GENERAL HIPAA COMPLIANCE POLICY

1. Introduction

AMELIA has adopted this General HIPAA Compliance Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs General HIPAA Compliance for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.
Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA Regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • Full compliance with HIPAA strengthens our ability to meet other compliance obligations and will support and strengthen our non-HIPAA compliance requirements and efforts.
  • Full compliance with HIPAA reduces the overall risk of inappropriate uses and disclosures of Protected Health Information (PHI) and reduces the risk of breaches of confidential health data.
  • The requirements of the HIPAA Administrative Simplication Regulations (including the HIPAA Privacy, Security, Enforcement, and Breach Notication Rules) implement sections 1171-1180 of the Social Security Act (the “Act”), sections 262 and 264 of Public Law 104-191, section 105 of 492 Public Law 110-233, sections 13400-13424 of Public Law 111-5, and section 1104 of Public Law 111-148.

4. Policy Statement

  • It is the Policy of AMELIA to become and to remain in full compliance with all the requirements of HIPAA.
  • It is the Policy of AMELIA to fully document all HIPAA compliance-related activities and efforts, in accordance with our Documentation Policy (03-BA).
  • All HIPAA compliance-related documentation will be managed and maintained for a minimum of six years from the date of creation or last revision, whichever is later, in accordance with AMELIA’ Documentation Retention policy (04-BA).

5. Procedures

In accordance with the amended HIPAA Final Rule, AMELIA commits to enacting, supporting, and maintaining the following procedures and activities, as a minimum, as required by HIPAA:

  • Privacy Policies and ProceduresAMELIA shall develop and implement written privacy policies and procedures that are consistent with the HIPAA Rules.
  • Privacy Personnel → AMELIA shall designate a privacy ocial responsible for developing and implementing its privacy policies and procedures who shall also be responsible for receiving complaints and providing individuals with information on AMELIA’ privacy practices.
  • Workforce Training and Management → Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of AMELIA (whether or not they are paid by AMELIA). AMELIA shall train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their various functions.
  • Sanctions → AMELIA shall have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures, and/or HIPAA’s Privacy and Security Rules.
  • Mitigation → AMELIA shall mitigate, to the extent practicable, any harmful eect it learns was caused by use or disclosure of PHI by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
  • Data Safeguards → AMELIA shall maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional uses or disclosures of PHI in violation of the Privacy Rule and its own policies, and to limit the incidental uses and disclosures pursuant to otherwise permitted or required uses or disclosures.
  • Complaints → AMELIA shall establish procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. AMELIA shall explain those procedures in its privacy practices notice.
  • Retaliation and Waiver → AMELIA shall NOT retaliate against a person for exercising rights provided by HIPAA, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates any HIPAA standard or requirement. AMELIA shall not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benets eligibility.
  • Documentation and Record Retention → AMELIA shall maintain, until at least six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, dispositions of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

6. Compliance and Enforcement

All AMELIA managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

POLICIES AND PROCEDURES POLICY

1. Introduction

AMELIA has adopted this HIPAA Policies and Procedures Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule.
We hereby acknowledge our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the establishment and maintenance of policies and procedures for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers,

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA Regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • Full compliance with HIPAA strengthens our ability to meet other compliance obligations and will support and strengthen our non-HIPAA compliance requirements and efforts.
  • Full compliance with HIPAA reduces the overall risk of inappropriate uses and disclosures of Protected Health Information (PHI) and reduces the risk of breaches of confidential health data.
  • The requirements of the HIPAA Administrative Simplification Regulations (including the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules) implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of 492 Public Law 110-233, sections 13400-13424 of Public Law 111-5, and section 1104 of Public Law 111-148.

4. Policy Statement

  • It is the Policy of AMELIA to create and implement appropriate policies and procedures as required by law and as suggested by good business practices and general business ethics.
  • All policies and procedures shall be updated and amended as needed or as required by law.
  • All policies and procedures shall be distributed to, or made otherwise available to, the entire workforce.
  • All policies and procedures shall be regularly maintained and secured, and copies shall be stored offsite with other important business records for safekeeping.
  • All members of the workforce are required to read, understand, and comply with this and all other policies and procedures created and implemented by AMELIA.

5. Procedures

  • AMELIA shall create or revise its own HIPAA policies and procedures, consistent with all applicable HIPAA Rules and Regulations as well as with applicable State laws and statutes.
  • AMELIA shall designate a qualified individual to assume control of the policies and procedures process. This individual, hereinafter, the HIPAA ocer, shall report to the Privacy Official and shall execute the creation or revision process in a timely manner.
  • AMELIA shall engage its qualified legal counsel to guide or review the policies and procedures creation/revision process, and to intercede where necessary, to ensure AMELIA’s policies and procedures meet all applicable HIPAA and other relevant standards.
  • AMELIA shall internally publish its HIPAA policies and procedures, when complete, to its workforce members, and shall provide appropriate training to members of its workforce on the interpretation and implementation of its policies and procedures.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

HIPAA DOCUMENTATION POLICY

1. Introduction

AMELIA has adopted this HIPAA Documentation Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amendedby the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the creation and maintenance of HIPAA-related documentation for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence inthe requirements of this policy is an important part of the responsibilities of every member ofthe workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitionscontained in the HIPAA Regulations
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordancewith the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • Full compliance with HIPAA strengthens our ability to meet other compliance obligations and will support and strengthen our non HIPAA compliance requirements and efforts.
  • Full compliance with HIPAA reduces the overall risk of inappropriate uses and disclosures of Protected Health Information (PHI) and reduces the risk of breaches of confidential health data.
  • The requirements of the HIPAA Administrative Simplication Regulations (including the HIPAA Privacy, Security, Enforcement, and Breach Notication Rules) implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of 492 Public Law 110-233, sections 13400 13424 of Public Law 111-5, and section 1104 of Public Law 111-148.

4. Policy Statement

  • It is the Policy of AMELIA to review all HIPAA-related documentation periodically, and update such documentation as needed, in response to environmental or operation changes aecting the privacy or security of individually identifiable health information.
  • Reviews of HIPAA-related documentation shall be made periodically and after any updates of the Rules, but at least every 3 years for the purposes of this policy
  • Reviews and updates of HIPAA-related documentation that occur as a result of this policy shall be made by AMELIA’ designated HIPAA ocer.
  • Reviews and updates of HIPAA-related documentation that occur as a result of this policy shall be documented according to AMELIA’ Documentation Policy (03-BA).

5. Procedures

  • The Privacy Ocial shall timely inform AMELIA’ HIPAA ocer of any changes in the relevant legislation that imply a need of updating the existing documentation.
  • Yearly, the HIPAA ocer shall conrm with the Privacy Ocial that the documentation is still accurate and that all aspects required by applicable regulations are appropriately described.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

HIPAA INVESTIGATIONS POLICY

1. Introduction

AMELIA has adopted this HIPAA Investigations Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs HIPAA Investigations for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA Regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to: civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • AMELIA recognizes that the U.S. Department of Health and Human Services (“HHS”), its Oce for Civil Rights (“OCR”) and other designees, as well as State Attorneys General, are all authorized and empowered to investigate Covered Entities and Business Associates in matters of HIPAA compliance and enforcement.
  • AMELIA recognizes that timely and full cooperation with such investigative bodies is mandatory under HIPAA law; and that failure to cooperate with any HIPAA investigation is itself a violation of HIPAA Rules.

4. Policy Statement

  • It is the Policy of AMELIA to fully comply with HIPAA law and with all HIPAA-related investigations conducted by HHS.
  • It is the Policy of AMELIA to not impede or obstruct any HIPAA-related investigations conducted by HHS.
  • It is the Policy of AMELIA to provide all documentation or assistance required by law in connection with any HIPAA-related investigations conducted by HHS.

5. Procedures

Workforce members who are designated to assist with HIPAA-related investigations conducted by HHS must adhere to the following procedures:

  • Whenever an HHS investigation is discovered, the following persons must be immediately notied:
    • Attorneys (HIPAA counsel and local counsel, if different);
    • Executive Management;
    • Privacy Officer;
    • Security Officer;
    • Compliance Officer;
    • Health Information Management Department and/or the Custodian of Records.t
  • Cooperate, but do not volunteer information or records that are not requested.
  • Ask for the ocial government agency-issued identification of the investigators (Business cards are NOT ocial identification); write down their names, oce addresses, telephone numbers, fax numbers and e-mail addresses. If investigators cannot produce acceptable I.D., call legal counsel immediately and defer the provision of any PHI until after you confer with counsel or until the investigators produce acceptable I.D. BE SURE that you’ve made appropriate requests for I.D. and that they’ve been unreasonably refused before you do.)
  • Have at least one, if not two witnesses available to testify as to your requests and their responses.
  • Ask for the name and telephone number of the lead investigator’s supervisor, but only if, in your judgment, his/her demeanor indicates that you can ask such a question without engendering “hard feelings.” Under NO circumstances should you take any action to escalate tensions, except if you genuinely doubt the identity or authority of the investigators.
  • Determine if there are any law enforcement personnel present (i.e., FBI, US Attorney investigators, State Prosecutor investigators, etc.). If law enforcement personnel are present, then the investigation is likely a criminal one, with much more severe penalties than may result from a civil investigation. Generally, guns strapped to hips are a good indicator of the presence of law enforcement personnel; but, if in doubt, ask.
  • Permit the investigators to have access to protected health information (“PHI”), in accordance with our notice of privacy practices (“NPP”), and Federal and State law. Once investigators have veried their identities and have also veried their authority to access PHI, it is a violation of HIPAA to withhold PHI from them, if the PHI sought is the subject matter of the investigation, or reasonably related to the investigation. Again, ask investigators to verify that they are seeking access to the information because it is directly related to their legitimate investigatory purposes; and document their responses in your own written records.
  • Have a witness with you when you ask about their authority to access PHI, and the use that they will make of the PHI they are seeking access to, who can later testify as to what they told you. Two witnesses are even better. All witnesses should also prepare a written summary of the conduct and communications they observed as soon as possible after the incident; these summaries should be annotated with the time and date of the event, the time and date that the summaries were completed, and the witnesses’ signature.
  • Send sta employees elsewhere, if possible, during this rst investigation encounter. Thereis no requirement that we provide witnesses to be questioned during the initial phase of aninvestigation
  • Do NOT instruct employees to hide or conceal facts, or otherwise mislead investigators.
  • Ask the investigators for documents related to the investigation. For example, request:
    • copies of any search warrants and/or entry and inspection orders;
    • copies of any complaints;
    • a list of patients they are interested in;
    • a list of documents/items seized.
  • Do NOT expect that investigators will provide any of the above, except for the search warrant and a list of documents/items seized (if any).
  • Do not leave the investigators alone, if possible. Assign someone to “assist” each investigator present.
  • Do not offer food (coee, if already prepared, and water, if already available, is ok. Don’t do anything that could be construed as a “bribe” or a “kickback” to induce favorable treatment, such as offering to buy the investigators lunch.
  • Tell investigators what you are required by law to tell them. Answer direct questions fully and to the best of your ability. Always defer to the advice of legal counsel if you are unsure of what or how much to say.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

BREACH NOTIFICATION POLICY

AMELIA has adopted this Breach Notication Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIAhereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

1. Scope of Policy

This policy governs Breach Notication for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

2. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations concerned with notications to patients and consumers about breaches of individually identifiable health information, in accordance with the requirements at § 164.400 to § 164.414.
  • Compliance with HIPAA’s breach notication requirements is mandatory and failure to comply can bring severe sanctions and penalties.
  • Timely notications to affected Covered Entities about breaches of individually identifiable health information and Protected Health Information can help reduce or prevent identity theft and fraud.
  • Timely notications to affected Covered Entities about breaches of individually identifiable health information and Protected Health Information can help protect our business and reputation.

3. Definitions

As used within the HIPAA Final (“Omnibus”) Rule, the following terms have the following meanings:,
Breach means the acquisition, access, use, or disclosure of protected health information in amanner not permitted under subpart E of this part (i.e., 45 CFR Part 164 Subpart E) which compromises the security or privacy of the protected health information.

  1. Breach excludes:
    1. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part (i.e., 45 CFR Part 164 Subpart E).
    2. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part (i.e., 45 CFR Part 164 Subpart E).
    3. A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
  2. Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E (i.e., 45 CFR Part 164 Subpart E) is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
    1. The nature and extent of the protected health information involved, including the types of identiers and the likelihood of re-identicat
    2. The unauthorized person who used the protected health information or to whom the disclosure was made;
    3. Whether the protected health information was actually acquired or viewed; and
    4.  Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specied by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L. 111-5.

4. Policy Statement

  • It is the Policy of AMELIA to provide timely notications to the affected Covered Entity about all breaches of Protected Health Information.
  • AMELIA shall notify the affected Covered Entity when any breach of Protected Health Information is discovered. A breach is treated as “discovered” by AMELIA the rst day on which such breach is known or should reasonably have been known to any employee or agent of AMELIA, other than the person who committed the breach

4. Policy Statement

  • Breach Notices must include a brief description of what happened, a description of the types of PHI involved, a brief description of the actions taken in response to the breach, and contact procedures for the Covered Entity to ask questions and obtain further information.
  • Telephone and email shall be the default methods of notication to the Covered Entity.
  • Business Associates (subcontractors) of AMELIA are required to immediately report all breaches, losses, or compromises of individually identifiable health information – whether secured or unsecured – to AMELIA’ designated HIPAA Ocer.
  • Business Associate contracts, whether existing or new, shall have corresponding Breach Notication requirements included in them.
  • Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to AMELIA’ Sanction Policy (18-BA)
  • All breach-related activities and investigations shall be thoroughly and timely documented in accordance withAMELIA’ Documentation Policy (03-BA).

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18 – BA).

PRIVACY-OFFICIAL POLICY

1. Introduction

AMELIA has adopted this Privacy-Ocial Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs designation of a Privacy Ocial for AMELIA. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA Regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to: civil 1 monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • AMELIA, as a Business Associate, recognizes that the designation of a Privacy Ocial is optional under the HIPAA Rules; and that such designation provides numerous benets to AMELIA.

4. Policy Statement

  • It is the Policy of AMELIA to designate and maintain at all times an active Privacy Official.
  • The Privacy Ocial’s general responsibilities are to :
    • Oversee all HIPAA-related compliance activities, including the development, implementation and maintenance of appropriate privacy and security-related policies  and procedures.
    • Conduct various risk analyses, as needed or required.
    • Manage breach notication investigations, determinations, and responses, including breach notications.
    • Develop or obtain appropriate privacy and security training for all workforce members, as appropriate.

5. Procedures

AMELIA‘ Privacy Ocial, and his or her designees, shall be responsible for implementing, managing, and maintaining the following procedures:

  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the information security ocer, administration, and legal counsel as applicable.
  • Maintain an accurate inventory of (1) all individuals who have access to confidential information, including PHI, and (2) all uses and disclosures of confidential information by any person or entity.
  • Administer patient requests under HIPAA’s Patient Rights.
  • Administer the process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
  • Cooperate with HHS and its Oce for Civil Rights, other legal entities, and organization ocers in any compliance reviews or investigations.
  • Work with appropriate technical personnel to protect confidential information from unauthorized use or disclosure.
  • Develop specic policies and procedures mandated by HIPAA.
  • Develop additional relevant policies, such as policies governing the inclusion of confidential data in emails, and access to confidential data by telecommuters.
  • Draft and disseminate the Privacy Notice required by the Privacy Rule.
  • Determine when consent or authorization is required for uses or disclosures of PHI, and draft forms as necessary.
  • Review all contracts under which access to confidential data is given to outside entities, bring those contracts into compliance with the Privacy Rule, and ensure that confidential data is adequately protected when such access is granted.
  • Ensure that all policies, procedures and notices are exible enough to respond to new technologies and legal requirements, or, if they are not, amend as necessary.
  • Ensure that future initiatives are structured in such a way as to ensure patient privacy.
  • Conduct periodic privacy audits and take remedial action as necessary.
  • Oversee employee training in the areas of information privacy and security.
  • Deter retaliation against individuals who seek to enforce their own privacy rights or those of others.
  • Remain up-to-date and advise on new technologies to protect data privacy.
  • Remain up-to-date on laws, rules and regulations regarding data privacy and update the Practice’s policies and procedures as necessary.
  • Track pending legislation regarding data privacy and if appropriate, seek to favorably inuence that legislation.
  • Anticipate patient or consumer concerns about our use of their confidential information, and develop policies and procedures to respond to those concerns and questions.
  • Evaluate privacy implications of online, web-based applications.
  • Monitor data collected by or posted on our website(s) for privacy concerns.
  • Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

HIPAA / STATE LAW PREEMPTION POLICY

1. Introduction

AMELIA has adopted this HIPAA/State Law Preemption Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs HIPAA Preemption and State Law for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations concerning state law preemptions of HIPAA regulations, in accordance with the requirements at § 160.201 to § 160.205.
  • HIPAA generally preempts state laws regarding medical or health privacy. However, state laws that provide stronger protections for confidential health data, or that provide for better patient and consumer access to health data than HIPAA, will generally preempt HIPAA regulations.
  • HIPAA Covered Entities and Business Associates must follow both HIPAA law and state law when possible. If there is a conict between the two, a preemption analysis and determination must be made to assess which laws (HIPAA, State Laws, or both) must be followed.

4. Policy Statement

  • It is the Policy of AMELIA to comply, whenever possible, with both state law in the state(s) where we operate, as well as HIPAA law and regulations.

