policy creation statement, computer science homework help


Question Description

Remote Access Security Policy

Organization: XYZ Health Care Provider:

XYZ Health Care is a provider of health services to senior citizens. It performs its mission with a virtual force of Registered Nurses and Nurse Practitioners. The nurses visit their elderly patients in their homes and monitor their health. At the end of the day, the nurses are required to connect back to corporate networks and upload all of the patient records for the day. Keep in mind that this organization is subjected to HIPAA rules and its required to make the data available to its patients and authorized patient representatives within 48 hours.

Some of the RISKS:

  • Brute force user ID and password attacks
  • Users or employees unaware of the risks, threats, and dangers of the Internet and shard WI-FI or broadband Internet Access
  • Multiple Access attempts and logon retries
  • Unauthorized access to IT Systems, applications, and data
  • Privacy data or confidential data is compromised remotely
  • Data leakage occurs in violation of data classification standard
  • A remote worker’s laptop is stolen
  • A remote worker requires access to the patient medical records system through the Public Internet

Scope: Control Identification and Creation of a Remote Access Policy

Using or textbooks, internet and other resources, identify the necessary components / sections within a security policy and then craft the actual policy for XYZ Healthcare and address the risks within policy that are prevalent with Remote Access.

Your submission must include the following:

  • 1)Control Matrix: A listing of the risk and 1 or more countermeasure to address the risk. (25 points)
  • 2)A Section that identifies the necessary components of the policy and why they are important: This does not refer to the controls but more specifically sections within the policy. (You may research the Internet or SANS for sample policies, the sections were also discussed in class). (15 points)
  • 3)The actual policy, when developing the policy please ensure that it can be used at XYZ Healthcare. (60 Points)

Paper Requirements

  • 1)APA Format (Where applicable)
  • 2)Minimum of 3 - 5 references
  • 3)no plagiarism

