This installment addresses administrative security requirements
This installment begins a review of the administrative safeguards; it will be followed by a review of the physical and technical safeguards. The administrative safeguards contain nine standards, with several implementation specifications, some required and some addressable. The focus of these safeguards is on administrative actions and procedures to manage the pharmacy's security measures and workforce. Part 1 features four of the nine standards. Part 2 will cover the balance.
The pharmacy must implement procedures to prevent, detect, contain, and correct security violations. Four implementation specifications are associated with this standard, all of which are required.
Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (PHI).
Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standards.
Sanction policy: Apply appropriate sanctions against employees who fail to comply with the security policies and procedures.
Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs and security incident tracking reports.
The pharmacy must identify a "security official" to be responsible for developing and implementing the required policies and procedures. Because this standard contains the necessary instructions for implementation (that is, appoint a security official), no specifications are associated with it. In complying with this standard, the pharmacy must appoint an employee to serve as the security official, just as the pharmacy appointed a privacy official for the privacy standards implemented in 2003. Because the existing privacy official may be the person most familiar with HIPAA, he or she should be considered for appointment as the security official.
The pharmacy must implement procedures to ensure that all pharmacy employees authorized to access electronic PHI have appropriate access to it, and prevent access by employees not authorized to have access. Three implementation specifications are associated with this standard, all of which are addressable.
Authorization and/or supervision: Implement procedures for the authorization and supervision of employees who work with electronic PHI or in areas where it might be accessed.
Workforce clearance procedure: Implement procedures to determine that the access of an employee to electronic PHI is appropriate.
Termination procedures: Implement procedures for terminating access to electronic PHI when the employment ends, or as required by determinations made through the workforce clearance procedure.
The pharmacy must implement procedures for authorizing access to electronic PHI, consistent with the use and disclosure requirements of the privacy standards. Three implementation specifications are associated with this standardone required and two addressable as designated below. Note that the required specification applies only to a healthcare clearinghouse.
Isolating healthcare clearinghouse functions (Required): If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic PHI from unauthorized access by the larger organization.
Access authorization (Addressable): Implement procedures for granting access to electronic PHIfor example, through access to a workstation, transaction, program, process, or other mechanism.
Access establishment and modification (Addressable): Implement procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
The essential beginning point with these first four standards is the risk analysis. You must identify the risks and vulnerabilities to your electronic PHI before you can take steps to eliminate or minimize them. This involves identifying the location of all of the pharmacy's electronic PHI, evaluating the information systems currently used to maintain it, and recognizing what security measures are already in place.
While April 2005 may seem like a long time off, the risk analysis must be performed now. Several pharmacy groups and industry sources have tools to assist you in complying with the security standards, including a comprehensive risk analysis.
Walter Fitzgerald. A look at administrative safeguards--Part 1.
Aug. 23, 2004;148:68.