5. Procedures

  • AMELIA‘s designated Privacy Ocial shall analyze HIPAA preemption issues, in cooperation with legal counsel, and make preemption determinations.
  • AMELIA‘s designated Privacy Ocial shall, in cooperation with legal counsel, create, modify, or amend organization policies to accurately reect preemption determinations and provide guidance to management on HIPAA and state law preemption issues.
  • If o-the-shelf or custom preemption analyses are obtained from external sources, it is the responsibility of the AMELIA‘ designated Privacy Ocial, in cooperation with legal counsel, to certify the validity and accuracy of such external preemption analyses before applying those analyses to AMELIA operations.
  • AMELIA‘ designated Privacy Ocial shall conduct ongoing research to monitor legislative changes in the state(s) where we operate that could aect HIPAA preemption issues.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

HIPAA TRAINING POLICY

1. Introduction

AMELIA has adopted this HIPAA Training Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs HIPAA Privacy and Security Training for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations concerning the training of workforce members, in accordance with the requirements at § 164.530(b).
  • Clear and complete HIPAA training, in combination with appropriate HIPAA awareness resources, can signicantly reduce the likelihood of breaches of confidential health information and the likelihood of HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to provide clear and complete HIPAA training to all members of the workforce, including ocers, agents, employees, contractors, temporary workers, and volunteers.
  • HIPAA training provided by AMELIA shall include relevant and appropriate aspects of both health data privacy and health data security, as it pertains to AMELIA’ operations and to the duties and responsibilities of specic individuals, workgroups, departments, and divisions.

5. Procedures

  • HIPAA training, at minimum, shall include the basics of HIPAA itself; the basics of HIPAA’s privacy and security requirements and restrictions; and a review of relevant and appropriate internal Policies and Procedures related to HIPAA and HIPAA compliance.
  • HIPAA training shall be provided to all new hires during the new employee orientation period, before new employees are exposed to or work with individually identiable health information.
  • HIPAA training shall be conducted periodically for all employees, but no less than every twelve months.
  • Fostering ongoing, continuous HIPAA awareness shall be regarded as a separate type of workforce learning from regular HIPAA training. The designated HIPAA Privacy Ocial shall be responsible for the development (or acquisition), and deployment of appropriate HIPAA awareness materials to maintain a high level of HIPAA awareness among the workforce.
  • The designated HIPAA Privacy Ocial, is responsible for the development or acquisition of appropriate HIPAA training and awareness resources.
  • HIPAA training resources should aim to develop a general understanding of HIPAA and its requirements and restrictions. HIPAA awareness resources should aim to maintain a high level of HIPAA awareness, and a protective attitude toward confidential data on an ongoing, daily basis.
  • The training is developed through a platform provided by Amelia so that workers can complete it.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

PHI USES AND DISCLOSURES POLICY

1. Introduction

AMELIA has adopted this Protected Health Information (“PHI”) Uses and Disclosures Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013)…

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the permitted uses and disclosures of Protected Health Information for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of
he workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations concerning uses and disclosures of Protected Health Information, in accordance with the requirements at § 164.502 to § 164.514.
  • AMELIA must implement policies and procedures to ensure that all uses, and disclosures of PHI are made or denied in accordance with HIPAA law and regulations.
  • For especially sensitive information (e.g., AIDS/HIV, alcohol and drug abuse prevention and treatment, and the like), patient consent to disclosure must be informed. That is, made with the patient’s or consumer’s knowledge of the risks and benets of the disclosure.
  • Any disclosure of confidential patient information carries with it the potential for an unauthorized redisclosure that breaches confidentiality.
  • If AMELIA incurs in costs when releasing patient information (e.g., copying, postage, and so forth) HIPAA Regulations and State law may permit to charge a reasonable fee to oset those costs.

4. Policy Statement

  • It is the Policy of AMELIA to conduct its operations in full compliance with HIPAA’s Rules governing uses and disclosures of Protected Health Information.
  • AMELIA will process requests for information from patient records in a timely, consistent manner as set forth in this policy.

5. Procedures

    • The following priorities and time frames shall apply to requests for disclosures of PHI:
      • Emergency requests involving immediate emergency care of patient: immediate processing
      • Priority requests pertaining to current care of patient: within one workday.
      • Patient request for access to own record: within three (3) workdays.
      • Subpoenas and depositions: as required.
      • All other requests: within ve (5) workdays.
    • Courtesy Notications to Practitioners – As a courtesy, records processing personnel shall notify the appropriate healthcare practitioner when any of the following occur:
      • Patient or his or her representative requests information from the medical record.
      • Patient or representative requests direct access to the complete medical record.
      • Patient or representative institutes legal action.
    • Disclosure Monitoring and Logging – Medical records personnel will maintain a log to track the step-by-step process towards completion of each request for the release of PHI. Health Information Management personnel and the designated Privacy Ocial, will review and update this log to give proper priority to requests and to provide early intervention in problem situations. The log shall contain the following information:
      • Date department received the request.
      • Name of patient.
      • Name and status (patient, parent, guardian) of person making request
      • Information released.
      • Date released..
      • Fee charged (if any).
    • Schedule – AMELIA will process requests for information from patient records in a timely, consistent manner as set forth in this policy.
    • Fee – AMELIA will charge a reasonable fee to oset the costs associated with specic categories of requests. The designated HIPAA Privacy Ocial, shall develop and implement a Fee Schedule related to disclosures of PHI. Fees shall be based on an assessment of such factors as the costs of equipment and supplies, employee costs, and administrative overhead and shall include postage (including express mail or courier costs) when incurred at the request of the authorizing party. For requests for records in electronic format, HIPAA permits fees to include only direct labor costs when responding to such requests. Individual states have also established maximum fees for copies of patient records.
    • Unless the request species release of the complete medical record, AMELIA shall release only selected portions of the record. AMELIA shall prepare an appropriate cover letter detailing the items included.
    • Prohibition of Redisclosure – Unless a law or regulation requires a more specic prohibition on redisclosure (usually for AIDS/HIV, alcohol and drug abuse, and other particularly sensitive medical information), each disclosure outside the facility shall contain the following notice:
      • The attached medical information pertaining to [Name of patient] is confidential and legally privileged. AMELIA has provided it to [Name of recipient] as authorized by the patient. The recipient may not further disclose the information without the express consent of the patient or as authorized by law.
    • Retention of Disclosure Requests – The designated Privacy Ocer, or other responsible party (if no Privacy Ocial has been designated), will retain the original request, the authorization for release of information, and a copy of the cover letter in the patient(s) medical record for the appropriate record retention period.
    • Use of Copying Services – To facilitate the timely processing of release of information requests, AMELIA may use the services of a commercial copying service on terms that protect the integrity and confidentiality of patient information.
    • Disclosure Quality Control – The designated Privacy Ocial, shall conduct a routine audit of the release of information at least annually, paying particular attention to the following:
      • Validity of authorizations
      • Appropriateness of information abstracted in response to the request.
      • Retention of authorization, request, and transmitting cover letter
      • Procedures for telephone, electronic, and in-person requests.
      • Compliance with designated priorities and time frames.
      • Proper processing of fees.
      • Maintenance of confidentiality.
    • In-service Training on Disclosures — The Privacy Ocial shall give periodic in-service training to all employees involved in the release of information.
    • Annual Policy Review – The Privacy Ocial shall review this policy and associated procedures with risk management and legal counsel at least annually.
    • Capacity to Authorize — AMELIA requires a written, signed, current, valid authorization to release
      medical information as follows:
Patient Category Required Signature
Adult Patient The patient or a duly authorized representative, such as
court-appointed guardian or attorney. Proof of
authorized representation required (such as notarized
power of attorney).
Deceased Patient Next of kin as stated on admission face sheet (state
relationship on authorization) or executor/ administrator
of estate.
Unemancipated Minor Parent, next of kin, or legally appointed guardian or
attorney (proof of relationship required)..
Emancipated Minor Same as adult patients above.
  • Authorization Forms — The designated Privacy Ocial shall develop and use an approved authorization form. All personnel will use this form whenever possible. All personnel shall, however, honor letters and other forms, provided they include all the required information.
  • Refusal to Honor Authorization — The designated Privacy Ocial will not honor a patient authorization when there is a reasonable doubt or question as to the following information:
    • Identity of the person presenting the authorization.
    • Status of the individual as the duly appointed representative of a minor, deceased, or
      incompetent person.
    • Legal age or status as an emancipated minor
    • Patient capacity to understand the meaning of the authorization.
    • Authenticity of the patient(s) signature.
    • Current validity of the authorization.
    • In such situations, the employee shall refer the matter to the Privacy Ocer for review and
      decision.
  • Electronic Records — The above requirements apply equally to electronic records. No employee shall release electronic records without complying with this policy.

Person and Identity Verication Table

Person and Identity Verication Table

Person to Identify In-Person Encounter Telephone Encounter Request in Writing (E-mail, mail, hand-delivered)
Attorney Presents with business card and photo identification (i.e., drivers license or organization ID badge). It would be dicult to verify identity and authority by phone. Verication in person or in writing may be required Supplies business card, photo identification (i.e. driver’s license or org ID badge), letterhead. Conrmation call is required.
Facility Directory: Verify identity Verify identity Verify identity.
Patient Patient provides name, address, and date of birth and/or social security number; or Acquainted with patient Patient provides name, address, and date of birth and/or social security number; or Acquainted with patient Patient provides name, address, and date of birth and/or social security number. Verify patient’s signature with that on le or on driver’s license.
Personal Representative (Legal Guardian) for the Patient Personal Rep provides patient’s name, address, and date of birth and/or social security number, and veries (via legal docs) relationship to patient; or, Acquainted with personal Rep as such. Personal Rep provides patient’s name, address, and date of birth and/or social security number, and veries (via legal docs) relationship to patient; or, Acquainted with Personal Rep as such. Patient provides name, address, and date of birth and/or social security number. Verify patient’s signature with that on le or on driver’s license.

Persons Involved in the Patient’s Immediate Care (PHI relevant only to the patient’s current care

(164.510(b)). Blood Relative Spouse Domestic Partner Roommate Boy/Girl Friend Neighbor

Patient actively involves this person in his/her care; or In your best professional judgment, the disclosure is in the patient’s best interest. Patient actively involves this person in his/her care; or In your best professional judgment, the disclosure is in the patient’s best interest. N/A
Colleague   Use call-back  
Power of Attorney for the Patient Presents with a photo ID and a copy of the POA. Verify patient’s signature with one
on le. Acquainted with power of attorney as being such
Previously obtained a copy of the POA and veried the patient’s signature with one
on file. Acquainted with power of attorney as being such
Obtain a copy of the POA and verify the patient’s signature with one on le
Provider From Another Facility Acquainted with provider as a treatment provider; Provider is wearing a photo badge from his/her facility; or, Patient/personal representative introduces provider to you. Acquainted with provider as a treatment provider; or; Call requestor back through main switchboard number (not via a direct number). Recognize name of facility and address on letterhead as a treatment facility; or Call requestor back through main switchboard number (not via a direct number).

Public Official

CIA Court Order FBI Law Enforcement Ocer OCR OIG Public Health Agency Ocial Other

Presents an agency I.D. badge; Presents with a written statement of legal authority;
Presents with a written statement of appointment on approp. govt. letterhead; Presents with warrant, court order, or legal process issued by a grand jury, or a judicial or admin. tribunal; Presents with a contract for services or purchase order; or, Official states release is necessary to prevent or lessen the threat to the
Official states release is necessary to prevent or lessen the threat to the health/safety of a person/public. Written statement of legal authority; Written statement of appointment on appropriate government; Warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal; or Contract for services or purchase order
  health/safety of a person/public.    

Vendor Who Helps Assists w Treatment, Payment, or Health Care Operations

Examples Include, But Are Not Limited to the Following:
Accreditation Org. DME Company Insurance Co. Pharmacy Vendor Software Vendor Statement Vendor

Recognize requestor/ organization; or Photo identification with organization Recognize requestor or organization Recognize requestor/ organization; or Call requestor back through main switchboard number (not via a direct number).
Workforce Member of Our Organizationr Acquainted with individual as a workforce member; or, Workforce member is wearing an I.D. badge. Acquainted with individual as a workforce member; or, Workforce member is calling from an in-house extension. Request is sent from/through our own computer system; or Request is on our own letterhead.

PHI Disclosures Table

Requestor Authorization Required? Copy Fee Charged? Track on Disclosure Accounting?
Accrediting Agencies (JCAHO, CARF) No No No
Attorney for Resident Yes Yes No
Attorney for Facility/Corporation No No No
Contractors/ Business Associates No, unless their purpose falls outside of TPO. No No

For Deceased Persons

Coroner or Medical Examiner, Funeral Directors Organ Procurement

No No Yes

Employer

PHI specic to work related illness or injury, and

No, for the purpose listed. No No
Required for employer’s
compliance with occupational
safety and health laws
Yes for all
others.
   
Family Members No for oral
disclosures to family members involved in care; Yes for others
Yes No

Entity Subject to the Food and Drug Administration

Adverse events, product defects or biological product deviations
Track products Enable product recalls, repairs, or replacements Conduct post marketing surveillance

No No Yes
Health Oversight
Government benets program Fraud and abuse compliance Civil rights laws
Trauma/tumor registries Vital statistics Reporting of abuse or neglect
No No Yes
Health Care Practitioners and Providers
for Continuity of Treatment and Payment
No No No
Health Care Practitioners and Providers if not Involved in Care or Treatment (i.e., consultants) No No No

Insurance Companies/Third Party Payors

Related to Claims Processing

No No No

Judicial and Administrative Proceedings

Court order, or warrant Subpoena

No
No – See Subpoena Policy
No
Yes
Yes
Yes

Law Enforcement

Administrative request Locating a suspect, fugitive, material witness or missing person
Victims of crime Crimes on premises Suspicious deaths Avert a serious threat to health or
safety

No No Yes, except for disclosures to
correctional institutions.

Public Health Authorities

Surveillance Investigations Interventions Foreign governments collaborating with US public health authorities Recording births/deaths Child/elder abuse Prevent serious harm Communicable disease

No No Yes
Research (w/o Authorization) No, if IRB or Privacy Board
approves research study and waives authorization.
No Yes
Resident/Resident’s Personal Representative No Yes No

Specialized Government Functions

Military and Veterans’ activities Protective services for the President Foreign military personnel National security and intelligence activities

No No Yes, except for disclosures for national security and intelligence activities.

Workers’ Compensation

Comply w/existing laws (see state law)

No See
applicable State Law
Yes

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

PATIENT RIGHTS POLICY

1. Introduction

AMELIA has adopted this Patient Rights Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title= XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013). We acknowledge that full compliance with the HIPAA Final Rule is required by or before September 23, 2013.

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the provision and management of Patient Rights for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements pertaining to the rights of patients at § 164.520, to § 164.528, as 1 amended by the HITECH Act of 2009 (ARRA Title XIII), and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).
  • Patient information related to patient rights includes only that information contained in each patient’s Designated Record Set (“DRS”), which is defined in the HIPAA regulations at § 164.501 as:
    • A group of records maintained by or for a covered entity that is:
      • The medical records and billing records about individuals maintained by or for a covered health care provider;
      • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
      • Used, in whole or in part, by or for the covered entity to make decisions about individuals.
    • The term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
  • The provision of patient rights in a timely and positive manner can enhance the quality of care we provide to patients, by providing certain rights and controls to patients over their individually identifiable health information.

4. Policy Statement

  • It is the Policy of AMELIA to provide all the patient rights that are called for in the HIPAA regulations.
  • Patient Rights that we provide, and support include:
    1. The Right to receive a copy of our “Notice of Privacy Practices”, which details how individually identifiable health information may be used or disclosed by this organization.
    2. The Right to review or obtain a copy of medical records about that patient, or about the patient’s minor children.
    3. The Right to request restrictions on the use or disclosure of the patient’s medical records
    4. The Right to receive individually identifiable health information at an alternate address or through alternate delivery means, such as by fax or courier.
    5. The Right to request amendments to medical records, with certain limitations
    6. The Right to an accounting of certain disclosures of individually identifiable health information.
    7. The Right to le a privacy complaint directly with us, or with the federal government.
  • No retaliation of any kind is permitted against any person, patient, or workforce member for exercising any Right guaranteed by HIPAA.
  • It is the Policy of AMELIA that our Designated Record Set, for purposes of fullling HIPAA Patient Rights includes the following types or categories of data and items:
    • Identification data
    • Behavioral data
    • Contact data
    • Medical history if the person shares it.
    • Psychological data

5. Procedures

  • When a patient exercises a right under HIPAA regulation, the Privacy Ocer will verify the business associate contract with the relevant covered entity to determine if it shall make such PHI available to the covered entity or if it needs to provide an individual with access to the information directly

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

PRIVACY COMPLAINTS POLICY

1. Introduction

AMELIA has adopted this Privacy Complaints Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the privacy complaints process for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to privacy complaints in accordance with the requirements at § 164.530(a) and § 164.530(d), as amended by the HITECH Act of 2009 (ARRA Title XIII), and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).
  • HIPAA regulations, at § 164.530(g), prohibit intimidating or retaliatory acts against any person or patient who les a privacy complaint or exercises any Right guaranteed under HIPAA.

4. Policy Statement

  • It is the Policy of AMELIA to respond in a timely and positive manner to all complaints submitted by any persons or parties, including patients, workforce members, and any other person or party.
  • Responsibility for the acceptance of, management of, and responses to complaints shall reside with the designated HIPAA Privacy Ocer, who shall establish a process and appropriate forms to receive and process complaints.

5. Procedures

  • All complaints must be submitted in written form, dated and signed by the complainant.
  • AMELIA shall investigate and respond to all complaints with a written response within 30 days of the time each complaint is submitted in writing. If more time is required to investigate and resolve a specic complaint, the complainant shall be notied in writing within 30 days of the time each complaint is submitted in writing, that additional time is required to investigate and resolve the complaint. In no case shall more than 60 days elapse between the time a complaint is submitted in writing and the resolution of the complaint.
  • The designated HIPAA Ocer shall investigate each and every complaint in a fair, impartial, and unbiased manner. All parties named in the complaint, or who participated in events leading to the complaint, shall be interviewed in a non-threatening and non coercive manner.
  • The nal resolution or disposition of each complaint shall be documented in accordance with AMELIA‘ Documentation Policy (03-BA), and shall be retained in accordance with AMELIA‘ Documentation Retention Policy (04-BA).
  • The nal resolution or disposition of each complaint shall be documented and a summary of the ndings shall be provided to the complainant within 30 days of the time each complaint is submitted in writing, unless the additional 30-days of response time is invoked, as above.
  • In addition to providing complainants with a written response to their complaint, complaints that are found to have merit will be resolved with some remediation that is appropriate to the severity of the situation. Such remediations may include, but are not limited to:
    • A written apology to the complainant from our organization.
    • Credit-monitoring service for the complainant for a period of one or two years, paid for by our organization, when the complaint involves a breach of unsecured individually identifiable health information that has been compromised or put at risk by our actions.
    • Financial compensation, if determined to be appropriate by legal counsel and senior management.
    • Sanctions against workforce members, as appropriate to the circumstances.
    • Other unspecied remediation(s), as determined by legal counsel and senior management.
  • For complaints submitted to the federal government, it is the Policy of AMELIA to cooperate fully and openly with federal authorities as they conduct their investigation, as specied in AMELIA’ HHS Investigations Policy (07-BA).
  • No ocer, agent, employee, contractor, temporary worker, or volunteer of AMELIA shall obstruct or impede any investigation in any way, whether internal or federal.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

RISK MANAGEMENT PROCESS POLICY

1. Introduction

AMELIA has adopted this Protected Health Information (“PHI”) Uses and Disclosures Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

2. Introduction

AMELIA has adopted this Risk Management Process Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013). We acknowledge that full compliance with the HIPAA Final Rule is required by or before September 23, 2013.

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

3. Scope of Policy

This policy governs the establishment and maintenance of a Risk Management Process for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

4. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the establishment and management of an appropriate risk management process, in accordance with the requirements at § 164.302 to § 164.318.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to: civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • The establishment and maintenance of an appropriate risk management process will generally reduce our privacy and security risk, can reduce the likelihood of creating HIPAA violations, whether inadvertent or intentional.

5. Policy Statement

Ocers, agents, employees, contractors, temporary workers, and volunteers must read, understand, and comply with this policy.

  • It is the Policy of AMELIA to establish, implement, and maintain an appropriate risk management process.
  • Such a risk management process shall be under the direct control and supervision of the designated Privacy Ocial and shall involve legal counsel, information technology, records management, senior management, and any other parties or persons deemed to be appropriate to the process.
  • Business and information-technology “best practices”, along with the research and recommendations of the National Institute for Standards and Technology (“NIST”), shall be included in the development and execution of the risk management process.
  • AMELIA’s risk management process shall strive to identify, analyze, prioritize, and minimize identied risks to information privacy, security, integrity, and availability. The nature and severity of various risk and risk elements shall be identied and quantied, with the goal of reducing risk as much as is practicable. The risk management process shall be ongoing, and shall be updated, analyzed, and improved on a continuous basis.
  • The results of the risk management process shall be input into management’s decision-making processes, in order to help reduce our overall risk and to comply with HIPAA and other applicable laws and regulations.

6. Procedures

AMELIA’ risk management process will involve the following key steps:

  • An annual risk assessment exercise undertaken by management facilitated by the Privacy Ocial in accordance with the Risk Analysis Policy (16-BA), which involves assessment of the consequence and likelihood of risk.
  • The development and/or review of individual risk management plans for the risks identied which exceed AMELIA’ defined acceptable risks;
  • The incorporation of risk management into institutional strategic planning, and operational and resource management planning processes;
  • Document all risks with a potentially high impact, as assessed on the basis of their likely occurrence or impact; and
  • Test documented risk management procedures at appropriate intervals.

7. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

RISK ANALYSIS POLICY

1. Introduction

AMELIA has adopted this Risk Analysis Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Risk Analysis for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to risk analysis, in accordance with the requirements at § 164.308(a)(1).
  • Risk analysis is an integral part of this organization’s overall Risk Management Process Policy and process.

4. Policy Statement

  • It is the Policy of AMELIA to conduct periodic assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (“ePHI”) that we are entrusted with.
  • Responsibility for conducting periodic risk analyses shall be with the designated Privacy Ocial who shall establish a plan and procedures for the conduct of such analyses.

5. Procedures

  • All such risk analyses and assessments shall be conducted periodically, but at least annually.
  • The risk analysis process shall be modeled upon the risk analysis process recommended by the National Institute for Standards and Technology (“NIST”).
  • The results of risk analyses and assessments shall become an integral part of management’s decision-making process, and shall guide decisions related to the protection of Protected Health Information.
  • All such risk analyses and assessments shall be documented in accordance with this organization’s Documentation Policy (03-BA) and HIPAA Regulations.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

RISK MANAGEMENT IMPLEMENTATION POLICY

1. Introduction

AMELIA has adopted this Risk Management Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Risk Management Implementation for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to risk management implementation, in accordance with the requirements at § 164.308(a)(1).
  • Compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties.
  • This Risk Management Implementation Policy shall be considered an integral part of our other Risk Management policies, including, but not limited to, our:
    1. Risk Management Process Policy, and our
    2. Risk Analysis Policy

4. Policy Statement

  • It is the Policy of AMELIA to fully and completely implement our risk management process and all related policies.
  • The implementation of our risk management process, analyses, and improvements shall be under the direct supervision of the designated Privacy Official.
  • The designated Privacy Ocial shall develop and implement a plan, procedures, and a timetable for the implementation of our risk management process in all its aspects. Such actions shall be consistent with our other risk management policies.

5. Procedures

  • Based on the results of the performed Risk Analysis, the Privacy Ocial shall develop a risk management strategy that includes roles and responsibilities for each unit together with the applicable deadlines and submit it to management for approval.
  • Once said approval has been obtained, the strategy shall be published in the internal channels of the organization and the corresponding department managers shall deploy the units assigned to them.
  • The Privacy Ocial shall monitor the implementation of the measures assigned to each department and host follow-up meetings until the totality of the units have been addressed.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

SANCTION POLICY

1. Introduction

AMELIA has adopted this Sanction Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Workforce Sanctions and disciplinary actions for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to workforce-member sanctions, in accordance with the requirements at § 164.308(a)(1).
  • Appropriate, fair and consistent sanctions have a deterrent inuence on workforce transgressions; can help prevent breaches of individually identifiable health information and Protected Health Information, and can help prevent, or reduce the severity, of HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to establish and implement appropriate, fair and consistent sanctions for workforce members who fail to follow established policies and procedures, or who commit various offenses.
  • Sanctions applied shall be appropriate to the nature and severity of the error or offense, and shall consist of an escalating scale of sanctions, with less severe sanctions applied to less severe errors and oenses, and more severe sanctions applied to more severe errors and offenses.
  • Certain oenses can invoke immediate termination, including, but not limited to:
    • Theft;
    • Intentional lying or deception;
    • Drug or alcohol use while on the job;
    • Violence against persons or property;
  • Offenses involving obvious illegal activity may result in notications to appropriate law enforcement authorities.
  • It is the Policy of AMELIA to fully document all workforce sanctions and their dispositions, according to our Documentation Policy and HIPAA requirements.

5. Procedures

  • Upon the rst noncompliant event, the workforce member’s supervisor will have a private conversation with the workforce member and review the appropriate policy and procedure to be certain the workforce member understands the policy.
  • Upon the second noncompliant event, the supervisor and oce administrator will have a private conversation with the workforce member, and a written reprimand will be placed in the employee’s personnel file.
  • Upon the third noncompliant event for the same activity, the workforce member will be sent home for 3 days without pay.
  • Upon the fourth non-compliant event, employee will be terminated.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

INFORMATION SYSTEMS ACTIVITY REVIEW POLICY

1. Introduction

AMELIA has adopted this Information Systems Activity Review Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the condfientiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Information Systems Activity Reviews for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to information systems activity review, in accordance with the requirements at § 164.308(a)(1).

4. Policy Statement

  • It is the Policy of AMELIA to regularly review various indicators and records of information system activity, including, but not limited to: audit logs; access reports; and security incident reports.
  • The goal of this Information Systems Activity Review Policy is to prevent, detect, contain, and correct security violations and threats to individually identifiable health information, whether in electronic or any other forms.
  • It is the Policy of AMELIA to fully document all information system activity review activities and efforts.
  • This Information Systems Activity Review Policy shall be implemented and executed in accordance with our risk management policies and procedures.

5. Procedures

    • Definitions:
      • Log Review: The internal process of reviewing information system access and activity (e.g., log-ins, le accesses, and security incidents). A review may be done as a periodic event, as a result of a Covered Entity request, or suspicion of employee wrongdoing. Review activities shall also take into consideration AMELIA’ information system risk analysis results.
      • System Logs: Records of activity maintained by the system which provide: date and time of activity; origin of activity; identification of user performing activity; description of attempted or completed activity.
      • Review Trail: A means to monitor information operations to determine if a security violation occurred by providing a chronological series of logged computer events (review logs) that relate to an operating system, an application, or user activities. Review trails provide: Individual accountability for activities such as an unauthorized access of ePHI; Reconstruction of an unusual occurrence of events such as an intrusion into the system to alter information; Problem analysis such as an investigation into a slowdown in a system’s performance, and other data as needed based on AMELIA’ objectives

A review trail identies who (login) did what (create, read, modify, delete, add, etc.) to what (data) and when (date, time).

      • Electronic Protected Health Information (ePHI): Means individually identifiable health information that is: transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
      • .Trigger Event: Activities that may be indicative of a security breach that require further investigation, e.g., High risk or problem prone incidents or events, Covered entity request, Employee complaints, Requests by law enforcement or other outside agency with proper subpoena if applicable, Atypical patterns of activity, Failed authentication attempts, After-hours activity if applicable, Activity post termination, etc.
    • General
      • Responsibility for reviewing information system access and activity is assigned to
        AMELIA’ CTO. The responsible individual shall:
        • Assign the task of generating reports for review activities to the individual responsible for the application, system, or network
        • Assign the task of reviewing the logs to the individual responsible for the application, system, or network, the Privacy Ocial, or any other individual determined to be appropriate for the task.
        • Organize and provide oversight to a team structure charged with review compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
      • AMELIA reviewing processes shall address access and activity at the following levels
        listed below. Reviewing processes may address date and time of each log-on attempt,
        date and time of each log-o attempt, devices used, functions performed, etc.
        • User: User level review trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and les, patients, and resources accessed.
        • Application: Application level review trails generally monitor and log user activities, including data les opened and closed, patients accessed, specic actions, and printing reports.
        • System: System level review trails generally monitor and log user activities, applications accessed, and other system defined specic actions.
        • Network: Network level review trails generally monitor information on current operations, penetrations, and vulnerabilities
      • AMELIA shall determine the systems or activities that will be tracked or reviewed by:
        • Focusing efforts on areas of greatest risk and vulnerability as identied in the information systems risk analysis and ongoing risk management processes.
        • Maintaining confidentiality, integrity, and availability of ePHI applications and systems
        • Assessing the appropriate scope of system reviews based on the size and needs of AMELIA by determining:
          • information/ePHI at risk,
          • systems, applications or processes which arevulnerable to unauthorized or inappropriate access,
          • activities that should be monitored (create, read, update, delete = CRUD),
          • information to be included in the review record.
      • AMELIA shall provide immediate reviewing in response to trigger events and:
        • Covered entity request.
        • Employee complaint.
        • Suspected breach of patient confidentiality.
        • High risk or problem prone event.
        • External report, such as from credit bureau or law enforcement.
      • AMELIA shall determine review criteria with a risk based approach. This may include but is not limited to reviewing security risk analysis ndings, past experience, current and projected future needs, and industry trends and events. AMELIA will determine its ability to generate, review, and respond to review reports using internal resources. AMELIA may determine that external resources are also appropriate. AMELIA recognizes that failure to address automatically generated review logs, trails, and reports through a systematic review process may be more detrimental to the organization than not reviewing at all.
      • AMELIA shall designate the employees or contractors who are authorized to use
        security testing and monitoring tools. Such tools may not be used by anyone not specically authorized. These tools may include, but are not limited to:
        • Scanning tools and devices
        • Password cracking utilities
        • Network or wireless packet capture utilities
        • Passive and active intrusion detection systems
        • Other devices as determined by AMELIA
      • Review documentation/reporting tools shall address, at a minimum, the following date elements:
        • Authorizing ocial or policy, Application, System, Network, Department, and/or User Reviewed.
        • Review Type.
        • Individual/Department Responsible for Review.
        • Date(s) of Review
        • Reporting Responsibility/Structure for Review Results.
        • Conclusions.
        • Recommendations.
        • Actions
        • Assignments.
        • Follow-up.
      • The process for review of logs, trails, and reports shall include:
        • Description of the activity as well as rationale for performing review.
        • Identification of which workforce members or department/unit will be responsible for review (workforce members should not review logs which pertain to their own system activity unless there is no alternative or an inherent conict of interest).
        • Frequency of the reviewing process
        • Determination of signicant events requiring further review and follow-up.
        • Identification of appropriate reporting channels for review of results and required
          follow-up.
      • Vulnerability testing software may be used to probe the network. This may be to identify what is running (e.g., operating system or product versions in place). Any
        publicly-known vulnerabilities should be corrected. Re-evaluate whether the system can withstand attacks aimed at circumventing security controls.
        • Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third party reviewing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be reviewing their own services – separation of duties).
        • Testing shall be done annually.
    • Review request for specic causes
      • A request may be made for review for a specic cause. The request may come from a variety of sources including, but not limited to, Covered Entity’s, Human Resources, Risk Management, Privacy Ocial, and/or a member of AMELIA’ administration.
      • A request for a review for specic cause must include time frame and nature of the request. The request must be reviewed and approved by AMELIA Privacy Ocial.
    • Evaluation and reporting of review findings
      • System logs that are routinely gathered must be reviewed in a timely manner.
      • Report of review of results shall be limited on a minimum necessary/need to know basis. Review of results may be disclosed as deemed necessary. Legal or administrative counsel shall be consulted.
      • The reporting process shall allow for meaningful communication of the review ndings to the appropriate departments/units.
        • Signicant ndings shall be reported immediately in a written format. AMELIA security incident response form may be utilized to report a single event.
        • Routine ndings shall be reported to the sponsoring leadership structure in a written report format.
      • Security reviews constitute an internal, confidential monitoring practice that may be included in AMELIA’ performance improvement activities and reporting. Care shall be taken when releasing the results of the reviews. Review information which may further expose organizational risk should be shared with extreme caution. Generic security review information may be included in organizational reports (PHI shall not be included in the reports).
      • Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible and sponsoring departments/units.
      • If criminal activity is discovered during a review, it should be reported to appropriate law enforcement.
    • Reviewing business associate and/or vendor access and activity
      • Periodic monitoring of business associate and vendor information system activity should be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between AMELIA and the external agency.
      • If it is determined that the business associate or vendor has exceeded the scope of access privileges, AMELIA’ leadership must reassess the business relationship.
      • If it is determined that a business associate has violated the terms of the HIPAA business associate agreement, AMELIA must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.
    • Review log security controls and backup
      • Review logs shall be protected from unauthorized access or modication, so the information they contain will be available if needed to evaluate a security incident.
      • Whenever possible, audit trail information shall be stored on a separate system. This is done to apply the security principle of “separation of duties” to protect audit trails from hackers. Audit trails maintained on a separate system would not be available to hackers 6 who may break into the network and obtain system administrator privileges. A separate system would allow AMELIA to detect hacking security incidents. .
      • Review logs maintained within an application shall be backed-up as part of the application’s regular backup procedure.
      • AMELIA shall review internal back-up, storage and data recovery processes to ensure that the information is readily available in the manner required. See AMELIA’ backup procedures.
    • Workforce training, education, awareness and responsibilities

AMELIA workforce members are provided training, education, and awareness on safeguarding the privacy and security of business and patient protected health information. AMELIA’ commitment to reviewing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies.

Workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the
reviewing process detect a workforce member’s failure to comply with organizational policies

  • Retention of review information
    • Review logs and audit trail report information shall be maintained based on organizational needs. There is no standard or law addressing the retention of review log/trail information. Retention of this information shall be based on:
      • Organizational history and experience.
      • Available storage space
    • Reports summarizing review activities shall be retained for a period of six years.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA)

ASSIGNMENT OF SECURITY RESPONSIBILITY POLICY

1. Introduction

AMELIA has adopted this Assignment of Security Responsibility Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the Assignment of Responsibility for health information data security for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of
the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the assignment of security responsibility, in accordance with the requirements at § 164.308(a)(2).
  • The assignment of overall security responsibility is an important and integral part of our overall risk management process and shall be conducted in accordance and coordination with our Risk Management Process Policy.

