• Documented formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data.
  • Contingency – Data Backup, Disaster Recovery, Emergency Mode
  • Information Access Control – Access Authorization, Access Establishment, Access Modification
  • Personnel Security – Personnel clearance including custodial services
  • Security Configuration Management – Hardware/software installation and maintenance
  • Virus checking
  • Security Incident Procedures – Report/Response Procedures
  • Security Management Process – Risk analysis and management
  • Sanction and Security policy
  • Termination Procedures – locks changed, removal from access lists and user account(s)
  • Training – User education concerning virus protection and password management

Physical Safeguards

  • The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
  • Media Controls – Access control, Accountability, Data Backup and Storage, Disposal
  • Physical Access Controls – Disaster Recovery, Emergency Mode Operation, Equipment Control
  • (limited access) Need-to-Know Procedures for personnel access
  • Policy and guidelines on workstation use
  • Secure workstation locations
  • Security Awareness Training (including business associates like transcription companies)

Technical Security Services

  • Include the processes that are put into place to protect and to control and monitor information access.
  • Access Control – Applies primarily to EMR and includes: Context-based, Role-based, and User-based access, Encryption, and Emergency access procedures
  • Audit Controls
  • Authorization Control – Role-based and User-Based access
  • Data Authentication
  • Entity Authentication – Requisite: Auto Logoff and Unique User ID, plus at least one of the following:
      • Password, PIN, Tele-callback, Token, Biometric signature

Technical Security Mechanisms

  • Include the processes that are put into place to prevent unauthorized access to data that is transmitted over a communications network.
  • Communications/Network Controls – Requisite: Integrity Controls and Message Authentication, plus one of the following:
      • Access Control, Encryption
  • If using a network, add:
      • Alarm, Audit Trail, Entity Authentication, Event Reporting