---

Security Standard: Security Management Process Implement reasonable and appropriate administrative safeguards to include policies and procedures to prevent, detect, contain, and correct security violations. There will be a periodic review and update of the Policy and Procedures Manual. Implementation specifications:

---

HIPAA Compliance meetings that include Risk Analysis and Risk Management are held regularly.

---

The opportunity for workforce member suggestions to improve ePHI confidentiality, integrity, and availability is provided.

---

The Sanction Policy will be reviewed periodically

---

Access reports. A provision of the 2002 HIPAA Privacy Rule says that covered entities are responsible for protected health information (PHI) contained within a designated record set, or DRS, and the current proposed rule would extend that requirement to include a new right to a consolidated access report. The College of Healthcare Information Management Executives says "the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities...CHIME is extremely concerned about the entire concept of access reports," said Pam McNutt, senior vice president and chief information officer at Dallas-based Methodist Health System and chair of CHIME's Policy Steering Committee. "We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS." Based upon this rationale, It appears the inclusion of Access Reports may not be cost-effective, reasonable, and appropriate for a small health care practice, and therefore is not included at this time. Furthermore, the lack of Access reports does not appear to compromise medical safety. This issue will be reconsidered in the future.

---

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. A Security Official and Privacy Official are assigned and are responsible for the development and implementation of security and privacy measures of ePHI in accordance with HIPAAA regulations. The Security and Privacy Official can be the same person, but are not required to be. The Security and Privacy Officers are identified in the summary section of the Policy & Procedure Manual

---

Security Standard: Workforce Security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. Implementation specifications:

---

Members of management or other workforce members will periodically review the list of persons with access to e-PHI to insure they are correct and current.

---

Because this area is addressable rather than required, and due to the limited scope of this practice and cost prohibitions, it does not appear appropriate or necessary to develop a contingency plan, a scenario-based walkthrough, or live testing. This policy will be periodically reviewed.

---

The standard evaluation has been conducted at the time this policy and procedure manual was first endorsed. A re-evaluation will occur.

---

All Business Associates who create, receive, maintain, or transmit ePHI have been identified. Contacts or agreements have been supplied to them. These Business Associate Agreements are documented, signed, and stored to ensure privacy and accountability relating to the confidentiality, integrity, and availability of ePHI. This process will be reevaluated periodically.

---

This process will be periodically reviewed.

---

The access control and validation procedures will be reviewed regularly.