Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division
(812) 228-2131 Email: dstry@ascensionhealth.org
Section: Recommended HIPAA Security Practices
Updated 04/04/00
(From the Entrust Technologies paper “Creating a Common-Sense Healthcare Security Strategy” at www.entrust.com)
- Individual Authentication of Users: For accountability, each individual should have a unique identifier or log-on ID for use in logging onto the organization's information systems; shared or group accounts defeat accountability because an audit trail cannot then attribute an action to one person. Procedures need to be established for issuing and revoking identifiers. Computer workstations should be programmed to automatically log off if left idle for a specified period of time. Healthcare organizations should move toward implementing stronger, enterprise-wide practices, such as single-session or encrypted authentication protocols and token-based authentication systems. Authentication systems should require users to log on only once during each session (single sign-on) and then allow access to any of the systems, functions, or databases to which they have access privileges.
- Access Controls: Procedures should be in place for ensuring that users can access and retrieve only the information that they have a legitimate need to know. Consider software tools that help ensure that the information made available to users complies with their access privileges.
- Audit Trails: Organizations should maintain, in a retrievable and usable form, audit trails that log all accesses to clinical information. Each log entry should include the date and time of access, the information or record accessed, and the user ID under which the access occurred. Procedures need to be established for reviewing audit logs to detect inappropriate accesses; a log that nobody reviews provides no detection. To become compliant, organizations should be able to maintain logs of all internal accesses to clinical information. To ensure the integrity of data contained in electronic medical records, organizations that use computer-based systems to handle critical records and functions should use technologies for electronic authentication that are capable of identifying the individuals who enter or alter information in the electronic record.
- Physical Security and Disaster Recovery: Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency; they should store backup data in safe places or in encrypted form.
- Protection of Remote Access Points: Organizations with centralized Internet connections should install a firewall that provides strong, centralized security and allows outside access only to those systems critical to outside users. Organizations with multiple access points should consider other forms of protection for the host machines that accept external connections. Organizations should also require a secure authentication process for remote and mobile users, such as those using home computers. Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.
- Protection of External Electronic Communications: Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Policies should be in place to discourage the inclusion of patient-identifiable information in unencrypted email.
- Software: Organizations should exercise and enforce discipline over user software. At a minimum, they should install virus-checking programs on all servers and limit the ability of users to download or install their own software.
- System Assessment: Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis.
- Security and Confidentiality Policies: Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.
- Information Security Officers: Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The information security officer should maintain contact with relevant national information security organizations.
- Education and Training: Organizations should establish programs to ensure that all users of information systems receive some minimum level of training on relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.
- Sanctions: Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.
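The Individual Authentication, Access Controls and Audit Trails practices above describe what an access log must record and that it must be reviewed. The following is an added example, not code from the Entrust paper or from Ascension Health, showing one way those three practices fit together: every access is logged under an individual user ID with timestamp, record and action; entries are hash-chained with an HMAC so that a deleted or edited line is detectable; and a review pass flags accesses that fall outside a user's need to know. The log line format, the care-team table, the key and the working-hours window are all assumptions made for the example, and the log lines are constructed, not real data.

```python
"""Added example: hash-chained clinical access log plus a review pass.
Everything here (line format, care teams, key, hours) is hypothetical."""
import hashlib
import hmac
from datetime import datetime

# Constructed sample data: which individual user IDs are on each patient's
# care team. Anyone else opening the record has no legitimate need to know.
CARE_TEAM = {
    "P1001": {"u.jones", "u.patel"},
    "P1002": {"u.patel"},
    "P1003": {"u.chen"},
}

# Constructed sample audit log. Assumed format per line:
#   ISO-8601 timestamp | user ID | patient record ID | action
SAMPLE_LOG = """\
2000-04-04T09:12:03|u.jones|P1001|view
2000-04-04T09:15:40|u.patel|P1002|update
2000-04-04T09:20:11|u.chen|P1001|view
2000-04-04T23:41:55|u.patel|P1003|view
2000-04-04T10:02:09|u.chen|P1003|view
"""


class AuditLog:
    """Append-only log. Each entry's MAC covers the previous entry's MAC, so
    removing, reordering or editing a line breaks the chain from that point on.
    The key must be held by the log server, not by the clinical application
    users whose actions are being recorded."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []          # list of (line, mac_hex)
        self.prev_mac = b""        # chain starts from an empty MAC

    def append(self, line: str) -> None:
        mac = hmac.new(self.key, self.prev_mac + line.encode(), hashlib.sha256).digest()
        self.entries.append((line, mac.hex()))
        self.prev_mac = mac

    def verify(self) -> bool:
        """Recompute the chain; False if any entry has been altered."""
        prev = b""
        for line, mac_hex in self.entries:
            expected = hmac.new(self.key, prev + line.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), mac_hex):
                return False
            prev = expected
        return True


def build_log(key: bytes, text: str) -> AuditLog:
    log = AuditLog(key)
    for line in text.splitlines():
        if line.strip():
            log.append(line.strip())
    return log


def parse(line: str):
    ts, user, patient, action = line.split("|")
    return datetime.fromisoformat(ts), user, patient, action


def review(entries, care_team, hours=(7, 19)):
    """Flag accesses by users who are not on the patient's care team, and any
    access outside the working-hours window [start, end). Returns a list of
    (user, patient, action, reasons) tuples for a human reviewer."""
    findings = []
    for line, _ in entries:
        ts, user, patient, action = parse(line)
        reasons = []
        if user not in care_team.get(patient, set()):
            reasons.append("not on care team")
        if not (hours[0] <= ts.hour < hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append((user, patient, action, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    log = build_log(b"example-log-key", SAMPLE_LOG)
    print("chain intact:", log.verify())
    for finding in review(log.entries, CARE_TEAM):
        print("REVIEW:", finding)
    # Simulate someone editing an old line to hide their user ID.
    old_line, old_mac = log.entries[2]
    log.entries[2] = (old_line.replace("u.chen", "u.patel"), old_mac)
    print("chain intact after tampering:", log.verify())
```

Running it prints two review findings (one user outside the care team during the day, one outside both the care team and working hours) and shows the chain check failing once an entry is altered. The care-team rule is deliberately simple; real deployments usually also flag a user opening an unusually large number of distinct records, or opening records of colleagues and relatives, which need additional data the example does not model.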
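The Protection of External Electronic Communications practice says patient-identifiable information must not travel in unencrypted email. Policy alone is hard to enforce, so a common control is an outbound gate that inspects each message before it leaves. The following is an added example, not code from the Entrust paper or from Ascension Health; it assumes, for illustration only, that a patient identifier looks like "MRN" followed by seven digits or like a US Social Security number, and that a message counts as encrypted only when it is S/MIME (content type application/pkcs7-mime) or PGP/MIME (multipart/encrypted). The two messages are constructed samples.

```python
"""Added example: outbound-mail gate for patient-identifiable information.
Identifier patterns and the definition of 'encrypted' are hypothetical."""
import re
from email import message_from_string
from email.message import Message

# Assumed identifier formats for the example organization.
MRN_RE = re.compile(r"\bMRN[ :#]*\d{7}\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample: plain-text message carrying a record number.
PLAIN_MSG = """\
From: dr.jones@example-hospital.org
To: billing@example-payer.com
Subject: Claim question
Content-Type: text/plain; charset=us-ascii

Please check the claim for MRN 1234567, admitted last Tuesday.
"""

# Constructed sample: S/MIME enveloped message; the payload bytes are
# placeholder base64, not a real CMS structure.
ENCRYPTED_MSG = """\
From: dr.jones@example-hospital.org
To: billing@example-payer.com
Subject: Claim question
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""


def is_encrypted(msg: Message) -> bool:
    """True only for a recognised encrypted envelope. This checks structure,
    not that the message is actually encrypted to the intended recipient."""
    return msg.get_content_type() in ("application/pkcs7-mime", "multipart/encrypted")


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_identifiers(text: str):
    return MRN_RE.findall(text) + SSN_RE.findall(text)


def gate(raw_message: str):
    """Decide whether an outbound message may leave unencrypted.
    Returns ('allow', []) or ('block', [identifiers found])."""
    msg = message_from_string(raw_message)
    if is_encrypted(msg):
        return "allow", []
    found = find_identifiers(body_text(msg) + " " + (msg.get("Subject") or ""))
    if found:
        return "block", found
    return "allow", []


if __name__ == "__main__":
    print(gate(PLAIN_MSG))       # blocked: identifier in clear text
    print(gate(ENCRYPTED_MSG))   # allowed: encrypted envelope
```

The gate only looks at text/plain parts and the subject; attachments and HTML parts would need their own extraction, and identifier regexes will both miss unusual formats and produce false positives, so a blocked message should be returned to the sender with an explanation rather than silently dropped.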