Effective Date: August 2024

HIPAA COMPLIANCE POLICY

POLICY STATEMENT:

As required under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule’s ‘Evaluation Standard’ (§ 164.308(a)(8)), Source 1 must perform periodic evaluations, based initially upon the HIPAA security safeguards implemented. The purpose of this policy is to ensure that Source 1 conducts periodic assessments of the administrative, physical, and technical safeguards in place within the organization to protect ePHI transmitted or maintained by the organization.

PURPOSE:

This policy applies to all Source 1 employees tasked with evaluating and maintaining the security of Electronic Protected Health Information (“ePHI”).

DEFINITIONS:

Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

REQUIREMENTS:

Source 1 will:

  1. Establish a process to review and maintain reasonable and appropriate security measures to comply with the HIPAA Security Rule. When establishing criteria for periodic evaluations, the factors listed below should be taken into consideration:
    • The history of significant changes to Source 1 business practices and IT systems, particularly those storing, processing, or transmitting ePHI.
    • Regulatory changes that affect how ePHI is to be safeguarded by Source 1.
    • Implementation of new software affecting the storage, processing, and/or transmission of ePHI.
    • Major security incidents that have occurred within the organization, such as instances of unauthorized access to ePHI or the theft of information assets (e.g., mobile devices, storage media, etc.) that contain ePHI.

  2. Review authorization, authentication, and data protection mechanisms before a new business associate is given access to sensitive information.

  3. Ensure that evaluations are completed by a team designated by Source 1’s Information Security Officer. The evaluation may be conducted or certified by a third party if the Source 1 HIPAA Security Officer deems it necessary and appropriate.

  4. Have the Information Security Officer determine in advance the programs, departments, and/or staff that will participate in the evaluation. At a minimum, all HIPAA-covered components will be addressed in the evaluation. Source 1 may choose to include other parts of the organization that are not impacted by HIPAA.

  5. Identify threats and risks to ePHI and ePHI systems.

  6. Test and evaluate Source 1’s security controls and processes to determine whether they have been implemented properly and whether those controls and processes appropriately protect ePHI. An authorized employee, or approved outside organization, must be designated by the Information Security Officer and Management to conduct the testing.

  7. Conduct vulnerability assessments and penetration testing of information systems if deemed reasonable and appropriate.

  8. Perform ePHI discovery (determining where ePHI is stored, processed, and transmitted within Source 1-owned information assets).

  9. Document the process of its evaluation, its analysis of the results, and its plan for taking corrective actions; the results will be presented by the Information Security Officer to appropriate Source 1 Management.

  10. Permit the Information Security Officer to consult with legal resources to obtain input regarding assessment activities.

Sharing Patient Information with Other Health Care Professionals:

  • The HIPAA Privacy Rule allows employees to communicate and coordinate with other care providers.
    • Employees may share information with doctors, hospitals, and EMS providers regarding treatment, payment, and health care operations without signed consent from the patient.
    • Employees may use health information for research purposes.
    • Employees may use email, phone, or fax to communicate with other health care workers and patients if safeguards are in use.

Sharing Patient Information with Family Members:

  • Employees may give patient information to family members, friends, etc., if the patient identifies them as being involved in their care.
  • Employees may give information regarding a patient’s condition or location to the patient’s family or to individuals responsible for their care.

ENFORCEMENT:

Any Source 1 employee found to be in violation of this policy may be subject to the Source 1 disciplinary process or termination.