Unformatted Attachment Preview

The HIPAA Privacy Rule’s Right Of Access and Health Information Technology THE HIPAA PRIVACY RULE’S RIGHT OF ACCESS AND HEALTH INFORMATION TECHNOLOGY BACKGROUND AND INTRODUCTION Since its inception, the HIPAA Privacy Rule’s right of an individual to access protected health information (PHI) about him or her held by a covered entity has operated in a primarily paper- based environment. While it has been common for covered entities to create, maintain, and exchange PHI in paper form, an increasing number of covered entities are beginning to utilize new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of care they deliver. Health IT also may create mechanisms by which individuals can electronically request access to their PHI and by which covered entities can respond by providing or denying access electronically. An individual’s right to access his or her PHI is a critical aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the designated record set(s) of a covered entity. The Privacy Rule’s specific, yet flexible, standards also address individuals’ requests for access and timely action by the covered entity, including the provision of access, denial of access, and documentation. See 45 C.F.R. § 164.524. Health IT has the potential to facilitate the Privacy Rule’s right of access from both an individual’s and a covered entity’s perspective. Because the right of access operates regardless of the format of the PHI, its application in an electronic environment is similar to that in a paper-based environment. Several provisions, however, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, may apply slightly differently and, thus, require additional consideration. The discussion that follows addresses an individual’s right to request access electronically, a covered entity’s electronic provision or denial of access and other specific applications of the Privacy Rule that will assist covered entities in tailoring their compliance appropriately. 1 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology The guidance also is meant to serve as a stepping stone for covered entities that are considering how an individual’s access rights may be fulfilled within an electronic health information exchange environment. To that end, the guidance demonstrates how the Privacy Rule’s access standard provides a strong foundation from which covered entities can develop policies and procedures which also meet several of the objectives enumerated in the Individual Access Principle identified within The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. REQUESTS FOR ACCESS The Privacy Rule allows covered entities to require that individuals make requests for access in writing, provided they inform individuals of such a requirement. See 45 C.F.R. § 164.524(b)(1). In addition, the Privacy Rule has always considered electronic documents to qualify as written documents. Thus, the Privacy Rule supports covered entities’ offering individuals the option of using electronic means (e.g., email, web portal) to make requests for access. TIMELY ACTION The Privacy Rule requires covered entities to respond to requests for access in a timely manner. Except as otherwise specified, the Privacy Rule requires the individual be notified of the decision within 30 days of the covered entity’s receipt of the request. See 45 C.F.R. § 164.524(b)(2)(i). While the Privacy Rule establishes the 30 days as an outside limit, it does not preclude covered entities from responding sooner. Indeed, a covered entity may have the capacity through the use of some electronic systems to provide automated access to an individual’s PHI or respond to requests with immediate access, twenty-four hours a day. Not all electronic systems, however, may allow for the provision of immediate access, and the covered entity’s response time-frame will normally depend, in part, on its system capacity. As in a paper-based system, other factors also will impact a covered entity’s response time in an electronic environment. For example, the Privacy Rule’s 30 day parameter was originally conceptualized to allow covered entities sufficient time to accommodate normal business functions (e.g., interpretation of test results), as well as those unusual circumstances that might delay a response (e.g., reporting suspected child abuse). Similar allowances may be necessary in an electronic health information environment as well. As a practical matter, individuals might expect, when making a request of a technologically sophisticated covered entity, that their requests could be responded to instantaneously or well before the current required time-frame. This might be the case, for example, when access is provided through a direct view or portal into a health care provider’s EHR. Providing more timely access than the Privacy Rule requires may be a means by which covered entities distinguish themselves within the market. 2 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology PROVISION OF ACCESS WHO MAY EXERCISE THE RIGHT OF ACCESS? Individuals and Personal Representatives. While the Privacy Rule’s right of access belongs primarily to the individual who is the subject of the PHI, the Privacy Rule also generally requires that persons who are legally authorized to act on behalf of the individual regarding health care matters be granted the same right of access. See 45 C.F.R. § 164.502(g)(1). The Privacy Rule defers to state law to determine when a person has the legal authority to act on behalf of an individual with regard to health care matters. Health care powers of attorney and parental rights, for example, are two legal bases by which state law may be determinative of a person’s authority to act on behalf of an individual. The Privacy Rule’s personal representative requirement ensures that certain people will have access to an individual’s PHI when the individual is incapacitated or otherwise unable to exercise the right of access on his or her own behalf. The Privacy Rule would require that covered entities grant personal representatives with the right of access on behalf of an individual in an electronic environment, just as they do today with regard to paper-based information. Covered entities will want to make sure, however, that they have the capacity to identify, authenticate, and properly respond to requests from these individuals, whether electronically or otherwise, as the Privacy Rule requires. Verification. The Privacy Rule requires covered entities to develop and implement reasonable policies and procedures to verify the identity of any person who requests PHI, as well as the authority of the person to have access to the information, if the identity or authority of the person is not already known. See 45 C.F.R. § 164.514(h)(1). These verification requirements apply to individuals who request access to their PHI that is maintained in a designated record set. The Privacy Rule refrains from defining specific or technical verification requirements and largely defers to the covered entity’s professional judgment and industry standards to determine what is reasonable and appropriate under the circumstances. Verification may be obtained either orally, or in writing (which may be satisfied electronically), so long as the requisite documentation, statements or representations are obtained where required by a specific Privacy Rule disclosure provision, and that the appropriate steps are ultimately taken to verify the identity and authority of individuals or personal representatives who are otherwise unknown. Therefore, covered entities that receive and/or respond to access requests electronically should revisit their verification and documentation policies and procedures to ensure that they are reasonable in light of the electronic environment within which they are operating. 3 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology CONTENT ‐ DESIGNATED RECORD SETS An individual’s right of access generally applies to the information that exists within a covered entity’s designated record set(s), including: (1) a health care provider’s medical and billing records, (2) a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems, and (3) any information used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the covered entity. See 45 C.F.R. § 164.501 (definition of “designated record set”). Covered entities that use electronic records (e.g., EHRs or electronic claims systems) will want to remain cognizant that the right of access applies regardless of the information’s format. The term “designated record set,” therefore, cannot be limited to information contained in an electronic record, but also will include any non-duplicative, electronic or paper-based information that meets the term’s definition. While overlap may initially exist between electronic and paper-based record sets, covered entities will likely find their access-related obligations to be less time and labor intensive the more PHI they convert to being electronic. Further, a covered entity that utilizes a business associate to maintain or otherwise operate its electronic records will want to ensure the business associate is obligated to share non- duplicative information pursuant to electronic access requests. The same would