4. Policy Statement

  • It is the Policy of AMELIA to assign overall responsibility for the security of individually identifiable health information, in electronic and other forms, to a person who is qualied and competent to assume such responsibility.
  • The person with overall responsibility for the security of individually identifiable health information, in electronic and other forms, shall be the [*] designated Privacy Ocial, who shall report directly to [*].

5. Procedures

The Privacy Ocial shall implement the following procedures, as appropriate, in accordance with AMELIA’ Risk Management policies:

  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the information security ocer, administration, and legal counsel as applicable.
  • Maintain an accurate inventory of (1) all individuals who have access to the Practice’s confidential information, including PHI, and (2) all uses and disclosures of the Practice’s confidential information by any person or entity.
  • Administer patient requests and processes under HIPAA’s patient rights.
  • Administer the process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
  • Cooperate with the Oce of Civil Rights, other legal entities, and organization ocers in any compliance reviews or investigations.
  • Work with appropriate technical personnel to protect the Practice’s confidential information from unauthorized use or disclosure.
  • Develop specic policies and procedures mandated by the Privacy Rule.
  • Develop additional relevant policies, such as policies governing the inclusion of confidential data in emails, and access to confidential data by telecommuters.
  • Draft and disseminate the privacy notice required by the Privacy Rule.
  • Determine when the Practice might need member consent or authorization for use or disclosure of PHI, and draft forms as necessary.
  • Ensure that any research efforts conducted or supported by the Practice comply with appropriate privacy laws and policies and adequately protect the privacy of the data subjects.
  • Review all contracts under which access to confidential data is given to outside entities, bring those contracts into compliance with the Privacy Rule, and ensure that the Practice’s confidential data is adequately protected when such access is granted.
  • Ensure that all policies, procedures and notices are exible enough to respond to new technologies and legal requirements, or, if they are not, amend as necessary.
  • Ensure that future Practice initiatives are structured in such a way to ensure patient privacy.
  • Conduct periodic privacy audits and take remedial action as necessary.
  • Oversee employee training in the area of privacy.
  • Guard against retaliation against individuals who seek to enforce their own privacy rights or those of others.
  • Remain up-to-date and advise on new technologies to protect data privacy.
  • Remain up-to-date on laws, rules and regulations regarding data privacy and update the Practice’s policies and procedures as necessary.
  • Track pending legislation regarding data privacy and if appropriate seek to inuence that legislation.
  • Anticipate members’ concerns and questions about the Practice’s use of their confidential information and develop policies and procedures to respond to those concerns and questions.
  • Evaluate privacy implications of any future on-line, web-based application procedure.
  • Monitor any data collected by or posted on the Practice’s Web sites for privacy concerns.
  • Serve as liaison to government agencies, industry groups and privacy activists in all matters relating to the Practice’s privacy practices.
  • It is the Policy of AMELIA to fully document the assignment of overall security responsibility, and all related activities and efforts, according to our Documentation Policy (03-BA) and HIPAA requirements.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

AUTHORIZATION AND SUPERVISION POLICY

1. Introduction

AMELIA has adopted this Authorization and Supervision Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the authorization and supervision of health data-related access and activities for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the authorization and supervision of workforce members who will be accessing individually identifiable health information as part of their work-related duties, in accordance with the requirements at § 164.308(a)(3).
  • Compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties.
  • Proper and appropriate authorization to access individually identifiable health information, and appropriate supervision of workforce members authorized to access individually identifiable health information, are essential components of a well-managed risk management system.
  • Proper and appropriate authorization to access individually identifiable health information, and appropriate supervision of workforce members authorized to access individually identifiable health information, can help reduce our overall risk, and reduce the likelihood of data breaches and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to only permit workforce members who have been appropriately authorized, to have access to individually identifiable health information.
  • It is the Policy of AMELIA to properly and appropriately supervise workforce members who have access to individually identifiable health information.
  • Workforce members of AMELIA shall have access only to the individually identifiable health information that they need in order to perform their work-related duties.
  • It is the Policy of AMELIA to fully document the authorization and supervision of all workforce members who have access to individually identifiable health information.’

5. Procedures

  • Under the supervision of the Privacy Ocial, all management positions shall document access levels granted to the employees in their teams and review access levels on a periodic basis and make revisions as necessary.
  • Under the supervision of the Privacy Ocial, the oce administrator shall document access levels granted to third parties (e.g., contractors, collaborators) and review access levels on a period basis and make revisions as necessary.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

WORKFORCE CLEARANCE POLICY

1. Introduction

AMELIA has adopted this Workforce Clearance Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Workforce Clearance and Screening (pre-employment and post-employment) for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to workforce clearance, in accordance with the requirements at § 164.308(a)(3).
  • Providing for appropriate workforce clearance can help reduce the likelihood of data breaches and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to provide the appropriate level of access to individually identifiable health information to all members of the workforce.
  • The level of access to individually identifiable health information for workforce members shall be based upon the nature of each workforce member’s job and its associated duties and responsibilities. Workforce members shall have access to all of the individually identifiable health information that they need to do their jobs, but no more access than that.
  • No member of the workforce shall have access to a higher level of individually identifiable health information than the level for which they have been cleared.
  • The designated Privacy Ocial shall develop specic procedures to ensure that the intent of this policy is executed in fact.
  • Workforce clearance shall specically incorporate various levels of background screening to ensure that persons with criminal records or histories of nancial or legal diculties do not have inappropriate access to individually identifiable health information.
  • The designated HIPAA Ocial or HIPAA Ocer, or other responsible party (if no Privacy Official has been designated), shall coordinate background screening requirements with Human Resources and legal counsel to ensure that appropriate background screening requirements are established and met, which can include pre employment and post-employment screening.
  • It is the Policy of AMELIA to fully document all workforce clearance-related activities and efforts.

5. Procedures

  • Human Resources shall review prospective workforce members’ backgrounds during the hiring process and, as appropriate, shall perform verication checks on prospective workforce members. Human Resources shall analyze prospective workforce members’ access to and expected abilities to modify or change EPHI as one of the bases for the type and number of verication checks conducted. Verication checks may include:
    • Conrmation of claimed academic and professional experience and qualications;
    • Professional license validation;
    • Credit check; and
    • Criminal background check.
  • AMELIA workforce members who access EPHI will sign confidentiality agreements in which they agree not to provide EPHI to or to discuss confidential information with unauthorized persons.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

ACCESS TERMINATION POLICY

1. Introduction

AMELIA has adopted this Access Termination Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the termination of individual access to individually identifiable health information and Protected Health Information for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the termination of workforce member access to individually identifiable health information and Protected Health Information, in accordance with the requirements at § 164.308(a)(3).
  • Prompt and appropriate termination of workforce member access to individually identifiable health information and Protected Health Information can greatly reduce the likelihood of data breaches and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to terminate any workforce member’s access to individually identifiable health information and Protected Health Information when their employment relationship with our organization ends, or when the workforce member has been sanctioned for serious oenses or violations of policy, in accordance with our Sanction Policy.
  • Termination of workforce member access to individually identifiable health information and Protected Health Information must be eected immediately upon the occurrence of a triggering event, such as termination of employment or a positive nding of a serious policy violation or HIPAA offense.
  • In no case shall the termination of access to individually identifiable health information and Protected Health Information be delayed more than 30 minutes from the moment of such a triggering event.
  • It is the Policy of AMELIA to fully document all access termination-related activities, in accordance with our Documentation Policy.

5. Procedures

  • When a workforce member provides notice of his or her intention to end employment at AMELIA, Human Resources and the workforce member’s supervisor shall give reasonable notice to the persons responsible for terminating access to the EPHI for the departing workforce member so that access can be terminated when s/he leaves.
  • AMELIA shall log, track, and securely maintain receipts and responses to such termination of access notices, including the following information:
    • Date and time of notice of workforce member departure received;
    • Date of planned workforce member departure;
    • Description of access to be terminated; and
    • Date, time, and description of actions taken.
  • When AMELIA workforce members need to be terminated immediately, AMELIA shall remove or disable their information system privileges before they are notied of the termination, when feasible. Information system privileges include workstations and server access, data access, network access, email accounts, and inclusion on group email lists.
  • Physical access to areas where EPHI is located shall be terminated as appropriate. AMELIA will be alert to situations where workforce members are terminated and may pose risks to the security of EPHI.
  • if departing workforce members have used cryptography on EPHI, AMELIA shall ensure that cryptographic keys are available to the appropriate managers or administrators.
  • A workforce member who ends employment with AMELIA shall not retain, give away, or remove from AMELIA premises any EPHI. At the time of his or her departure, the workforce member shall provide EPHI in his or her possession to his or her supervisor. AMELIA reserves the right to pursue any and all remedies against workforce members who violate this provision. Departing workforce members’ supervisors shall determine the appropriate handling of any EPHI that departing workforce members possess.
  • AMELIA shall deactivate or change physical security access codes used to protect EPHI Systems of departing workforce members, when known.
  • AMELIA will implement a documented procedure for return to AMELIA at the time of departure supplied equipment and property that contains or allows access to EPHI, and will disable and remove, by the time of, or if not feasible, immediately after, the workforce member’s departure, access to EPHI Systems held by the workforce member. AMELIA track and log the return of such equipment and property with the workforce member’s name, date and time equipment and property was returned, and identification of returned items, and shall securely maintain the tracking and logging information. The equipment and property that may contain, or allow or enable the workforce member to access, EPHI include:
    • Mobile/portable devices;
    • Name tags or name identification badges;
    • Security tokens;
    • Access Cards;
    • Building, desk, or oce keys; etc.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

ACCESS AUTHORIZATION POLICY

1. Introduction

AMELIA has adopted this Access Authorization Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the authorization and granting of access to individually identifiable health information and Protected Health Information to workforce members of AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to access authorization, in accordance with the requirements at § 164.308(a)(4).
  • The implementation of appropriate processes to grant workforce members access to individually identifiable health information and Protected Health Information can help ensure that our uses and disclosures of individually identifiable health information are lawful and appropriate.

4. Policy Statement

  • It is the Policy of AMELIA to grant workforce members an appropriate level of access to individually identifiable health information that is based on their work-related duties and responsibilities.
  • The level of access to individually identifiable health information and Protected Health Information granted to each member of the workforce shall be independent of the technology used to access such information, and shall apply to access through a workstation, transaction, program, process, or other mechanism.
  • It is the Policy of AMELIA to fully document all access authorization-related activities and efforts.

5. Procedures

  • The IT departament in collaboration with management will determine which job functions require privileged access to the systems. The determination will be based on a need-to-know basis and minimum privilege principle. In this sense, access must be granted only on the basis of a valid business need and shall be documented.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

ACCESS ESTABLISHMENT AND MODIFICATION POLICY

1. Introduction

AMELIA has adopted this Access Establishment and Modication Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs establishment and modication of access to individually identifiable health information and Protected Health Information for workforce members of AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the establishment and modication of workforce member access to individually identifiable 1 health information and Protected Health Information, in accordance with the requirements at § 164.308(a)(4).
  • Establishing, maintaining, and modifying appropriate levels of workforce member access to individually identifiable health information and Protected Health Information can help reduce the likelihood of data breaches and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to provide a lawful and appropriate level of access to individually identifiable health information for each and every workforce member.
  • Such access to individually identifiable health information shall be granted based on the nature and duties of the workforce member’s job.
  • Higher levels of access shall be provided only to those who need it.
  • Any workforce member’s ability to access individually identifiable health information shall be modied immediately when the nature of their job changes and requires a dierent level of access, whether greater or lesser.
  • It is the Policy of AMELIA to fully document all access establishment and modication-related activities and efforts, according to our Documentation Policy.

5. Procedures

  • Human Resources must ensure that status changes such as termination or change in job role are reected in permission/rights granted to individuals. Reviews are triggered by the notication to the system administrator of any status changes. This is necessary to ensure that access rights for each individual are consistent with established policies and job roles and functions.
  • Any modifications of workforce members’ access rights are logged and tracked, documentation of which is securely maintained. The tracking must include:
    • Date and time rights is being modified;
    • Identification of workforce members whose access is being modified;
    • o Description of modified access rights;
    • Reason for modification of access rights.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

SECURITY REMINDERS POLICY

1. Introduction

AMELIA has adopted this Security Reminders Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the creation and implementation of Security Reminders for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to security reminders, in accordance with the requirements at § 164.308(a)(5).
  • The frequent use of appropriate security reminders and other information security awareness resources can reduce the likelihood of data breaches and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to develop or acquire and to use appropriate information security reminders, or other information security awareness resources, on a regular basis.
  • The designated Privacy Ocial shall assume responsibility for developing or acquiring such reminders and resources, and for implementing a plan and program ensuring their frequent use.
  • It is the Policy of AMELIA to fully document all information security reminder-related activities and efforts, according to our Documentation Policy.

5. Procedures

  • AMELIA shall frequently, but at least twice a year, share with the workforce information security reminders. For the purposes of deciding which content to include in said activities, AMELIA shall consult latest materials available, including those resources made available at https://www.nist.gov/cyberframework.
  • AMELIA [*] Shall subscribe the Spanish National Cybersecurity Center (INCIBE) alert system for the purposes of knowing the latest information in the subject https://www.incibe.es/suscripciones.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

MALWARE PROTECTION POLICY

1. Introduction

AMELIA has adopted this Security Reminders Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the creation and implementation of Security Reminders for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to security reminders, in accordance with the requirements at § 164.308(a)(5).
  • The use of appropriate techniques, technologies, and methods to protect information systems from malicious software (“malware”) is a proven approach to reducing the likelihood of data breaches, system malfunctions, and HIPAA violations.

4. Policy Statement

  • It is the Policy of AMELIA to develop and apply a rigorous program of techniques, technologies, and methods to guard against, detect, and report the presence of malicious software.
  • Responsibility for malware protection shall reside with Operation Department, who shall ensure that the most effective and appropriate techniques, technologies, and methods are continuously used to protect our information systems, and the individually identifiable health information they contain, from malicious software.
  • It is the Policy of AMELIA to fully document all malware protection-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • AMELIA shall adopt the following practices to prevent malware derived problems:
    • The anti-virus and anti-malware software must not be disabled or bypassed.
    • The settings for the anti-virus and anti-malware software must not be altered in a manner that will reduce the effectiveness of the software.
    • The automatic update frequency of the anti-virus and anti-malware software must not be altered to reduce the frequency of updates
    • Every virus/malware that is not automatically cleaned by the anti-virus and anti-malware software constitutes a security incident and must be reported to IT and Opertion Deparment.
    • AMELIA shall adopt suitable controls to prevent and detect the introduction of malicious code and unauthorized mobile code.
    • The information system automatically updates malicious code protection mechanisms e.g. automatic updates of anti-virus and anti-malware software.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

LOG-IN MONITORING POLICY

1. Introduction

AMELIA has adopted this Security Reminders Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the creation and implementation of Security Reminders for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining tolog-in monitoring, in accordance with the  requirements at § 164.308(a)(5).
  • Regular monitoring of log-ins and log-in attempts is a proven approach to controlling access to sensitive information systems and data, and to detecting inappropriate information systems activity.

