UMSL COLLEGE OF OPTOMETRY
HIPAA SECURITY POLICIES AND PROCEDURES:

#1 Access Control Policy  

POLICY: The College of Optometry is required to maintain a mechanism for access control that restricts access to individually identifiable health information and allows access only to those workforce members with a business need for such access.

PURPOSE: To limit or restrict access to the electronic information systems that maintain electronic protected health information to allow access only to those workforce members that have been granted access rights.

PROCEDURE:

1) Members of the College of Optometry’s workforce are granted access to the electronic information systems that maintain the College of Optometry’s electronic protected health information on the basis of their job duties and title. The following describes the assigned access rights at the College of Optometry:

ADMIN level—HIPAA Security Officer, Center Manager, software & hardware specialists (system managers)
DOCTOR level— College of Optometry faculty and students
OPTICAL level—dispensary staff
UMSLFD level—front desk staff

2) Members of the College of Optometry’s workforce are granted access only to the minimum necessary electronic protected health information that they require to perform their job duties.

3) The College of Optometry maintains an access list that is reviewed periodically, but at least annually, to ensure that workforce members have access only to that electronic protected health information necessary to perform their job duties and functions.

4) Students in the College of Optometry will be granted access to the information systems containing electronic protected health information only when their clinic privileges are in effect. Student access to these information systems will be revoked when the student is on externship. Student access will be restored when the student has returned for clinic assignment.

5) Student access to information systems containing electronic protected health information will be revoked permanently upon leaving the College of Optometry, either by graduation or otherwise.

6) Faculty and staff access to information systems containing electronic protected health information will be revoked upon leaving the College of Optometry, either by termination, reassignment, retirement, or voluntary departure.

7) Student, faculty and staff login IDs, including login IDs no longer in use by that student, faculty or staff member, will be maintained by the HIPAA Security Officer for auditing purposes.



#2 Risk Analysis Policy

POLICY: The College of Optometry will conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the College of Optometry.

PURPOSE: The College of Optometry recognizes that there exist potential vulnerabilities associated with collecting, storing, maintaining and transmitting electronic protected health information. This policy seeks to address those vulnerabilities in an effort to mitigate them.

PROCEDURE:

1) A Risk Analysis of the College of Optometry’s repositories of electronic protected health information will be conducted by the HIPAA Security Officer. This Risk Analysis will:

2) The HIPAA Security Officer will annually review the Risk Analysis, in order to update the Analysis, and reassess the potential risk and vulnerabilities to the integrity, confidentiality, and availability of the electronic protected health information in each repository. If necessary, the HIPAA Security Officer will assign a new level of risk to each repository based on his/her annual review of the Risk Analysis.

3) Based on the results of the Risk Analysis, the College of Optometry will take such steps as are reasonable to mitigate the risks assessed to each repository of electronic protected health information.



#3 Unique User Identification Policy  

POLICY: The College of Optometry must be able to uniquely identify and monitor access to the networks, systems and applications which contain the College of Optometry’s electronic protected health information for the purpose of access control to that information.

PURPOSE: This policy requires that each member of the College of Optometry’s workforce be assigned a unique method of identification, such as a unique user name or number, for identifying and tracking user access to electronic protected health information. A password is an authenticator, not an identifier, and is covered separately from the unique user ID.

PROCEDURE:

1) Any member of the College of Optometry’s workforce who requires access to any network, system or application that accesses, transmits, receives or stores electronic protected health information must be provided with a unique user identification method.

2) When requesting access to any network, system, or application that accesses, transmits, receives or stores electronic protected health information, a workforce member must use their own unique user identification method.

3) Workforce members must not allow other individuals to use their unique user identification method to access the College of Optometry’s electronic protected health information.

4) It is the responsibility of workforce members to ensure that their assigned unique user identification method is appropriately protected and only used for legitimate access to networks, systems, or applications. If workforce members believe their unique user identification method has been compromised, they must report that security incident to the HIPAA Security Officer.

5) Each workforce member at the College of Optometry has a unique user ID/password for access to the workstation desktop. A separate and distinct user ID/password is necessary to access electronic protected health information at the College of Optometry.



#4 Emergency Access Policy  

POLICY: The College of Optometry must ensure that access is available to critical electronic protected health information during an emergency situation.

PURPOSE: The College of Optometry will establish procedures for obtaining necessary electronic protected health information during an emergency.

PROCEDURE:

1) In the event of an extended system failure, the College of Optometry will record all necessary patient information on paper and input the information into the electronic system once service has been restored.

2) In the event of a system failure, the ITS System Administrator is able to restore critical data from backup tapes to recover from system data corruption or server hardware failure.

3) In the event of a complete catastrophic situation, ITS System Administrators will have the ability to perform a disaster recovery of the Rosalie server onto other hardware stored in a separate location and to pull a backup tape from an offsite storage facility to restore system data.



#5 Risk Management Policy

POLICY: The College of Optometry must implement security measures and safeguards for each repository of electronic protected health information sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The level, complexity, and cost of such security measures and safeguards must be commensurate with the risk classification in the Risk Analysis of each such repository.

PURPOSE: The College of Optometry will implement security measures sufficient to reduce the risks and vulnerabilities of each repository of electronic protected health information to a reasonable and appropriate level.

PROCEDURE:

1) Pursuant to the risk levels assigned in the Risk Analysis, the College of Optometry will address the risks and vulnerabilities of each repository of electronic protected health information and will implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.

2) To the extent the College of Optometry reassesses the potential risks and vulnerabilities of each repository of electronic protected health information as part of an annual review, the College of Optometry will update the security measures and safeguards for each such repository to address any new risks and vulnerabilities identified.

3) As part of the annual review of the Risk Analysis, the College of Optometry will review the security measures and safeguards previously implemented to determine whether those existing security measures and safeguards remain reasonable and appropriate.

4) Any security measures and safeguards implemented for each repository of electronic protected health information must be documented and submitted to the HIPAA Security Officer for approval.


#6 Sanction Policy

POLICY: Members of the workforce of the College of Optometry must abide by and fully comply with the College of Optometry’s HIPAA Security Policies and Procedures.

PURPOSE: To ensure that all workforce members abide by and fully comply with all of the HIPAA Security Policies and Procedure of the College of Optometry, the College of Optometry will appropriately discipline and sanction workforce members for any violation of the HIPAA Security Policies and Procedures.

PROCEDURE:

1) The HIPAA Security Officer will investigate any security incident or alleged security violation in a timely manner.

2) As a result of his/her investigation, should the HIPAA Security Officer conclude that a member of the College of Optometry’s workforce is responsible for a security incident or violation, the HIPAA Security Officer will report the findings of his/her investigation to the supervisor of that member of the workforce, together with a recommendation of possible sanction. Possible sanctions include but are not limited to re-training, verbal and written warnings, loss of clinic privileges, and termination.

3) The Collected Rules and Regulations of the University of Missouri, as well as applicable personnel policies and procedures, shall be complied with at all times in issuing sanctions to members of the College of Optometry’s workforce as a result of a security incident or violation.

4) HIPAA Security incidents and/or violations include, but are not limited to, the following:


#7 Information System Activity Review Policy  

POLICY: The College of Optometry must regularly review and monitor access to the electronic protected health information to ensure that improper or unauthorized access has not been made to that information.

PURPOSE: The College of Optometry will implement internal audit procedures to regularly review records of information system activities, such as audit logs, access reports, and security incident tracking reports.

PROCEDURE:

1) An internal audit procedure will be established and implemented to regularly review records of system activity; this procedure may utilize audit logs, activity reports, or such other mechanisms to document and manage system activity.

2) Audit logs, activity reports, or other mechanisms must be reviewed at intervals commensurate with the associated risk to the information system or the electronic protected health information contained on that information system.

3) An Audit Control and Review Plan will be created and approved by the HIPAA Security Officer. This Plan will set forth the procedures to review all audit logs and activity reports.

4) Security incidents, such as unauthorized access attempts, will be logged and reported immediately to the appropriate system managers, as well as the HIPAA Security Officer, who will conduct an investigation of the incident.
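The review procedure above calls for audit logs and access reports to be checked against the access list (Policy #1), the unique user ID rule (Policy #3) and the "unauthorized access attempts" that item 4 says must be reported. The following script is an added illustration of what such a review pass can look like; it is not the College's own tooling. The log line format, the user IDs, the access-level assignments, the failed-login threshold and the sample records are all constructed for the example.

```python
"""Audit-log review pass: flags logins by IDs not on the current access list,
bursts of failed logins, and one user ID active on two workstations at once.
Added example; the log format and all sample data below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access list in the style of Policy #1: user ID -> access level.
# A user missing from this list has had access revoked (Policies #1 items 4-6).
ACCESS_LIST = {
    "jsmith": "ADMIN",
    "drlee": "DOCTOR",
    "stu042": "DOCTOR",
    "optic1": "OPTICAL",
    "fd01": "UMSLFD",
}

# Constructed log lines: "<ISO timestamp> <workstation> <user ID> <event>".
SAMPLE_LOG = """\
2024-03-04T08:01:10 WS-07 drlee LOGIN_OK
2024-03-04T08:02:44 WS-03 fd01 LOGIN_OK
2024-03-04T08:05:00 WS-11 stu099 LOGIN_OK
2024-03-04T08:06:12 WS-03 optic1 LOGIN_FAIL
2024-03-04T08:06:30 WS-03 optic1 LOGIN_FAIL
2024-03-04T08:06:51 WS-03 optic1 LOGIN_FAIL
2024-03-04T08:07:05 WS-03 optic1 LOGIN_FAIL
2024-03-04T08:09:00 WS-05 drlee LOGIN_OK
2024-03-04T09:00:00 WS-07 drlee LOGOUT
"""

FAIL_THRESHOLD = 3          # assumed: failures in FAIL_WINDOW that count as an attempt
FAIL_WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Split log lines into (timestamp, workstation, user, event) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, workstation, user, event = line.split()
        records.append((datetime.fromisoformat(ts), workstation, user, event))
    return records


def review(log_text, access_list=ACCESS_LIST):
    """Return a list of (rule, user, detail) findings for the Security Officer."""
    findings = []
    fails = defaultdict(list)      # user -> timestamps of recent failed logins
    open_sessions = {}             # user -> workstation of the open session
    burst_reported = set()         # users already reported for a failure burst

    for ts, ws, user, event in parse(log_text):
        if event == "LOGIN_OK":
            # Policy #1: successful login by an ID that is not on the access list.
            if user not in access_list:
                findings.append(("not_on_access_list", user,
                                 f"login on {ws} at {ts.isoformat()}"))
            # Policy #3: the same ID active on two workstations suggests sharing.
            prev = open_sessions.get(user)
            if prev is not None and prev != ws:
                findings.append(("concurrent_session", user,
                                 f"open on {prev}, new login on {ws}"))
            open_sessions[user] = ws
        elif event == "LOGOUT":
            open_sessions.pop(user, None)
        elif event == "LOGIN_FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            fails[user] = recent
            if len(recent) >= FAIL_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                findings.append(("failed_login_burst", user,
                                 f"{len(recent)} failures on {ws} within {FAIL_WINDOW}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:22} {user:8} {detail}")
```

Each finding maps back to a policy clause rather than to a generic alert, which is what makes the output usable as the "access report" the Security Officer reviews: the `not_on_access_list` hit is the check for revoked student or departed staff IDs, the `concurrent_session` hit is the shared-credential check under Policy #3, and the `failed_login_burst` hit is the unauthorized-access-attempt report required by item 4. Real deployments would read the actual system's log format and the maintained access list instead of the constructed values here.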


#8 Media Re-Use and/or Disposal Policy  

POLICY: The College of Optometry must ensure that electronic protected health information is not improperly disclosed upon the re-use or disposal of the hardware and/or software media containing that information.

PURPOSE: The College of Optometry will implement appropriate procedures to be followed governing the re-use, removal and destruction of hardware and electronic media containing electronic protected health information.

PROCEDURE:

1) Prior to destroying or disposing of any storage device or removable media, care must be taken to ensure that the device or media does not contain electronic protected health information. This will be accomplished by:

a) Server disks: disks will be reformatted, re-initialized with the disk array utility, and then physically destroyed with a degausser. Degaussing erases all recorded data on the platters, including the factory servo tracks the drive needs in order to operate, which renders the disk inoperative and unusable, in compliance with the most current U.S. Department of Defense (DoD) specifications.

b) Backup tapes: backup tapes will first be reformatted before re-use by Optometry, and if found to be unreadable or damaged, will be physically destroyed with a degausser, providing “deep erasure” of the media that completely eliminates recorded data from the tape. Because tape carries no servo information that a degausser would destroy, this erasure leaves the tape as clean as an unused tape, in compliance with the most current DoD specifications.

c) Workstation hard drives: When a workstation that contains no patient information is replaced under the DSP program, the hard drives are wiped with a utility called gDisk.exe that conforms to the most current DoD specifications. If the workstation is going to be completely removed from service or is found to have patient information on it, the physical hard disk is destroyed with a degausser, which renders the disk inoperative and unusable by erasing all recorded data together with the servo tracks the drive needs to operate, in compliance with the most current DoD specifications.

2) No electronic protected health information is to be stored on the workstations, only on the Rosalie server. Workforce-generated patient information is to be saved on the system server. Workforce members are only to access and generate electronic protected health information when utilizing clinic workstations.

3) Software installed on each workstation deletes any workforce-generated electronic protected health information after each work session.

4) Electronic protected health information in any form is not to be saved or stored on any transportable media, laptop computers or handheld devices.

5) Workstations are configured to prevent any permanent downloads of external software applications.


#9 Incident Response and Reporting Policy  

POLICY: The College of Optometry must ensure that known or suspected security incidents are reported and investigated, so that any harmful effects of such incidents are mitigated to the extent possible.

PURPOSE: The College of Optometry will investigate all known or suspected security incidents, and will mitigate as possible any harmful effects of such incidents.

PROCEDURE:

1) All incidents, threats or violations that affect or may affect the confidentiality, integrity, or availability of electronic protected health information of the College of Optometry must be reported to the HIPAA Security Officer.

2) The HIPAA Security Officer shall investigate each such reported incident, threat or violation, and shall recommend updates or fixes in response to such threatened or actual security incidents.

3) The HIPAA Security Officer will maintain a record of all reported security incidents, including a summary of the outcome of his/her investigation.

4) The HIPAA Security Officer shall recommend such measures as are reasonable and appropriate to mitigate any harmful effects of a security incident.


#10 Security Awareness and Training Policy  

POLICY: Security training is necessary for all workforce members who access protected health information. This training must include overall security awareness, periodic reminders, virus awareness, password management, and user-specific topics necessary for individual workstation security. Security training is also necessary to ensure that the workforce members of the College of Optometry who come in contact with electronic protected health information are properly trained and made aware of security policies, procedures, potential threats, and incidents.

PURPOSE: To implement a security awareness and training program for all members of the workforce of the College of Optometry.

PROCEDURE:

1) The College of Optometry will establish a formal, documented security awareness training program for all staff members that addresses, at a minimum, the following topics:

2) The College of Optometry will establish a formal, documented security awareness program tailored to system users that addresses, at a minimum:

3) The College of Optometry will provide security awareness training to all members of the workforce who come in contact with electronic protected health information on an annual basis, and may provide periodic security awareness reminders to all workforce members.

4) All new workforce members at the College of Optometry will be provided security awareness training within two weeks of their appointment at the College.

5) Security awareness training will cover general HIPAA Security Policies and Procedures, and specific College of Optometry HIPAA Security Policies and Procedures, and will include: