INSIGHT VISION CENTER MEDICAL GROUP, INC.
Privacy-Security Officer: Paige Hedrick, Administrator
(559) 449-5050
Purpose: The following security policy is adopted to ensure that InSight Vision Center Medical Group, Inc. complies appropriately with applicable federal and state security protection laws and regulations. Protection of electronic protected health information (ePHI) is of great importance to this organization. Violations of any of these provisions will result in appropriate disciplinary action including possible termination of employment.
Effective Date: This policy is in effect as of September 1, 2012.
Expiration Date: This policy remains in effect until superceded or cancelled.
Policy Owner: Please contact Paige Hedrick, Practice Administrator – Privacy and Security Officer for any questions.
Assigning Privacy and Security Responsibilities
It is the policy of InSight Vision Center Medical Group, Inc. that specific individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rule’s requirements. Furthermore, it is the policy of InSight Vision Center Medical Group, Inc. that these individuals will be provided sufficient resources and authority to fulfill their responsibilities.
Risk Analysis
It is the policy of InSight Vision Center Medical Group, Inc. that a risk analysis has been completed and is periodically updated to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI. It is the policy of InSight Vision Center Medical Group, Inc. that the risk analysis includes a review of the critical nature of electronic PHI and related applications or business processes with a subsequent ranking or prioritization (criticality analysis).
Risk Management
It is the policy of InSight Vision Center Medical Group, Inc. that security measures are in place and maintained sufficient to reduce risks and vulnerabilities to reasonably appropriate level to:
1) Ensure the confidentiality, integrity and availability of all electronic PHI that this organization creates, maintains, stores, or transmits
2) Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI
3) Protect against any reasonably anticipated uses or disclosures of electronic PHI that is not permitted by HIPAA or applicable state law
4) Ensures that all members of the workforce are aware of these requirements and comply with them
Sanctions
It is the policy of InSight Vision Center Medical Group, Inc. that sanctions will be applied to workforce members who fail to comply with the security policies and procedures.
Information system activity review
It is the policy of InSight Vision Center Medical Group, Inc. that information system activity records are regularly reviewed such as security incident tracking reports.
Supervision
It is the policy of InSight Vision Center Medical Group, Inc. that an authorized, knowledgeable person must supervise maintenance personnel whenever work is being done on a system that contains or processes electronic PHI. It is also the policy of this organization that access authorization for maintenance personnel must be set appropriately for the jobs assigned to each.
Personnel Clearance
It is the policy of InSight Vision Center Medical Group, Inc. that personnel be cleared before access to electronic PHI is allowed.
Personnel and Workforce Termination
It is the policy of InSight Vision Center Medical Group, Inc. that personnel and workforce will no longer have access to electronic PHI terminated as soon as practicable after they are terminated. This will include physical access to our facility as well as technical access.
Training and Awareness
It is the policy of InSight Vision Center Medical Group, Inc. that all employees and contractors receive training in security awareness and in the security procedures to be followed during the performance of their duties. It is the policy of InSight Vision Center Medical Group, Inc. that periodic reminders and training will be provided to the workforce.
Protection from malicious software
It is the policy of InSight Vision Center Medical Group, Inc. that it will implement and maintain procedures for detecting, reporting and guarding against malicious software. It is the policy of InSight Vision Center Medical Group, Inc. that all members of the workforce will be periodically reminded and trained regarding this policy.
Log in monitoring
It is the policy of InSight Vision Center Medical Group, Inc. that log in attempts and discrepancies will be monitored to the extent practicable.
Password management
It is the policy of InSight Vision Center Medical Group, Inc. that a written procedure will be followed to create and assign passwords, which will include periodic changing and safeguarding of passwords.
Security Incident policy
It is the policy of InSight Vision Center Medical Group, Inc. that all security incidents (suspected or actual) will be identified and an appropriate response developed, including but not limited to documentation in writing. Any harmful effects or violations will be mitigated to the extent practicable. All responses and follow up actions will be documented.
Contingency Plans
It is the policy of InSight Vision Center Medical Group, Inc. that a contingency plan is in place and maintained. The contingency plan includes procedures for data back up, disaster recovery including restoration of data, and emergency mode operations. It is the policy of this organization that the contingency plan includes a procedure to allow facility access in support of restoration of lost data and to support emergency mode operations in the event of an emergency. It is the policy of this organization that access control will include procedures for emergency access to electronic PHI.
Testing
It is the policy of InSight Vision Center Medical Group, Inc. that all security controls and measures in place be periodically tested to ensure proper functioning. It is also the policy of this organization that all procedures adopted to protect the confidentiality, integrity and availability of information and information services be tested to ensure that important security considerations have not been overlooked. It is also the policy of this organization that contingency plans and related measures will be periodically tested to ensure proper functioning and to maintain readiness in the event of a contingency.
Evaluation
It is the policy of InSight Vision Center Medical Group, Inc. that a periodic technical and non-technical evaluation will be conducted to audit the effectiveness of the security controls and measures in place in consideration of environmental or operational changes.