4. Policy Statement

  • It is the Policy of AMELIA to establish a program of regular monitoring and review of log-ins and log-in attempts.
  • The designated Privacy Ocial, shall assume responsibility for log-in monitoring and analysis, and for ensuring that such activities are executed on a continuous basis.
  • Discrepancies and potentially inappropriate or illegal activities shall immediately be brought to the attention of senior management, legal counsel, and/or Human Resources, as appropriate.
  • It is the Policy of AMELIA to fully document all log-in monitoring-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • Access to AMELIA’ network, systems and communications shall be logged and monitored to identify potential misuse of systems or information. Logging activities shall include regular monitoring of system access to prevent attempts at unauthorized access and conrm access control systems are effective.
  • Log servers and documents shall be kept secure and only made available to personnel authorized by Amelia’s CTO These logs shall be kept as long as necessary or required for functional use or appropriate regulation or law.
  • AMELIA’ information systems (servers, workstations, rewalls, routers, switches, communications equipment, etc.) shall be monitored and logged to:
    • Ensure use is authorized;
    • Manage, administer, and troubleshoot systems;
    • Protect against unauthorized access;
    • Verify security procedures and access;
    • Verify system and operational security;
    • Comply with AMELIA’ policies and procedures; and
    • Detect and prevent criminal or illegal activities.
  • Amelia’s Security Manager shall implement automated audit trails for all critical systems and components. As a minimum, these logs shall be used to reconstruct the following events:
    • Individual user accesses to systems and sensitive information;
    • All actions taken by any individual with administrative privileges;
    • Access to audit trails;
    • Invalid logical access attempts and failures;
    • Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with administrative privileges;
    • Initialization, stopping, or pausing of the audit logs
    • Creation and deletion of system level objects.
  • Underlying requirements: All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit logging information to:
    • Determine the activity that was performed;
    • Who or what performed the activity, including where or on what system the activity was performed (subject);
    • Systems and objects involved;
    • When the activity was performed; and
    • Status (such as success vs. failure), outcome, and/or result of the activity.
  • AMELIA shall implement a suitable logging infrastructure and configure all critical devices, systems, and applications with logged audit trails. Amelia’s CTO shall ensure important events and audit trails are logged. File integrity monitoring/change detection software shall review logs and issue alerts if the log data is altered.
  • Support sta shall be assigned to review and monitor the logs for systems under their control. Logs shall be reviewed on a regular and on-going basis. The frequency of review shall be determined according to the sensitivity of the information stored, the function of the system, and other system requirements as determined by the Amelia’s CTO. Procedures should verify that logging is active and working properly to:
    • Ensure events are properly classified;
    • Review logging for performance delays;
    • Ensure compliance related logging cannot be bypassed;
    • Verify access to log les is properly restricted;
    • Assist with investigations.
  • Logs shall be created whenever the following activities are performed by a system, application, or user:
    • Creating, reading, updating, or deleting confidential information, including confidential authentication information such as passwords;
    • Initiating or accepting a network connection;
    • Authenticating user access and security authorizations;
    • Granting, modifying, or revoking access rights to include new user or group additions, user privilege modications, le or database object permissions, rewall rules, and user password changes;
    • Conguring systems, networks, or services for maintenance and security changes including installation of software patches and updates, or other installed software;
    • Changing statuses of application process startup, shutdown, and/or restart;
    • Application process aborts, failures, or abnormal conditions due to resource limits or thresholds (such as for CPU, memory, network bandwidth, disk space, or other key system resources), failure of network services, or hardware faults;
    • Detection of suspicious/malicious activity such as from an intrusion detection or prevention system, anti-virus, or anti-spyware system.
  • System log elements: System events and activities that shall be monitored and logged are as follows:
    • System administrator and system operator activities
    • System start-ups and shutdowns;
    • Logging start-ups and shutdowns;
    • Backups and restorations/rollbacks;
    • Exceptions and security events;;
    • Database commits and transactions;
    • Protection software and hardware (rewalls, routers, etc.);
    • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems;
    • Modifications to data characteristics including permissions, location, le type;
    • Authentication successes and failures (e.g., log in, log out, failed logins)
  • Application log elements: Third party and custom application software logging requires more than just relying on server-based system logs. Application logs help identify security incidents, establish baselines, provide information about problems and unusual conditions, assist with incident investigation, and help detect intrusions and errors. Application events and activities that shall be monitored and logged include:
    • Application authentication (e.g., successes, failures, logouts);
    • Data audit trails (e.g., access to sensitive data, adding data, modifying data, deleting data, exporting and importing data);
    • Input validation failures (e.g., protocol violations, unacceptable encodings, invalid parameter names and values);
    • Output validation failures (e.g., database record mismatch, invalid data encoding);
    • Suspicious behavior (e.g., multiple records deleted in a short period of time, invalid access attempts);
    • Session management failures (e.g., cookie session identification value modifications);
    • Application errors and events (e.g., syntax and runtime errors, connectivity problems, third party service error messages, le system errors, sequencing failure);
    • Higher-risk functionality (e.g., adding and deleting users, changes to access privileges, use of administrative privileges, access by application administrators, and access to sensitive data);
    • Legal compliance services (e.g., permissions to transfer information, terms of use, and
      parental consent);
    • Security events or warnings.
  • Logging elements: Log entries can contain a number of elements based on the type and function of the audited system/process. Generally, automated audit trails shall include the following information:
    • Host name, system component, or resource;
    • Date/Time Stamp;
    • Application ID (e.g., name and version);
    • Initiating Process ID or event origination (e.g., entry point URL, page, form);
    • Code location (e.g., module, subroutine);
    • User initiating action (e.g., user ID);
    • Event type;
    • Result status (e.g., success, failure, defer);
    • Legal compliance services (e.g., permissions to transfer information, terms of use, and parental consent);
    • Resource (e.g., identity or name of affected data, component);
    • Location (e.g., IP address or location);
    • Severity of event (e.g., emergency, alert, fatal error, warning, information only);
    • Other (e.g., parameters, debug information, system error message).
  • Formatting and storage: The system shall support the formatting and storage of audit logs to ensure integrity enterprise-level analysis and reporting. Mechanisms known to support these goals include but are not limited to the following approaches:
    • Collecting Microsoft Windows Event Logs from servers by a centralized logging management system;
    • Storing logs in a documented format and sent via reliable network protocols to a centralized log management system;
    • Storing log entries in a SQL database that generates audit logs in compliance with the requirements of this policy.
  • Information security issues: Logs are one of the primary tools used by system administrators and management to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems. Detailed procedures that support this policy shall be developed to protect against and limit log security risks such as:
    • Controls that limit the ability of administrators and those with operating system command line access to disable, damage, or circumvent access control and audit log mechanisms;
    • Protecting the contents of system logs from unauthorized access, modication, and/or deletion;
    • Limiting outside access to logging systems to extreme or emergency circumstances. Any emergency access should be authorized by IT department and use of tools bypassing security controls should be documented;
    • Limiting changes to the auditing policies to stop logging of an unauthorized activity. Log settings should be set to track and record user policy changes.
  • Administrative responsibilities: The IT deparment shall be responsible for:
    • Separating duties between operations and security monitoring;
    • Ensuring a regular review of activity audit logs, access reports, and security incidents;
    • Approving the types of logs and reports to be generated, review activities to be performed, and procedures that describe the specics of the reviews;
    • Procedures that specify monitoring log-in attempts, reporting discrepancies, and processes used to monitor log-in attempts;
    • Procedures that specify audit controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems;
    • Procedures ensure that the audit controls meet security requirements by recording and examining activity related to sensitive information;
    • Securing audit trails by limiting viewing to those with a job-related need;
    • Protecting audit trail les from unauthorized modifications;
    • Ensuring audit trail les are promptly backed up to a centralized log server or media.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

PASSWORD MANAGEMENT POLICY

1. Introduction

AMELIA has adopted this Security Reminders Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the creation and implementation of Security Reminders for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to password management, in accordance with the requirements at § 164.308(a)(5).
  • The creation and management of strong passwords is one of the simplest and most effective methods of protecting access to electronic systems containing, transmitting, receiving, or using individually identifiable health information.
  • The monitoring of successful and unsuccessful Log-In attempts is a well established method of detecting malicious intrusions, and intrusion attempts, into information systems by unauthorized persons.

4. Policy Statement

  • It is the Policy of AMELIA to require the use of strong passwords and pass-phrases by all workforce members who access, use, or maintain systems that contain, transmit, receive, or use individually identifiable health information.
  • The responsibility for implementing this policy and any attendant procedures is hereby assigned to the designated HIPAA Ocial or HIPAA Ocer, or other responsible party (if no Privacy Ocial has been designated), who shall develop and implement this policy in coordination with the most senior information technology personnel.

5. Procedures

  • All passwords or pass-phrases used to access systems containing, transmitting, receiving, or using individually identifiable health information shall be a minimum of eight (8) characters in length, and must include non-alphanumeric characters or symbols in them.
  • Passwords and pass-phrases must be changed by users or management at least every six months.
  • In the event of an information system compromise, as determined by the designated Privacy Official, some or all workforce-member passwords and pass-phrases may need to be changed. This determination shall be made by the designated Privacy Official.
  • Under no circumstances shall passwords or pass-phrases be written down and kept at or near computers and workstations where they may be found by others.
  • Any workforce member who loses, misplaces, forgets, or experiences any compromise of their password or pass-phrase shall immediately notify the designated Privacy Ocial. Such notication of password or pass-phrase compromise must be made immediately to the contact indicated herein, but in no case shall such notication be delayed more than one hour.
  • Proper password management shall be emphasized in HIPAA training programs, in security reminders, and in any HIPAA awareness resources used by this organization.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

POLICY ON SECURITY INCIDENT PROCEDURES

1. Introduction

AMELIA has adopted this Policy regarding Security Incident Procedures in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs responses to Security Incidents involving the breach or compromise of Protected Health Information for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to security incident procedures, in accordance with the requirements at § 164.308(a)(6) and at § 164.400 to 164.414.
  • Appropriate responses to security incidents may include, but are not limited to:
    • Rapid identification and classication of the severity of security incidents.
    • Determination of the actual risk to individually identifiable health information, and the subject(s) thereof
    • Repairing, patching, or otherwise correcting the condition or error that created the security incident.
    • Retrieving or limiting the dissemination of individually identifiable health information, if possible
    • Making an immediate report of a breach, if required, to the affected Covered Entity who supplied the information to us.
    • Mitigating any harmful eects of the security incident.
    • Fully documenting security incidents, along with their causes and our responses.
    • Expanding our knowledge of security incident prevention, through research, analyses of security incidents, and improved training and awareness programs for workforce members.
  • Compliance with HIPAA’s data protection requirements is mandatory and failure to comply can bring severe sanctions and penalties.

4. Policy Statement

  • It is the Policy of AMELIA to rapidly identify and appropriately respond to all security incidents, regardless of their severity.
  • Responsibility for responding to and managing security incidents shall reside with the designated HIPAA Ocial or HIPAA Ocer (or specify other responsible party).
  • The designated HIPAA Ocial or HIPAA Ocer or, specify other responsible party shall develop specic forms and procedures that shall be implemented in response to security incidents.
  • It is the Policy of AMELIA to fully document all security incidents and our responses thereto, in accordance with our Documentation Policy and HIPAA requirements.

5. Procedures

  • AMELIA has appointed the CTO and the DPD as Security Incident Manager (SIM), who shall be responsible for managing incident response procedure during each availability window.
  • When an information security incident is identied or detected, users must notify their immediate manager immediately. The manager must immediately notify the SIM on call for proper response. The following information must be included as part of the notication:
    • Description of the incident;
    • Date, time, and location of the incident;
    • Person who discovered the incident;
    • How the incident was discovered;
    • Known evidence of the incident;
    • Affected system(s).
  • Within 48 hours of the incident being reported, the SIM shall conduct a preliminary investigation and risk assessment to review and conrm the details of the incident. If the incident is conrmed, the SIM must assess the impact to AMELIA and assign a severity level, which will determine the level of remediation effort required:
    • High: the incident is potentially catastrophic and/or disrupts AMELIA’ day-to-day operations; a violation of legal, regulatory or contractual requirements is likely.
    • Medium: the incident will cause harm to one or more business units within AMELIA and/or will cause delays to a business unit’s activities.
    • Low: the incident is a clear violation of organizational security policy but will not substantively impact the business
  • The SIM, in consultation with management, shall determine appropriate incident response activities in order to contain and resolve incidents.
  • The SIM must take all necessary steps to preserve forensic evidence (e.g., log information, les, images) for further investigation to determine if any malicious activity has taken place. All such information must be preserved and provided to law enforcement if the incident is determined to be malicious.
  • If the incident is deemed as High or Medium, the SIM must work with the senior management to create and execute a communications plan that communicates the incident to users, the public, and others affected.
  • The SIM must take all necessary steps to resolve the incident and recover information systems, data, and connectivity. All technical steps taken during an incident must be documented in AMELIA’ incident log, and must contain the following:
    • Description of the incident;
    • Incident severity level
    • Root cause (e.g., source address, website malware, vulnerability);
    • Evidence;
    • Mitigations applied (e.g., patch, re-image);
    • Status (open, closed, archived);
    • Disclosures (parties to which the details of this incident were disclosed to, such as customers, vendors, law enforcement, etc.).
  • After an incident has been resolved, the SIM must conduct a postmortem that includes root cause analysis and documentation any lessons learned.
  • Depending on the severity of the incident, the Chief Executive Ocer (CEO) may elect to contact external authorities, including but not limited to law enforcement, private investigation firms, and government organizations as part of the response to the incident.
  • The Privacy Official shall determine the need to notify Covered Entities of the incident to fulll Business Associates Agreement’s duties.
  • The SIM must notify all users of the incident, conduct additional training if necessary, and present any lessons learned to prevent future occurrences. Where necessary, the Human Resources must take disciplinary action if a user’s activity is deemed as malicious.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

DATA BACKUP POLICY

1. Introduction

AMELIA has adopted this Data Backup Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Data Backups for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to data backups, in accordance with the requirements at § 164.308(a)(7) and elsewhere in the Regulations.
  • The ability to create and maintain retrievable, exact copies of individually identifiable health information generally, and Electronic Protected Health Information specically, is a critical element of our business operations and our ability to respond to unexpected negative events.
  • The storage of data backups in a separate location, removed from our normal business operations (“offsite”) is an essential element of any successful data backup plan.
  • Timely access to health information is crucial to providing high quality health care, and to our business operations.
  • Physicians, healthcare providers and others must have immediate, around-the-clock access to patient information.
  • No existing media are absolutely guaranteed to provide long-term storage without loss or corruption of data.
  • A number of risks to health information exist, such as power spikes or outages, fire, ood, or other natural disaster, viruses, hackers, and improper acts by employees and others.

4. Policy Statement

  • It is the Policy of AMELIA to create and maintain complete, retrievable, exact backups of all individually identifiable health information generally, and Electronic Protected Health Information specically, held, processed, or stored in the course of business operations, in full compliance with all the requirements of HIPAA.
  • All data backups shall be created and maintained in such manner as to ensure the maximum degree of data integrity, availability, and confidentiality are maintained at all times.

5. Procedures

  • Amelia’s CTO iss responsible for performing daily backups on AMELIA’ network, including shared drives containing application data, patient information, nancial data, and crucial system information.
  • AMELIA will back up all such data automatically, per AWS at night.
  • [*], or his or her designee will, no later than 0900 the next day, place the backup media into the media vault located in [*].
  • The media vault meets re and disaster standards for media and will be kept locked at all times. Only Amelia’s CTO, the system administrator, and their designees have access to the media vault.
  • In the event that the secured media vault is not available or properly functioning, Amelia’s CTO, the system administrator, or their designees will remove backup media to a secured offsite location until the media vault becomes available.
  • Amelia’s CTO, the system administrator, or their designees will use AWS at the start of each business day to validate the accuracy, completeness, and integrity of the backup performed the previous night.
  • Individuals so validating the backup will generate daily reports and log them in the network log in the system administrator’s oce. The system administrator will maintain such reports for a minimum of 30 days.
  • Any errors will be acted upon immediately. Responsible personnel will use contract technical support as needed to resolve problems and ensure the validity of backup data.
  • Responsible personnel will clean the tape or other backup unit(s) according to the manufacturer’s recommended guidelines, currently once per week.
  • A rotation of four data tapes must be maintained at all times.
  • Amelia’s CTO will ensure replacement of backup tapes or media according to manufacturer’s recommended guidelines, currently annually.
  • IT department is responsible for testing the validity of backup data and the ability to restore data in the event of a computer system problem, failure, or other disaster at least monthly and more often if necessary to ensure data integrity, availability, and confidentiality.
  • Successful restore functions must be logged in the network log. Any problems identied during the restore function must be acted on immediately and no later than the same business day that they occur. Responsible personnel will use contract technical support as needed to resolve problems and ensure the validity of backup data.
  • All personnel who detect or suspect a data backup problem should immediately report the same to Amelia’s CTO. Such personnel should follow up immediate notication with a written memorandum that includes the following information:
    • Narrative of the data backup problem.
    • How long the problem has existed.
    • Suggested solutions.

6. Compliance and Enforcement

All information technology managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA)

DISASTER RECOVERY POLICY

1. Introduction

Amelia has adopted this Disaster Recovery Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

Amelia hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs contingency Disaster Recovery Planning for Amelia. All personnel of Amelia must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

3. Assumptions

  • Amelia hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • Amelia must comply with HIPAA and the HIPAA implementing regulations pertaining to disaster recovery, in accordance with the requirements at § 164.308(a)(7).
  • HIPAA requires Amelia to establish and implement processes and procedures for responding effectively to emergencies or other occurrences (re, vandalism, system failure, and natural disaster, etc.) that damage systems containing electronic protected health information.
  • A disaster may occur at any time, not necessarily during work hours.
  • Amelia must remain operational with as little disruption of business operations and patient care as possible.
  • Continuity of patient care requires uninterrupted access to patient information.
  • In a dangerous emergency, evacuating personnel has priority over preserving information assets.
  • The following conditions can destroy or disrupt Amelia’ information systems:
    • Power interruption.
    • Fire.
    • Water
    • Weather and other natural phenomena, such as earthquakes
    • Sabotage and vandalism.
    • Terrorism.

4. Policy Statement

It is the policy of Amelia to establish and implement processes and procedures to create and maintain retrievable exact copies of electronic protected health information.

5. Procedures

Preventive Measures

  • Amelia’s security manager shall ensure that the following preventive measures, as applicable, are implemented and documented:
    • Retain dictation on disk for three months (or specify other time period).
    • Back up computerized les according to our Data Backup Policy.
    • Store backup media tape in the o-site media vault, according to our Data Backup Policy
    • Maintain and replace backup tapes according to our Data Backup Policy
    • Test integrity of backup system no less than monthly (or specify other time period), according to our Data Backup Policy.
    • Store media properly. For example, laser discs must be stored in sleeves of plastic,
      paper, or combination of the two, placed in cardboard jackets or boxes, and stored on
      edge on metal shelving, properly labeled.
    • Color-code all media as to priority of evacuation: red is rst priority; yellow is second priority; green is third priority
    • Protect by uninterruptible power supplies all servers and other critical equipment from damage in the event of an electrical outage.
    • Locate le servers and other critical hardware in rooms with Halon re protection systems which limit damage to the immediate area of the re. In the event of a catastrophic re, backup data must be installed on other/replacement hardware.
    • In the event of a re or ood, turn o and unplug electrical equipment when contact with water is imminent.
    • In the event of a re or ood, seal room(s) to contain re or water and/or use strategies to protect information and equipment from re or from water falling from above as appropriate.
    • Training in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
  • Amelia’s security manager must implement and document the following:
  • The following conditions can destroy or disrupt Amelia’ information systems:
    • Ensure that major hardware is covered under Amelia’ property and casualty, and or other appropriate insurance policy or policies
    • Ensure that uninterruptible power supply, re protection, and other disaster prevention systems are functioning properly, periodically check these systems, and train employees in their use.

