and control access to it.
The specifications for implementation of each of these safeguards are addressed in the security policies and procedures. The Administrative Safeguards are set forth in HIPAA Security Policies #781-789; the Physical Safeguards are set forth in HIPAA Security Policies #790-793; and the Technical Safeguards are set forth in HIPAA Security Policies #794-798. NMHS also has developed policies and procedures to address these security standards for the network/system, of which we are an unaffiliated business unit.
Every member of the CANM workforce is responsible for being aware of, and complying with, the Security Regulations and the Security Policies and Procedures.
Reference: CANM Policy #750
POLICY DESCRIPTION: HIPAA Security – General Compliance
POLICY #: 780
APPROVED: March 2, 2005
REVISION DATE: July 15, 2016
EFFECTIVE DATE: April 20, 2005
Physical Safeguards: Device and Media Controls
Policy:
CANM will govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility. [164.310(d)(1)]
Procedures:
These policies and procedures pertain to the use of hard drives, storage systems, removable disks, floppy drives, CD ROMs, memory sticks, and all other forms of removable media and storage devices. The NMHS Information Technology Services (“ITS”) department should be involved in any removal or movement of any system, device, or media containing ePHI that resides on the NMHS network.
Disposal
Prior to destroying or disposing of any storage device or removable media, care must be taken to ensure that the device or media does not contain ePHI. A retrievable copy of the ePHI may be made prior to disposal if the device or media contains the only copy of ePHI that is required or needed. If the ePHI is not required or needed and is not a unique copy, a data destruction tool must be used to destroy the data on the device or media prior to disposal. North Mississippi Health Services (“NMHS”) will assist as requested with this function.
Media Re-use
CANM does not reuse video media. NMHS will assist with making network storage devices available for reuse when appropriate. Prior to making storage devices and removable media available for reuse, care must be taken to ensure that the device or media does not contain ePHI. If the device or media contains the only copy of ePHI that is required or needed, a retrievable copy of the ePHI must be made prior to reuse. If the device or media contains ePHI that is not required or needed, and is not a unique copy, a data destruction tool must be used to destroy the data on the device or media prior to reuse. A typical reformat is not sufficient, as it does not overwrite the data. When removable media is used for system backups and disaster recovery and is stored and transported in a secured environment, the use of a data destruction tool between uses is not necessary.
Accountability; Data Backup and Storage
The Security Officer will oversee the movement, receipt and removal of all hardware and electronic media. NMHS staff will assist with this function as needed.
The data backup plan is addressed in the contingency plan policy.
Reference: CANM Policy #787
POLICY DESCRIPTION: Physical Safeguards: Device and Media Controls
POLICY #: 793
APPROVED: March 2, 2005
REVISION DATE: July 8, 2014; September 15, 2022
EFFECTIVE DATE: April 20, 2005
Physical Safeguards: Facility Access Controls
Policy:
CANM will limit physical access to its electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. [164.310(a)(1)]
Procedures:
Contingency Operations
As discussed in the contingency plan policy, the workforce will be given instructions in the restoration process, including physical facility access during emergencies to support restoration of data.
Facility Security Plan; Access Control and Validation Procedures
CANM will make every effort to safeguard all facilities, systems, and equipment used to store ePHI against unauthorized physical access, tampering, or theft. CANM uses access control mechanisms for giving the workforce access to facilities used to house ePHI based systems. Key or keypad locks and swipe cards are examples of physical access control mechanisms used in CANM facilities.
All visitors who require access to facilities containing ePHI-based systems should check in with the front desk staff and provide information regarding their identity and the purpose of their visit. Visitors will be escorted to and from their destination. Visitors include vendors, repair personnel, and other non-workforce members.
Maintenance Records
A facility maintenance log will be kept to document and manage repairs and modifications to the physical security components of the Gloster Creek Village facility. This includes locks, doors, and other physical access control hardware.
North Mississippi Health Services (“NMHS”) will maintain facility access controls to address their facilities.
Reference: CANM Policy #787
POLICY DESCRIPTION: Physical Safeguards: Facility Access Controls
POLICY #: 790
APPROVED: March 2, 2005
REVISION DATE: June 17, 2009
EFFECTIVE DATE: April 20, 2005
Physical Safeguards: Workstation Security
Policy:
CANM will implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. [164.310(c)]
Procedures:
Each desktop system used to access, transmit, receive or store ePHI is appropriately secured. A user identification and password authentication mechanism has been implemented to control user access to the system.
Desktop systems that are located in open, common, or otherwise insecure areas must implement an automatic logoff mechanism. The workstation screen or display should be situated in a manner that prevents unauthorized viewing. When appropriate, an alternative security measure can be implemented (e.g., a password-protected screensaver).