Audit
It is the policy of InSight Vision Center Medical Group, Inc. that audit controls are in place to record and examine the activity of all information systems that contain or use electronic PHI. This organization will maintain procedures to protect electronic PHI from improper alteration or destruction and to routinely authenticate that electronic PHI retains its integrity (including but not limited to version control, read only privileges).
Authentication
It is the policy of InSight Vision Center Medical Group, Inc. that all information system users be authenticated before access to information processing resources is allowed. Specifically, each user must have his or her own system account, and passwords must never be shared.
Authorization and Termination
It is the policy of InSight Vision Center Medical Group, Inc. that authority to access electronic PHI be granted or supervision be provided to users who will work with electronic PHI. When these users no longer require their access or are terminated, all authorization will cease including the revocation and deletion of passwords, user ID’s and system privileges.
Access to Protected Health Information
It is the policy of InSight Vision Center Medical Group, Inc. that all access control mechanisms must be configured to allow access only to the information and information processing functions needed by each employee or contractor to perform their assigned duties. It is also the policy of this organization that proper procedures must be followed whenever access to health information is authorized, established or modified and that records of access authorizations must be maintained. Access will be granted and maintained to the extent possible at a system level, role or job function (and application software) level, and workstation or device level. It is the policy of this organization that access control will include unique name/and or numbers to identify and track user identity. It is the policy of this organization that access controls will include automatic log offs for unattended computer sessions and, as appropriate, applicable encryption of electronic PHI (including system level encryption for stored data, and stored data on other devices such as workstations, portable devices and backup media). It is the policy of this organization that appropriate password protection will be implemented. It is the policy of this organization that emergency access will be maintained by relying on a backup list of user IDs and passwords.
Device and Media Access Control
It is the policy of InSight Vision Center Medical Group, Inc. that reusable media, such as tapes, zip disks or diskettes, or hardware that contains electronic PHI must be securely erased or otherwise destroyed before being discarded to prevent unauthorized access to electronic PHI. This policy extends to media that will be re-used by another party. It is the policy of this organization to safeguard and account for the receipt and removal of all hardware and media containing electronic PHI. It is the policy of this organization to backup devices that contain critical electronic PHI or applications prior to their relocation as appropriate.
Physical Access Control
It is the policy of InSight Vision Center Medical Group, Inc. that areas to limit physical access to electronic information systems (including diagnostic equipment that maintains electronic PHI) to those properly authorized. It is also the policy of this organization that appropriate safeguards are in place to protect these systems and the electronic PHI they contain from tampering, theft or destruction. It is the policy of this organization that visitors sign in and are verified and monitored. It is the policy of this organization to review and supervise any repairs or modifications to the facility that could compromise security.
Workstation Use Guidelines
It is the policy of InSight Vision Center Medical Group, Inc. that workstations be positioned in such a manner as to avoid accidental, unauthorized exposure of health information. It is the policy of this organization that displays be locked when unattended. It is the policy of this organization that access to workstations be restricted to authorized users. This workstation policy extends to desktop computers, laptop computers, PDA’s, electronic diagnostic equipment and all storage media connected or stored in the immediate environment.
Secure Data Transmission
It is the policy of InSight Vision Center Medical Group, Inc. that data communications that contain electronic PHI must be encrypted or transmitted using a secure transmission protocol if they traverse public networks such as the Internet. It is also the policy of this organization that all data transmission methods must incorporate data integrity and authentication controls.
Configuration Management
It is the policy of this InSight Vision Center Medical Group, Inc. that proper procedures be followed for the installation or removal of all hardware devices or software programs. It is also the policy of this organization that the hardware/software inventory must be kept current and that the configuration must be documented in sufficient detail to be rebuilt in the case of an emergency.
Business Associates
It is the policy of InSight Vision Center Medical Group, Inc. that business associates must be contractually bound to protect electronic PHI as required in applicable federal regulations. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate. It is the policy of this organization that any business associate agreement that cannot be terminated, and has not corrected the violation will be reported to the Secretary of the Department of Health and Human Services.
SB1386 and AB1298 Compliance
It is the policy of InSight Vision Center Medical Group, Inc. that it will comply with state laws regulating the response to any breach of unencrypted information that could be used for identity theft or other malicious activities.
Document retention, availability and currency
It is the policy of InSight Vision Center Medical Group, Inc. that these policies and all related procedures be retained for 6 years from the date of its creation or the date when it was last in effect, whichever is later. It is also the policy of this organization to make this documentation available to those persons responsible for implementing the related procedures and that this documentation and policy will be kept current in response to relevant environmental or operational changes or changes in law.
Investigation and Enforcement
It is the policy of InSight Vision Center Medical Group, Inc. that in addition to cooperation with Security Oversight Authorities, this medical practice will follow procedures to ensure that investigations are supported internally and that members of our workforce will not be retaliated against for cooperation with any authority. It is our policy to attempt to resolve all investigations and avoid any penalty phase if at all possible.