Priority Tasks during Emergencies

  • As applicable, and under appropriate circumstances, all workforce members should:
    • Remain calm.
    • Activate the alarm. That is, pull the re alarm or call 911 as appropriate.
    • Evacuate if necessary. If personnel are injured, ensure their evacuation and call emergency assistance as necessary.
    • If a re occurs that you believe you can ght, use the nearest re extinguisher.
    • If safe, close all doors as you leave
    • Obtain portable phone(s) to communicate
    • Notify concerned re, police, security, administration, and others as necessary.
    • Notify other departments of situation and emergency protocols.
    • If computers have not automatically powered down, initiate procedures to orderly shut down systems, when possible
    • If a re or ood occurs, disconnect power if possible.
    • If a re or ood occurs, try to prevent further damage from water by covering areas with plastic sheets with adequate drainage.
    • Move records/equipment/storage media away from area being ooded. Organize health information logically and label clearly for continued access.
    • Arrange for transportation of paper records to a salvage, restoration, or reconstruction company.
    • Respond to requests for records via portable phone rather than computer
    • Continue to provide patient charts as requested by physicians or other parties.

Priority Disaster Recovery Tasks

  • As applicable, and under appropriate circumstances, all workforce members should:
    • Prevent personnel from entering the area until ocials or building inspectors have determined that the area is safe to reenter.
    • Not permit unauthorized personnel to enter the affected area.
    • Determine the extent of the damage and whether additional equipment/supplies are needed.
    • Determine how long it will be before service can be restored, and notify departments.
    • Replace hardware as necessary to restore service.
    • Work with vendors as necessary to ensure that support is given to restore service.
    • Notify insurance carriers
    • Retrieve and upload backup les if necessary to restore service.
    • Air-dry oppy disks, if any, using a hair dryer on “air,” not “heat.” When dry, copy disk.
    • For water damage, wipe o CD-ROMs and laser discs with distilled water, working out from the center in a straight line, and then wipe o water or dirt with a soft, dry, lint-free cloth. Air-dry. Do not use a hairdryer. For dirt or smoke damage, wipe out from the center with a clean, soft cloth. Then wash o any remaining dirt with distilled water.
    • Remove water-damaged paper records by the wettest rst. Freeze wet items to stabilize.
    • Wrap paper records to prevent them from sticking together. Label the wrapped records.
    • Contact re, water, and storm damage restoration company. Contract for services as needed
    • Reconstruct/reacquire documents from the following:
      • Dictation system.
      • Word processing system.
      • Computer system
      • Holders of document copies.
    • Move records and equipment back to home location.
    • Weather and other natural phenomena, such as earthquakes
    • Catch up on ling.
    • Ensure that backup procedures are followed.
    • Document data that cannot be recovered in patient record.
    • Meet with management and sta to identify opportunities for improvement.

Additional Disaster Recovery Tasks

  • The following tasks must be assigned to specic persons or positions:
    • Determine whether additional equipment and supplies are needed.
    • Notify vendors or service representatives if there is need for immediate delivery of components to bring the computer systems to an operational level even in a degraded mode.
    • If necessary, check with other vendors to see whether they can provide faster delivery.
    • Rush order any supplies and equipment necessary.
    • Notify personnel that an alternate site will be necessary and where it is located.
    • Coordinate moving equipment and support personnel to the alternate site.
    • Bring recovery materials from osite storage to the alternate site.
    • As soon as hardware is up to specications to run the operating system, load software and run necessary tests
    • Determine priorities of software that must be available and load those packages in order. Post these priorities in a conspicuous location
    • Prepare backup materials and return them to the offsite storage area.
    • Set up operations at the alternate site if necessary.
    • Coordinate activities to ensure that the most critical tasks, such as immediate patient care, are being supported as needed.
    • Ensure that periodic backup procedures are followed according to our Data Backup Policy.
    • Plan to phase in all critical support.
    • Keep administration, medical sta, information personnel, and others informed of the status of the emergency mode operations.
    • Coordinate with administration and others for continuing support and ultimate restoration of normal operations.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with Amelia’ Sanction Policy (18-BA).

EMERGENCY MODE OPERATIONS POLICY

1. Introduction

AMELIA has adopted this Emergency Mode Operations Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Emergency Mode Operations and planning for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to emergency mode operations planning, in accordance with the requirements at § 164.308(a)(7).
  • Individually identifiable health information must be protected during emergencies, even as it is protected during normal operations. This Emergency Mode Operations Policy is designed to ensure the protection and availability of individually identifiable health information and Protected Health Information during emergencies requiring AMELIA to operate in “emergency mode”.
  • Our Emergency Mode Operations Plan must be implemented and executed in coordination with other emergency and/or disaster plans and procedures, as appropriate and necessary

4. Policy Statement

  • It is the Policy of AMELIA to establish this Emergency Mode Operations Policy to implement procedures to enable continuation of critical business processes for the protection of individually identifiable health information while operating in emergency mode.
  • It is the Policy of AMELIA to fully document all emergency planning and preparedness activities and efforts, in accordance with our Documentation Policy.
  • Our Emergency Mode Operations Plan shall be executed whenever AMELIA must operate in “emergency mode”.
  • “Emergency Mode” shall be in eect and activated whenever one or more of the following conditions applies:
    • Electrical power is unavailable for more than eight hours.
    • Fire, ood, storm or other natural disaster renders our normal business facility unavailable or unusable for more than eight hours.
    • Any other condition renders our normal business facility unavailable or unusable for more than eight hours.

5. Procedures

Responsibility and Role Assignments

The following personnel are hereby assigned to lead the functions listed below during emergency mode operations…

Computing Resources
Internet and Email
Customer Contact
ePHI Records
Other Business Records
Legal Issues
Internal Communications
Physical Security
Remediation &
Restoration
Vendor/Partner Relations
[*]

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

POLICY ON TESTING AND REVISION OF CONTINGENCY AND EMERGENCY PLANS AND PROCEDURES

1. Introduction

AMELIA has adopted this Policy on Testing and Revision of Contingency and Emergency Plans and Procedures in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Testing and Revision of Contingency and Emergency Plans and Procedures for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the testing and revision of emergency and contingency plans and procedures, in accordance with the requirements at § 164.308(a)(7).
  • Emergency and contingency plans, and the procedures associated with them, must be periodically tested and revised to ensure that they meet the emergency preparedness needs of AMELIA.
  • Individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) must be aorded the same degree of security and privacy protection during the execution of any emergency or contingency plan as such information would receive during normal business operations.

4. Policy Statement

  • It is the Policy of AMELIA to periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.
  • It is the Policy of AMELIA that all individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) shall be aorded the same degree of security and privacy protection during the execution of any emergency or contingency plan as such information would receive during normal business operations.

5. Procedures

  • Emergency and contingency plans are the responsibility of the designated Security Manager, who shall ensure that all such plans are up-to-date and meet our emergency preparedness requirements.
  • Emergency and contingency plans shall be reviewed, and revised, if necessary, at least annually. Copies of all such plans shall remain on file and be available to all personnel.
  • Emergency and contingency plans shall be rehearsed, with all team members participating in such rehearsals, at least annually.
  • The designated Security Manager shall fully document all emergency preparedness plans, including emergency and contingency plans, and all the revisions thereto, in accordance with our Documentation Policy and the requirements of HIPAA.
  • Amelia has also implemented this policy in accordance with ISO 27001.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

POLICY ON DATA AND APPLICATIONS CRITICALITY ANALYSES

1. Introduction

AMELIA has adopted this Policy on Data and Applications Criticality Analyses in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Data and Applications Criticality Analyses for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the analysis of the relative criticality of both data and applications, in accordance with the requirements at § 164.308(a)(7).
  • A thorough assessment and understanding of the relative criticality of both data and applications is essential to emergency preparedness, and to effectively protecting individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) during emergencies and during normal business operations.

4. Policy Statement

  • It is the Policy of AMELIA to assess the relative criticality of all data, so that such data may be properly protected during emergencies and during normal business operations.

5. Procedures 

  • Data to be subject to criticality analysis shall include individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • Criticality analysis shall be the responsibility of IT department who shall work in cooperation with legal counsel and other internal parties as necessary to execute and document such analyses.
  • Criticality analyses shall determine and document the relative criticality of each type or category of data and applications that AMELIA possesses and/or uses to the continuity and success of our operations.
  • The most critical data and applications shall be given the highest priority in terms of investment and emergency protection preparations; with less critical categories or types of data and applications receiving proportionately less funding and attention, as appropriate.
  • In conducting data and applications analyses, IT departmentshall employ the technical guidance and recommendations of the National Institute of Standards and Technology (“NIST”), and/or other information technology “best practices”, as appropriate.
  • IT deparment shall fully document all analyses of the relative criticality of both data and applications, in accordance with our Documentation Policy and the requirements of HIPAA.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

POLICY ON EVALUATING THE EFFECTIVENESS OF SECURITY POLICIES AND PROCEDURES

1. Introduction

AMELIA has adopted this Policy on Determining the Effectiveness of Security Policies and Procedures in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs periodic Evaluations of the Effectiveness of Security Policies and Procedures for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the periodic evaluation of the effectiveness of security policies and procedures, in accordance with the requirements at § 164.308(a)(8).
  • Security policies and procedures, including emergency and contingency plans and procedures, must be evaluated periodically to determine their potential effectiveness in genuine emergencies.

4. Policy Statement

  • It is the Policy of AMELIA to periodically evaluate security policies and procedures, including emergency and contingency plans and procedures, in order to improve their effectiveness.

5. Procedures

  • It shall be the responsibility of Security Manager to periodically conduct such technical and nontechnical evaluations.
  • Security Manager shall work in coordination with legal counsel, information technology, senior management, and any other persons, departments or parties necessary in order to conduct such evaluations.
  • Such technical and nontechnical evaluations shall be conducted at least every year.
  • The results of such technical and nontechnical evaluations shall be internally published and shall be available to senior management and to all parties with responsibility for emergency preparedness.
  • The purpose of such evaluations is to improve the effectiveness of our security policies and procedures, including emergency and contingency plans and procedures, so that they best protect our business, our assets, our personnel, and the individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) that we possess or use.
  • Security Manager shall fully document our periodic technical and nontechnical evaluations to determine the effectiveness of our security policies and procedures, including emergency and contingency plans and procedures, in accordance with our Documentation Policy and the requirements of HIPAA.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

BUSINESS ASSOCIATES POLICY

1. Introduction

AMELIA has adopted this Business Associates Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs relationships with, and operations involving Business Associates of AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to Business Associates, in accordance with the requirements at § 164.308(b)(1), § 164.410, § 164.502(e), § 164.504(e), and HITECH Act § 13401.
  • In cooperation with our organization, sub-contractors who are Business Associates work with, use, transmit, and/or receive individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), which is aorded specific protections under HIPAA.
  • AMELIA has the primary responsibility in all Business Associate relationships to ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded.
  • The HIPAA (“Omnibus”) Final Rule specically identies the following types of entities as Business Associates:
    • Subcontractors
    • Patient safety organizations.
    • HIOs — Health Information Organizations (and similar organizations). HHS declined to specically dene HIOs in the Omnibus Rule but chose the term “HIO” because it includes both Health Information Exchanges (HIEs) and regional health information organizations.
    • E-Prescribing gateways.
    • PHRs — Personal Health Record vendors that provide services on behalf of a covered entity. PHR vendors that do not offer PHRs on behalf of CEs are not BAs.
    • Other rms or persons who “facilitate data transmission” that requires routine access to PHI.
  • The “Minimum Necessary Standard” now applies directly to Business Associates. HIPAA now applies the Minimum Necessary standard directly to Business Associates and their subcontractors. When using, disclosing or requesting PHI, all these entities must make reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  • Subcontractors of Business Associates are now Business Associates themselves. A subcontractor is defined as a person or entity to whom a Business Associate delegates a function, activity, or service involving Protected Health Information, and who is not a member of the Business Associate’s own workforce.
  • As a Business Associate itself, AMELIA is required to enter into a Business Associate contract with any subcontractor who is a Business Associate of ours.

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain lawful working relationships with our own Business Associates that are in full compliance with all the requirements of the HIPAA Final “Omnibus” Rule.

5. Procedures

  • Responsibility for maintaining appropriate and lawful relationships with Business Associates shall reside with the designated Privacy Ocial, who shall ensure that all aspects of our Business Associate relationships are appropriate and lawful, and who shall ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded by our Business Associates.
  • With regard to our own Business Associates (sub-contractors), the duties and responsibilities of the designated Privacy Ocial, shall include, but are not limited to the following:
    • Ensure that all Business Associate contracts meet all HIPAA requirements and standards, including those requirements and standards amended by the HITECH Act, the HIPAA “Omnibus” Final Rule, and any requirements of State laws in the state(s) where we operate.
    • Ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded by our Business Associates.
    • Ensure that Business Associates understand the importance and necessity of protecting individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), whether in electronic form (“ePHI”) or hardcopy form.
    • Ensure that Business Associates have proper and appropriate safeguards in place for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), before entrusting such information to them.
    • Ensure that Business Associates understand and are properly prepared to detect and respond to breaches of individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • The designated Privacy Ocial, shall fully document all Business Associate-related contracts and activities, in accordance with our Documentation Policy and the requirements of HIPAA.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

CONTINGENCY OPERATIONS POLICY

1. Introduction

AMELIA has adopted this Contingency Operations Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Contingency Operations planning and implementation for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to contingency operations, in accordance with the requirements at § 164.310(a)(1-2).
  • Contingency Operations, for purposes of this policy document, are defined as processes and procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  • Contingency operations plans and procedures, in combination with other emergency preparedness plans and procedures, shall be documented, analyzed, revised and updated periodically in accordance with other established emergency preparedness and documentation polices and procedures.

4. Policy Statement

  • It is the Policy of AMELIA to be fully prepared to protect individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), during emergencies and contingency operations.
  • Responsibility for planning and executing contingency operations shall reside with Amelia’s CTO, who shall prepare, analyze, test, and update plans for contingency operations on a periodic basis.
  • The primary purpose of our contingency operations procedures is to allow our organization to restore lost data in the event of an emergency.
  • It is the Policy of AMELIA to fully document all contingency operations plans and procedures, in accordance with our Documentation Policy.
  • The core objectives of contingency planning include the capability to:
    • Restore operations at an alternate site (if necessary);
    • Recover operations using alternate equipment (if necessary); and
    • Perform some or all of the affected business processes using other means.
  • The contingency plan will be developed for the entire enterprise. The contingency plan must address IT system components such as:
    • Local, wide area and wireless networks including Internet access (if critical to the operation of the business);
    • Server systems such as le, application, print and database;
    • Web sites;
    • Security systems such as rewalls, authentication servers, and intrusion detection;
    • Desktop, laptop systems.

5. Procedures

AMELIA will follow the recommendations of The National Institute of Standards and Technology (NIST) in the area of contingency planning. The NIST recommends following seven 2 key steps to address the requirements of contingency planning. These seven key steps for contingency planning are:

  • Develop the contingency policy objective statement
  • Conduct a Business Impact Analysis (BIA)
  • Identify preventive controls
  • Develop recovery strategies
  • Create the contingency plan
  • Conduct testing and training
  • Review and maintenance.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

FACILITY SECURITY POLICY

1. Introduction

AMELIA has adopted this Facility Security Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009
(Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Facility Security for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to facility security, in accordance with the requirements at § 164.310(a)(1-2).
  • In addition to other technical and administrative safeguards, strong facility security is an essential element of our efforts to provide protection for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to provide strong facility security, in addition to other technical and administrative safeguards, in order to provide protection for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all facility security-related activities and efforts, in accordance with our Documentation Policy and our Maintenance Records Policy.

5. Procedures

  • Primary responsibility for facility security is hereby assigned to Amelia’s CTO, who shall analyze the security of our facility and implement devices, tools and techniques to strengthen our facility to a reasonable level, to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • The analyses of our facility security should include, but are not limited to, the following factors:
    • Windows and doors;
    • Roofs and the potential for roof access;
    • Locks and keys;
    • Electronic access control systems;
    • Video cameras and video surveillance systems;
    • Electronic alarms and related systems;
    • Employee, partner, vendor and guest access;
    • Vehicle parking security;
    • Routine and non-routine deliveries.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

ACCESS CONTROL AND VALIDATION POLICY

1. Introduction

AMELIA has adopted this Access Control and Validation Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Access Control and Validation for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to access control and validation, in accordance with the requirements at § 164.310(a)(1-2).
  • Access control and validation procedures are designed to control and validate individual access to facilities based on role or function; including visitor control, and access control for software testing and revision.
  • Strong access control and validation procedures are an essential element of protecting individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to implement and support strong and ongoing access control and validation procedures, in full compliance with all the requirements of HIPAA.
  • It is the Policy of AMELIA to fully document access control and validation procedures, in accordance with our Documentation Policy.