be true if a health information organization (HIO), as a business associate, maintains an electronic repository of some or all of a covered entity’s PHI. FORM OR FORMAT OF ACCESS PROVIDED The Privacy Rule requires covered entities to provide access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format. If the PHI is not readily producible in the form or format requested, access must be provided in a readable hard copy form, or in the alternative, some other form or format as agreed to by the covered entity and the individual. The covered entity also may provide the individual with a summary of the PHI or may provide an explanation of the PHI which has been provided, so long as the individual agrees to the alternative form and associated fees. See 45 C.F.R. § 164.524(c)(2). To the extent individuals request that access to their PHI be provided in an electronic form or format, covered entities’ utilization of electronic records will likely increase the amount of PHI that is “readily producible” in electronic form, thereby benefiting both the requesting individual, as well as the covered entity: Electronic access may provide individuals with more timely access to more information in a more convenient manner. For example: Electronic copies of PHI may be downloaded to USB thumb-drives or copied to compact discs relatively quickly and may provide individuals with a more convenient means of transporting and maintaining the information. 4 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology EHRs may enable covered entities to offer individuals an immediate and ongoing view into the covered entity’s designated record set(s), either through a personal health record (PHR) or otherwise, while limiting the time, expense, and labor that may be required otherwise in order to provide access to the individual. Electronic access also may be a means by which covered entities can limit the time, resources and other expenses required to provide the individual with access. • • • Electronic copies of PHI that are downloaded to USB thumb-drives or copied to compact discs may require less labor and overhead than access to paper records would require.  Covered entities may find that providing individuals with electronic access to PHI could save them time and resources by limiting, if not eliminating, the need to provide hard copies of the information or some other, more expensive, form or format.  Providing such “readily producible” electronic access may have the secondary effect of enhancing their communication with individuals, which may in turn, lead to improved quality of care and strengthened consumer satisfaction.  The right of access also affords covered entities the option of making alternative agreements with individuals as to the form or format of access provided. If, for example, a covered entity’s default administrative safeguards policies and procedures limit the provision of electronic access to stand-alone devices and secure, web-based portals, and an individual requests access via electronic mail (e-mail), the Privacy Rule would permit alternative agreements which satisfy both parties, so long as reasonable safeguards are otherwise in place.  To the extent that individuals request access to their PHI in hard-copy form, the covered entity must provide such access, even if the information is stored in an electronic record.  DENIAL OF ACCESS  GROUNDS FOR DENIAL  The Privacy Rule contemplates circumstances under which covered entities may deny an individual access to PHI and distinguishes those grounds for denial which are reviewable from those which are not.  Unreviewable grounds for denial are: situations involving (i) psychotherapy notes, information compiled for use in legal proceedings, and certain information held by clinical laboratories; (ii) certain requests which are made by inmates of correctional institutions; (iii) information created or obtained during research that includes treatment if certain conditions are met; (iv) denials permitted by the Privacy Act; and (v)  5 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology information obtained from non-health care providers pursuant to promises of confidentiality. See 45 C.F.R. § 164.524(a)(2). Reviewable grounds for denial are: (i) disclosures which would cause endangerment of the individual or another person; (ii) situations where the PHI refers to another and disclosure is likely to cause substantial harm; and (iii) requests made by a personal representative where disclosure is likely to cause substantial harm. See 45 C.F.R. § 164.524(a)(3). IMPLEMENTATION OF DENIAL The Privacy Rule further requires that denials of access be timely, written, provided to individuals in plain language, with a description of the basis for denial, and if applicable, contain statements of the individual’s rights to have the decision reviewed and how to request such a review. In addition, the notice of denial must inform the individual of how complaints may be filed with the covered entity or the Secretary of HHS. If access to some of the PHI is denied, the covered entity must, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which the covered entity has a ground to deny access. See 45 C.F.R. § 164.524(d)(1). A covered entity may satisfy the Privacy Rule’s writing requirement for denials electronically, though its denial still must be based on the grounds identified by the Privacy Rule, and must comply with each of the Privacy Rule’s procedural requirements. In cases where the covered entity is able to receive and process a request for access by the individual electronically and provide access in an electronic format, the denial of the request, in whole or in part, may also be done electronically. As emphasized above, the form of the denial does not change the covered entity's obligations regarding the basis for the denial or the content of the notification to the individual. However, where the covered entity provides individuals with electronic access to some or all of their health information, through a PHR or similar means, and the access is available to the individual at any time and without a request, it becomes more difficult to determine whether a denial of access has occurred and when notice to the individual is required. For example, the requirements in the Privacy Rule are flexible enough to permit a covered entity to notify the individual in advance of the types of PHI to which it intends to deny access and for which the Privacy Rule does not provide a right of review. See 45 C.F.R. § 164.524(a)(2). Such advance notification would not be appropriate, however, for other types of PHI to which a covered entity may deny access because the denial must be based on the specific exercise of professional judgment by a licensed health care professional and are subject to the individual's right to request a review of the denial by another licensed health care professional. In these cases, the individual must be aware of the fact that he or she has been denied access to certain information for which the individual has a right to request a review. See 45 C.F.R. § 164.524(a)(3). The covered entity's policies and procedures for the provision of electronic access must appropriately provide for these individualized grounds for denial of access. 6 The HIPAA Privacy Rule’s Right Of Access and Health Information Technology FREQUENTLY ASKED QUESTIONS Q1: In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule? A1: To the extent covered entities maintain their own electronic records systems, their choice to link those systems to a network for electronic health information exchange purposes would not necessarily change the status of information maintained within their designated record sets. That is, information that meets the definition of a designated record set remains part of the designated record set even if that information is linked to a network. See 45 C.F.R. § 164.501 (definition of “designated record set”). Covered entities should be aware, however, that whatever information they import into their electronic records via a network may become an integrated part of their designated record set(s). Network participation alone, however, would not make all other information about the individual that is accessible through the network part of a covered entity’s designated record set. Thus, the ability to link to information through a network does not obligate a covered entity to provide access to the designated record set of another entity participating in the network. Q2: How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule? A2: The Privacy Rule’s verification standard requires that covered entities develop and implement reasonable policies and procedures to verify the identity and authority of such persons, if otherwise unknown to them, before granting them access to protected health information (PHI). See 45 C.F.R. § 164.514(h). Once verified, the personal representative can then be given the appropriate credentials for authentication and access through an electronic system. The Privacy Rule allows covered entities to rely on their professional judgment, as well as industry standards, in designing reasonable verification and authentication processes ...
Purchase answer to see full attachment

