By Jack Anderson
January 29, 2019
The HIPAA Security Rule requires covered entities and their business associates to take “reasonable and appropriate” precautions to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The rule is organized into 18 “standards”, such as Transmission Security and Workstation Use, grouped into administrative, physical and technical safeguards; most standards are further broken down into implementation specifications. Some implementation specifications, such as risk analysis and data backup plan, are “required”. Others, such as automatic logoff and encryption, are “addressable”. Addressable does not mean optional: the organization must assess whether the specification is reasonable and appropriate in its environment and then implement it, implement an equivalent alternative, or document why neither is necessary.
An example of a Safeguard: AC-1
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
AC-1 is the identifier of the NIST SP 800-53 control “Access Control Policy and Procedures”, mapped here to the HIPAA sections listed in the template below. In plain terms: the organization writes, reviews and updates a policy that controls access to protected information, and assigns one person with security experience to own that job. The policy is given to all staff, and all staff are expected to understand it. Its purpose is to protect customer information, so it describes how that information is protected, requires that computers processing it be secured, outlines the defenses the security system relies on, identifies the types of information that are controlled, states how that information is controlled and who is allowed to access it, and assigns security duties to employees.
AC-1 Policy Template (Compliance Helper)
<Organization Name> <Date of Current Revision>
HIPAA Rule Policy/Procedure
ACCESS CONTROL POLICY AND PROCEDURES AC-1
<Organization Name> develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Assigned Responsibility: <Administrator><IT Contractor>
HIPAA References: 45 CFR 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
List of Organizational Entities:
<List Organizational Entities here.>
The purpose of the security policy is to protect customer information. The organization writes, reviews, and updates a policy controlling access to protected information. This policy applies to each of the listed organizational entities.
For each of the listed organizational entities, enter the following:
<organizational entity name>
<information to which the entity is allowed access, i.e. “all” or “some – specified”>
<conditions required for access, e.g. “valid identification”, “need to know”, etc.>
Responsible party <list name or title> is tasked with writing and maintaining this policy. This person should have security experience.
The organization gives the policy to all staff, including members of all organizational entities. All staff are trained in and understand the security policy.
This policy includes the details listed below about how the organization restricts access to customer information within each organizational entity <Note: may require IT support.>, including a description of:
Entity identification procedure
Individual identification procedures
Implemented access control technology, e.g. password/user-id, biometrics, token, other. <Note: erase items that do not apply.>
Computers that process customer information must be secured using the restrictions listed above.
Safeguard Review: Review applicability annually.
Editing, adopting and implementing Policy AC-1 satisfies Safeguard AC-1 and is scored accordingly in the NIST CSF risk assessment. Note that the document alone is not the safeguard: the procedures it describes must actually be in place, and the identification procedures and access control technology it lists should match what is deployed, or the policy will not hold up as evidence in a review.