5. Procedures

  • Responsibility for developing, testing, analyzing, and periodically updating access control and validation procedures shall reside with Amelia’s CTO and Operation Manager.
  • The development and implementation of specic access control and validation procedures shall be conducted in accordance with guidance and information provided by the National Institute of Standards and Technology (“NIST”), or other information technology “best practices”.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA)

FACILITY SECURITY MAINTENANCE RECORDS POLICY

1. Introduction

AMELIA has adopted this Facility Security Maintenance Records Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the disposition of records pertaining to maintenance of the physical security of AMELIA’ facilities. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to facility security maintenance records, in accordance with the requirements at § 164.310(a)(1-2).

4. Policy Statement

  • It is the Policy of AMELIA to create and maintain complete facility security maintenance records, in full compliance with all the requirements of HIPAA.
  • Facility security maintenance records are created to document repairs and changes to physical elements of a facility related to security, as detailed in our Facility Security Plan.
  • It is the Policy of AMELIA to fully document facility security maintenance records-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • Responsibility for the creation and updating of facility security maintenance records is hereby assigned to Amelia’s Security Manager, who shall establish procedures for maintaining such records in appropriate form.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

WORKSTATION USE POLICY

1. Introduction

AMELIA has adopted this Workstation Use Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Information Workstation Use for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to workstation use, in accordance with the requirements at § 164.310(b) and § 164.310(c).
  • The establishment and implementation of an effective workstation use policy is a crucial element in our overall objective of providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to configure, operate, and maintain our information workstations in full compliance with all the requirements of HIPAA.
  • Our objective in these efforts is to providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • Specic procedures shall be developed to specify the proper functions, procedures, and appropriate environments of workstations that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all workstation use-related activities and efforts, in accordance with our Documentation Policy and the requirements of HIPAA.

5. Procedures

  • Responsibility for the development and implementation of this workstation use policy, and any procedures associated with it, shall reside with Amelia’s Security Manager, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Monitoring of Workstation Use – To appropriately manage information assets and enforce security policies, AMELIA logs, reviews, and monitors access to data (ePHI and non-EPHI).
  • Removal of Workforce Members Privileges – AMELIA may revoke any user’s privileges, including but not limited to, user accounts and access to secured areas, when it is deemed necessary to preserve the integrity, confidentiality, and availability of facilities, user services, and data.
  • Location – Workstations that contain or have access to ePHI should not be located in publicly accessible areas. If a workstation must be located in a public area, extra precautions must be taken to ensure that unauthorized access to ePHI is not possible from the workstation and that safeguards exist to prevent incidental viewing of ePHI. See the Workstation Security Policy (44-BA).
  • Use outside the Work Area – AMELIA workforce members must take the following steps to protect portable and other hand-held devices including, but not limited to, personal 2 computers, tablets, phones, laptops that are used outside the physical boundaries of AMELIA:
    • ePHI stored in a portable device must be encrypted.
    • Protect the equipment from loss or damage. Do not expose the equipment to extreme heat or cold or other potentially harmful environmental conditions.
    • Protect the equipment from theft.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

WORKSTATION SECURITY POLICY

1. Introduction

AMELIA has adopted this Workstation Security Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Workstation Security for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to workstation use, in accordance with the requirements at § 164.310(b) and § 164.310(c).
  • The establishment and implementation of an effective workstation security policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain this workstation security policy in full compliance with all the requirements of HIPAA.
  • Responsibility for the development and implementation of this workstation security policy, and any procedures associated with it, shall reside with [*], who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to implement physical safeguards for all workstations that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), to restrict access to authorized users only.
  • It is the Policy of AMELIA to fully document all workstation use-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

Computer workstation users shall consider the sensitivity of the information that may be accessed and minimize the possibility of unauthorized access. The following procedures shall be in force to manage technical, physical, and administrative controls and safeguards for AMELIA’ workstations:

  • Physical safeguards: Physical access to workstations shall be restricted to authorized personnel. Employees shall prevent unauthorized viewing of information on a screen by:
    • Ensuring monitors are positioned away from public view;
    • If necessary, privacy screen lters or other physical barriers to prevent public viewing shall be installed;
    • Manually activating a password protected screen saver when sta leave their desk;
    • Exiting running applications and closing any open documents;
    • Ensuring workstations are logged o at the end of each business day;
    • Sta shall keep food and drink away from workstations in order to avoid accidental spills.
  • Operational Safeguards: Employees shall use workstations for authorized business purposes only and only approved personnel may install software on workstations. All sensitive information must be stored on network servers. Sta shall comply with all applicable policies and procedures related to desktop computing.
  • Management and administration: AMELIA’ IT team shall ensure that all workstations use a surge protector and/or a UPS battery backup. Workstations shall have all critical security updates and patches installed in a timely manner.
  • Audit Controls and Management: On-demand documented procedures and evidence of practice should be in place for this operational policy as. Satisfactory examples of evidence and compliance include:
    • Spot user checks for compliance with general workstation computing policies;
    • Documented patch logs for workstations showing patches, dates, and systems installed;
    • Verication of UPS and/or surge protection installed on physical equipment.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

MEDIA DISPOSAL POLICY

1. Introduction

AMELIA has adopted this Media Disposal Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009
(Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Media Disposal for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to media disposal and disposition, in accordance with the requirements at § 164.310(d)(1-2).
  • Media containing individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), must be completely erased, properly encrypted, or totally destroyed in its nal disposition, or the data residing on such media is subject to recovery and subsequent misuse or theft.

4. Policy Statement

  • It is the Policy of AMELIA to dispose of all media containing individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), in full compliance with all the requirements of HIPAA.
  • Responsibility for proper media disposal and disposition shall reside with Operation Manaeger, who shall develop procedures to ensure the proper disposition of all such media.
  • It is the Policy of AMELIA to fully document all media disposal-related activities and efforts, in accordance with our Documentation Policy (03-BA).

5. Procedures

  • When a device or document containing PHI is no longer necessary, the employee responsible for the process in which the document is employed has the duty to ensure that the PHI is securely and permanently disposed of. Said obligation also applies to any back-ups or duplicate copies of the documents.

RECORDS STORED ON ELECTRONIC DEVICES (AND THE DEVICE IS NOT TO BE REUSED)

Situation Required Action
Regardless of the type of personal information
they contain
The device shall be physically destroyed, or formatted, in such a way that information is non-retrievable. IT Services shall ensure this step is correctly performed.

NETWORK BASED COMPUTER RECORDS

Situation Required Action
Containing PHI The standard le deletion routines are sucffient for network-based les.
Containing sensitive
PHI
Apply the standard le deletion routines and contact IT Services to ensure that backup les are appropriately deleted

PAPER RECORDS

Situation Required Action
Containing PHI
they contain
Shred the document using shredding machines provided by AMELIA.
Containing sensitive
PHI

they contain
Employ a confidential, industry-standard waste disposal
operator.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA)

MEDIA RE-USE POLICY

1. Introduction

AMELIA has adopted this Media Re-Use Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009
(Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes

2. Scope of Policy

This policy governs the Re-Use of Information Storage Media for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to media disposal and disposition, in accordance with the requirements at § 164.310(d)(1-2).
  • Media containing individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), must be completely erased or sanitized (“wiped”) 1 before any re-use of such media may take place, or the data residing on such media is subject to corruption, compromise, or loss.

4. Policy Statement

  • It is the Policy of AMELIA to properly erase and or sanitize (“wipe”) all media containing individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), before any media may be re-used.
  • Responsibility for proper media re-use shall reside with the Operation Manager, who shall develop procedures to ensure the proper disposition of all such media before any re-use.
  • It is the Policy of AMELIA to fully document media re-use and disposition-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

RECORDS STORED ON ELECTRONIC DEVICES
(AND THE DEVICE IS TO BE REUSED)

Situation Required Action
The PHI forms part of a
database not
exclusively allocated to
hosting said data

they contain
PHI should be removed using the internal erasure procedure of the relevant software. E.g., Outlook: “Delete” function, followed by “Delete from Trash” function. E.g., Excel: “Row Deletion” function.
Files containing PHI
A le-wiping utility should be used. This can be undertaken by relevant IT Services/professionals who you should contact to provide assistance. Employees are expected to use relevant system tools (Windows Bin or Apple MacOS Trash) to assist in the deletion process.
When re-using
they contain
Device should be formatted

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA)

HARDWARE AND MEDIA ACCOUNTABILITY POLICY

1. Introduction

AMELIA has adopted this Hardware and Media Accountability Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American
Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes

2. Scope of Policy

This policy governs the Accountability of Information Systems Hardware and Media for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at § 164.310(d)(1-2).
  • Proper protection of individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), requires that we maintain records of the movements of hardware and electronic media, and any person responsible therefore.

4. Policy Statement

  • It is the Policy of AMELIA to maintain records of the movements of hardware and electronic media, and any person responsible therefore, in full compliance with all the requirements of HIPAA.
  •  Responsibility for the development and implementation of this hardware and media accountability policy, and any procedures associated with it, shall reside with Amelia’s Security Manager, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to ensure that we maintain records of the movements of hardware and electronic media, and any person responsible therefore.
  • It is the Policy of AMELIA to fully document all hardware and media accountability-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • AMELIA must create a record to track and maintain records of the internal and external movement of storage devices and media containing ePHI. Tracking includes recording the chain of custody and each party responsible for the device or media while in transit.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

DATA BACKUP AND STORAGE POLICY

1. Introduction

AMELIA has adopted this Data Backup and Storage Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Data Backup and Storage for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to data backup and storage, in accordance with the requirements at § 164.310(d)(1-2) and § 164.308(a)(7).
  • The ability to create and maintain retrievable, exact copies of individually identifiable health information generally, and electronic protected health information specically, is a critical element of our business operations and our ability to respond to unexpected negative events.
  •  The storage of data backups in a separate location, removed from our normal business operations (“offsite”) is an essential element of any successful data backup plan.
  • Timely access to health information is crucial to providing high quality health care, and to our business operations
  • Physicians and others must have immediate, around-the-clock access to patient information.
  • No existing media are absolutely guaranteed to provide long-term storage without loss or corruption of data.
  • A number of risks to health information exist, such as power spikes or outages, fire, flood, or other natural disaster, viruses, hackers, and improper acts by employees and others.

4. Policy Statement

  • It is the Policy of AMELIA to create retrievable, exact copies of electronic protected health information, when needed, before any movement or maintenance of data processing equipment that could result in the loss or compromise of electronic protected health information.
  • Amelia’s CTO is responsible for performing appropriate backups on AMELIA’ network, including shared drives containing application data, patient information, financial data, and crucial system information.

5. Procedures

  • [*] will back up all such data as necessary, per [*]’s programmed standards, before any movement or maintenance of data processing equipment that could result in the loss or compromise of electronic protected health information.
  • [*] or his or her designee will, no later than 0900 the next day, place the backup media into the media vault located in [*].
  • The media vault meets re and disaster standards for media and will be kept locked at all times. Only [*], the system administrator, and their designees have access to the media vault.
  • In the event that the secured media vault is not available or properly functioning, [*], the system administrator, or their designees will remove backup media to a secured osite location until the media vault becomes available.
  • Any errors will be acted upon immediately. Responsible personnel will use contract technical support as needed to resolve problems and ensure the validity of backup data.
  • Responsible personnel will clean the tape or other backup unit(s) according to the manufacturer’s recommended guidelines, currently once per week.
  • [*] will ensure replacement of backup tapes or media according to manufacturer’s recommended guidelines, currently annually.
  • [*] is responsible for testing the validity of backup data and the ability to restore data in the event of a computer system problem, failure, or other disaster at least monthly, and more often if necessary to ensure data integrity, availability, and confidentiality.
  • Successful restore functions must be logged in the network log. Any problems identified during the restore function must be acted on immediately and no later than the same business day that they occur. Responsible personnel will use contract technical support as needed to resolve problems and ensure the validity of backup data.
  • All personnel who detect or suspect a data backup problem should immediately report the same to the [*]. Such personnel should follow up immediate notication with a written memorandum that includes the following information:
    • Narrative of the data backup problem.
    • How long the problem has existed.
    • Suggested solutions.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

UNIQUE USER I.D. POLICY

1. Introduction

AMELIA has adopted this Unique User I.D. Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009
(Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the issuance, maintenance, and security of Unique User I.D.’s for access to AMELIA’s information systems. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the use of unique user I.D.’s, in accordance with the requirements at § 164.306, and § 164.312(a)(1).
  • The use of unique user I.D.’s is an essential element in our overall effort to protect individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to exclusively use unique user I.D.’s for all information system access and activities, in full compliance with all the requirements of HIPAA.
  • Responsibility for the development and implementation of this unique user I.D. policy, and any procedures associated with it, shall reside with Amelia’s Security Manager, who shall ensure that access to all our information systems and data is accomplished exclusively through the use of unique user I.D.’s.
  • Nothing in this policy shall limit the use of additional security measures, including login and access measures, that may further enhance the security and protection we provide to individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all unique user I.D.-related activities and efforts, in accordance with our Documentation Policy (03-BA).

5. Procedures

  • The unique identification can take the form of the following examples:
    • User’s full name (e.g., JohnWDoe).
    • Form of full name (e.g., SASmith).
    • Badge number (e.g., WV724966).
    • Combination of name and badge number (e.g., jhardWV966)
    • Serial Number (e.g., 123456789).
    • Other unique alphanumeric identifier.
  • Each unique identification shall be properly recorded.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

EMERGENCY ACCESS POLICY

1. Introduction

AMELIA has adopted this Emergency Access Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Access to Protected Health Information during emergencies for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to emergency access procedures, in accordance with the requirements at § 164.104, § 164.306, and § 164.312(a)(1).
  • The establishment of emergency access procedures further strengthens the protections we offer to individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and implement emergency access procedures, in full compliance with all the requirements of HIPAA.
  • These emergency access procedures apply to access to individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • Responsibility for the development and implementation of our emergency access procedures shall reside with Amelia’s CTO, who shall ensure that these procedures are maintained, updated as necessary, and implemented fully throughout our organization and
    must be responsible for for supervising employees activity in access activities.
  • Specic procedures shall be developed to ensure that authorized workforce members can access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) during emergencies.
  • These Emergency Access Procedures shall be developed and implemented in combination with our emergency preparedness and response plans.
  • It is the Policy of AMELIA to fully document our emergency access procedures development and implementation, in accordance with our Documentation Policy and the requirements of HIPAA.

5. Procedures

AMELIA must understand the importance of emergency access procedures, including the process of approval, follow-up, and oversight.

Moreover, good communication between Amelia’s CTO, Amelia’s DPO and the Tech Team is required in order to have a coordinated control of the process and procedures for emergency access.

  • Once the decision has been made, the Amelia’s CTO will contact the IT department to begin the process of granting temporary computer access controls to another individual.
  • The IT department will verify the decision before proceeding.
  • The IT Department will implement the technical steps to grant temporary access to another individual, according to the type of emergency and access privileges.
  • The IT Department will then test the changes to verify that the temporary individual has the appropriate emergency access.
  • If a problem still exists, the IT Department will re-evaluate the technical steps and x any problems.
  • Once the privileges for emergency access are successfully in place, the IT Department will oversee and monitor the emergency access.
  • Once the emergency resides, the IT Department will remove the temporary emergency access and return the access controls to the original state.
  • The IT Department will contact the Amelia’s Security Manager iin follow-up fashion to verify that all access controls have been returned to the original state.