A personal electronic device is classified as a portable device that interfaces with a divisional workstation. A personal electronic device is primarily used for personal information management. Personal electronic devices and other handheld mobile devices should not be used for long-term storage of ePHI; ePHI stored on handheld mobile devices must be purged as soon as it is no longer needed on that device. Members of the workforce with personal electronic devices are responsible for keeping the devices in a physically secure environment. Passwords are strongly encouraged for the privacy, security and protection of personal electronic devices.
A mobile station is also considered a portable electronic device. Members of the workforce using mobile stations are responsible for making efforts to keep such stations secure. An automatic logoff mechanism must be implemented on mobile stations.
NMHS’ Information Technology Systems (“ITS”) will ensure that all servers used to access, transmit, receive or store ePHI are appropriately secured.
POLICY DESCRIPTION: Physical Safeguards: Workstation Security
POLICY #: 792
APPROVED: March 2, 2005
REVISION DATE: May 16, 2012; August 6, 2013; September 15, 2022
EFFECTIVE DATE: April 20, 2005
Physical Safeguards: Workstation Use
Policy:
CANM will specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI. [164.310(b)]
Procedures:
To ensure that workstations and other computer systems that may be used to send, receive, store or access ePHI are only used in a secure and legitimate manner, the workforce must comply with the Computer Network and Internet Access Policy and Netiquette Policy.
Workforce members that use NMHS/CANM information systems and workstations should have no expectation of privacy. To appropriately manage its information system assets and enforce appropriate security measures, NMHS/CANM may log, review, or monitor any data (ePHI and non-ePHI) stored or transmitted on its information system assets.
NMHS may remove or deactivate any workforce member’s user privileges, including but not limited to, user access accounts and access to secured areas, when necessary to preserve the integrity, confidentiality and availability of its facilities, user services, and data.
Workforce members with remote access privileges to CANM’s network are required to ensure that their remote access connection is given the same consideration as the user’s on-site connection to CANM.
References: CANM Policy #182, CANM Policy #192
POLICY DESCRIPTION: Physical Safeguards: Workstation Use
POLICY #: 791
APPROVED: March 2, 2005
REVISION DATE:
EFFECTIVE DATE: April 20, 2005
Technical Safeguards: Access Control
Policy:
CANM will ensure that access to ePHI is only available to those persons or programs that have been appropriately granted such access. [164.312(a)(1)]
Procedures:
Unique User Identification
For the purpose of access control, CANM will identify and track each user of networks, systems, and applications that contain ePHI. Any member of the workforce that requires access to any network, system, or application that accesses, transmits, receives, or stores ePHI will be provided with a unique user identifier. When accessing the network, system, or application, a workforce member must supply his or her assigned unique user identifier in conjunction with a secure password to gain access. Workforce members should not allow another individual to use their unique user identifier or password. Workforce members should ensure that their user identification is not exposed in an insecure manner. If workforce members believe their user identification has been compromised, they must report that to the appropriate manager or the Security Officer.
Emergency Access Procedure
To ensure that access to critical ePHI is maintained during an emergency situation, procedures are established so that access to a system that contains ePHI and is used to provide patient treatment is made available to any caregiver in an emergency if denial of, or strict limits on, access to that ePHI could inhibit or negatively affect patient care. If an access failure occurs in one of CANM’s locations, ePHI can be sent from a location that is still operational to the location that is experiencing the failure. NMHS has procedures in place to recover from extreme system failures.
Automatic Logoff
Workstations that access, transmit, receive, or store ePHI, such as electronic medical records, will employ automatic logoff mechanisms that terminate a user session after a specified period of inactivity (e.g., a password-protected screensaver that blacks out screen activity). Workstations located in locked or secure environments need not implement automatic logoff mechanisms.
When leaving a workstation unattended, employees should lock the system or activate its automatic logoff mechanism (e.g., press CTRL+ALT+DELETE and select Lock Computer), or log out of all applications and database systems containing ePHI.
Encryption and Decryption
Encryption of ePHI is required in some instances as a transmission control and integrity mechanism. Internal email correspondence (Outlook) is encrypted.
North Mississippi Health Services (“NMHS”) network housing ePHI has implemented perimeter security and access control with a firewall. NMHS maintains the firewall affecting the network system.
Remote Access: Secure remote access extends the secure network to the remote user over a secure network connection. Authorization mechanisms are required for all remote access sessions to networks containing ePHI via an Internet service provider. Mechanisms to bypass authorized remote access mechanisms are prohibited. NMHS maintains remote access policies for the network.
