1. Administrative Procedures

[Please label written comments or e-mailed comments about this section with the subject: ADMINISTRATIVE PROCEDURES]

In this proposed rule, the administrative requirements and supporting implementation features are presented at § 142.308(a). We would require each to be documented. We would require the documentation to be made available to those individuals responsible for implementing the procedures and would require it to be reviewed and updated periodically. The following matrix depicts the requirements and supporting implementation features for the Administrative Procedures category. Following the matrix is a discussion of each of the requirements under that category.

a. Certification

Each organization would be required to evaluate its computer system(s) or network design(s) to certify that the appropriate security has been implemented. This evaluation could be performed internally or by an external accrediting agency.

We are, at this time, soliciting input on appropriate mechanisms to permit independent assessment of compliance. We would be particularly interested in input from those engaging in health care electronic data interchange (EDI), as well as independent certification and auditing organizations addressing issues of documentary evidence of steps taken for compliance; need for, or desirability of, independent verification, validation, and testing of system changes; and certifications required for off-the-shelf products used to meet the requirements of this regulation.

We also solicit comments on the extent to which obtaining external certification would create an undue burden on small or rural providers.

b. Chain of Trust Partner Agreement

If data are processed through a third party, the parties would be required to enter into a chain of trust partner agreement. This is a contract in which the parties agree to electronically exchange data and to protect the transmitted data. The sender and receiver are required and depend upon each other to maintain the integrity and confidentiality of the transmitted information. Multiple two-party contracts may be involved in moving information from the originating party to the ultimate receiving party. For example, a provider may contract with a clearinghouse to transmit claims to the clearinghouse; the clearinghouse, in turn, may contract with another clearinghouse or with a payer for the further transmittal of those claims. These agreements are important so that the same level of security will be maintained at all links in the chain when information moves from one organization to another.

c. Contingency Plan

We would require a contingency plan to be in effect for responding to system emergencies. The organization would be required to perform periodic backups of data, have available critical facilities for continuing operations in the event of an emergency, and have disaster recovery procedures in place. To satisfy the requirement, the plan would include the following:

• Applications and data criticality analysis,
• A data backup plan,
• A disaster recovery plan,
• An emergency mode operation plan, and
• Testing and revision procedures.

d. Formal Mechanism for Processing Records

There would be a formal mechanism for processing records, that is, documented policies and procedures for the routine and nonroutine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information. This is important to limit the inadvertent loss or disclosure of secure information because of process issues.

e. Information Access Control

An entity would be required to establish and maintain formal, documented policies and procedures for granting different levels of access to health care information. To satisfy this requirement, the following features would be provided:

• Access authorization policies and procedures.
• Access establishment policies and procedures.
• Access modification policies and procedures.

Access control is also discussed later in this document in the personnel security requirement and under the physical safeguards, technical security services, and technical security mechanisms categories.

f. Internal Audit

There would be a requirement for an ongoing internal audit process, which is the in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an entity. This is important to enable the organization to identify potential security violations.

g. Personnel Security

There would be a requirement that all personnel with access to health information must be authorized to do so after receiving appropriate clearances. This is important to prevent unnecessary or inadvertent access to secure information. The personnel security requirement would require entities to meet the following conditions:

• Assure supervision of personnel performing technical systems maintenance activities by authorized, knowledgeable persons.
• Maintain access authorization records.
• Insure that operating, and in some cases, maintenance personnel have proper access.
• Employ personnel clearance procedures
• Employ personnel security policy/procedures.
• Ensure that system users, including technical maintenance personnel are trained in system security.

h. Security Configuration Management

The organization would be required to implement measures, practices, and procedures for the security of information systems. These would be coordinated and integrated with other system configuration management practices in order to create and manage system integrity. This integration process is important to ensure that routine changes to system hardware and/or software do not contribute to or create security weaknesses. This requirement would include the following:

• Documentation.
• Hardware/software installation and maintenance review and testing for security features.
• Inventory procedures.
• Security testing.
• Virus checking.

i. Security Incident Procedures

There would be a requirement to implement accurate and current security incident procedures. These are formal, documented instructions for reporting security breaches, so that security violations are reported and handled promptly. These instructions would include the following:

• Report procedures.
• Response procedures.

j. Security Management Process

A process for security management would be required. This involves creating, administering, and overseeing policies to ensure the prevention, detection, containment, and correction of security breaches. We would require the organization to have a formal security management process in place to address the full range of security issues. Security management includes the following mandatory implementation features:

• Risk analysis.
• Risk management.
• A sanction policy.
• A security policy.

k. Termination Procedures

There would be a requirement to implement termination procedures, which are formal, documented instructions, including appropriate security measures, for the ending of an employee’s employment or an internal/external user’s access. These procedures are important to prevent the possibility of unauthorized access to secure data by those who are no longer authorized to access the data. Termination procedures would include the following mandatory implementation features:

• Changing combination locks.
• Removal from access lists.
• Removal of user account(s).
• Turn in of keys, tokens, or cards that allow access.

l. Training

This proposed rule would require security training for all staff regarding the vulnerabilities of the health information in an entity’s possession and procedures which must be followed to ensure the protection of that information. This is important because employees need to understand their security responsibilities and make security a part of their day-to-day activities. The implementation features that would be required to be incorporated follow:

• Awareness training for all personnel, including management, (this is also included as a requirement under physical safeguards).
• Periodic security reminders.
• User education concerning virus protection.
• User education in importance of monitoring login success/failure, and how to report discrepancies.
• User education in password management.