If the emergency impacts, or has the potential to impact to individuals or a security compromise, the IT Department has the right to take the necessary action without permission during an emergency situation.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

AUTOMATIC LOG-OFF POLICY

1. Introduction

AMELIA has adopted this Automatic Log-O Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009
(Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and
under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the implementation of Automatic Log-Os for AMELIA’ information systems. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to the use of automatic log-o applications, in accordance with the requirements at § 164.306 and § 164.312(a)(1-2).
  • The establishment and implementation of an effective automatic log-o policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to always use automatic log-o applications or systems on all workstations and computers, in full compliance with the requirements of HIPAA.
  • Responsibility for the development and implementation of this automatic log-o policy, and any procedures associated with it, shall reside IT department, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to specify the proper functions and procedures of our automatic log-o systems on all computers and workstations that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document automatic log-o-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • AMELIA has to implement reasonable and appropriate electronic procedures on e-PHI Systems to terminate electronic sessions after a period of inactivity through an automatic logo mechanism.
  • The approval of the automatic logo times must be done by [*]. [*] should determine which period of time should elapse before access is automatically terminated.
  • The length of time that a user is allowed to stay logged on depends on
    1. the type of information (e-PHI vs not e-PHI);
    2. the sensitivity of the information that can be accessed from the computer and;
    3. the relative security of the environment in which the system is located.
  • Electronic sessions are terminated and workforce members logged out of e-PHI Systems after five minutes of inactivity.
  • For highly sensitive e-PHI Systems, automatic logo occurs after five minutes.
  • IT department has the duty of periodically inspecting systems to ensure that the automatic session logo capability is configured correctly.
  • In addition to the automatic logo mechanisms, the employees are instructed to terminate electronic sessions on e-PHI Systems when such sessions are completed and to logoff from or lock workstations when they expect to be away from their workstations for an extended period of time and at the end of each day. The employees must be acknowledged for the log-o and ensure that they are complied with it.
  • Logoff settings should be configured such that electronic sessions on systems containing ePHI are terminated after a specied period of inactivity.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

ENCRYPTION AND DECRYPTION POLICY

1. Introduction

AMELIA has adopted this Encryption and Decryption Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the Encryption and Decryption of Protected Health Information for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  •  AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to encryption and decryption, in accordance with the requirements at § 164.312(a)(1-2).
  • The establishment and implementation of an effective encryption and decryption policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain this encryption and decryption policy in full compliance with all the requirements of HIPAA.
  • Responsibility for the development and implementation of this encryption and decryption policy, and any procedures associated with it, shall reside with Amelia’s Security Manager, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to specify the proper usage and application of encryption and decryption for all computers and workstations that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all encryption and decryption-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  1. ACCESS
    The [*] or their designee shall ensure:
    • Policies, procedures, scenarios, and processes must identify Confidential Information or PII that must be encrypted to protect against persons or programs that have not been granted
      access.
    • AMELIA has to implement appropriate mechanisms to encrypt and decrypt Confidential Information or PII whenever deemed appropriate. Internal procedures shall specify how AMELIA transmits PHI as well as how often the information is transmitted.
    • When encryption is needed based on data classication to protect PHI during transmission, the procedures shall specify the methods of encryption used to protect the transmission of
      PHI.
    • Logical user access is managed separately and independently of native operating system authentication and access control mechanisms when disk encryption is used rather than file or column level database encryption.
  2. ENCRYPTION KEY LENGTH
    • AMELIA uses software encryption technology to protect PHI. To provide the highest-level security while balancing throughput and response times, encryption key lengths should use current industry standard encryption algorithms for the PHI.
    • The use of proprietary encryption algorithms are not allowed unless reviewed by qualied experts outside of the vendor in question and approved by AMELIA management.
  3. AT REST ENCRYPTION
    • Full disk encryption avoids security breaches and will be the preferred method for user
      devices containing PHI

    PHI at rest on computer systems owned by and located within AMELIA controlled spaces,
    devices, and networks should be protected by one or more of the following mechanisms:

    • Disk/File System Encryption.
    • Use of Virtual Private Networks (VPN’s) and Firewalls with strict access controls that authenticate the identity of those individuals accessing the PHI
    • Supplemental compensating or complimentary security controls including complex passwords, and physical isolation/access to the data
    • Strong cryptography on authentication credentials (i.e. passwords/phrases) shall be made unreadable during transmission and storage on all information systems
    • Password protection to be used in combination with all controls including encryption.
    • File systems, disks, and tape drives in servers and Storage Area Network (SAN) environments are encrypted using industry standard encryption technology
    • Computer hard drives and other storage media that have been encrypted shall be sanitized to prevent unauthorized exposure upon return for redistribution or disposal
  4. PORTABLE DEVICE ENCRYPTION
    Portable devices (e.g. smart-phones, ash cards, SD cards, USB le storage) represent a
    specic category of devices that contain data-at-rest. Many incidents involving unauthorized
    exposure of PHI are the result of stolen or lost portable computing devices. The most reliable
    way to prevent exposure is to avoid storing PHI on these devices.
    As a general practice, PHI shall not be copied to or stored on a portable computing device or
    AMELIA-owned computing device. However, in situations requiring PHI to be stored on such
    devices, encryption reduces the risk of unauthorized disclosure in the event that the device
    becomes lost or stolen. The following procedures shall be implemented when using portable
    storage:
    • Hard drives (laptops, tablets, smartphones and personal digital assistants) shall be encrypted using products and/or methods approved by the IT Department. Unless otherwise approved by Amelia’s CTO, such devices shall have full disk encryption with double authentication.
    • Devices shall not be used for the long-term storage of any PHI.
    • All devices shall have proper and appropriate protection mechanisms installed including approved anti-malware/virus software, personal firewalls with unneeded services and ports turned off, and properly configured applications.
    • Removable media including CD’s, DVD’s, USB ash drives, etc. shall not be used to store PHI.
  5. IN-TRANSIT ENCRYPTION
    In-transit encryption refers to transmission of data between end-points. The intent of these
    policies is to ensure that PHI transmitted between companies, across physical networks, or
    wirelessly is secured and encrypted in a fashion that protects PHI from a breach.
    Amelia’s CTO shall ensure:
    • Formal transfer policies, protocols, procedures, and controls are implemented to protect the transfer of information through the use of all types of communication and transmission facilities.
    • Strong cryptography and security protocols (e.g. TLS, IPSEC, SSH, etc.) are used to safeguard PHI during transmission over open public networks. Such controls include:
      • Only accepting trusted keys and certicates, protocols in use only support secure versions or congurations, and encryption strength is appropriate for the encryption methodology in use.
      • Public networks include but are not limited to the Internet, Wireless technologies, 1, Bluetooth, and cellular technologies.
      • PHI transmitted in e-mail messages are encrypted. Any PHI transmitted through a public network (e.g., Internet) to and from vendors, customers, or entities doing business with AMELIA must be encrypted or transmitted through an encrypted tunnel (VPN) that include current transport layer security (TLS) implementations.
      • Wireless (Wi-Fi) transmissions used to access AMELIA computing devices or internal networks must be encrypted using current wireless security standard protocols
      • Encryption or an encrypted/secured channel is required when users access AMELIA’ PHI remotely from a shared network, including connections from a Bluetooth device or smarthphone
      • Secure encrypted transfer of documents and PHI over the internet uses current secure le transfer programs such as SFTP and secure copy command (SCP).
  6. ENCRYPTION KEY MANAGEMENT
    Effective enterprise public and private key management is a crucial element in ensuring encryption system security. Key management procedures must ensure that authorized users can access and decrypt all encrypted PHI using controls that meet operational needs. AMELIA key management systems are characterized by following security precautions and attributes:
    • AMELIA uses procedural controls to enforce the concepts of least privilege and separation of duties for sta. These controls apply to persons involved in encryption key management or who have access to security-relevant encryption key facilities and processes.
    • Amelia’s CTOshall verify backup storage for key passwords, les, and PHI to avoid single point of failure and ensure access to encrypted PHI.
    • Key management should be fully automated.
    • Keys in storage and transit must be encrypted.
    • Private keys must be kept confidential.
    • Application and system resource owners should be responsible for establishing data encryption policies that grant exceptions based on demonstration of a business need and an assessment of the risk of unauthorized access to or loss of PHI.

    Amelia’s CTO shall ensure:

    • Decryption keys are not associated with user accounts.
    • Documentation and procedures exist to protect keys used to secure stored PHI against disclosure and misuse.
    • Restrict access to cryptographic keys to the fewest number of custodians necessary.
    • Cryptographic keys are stored in the fewest possible locations.
    • Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened or keys are suspected of being compromised.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

AUDIT CONTROLS POLICY

1. Introduction

AMELIA has adopted this Audit Controls Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, afnd under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Audit Controls for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to audit controls, in accordance with the requirements at § 164.312(b).
  • The establishment and implementation of an effective audit controls policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain appropriate and effective audit controls in full compliance with the requirements of HIPAA.
  • Responsibility for the development and implementation of this audit controls policy, and any procedures associated with it, shall reside Amelia’s COO, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to specify the proper usage and application of audit controls for all computers, workstations, and systems that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all audit control-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • Each department or program included in the AMELIA will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy.
  • Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.
  • Audits will be required in the following situations:
    • Inappropriate access
    • Tracking unauthorized disclosures of ePHI
    • Detecting performance problems and aws in applications
    • Detecting potential intrusions and other malicious activity
    • Providing forensic evidence during investigation of security incidents and breaches
  • It will be necessary to x audit control revisions in order to guarantee the PHI security compliance. The inspections will be carried out every year.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

DATA INTEGRITY CONTROLS POLICY

1. Introduction

AMELIA has adopted this Data Integrity Controls Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Data Integrity Controls for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to data integrity controls, in accordance with the requirements at § 164.312(c)(1-2).
  • The purpose of this Integrity Controls Policy is to ensure that electronic Protected Health Information (“PHI” and “ePHI”, as defined by HIPAA) has not been altered or destroyed in an unauthorized manner.
  • The establishment and implementation of an effective data integrity controls policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain appropriate and effective data integrity controls in full compliance with the requirements of HIPAA.
  • Responsibility for the development and implementation of this data integrity controls policy, and any procedures associated with it, shall reside with Amelia’s CTO and COO, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to specify the proper usage and application of data integrity controls for all computers, workstations, and systems that access individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all data integrity controls-related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

  • Each department or program included in AMELIA will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

PERSON OR ENTITY AUTHENTICATION POLICY

1. Introduction

AMELIA has adopted this Person or Entity Authentication Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Authentication of Persons or Entities seeking access to Electronic Protected Health Information in the possession of AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to person or entity authentication, in accordance with the requirements at § 164.312(d).
  • The purpose of this Person or Entity Authentication Policy is to ensure that electronic Protected Health Information (“PHI” and “ePHI”, as defined by HIPAA) can only be accessed by persons or entities who are in fact who they claim to be, and not imposters.
  • The establishment and implementation of an effective Person or Entity Authentication Policy is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and maintain this Person or Entity Authentication Policy in full compliance with all the requirements of HIPAA.
  • Responsibility for the development and implementation of this Person or Entity Authentication Policy, and any procedures associated with it, shall reside [*], who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic procedures shall be developed to specify the proper authentication of persons and entities who request access to individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA) on our computers, workstations and systems.
  • It is the Policy of AMELIA to fully document all person or entity related activities and efforts, in accordance with our Documentation Policy.

5. Procedures

Authentication is the mechanism that verifies that an individual is who they claim to be. It is the first step in gaining access to any secured computing environment and is the basis for allowing or denying access to sensitive information. Authentication is based on one or more of the three following factors:

    • Something that the person knows such as a password
    • Something that the person has such as a smart card or token
    • Something the person is such as a fingerprint.
    • This policy sets a minimum acceptable level of authentication for users or entities at AMELIA.
    • AMELIA limits authentication attempts to its e-PHI maintained in its system to no more than three unsuccessful attempts in direct access mode.
    • There is no limit of unsuccessful attempts in AMELIA system access mode; however, each unsuccessful attempt in AMELIA systems mode is logged.
    • Authentication attempts that exceed the limit result in:
      • Disabling of relevant account for a period of time
      • Logging of event
      • Notification to the departmental security officer.
    • AMELIA immediately removes authentication credentials for persons or entities no longer requiring access to e-PHI and periodically validates that no redundant authentication credentials have been issued.
    • Authentication credentials are protected by passwords. AMELIA’ personnel are instructed to keep two authentication credentials confidential. With respect to e-PHI maintained in locations other than the AMELIA system, MENTHIKS verifies that a person or entity seeking access to e-PHI is the one claimed by requiring strong password protection as indicated in the Password Management Policy (29-BA).

RESPONSIBILITIES:

  • All individuals identified in the scope of this policy are responsible for:
    • Using, as instructed, any authentication method required by the Security Officer
    • Abiding by all requirements set forth for the protection of passwords at Tulane University.
  • The [*] is responsible for:
    • Evaluating and implementing strong authentication solutions when appropriate.
    • Ensuring the password administration options of all software packages are set to reflect the password requirements outlined above
    • Monitoring compliance of the workforce to this policy and responding to any security incidents which may arise from it Employees who violate this policy will be subject to disciplinary action up to and including termination of employment.

Anyone who knows or has reason to believe that another person has violated this policy should report the matter promptly to his or her supervisor or [*]. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, every effort will be made to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action up to and including termination of employment.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

DATA TRANSMISSION SECURITY POLICY

1. Introduction

AMELIA has adopted this Data Transmission Security Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs Data Transmission Security for AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations pertaining to data transmission security, in accordance with the requirements at § 164.312(e)(1) and § 164.312(e)(2).
  • The purpose of our Data Transmission Security Policy and Procedures is to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  • The establishment and implementation of effective Data Transmission Security Procedures is a crucial element in our overall objective or providing reasonable protections for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

4. Policy Statement

  • It is the Policy of AMELIA to establish and implement technical security measures to guard against unauthorized access to Electronic Protected Health Information that is being transmitted over an electronic communications network, in full compliance with the requirements of HIPAA.
  • Responsibility for the development and implementation of these Data Transmission Security Procedures shall reside with [*], who shall ensure that these procedures are maintained, updated as necessary, and implemented fully throughout our organization.
  • Specic Data Transmission Security Procedures shall be developed to protect individually identifiable health information, including Electronic Protected Health Information (“EPHI”, as defined by HIPAA).
  • It is the Policy of AMELIA to fully document all Data Transmission Security Procedures, activities, and efforts, in accordance with our Documentation Policy and the requirements of HIPAA.

5. Procedures

  • Each department or program included in AMELIA will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy.
  • Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

6. Compliance and Enforcement

All managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).

MOBILE DEVICE POLICY

1. Introduction

AMELIA has adopted this Mobile Device Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).

AMELIA hereby acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, under the regulations implementing HIPAA, other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded ow of health information for lawful and appropriate purposes.

2. Scope of Policy

This policy governs the use of mobile devices that can access, use, transmit, or store
Individually Identifiable Health Information (“IIHI”), and Protected Health Information (“PHI”) in the custody of AMELIA. All personnel of AMELIA must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

Officers, agents, employees, Business Associates, contractors, affected vendors, temporary workers, and volunteers must read, understand, and comply with this policy in full and at all times.

3. Assumptions

  • AMELIA hereby recognizes its status as a Business Associate under the definitions contained in the HIPAA Regulations.
  • AMELIA must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended.
  • Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to: civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
  • Full compliance with HIPAA strengthens our ability to meet other compliance obligations, and will support and strengthen our non HIPAA compliance requirements and efforts.
  • Full compliance with HIPAA reduces the overall risk of inappropriate uses and disclosures of Protected Health Information (PHI), and reduces the risk of breaches of confidential health data.
  • The requirements of the HIPAA Administrative Simplication Regulations (including the HIPAA Privacy, Security, Enforcement, and Breach Notication Rules) implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of 492 Public Law 110-233, sections 13400-13424 of Public Law 111-5, and section 1104 of Public Law 111-148.

4. Policy Statement

  • It is the Policy of AMELIA to extend all the privacy and security protections required by HIPAA to Protected Health Information accessed, used, transmitted, and stored on mobile devices operated by members of our workforce.
  • It is the Policy of AMELIA to include privacy and security issues related to mobile devices in our Risk Management process and analyses, to better understand risks inherent in the use of such devices.
  • This Policy applies to all electronic computing and communications devices which may be readily carried by an individual and are capable of receiving, processing, or transmitting Protected Health Information, whether directly through download or upload, text entry,
    photograph or video, from any data source, whether through wireless, network or direct connection to a computer, other Mobile Device, or any equipment capable of recording, storing or transmitting digital information (such as copiers or medical devices). Mobile Devices include, but are not limited to smartphones, digital music players, hand-held computers, laptop computers, tablet computers, and personal digital assistants (PDAs).
  • This Policy applies to personally-owned Mobile Devices as well as Mobile Devices owned or leased by, and provided by AMELIA.
  • Mobile Devices which cannot be or have not been configured to comply with this Policy are prohibited.
  • It is the Policy of AMELIA to limit the access, use, transmittal, and storage of Protected Health Information exclusively to those mobile devices that can be configured and operated to deliver privacy and security comparable to the non-mobile data processing systems and devices that we operate.
  • It is the Policy of AMELIA to limit the access, use, transmittal and storage of Protected Health Information on mobile devices to the Minimum Necessary, as that term is defined in the HIPAA Regulations.
  • It is the Policy of AMELIA to train workforce members on the safe and secure usage of mobile devices that are utilized to access, use, transmit, or store Protected Health Information.
  • It is the Policy of AMELIA to fully document all mobile device-related activities which involve Protected Health Information, in accordance with our Documentation Policy and the requirements of HIPAA.

5. Procedures

  • No Mobile Device may be used for any purpose or activity involving information subject to this Policy without prior registration of the device and written authorization by the IT and Operation Department Authorization will be given only for uses of Mobile Devices conrmed to have been configured to be compliant with this Policy.
  • Any access, use, transmittal or storage of Protected Health Information subject to this Policy by a Mobile Device, and any use of a Mobile Device in any AMELIA facility or oce, including an authorized home oce or remote site, must be in compliance with all AMELIA policies at all times.
  • Authorization to use a Mobile Device may be suspended at any time:
    • If the User fails or refuses to comply with this Policy;
    • In order to avoid, prevent or mitigate the consequences of a violation of this Policy;
    • In connection with the investigation of a possible or proven security breach, security incident, or violation of AMELIA’ policies;
    • In order to protect life, health, privacy, reputational or nancial interests; to protect any assets, information, reputational or nancial interests of AMELIA;
    • Upon request of a supervisor or department head in which the User works; or upon the direction of Amelia’s Security Manager.
  •  Authorization to use a Mobile Device terminates:
    • Automatically upon the termination of a User’s status as a member of AMELIA’ workforce;
    • Upon a change in the User’s role as a member of AMELIA’ Workforce, unless continued authorization is authorized in writing.
    • If it is determined that the User violated this or any other AMELIA policy, in accordance with AMELIA’ Sanction policy (18-BA).
  • The use of a Mobile Device without authorization, while authorization is suspended, or after authorization has been terminated is a violation of this Policy.
  • At any time, any Mobile Device may be subject to audit to ensure compliance with this and other AMELIA policies. Any User receiving such a request shall transfer possession of the Mobile Device to IT Department/Security Oce/etc at once, unless a later transfer date and
    time is indicated in the request, and shall not delete or modify any information subject to this Policy which is stored on the Mobile Device after receiving the request.

6. Compliance and Enforcement

All AMELIA managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination in accordance with AMELIA’ Sanction Policy (18-BA).