Security Management Processes

• Assess, analyze, and manage the risk of concepts and practices
• Employ security measures sufficient to reduce risk
• Uphold a sanction policy against workforce members who fail to comply with security policies
• Conduct procedures to regularly review records of information systems activities

• Identify the security official who is responsible for the development of the policies and procedures

• Establish procedures for the authorization and/or supervision of workforce members
• Demonstrate that the access of a workforce member is appropriate
• Properly remove access when employment ends or is no longer deemed appropriate

• Ensure proper protection from unauthorized access from other parts of our organization
• Grant appropriate access to ePHI through access to a workstation, transaction, program, or process
• Review authorization policies for a user’s right of access to a workstation, transaction, program, or process

• Conduct security awareness and training programs for all members of our company
• Guard against and detect malicious software programs
• Monitoring log-in attempts and guard against intrusions
• Engage in creating, changing, and safeguarding passwords

• Identify and respond to suspected or known security incidents
• Report and document security incidents and their outcomes

• Respond to emergency or other occurrences that damage systems that contain ePHI
• Conduct a data backup plan that will create and maintain retrievable exact copies of ePHI
• Participate in and implement procedures to avoid and recovery data in the event of a disaster
• Engage in procedures that will enable continuation of critical business processes for protection of ePHI  while in the operation of emergency mode
• Participate in periodic testing and revision of backup, continuation, and recovery plans
• Continue to assess the relative criticality of specific applications and data in support of contingency plan components

• Periodically review and maintain reasonable and appropriate security measures to comply with the Security Rule

• When we must enter into a contract or other arrangement with persons or businesses that meet the definition of business associate we will appropriately safeguard ePHI by obtaining assurance that the business associate will meet applicable requirements through a written contract

• Safeguard and limit physical access of our ePHI and the facilities in which they are housed
• Allow facility access in support of data and system restoration in the event of disaster recovery
• Secure all facilities against unauthorized access
• Validate a person’s access to facilities based on their roles and functions
• Document repairs and modifications to the physical components of the facilities which are related to security

• Engage in proper functions to be preformed, the manner in which the functions are to be preformed and the physical attributes surrounding the workstations

• Workstation use and accessibility will be restricted to authorized users only

• Secure and govern the receipt and removal of hardware and electronic media that contain ePHI

• Allow access on systems that contain ePHI to only those persons or software programs that have been granted access
• Track and identify user by name and/or number when accessing information systems
• Document procedures for obtaining necessary ePHI during an emergency
• Electronically terminate all person or software session after a predetermined time of inactivity
• Employ methods to encrypt and decrypt ePHI when necessary
• Record and examine activity in information systems that contain ePHI

• Protect ePHI from improper alteration and destruction
• Automatically check for data integrity with check sum verifications or digital signatures

• Verify that person or entity seeking access is authentication by proper identification

• Guard against unauthorized access to ePHI that is being transmitted over electronic communication networks
• Secure ePHI to ensure that it is not improperly modified through proper communication protocols
• Implement technologies to encrypt ePHI

• Ensure that any business associates will provide safeguards to protect ePHI and ensure that the associate agrees to implement reasonable protection of ePHI         

• Policies and Procedures will reflect the mission and culture of our organization thereby enabling our company to use current standard business practices for policy development and implementation

• We will maintain the policies  and procedures in written form and if action, activity or assessment is required to be documented we will maintain a written record of that

• We will retain this document for six years from the date of its creation or the date when it last was in effect, whichever is later

• This document is available to those persons responsible for implementing the procedures to which the document pertains

• We will review this documentation periodically and update it as needed, in response to environment and operational changes affecting the security of the ePHI.