Tutor Answer

School: Rice University


Its policy involves setting up rules and characterization of models especially for remote access
to XYZ data assets of health care providers which may include systems, applications and
electronic protected health information (EPHI). Remote access is very important because it
ensures that only the authorized individuals can access the information of a particular patient
and thus ensures maximum protection of patient`s health and personal information. The
following are some of HIPAA policies.
Usage of Internet:
Internet services will be provided based on strict guidelines especially pertaining to one`s job
responsibilities. Moreover, there will be no internet access unless if there is identification of
business needs first.
Remote accessing:
This entails restriction of unlawful and illegal activities I the system by unauthorized users.
Internet use for recreational purposes and other general uses is specifically meant for workers
and other specialist within the organization but not to any outsider/stranger. Thus, it is the duty
of workers and other personnel with remote access to ensure that essential security is
maintained through the system...

flag Report DMCA

I was on a very tight deadline but thanks to Studypool I was able to deliver my assignment on time.

The tutor was pretty knowledgeable, efficient and polite. Great service!

Heard about Studypool for a while and finally tried it. Glad I did caus this was really helpful.

Similar Questions
Related Tags

Brown University

1271 Tutors

California Institute of Technology

2131 Tutors

Carnegie Mellon University

982 Tutors

Columbia University

1256 Tutors

Dartmouth University

2113 Tutors

Emory University

2279 Tutors

Harvard University

599 Tutors

Massachusetts Institute of Technology

2319 Tutors

New York University

1645 Tutors

Notre Dam University

1911 Tutors

Oklahoma University

2122 Tutors

Pennsylvania State University

932 Tutors

Princeton University

1211 Tutors

Stanford University

983 Tutors

University of California

1282 Tutors

Oxford University

123 Tutors

Yale University

2325 Tutors