Wireless Access: Wireless access to networks containing ePHI-based systems and applications is permitted so long as encryption is enabled and user ID/password authentication is enabled. NMHS maintains encryption requirements for wireless access.
Reference: CANM Policy #785
POLICY DESCRIPTION: Technical Safeguards: Access Control
POLICY #: 794
APPROVED: March 2, 2005
REVISION DATE: August 6, 2013; July 8, 2014
EFFECTIVE DATE: April 20, 2005
Technical Safeguards: Audit Controls
Policy:
CANM will implement audit control mechanisms to record and examine activity in information systems that contain or use ePHI. [164.312(b)]
Procedures:
North Mississippi Health Services (“NMHS”) Internal Auditing Department is responsible for audit trails on Enterprise EMR and EPIC, and will periodically monitor ITS user activity to determine if any security incidents have occurred involving CANM, as a business unit of NMHS. CANM will be notified of any potential concerns identified.
POLICY DESCRIPTION: Technical Safeguards: Audit Controls
POLICY #: 795
APPROVED: March 2, 2005
REVISION DATE: August 17, 2011; November 10, 2020; September 15, 2022; July 11, 2023
EFFECTIVE DATE: April 20, 2005
Technical Safeguards: Integrity
Policy:
CANM will protect ePHI from improper alteration or destruction. [164.312(c)(1)]
Procedures:
Mechanism to Authenticate ePHI
Data authentication is the process used to validate data integrity: to verify that the data sent is the same data that is received, and to ensure the integrity of data stored and retrieved.
NMHS uses data authentication mechanisms to maintain this function for the network, including transmission of data and ensuring that ePHI has not been altered or destroyed by a virus or other malicious code.
CANM workforce members are trained on their responsibility to maintain the integrity of ePHI.
POLICY DESCRIPTION: Technical Safeguards: Integrity
POLICY #: 796
APPROVED: March 2, 2005
REVISION DATE:
EFFECTIVE DATE: April 20, 2005
Technical Safeguards: Person or Entity Authentication
Policy:
CANM will verify that a person or entity seeking access to ePHI is the person or entity claimed. [164.312(d)]
Procedures:
CANM workforce members seeking access to any network, system, or application that contains ePHI must satisfy a user authentication mechanism such as a unique user identification and password to verify their authenticity.
CANM workforce members seeking access to any network, system, or application must not misrepresent themselves by using another person’s user ID and password or other authentication information.
CANM workforce members are not permitted to allow other individuals to use their authentication information.
POLICY DESCRIPTION: Technical Safeguards: Person or Entity Authentication
POLICY #: 797
APPROVED: March 2, 2005
REVISION DATE:
EFFECTIVE DATE: April 20, 2005
Technical Safeguards: Transmission Security
Policy:
CANM will guard against unauthorized access to or modification of ePHI that is being transmitted over an electronic communications network or via any form of removable media. [164.312(e)(1)]
Procedures:
All transmissions from nmhs.net (which includes CANM transmissions) destined for an outside entity must go through the North Mississippi Health Services (“NMHS”) network and are subject to the NMHS transmission security policies.
Integrity Controls
NMHS maintains controls for transmissions of ePHI from the NMHS domain to a network outside of the NMHS domain. Prior to transmitting ePHI from the NMHS domain to a network outside of the NMHS domain, the receiving person or entity will be authenticated.
Encryption
The CANM network participates in the NMHS domain and is covered under the NMHS security mechanisms. Therefore, all transmissions of ePHI between NMHS and CANM are permitted with no additional security mechanisms.
The transmission of ePHI within NMHS via e-mail or messaging systems is permitted without additional security measures or safeguards so long as only a minimal amount of ePHI is being transmitted. E-mail accounts that are used to send or receive ePHI should not be forwarded to non-NMHS accounts.
Communication through the patient portal is considered secure messaging.
The transmission of ePHI over a wireless network within the NMHS domain is permitted if the local wireless network is utilizing an authentication mechanism to ensure that wireless devices connecting to the wireless network are authorized, and the local wireless network is utilizing an encryption mechanism for all transmissions over the aforementioned wireless network.
When transmitting ePHI electronically, regardless of the transmission system being used, workforce members must take reasonable precautions to ensure that the receiving party is who they claim to be and has a legitimate need for the ePHI requested.
POLICY DESCRIPTION: Technical Safeguards: Transmission Security
POLICY #: 798
APPROVED: March 2, 2005
REVISION DATE: August 6, 2013; July 15, 2016
EFFECTIVE DATE: April 20, 2005