Disclaimer: CMA/PrivaPlan PrivaGuide: Establishing a Security Policy.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns. 

PrivaGuide: Establishing a Security Policy

 By Harry E. Smith, CISSP

 Introduction

 The HIPAA privacy rule requires that HIPAA covered entities document the policies and procedures that they have adopted in order to meet HIPAA privacy standards and implementation specifications.  HIPAA does not dictate which specific policies and procedures must be adopted – this is left to the individual organizations to decide.  We recommend that, at a minimum, each organization document its privacy and security policies and procedures.  The difference between privacy and security policies is:

• PRIVACY POLICY – The privacy policy specifies which practices are allowed and which practices are not allowed with respect to uses and disclosures of protected health information (PHI).  The organization’s privacy policy sets bounds on employee activities that relate to the basic privacy rights of patients and health plan members.
• SECURITY POLICY – The security policy specifies which practices are allowed and which practices are prohibited with respect to data stored on and transmitted between computers.  The organization’s security policy establishes a standard of due care to prevent the accidental exposure of sensitive health information.

Creating Your Security Policy

You will find a “Security Policy Draft” in the “Policies and Procedures” section.  It is called a “draft” rather than a “template” because you need to do more than simply to customize a standard form.  You must change the sample text in the security policy draft to reflect the actual policies of your organization.

Begin with customizing the security policy draft.  Read the legal disclaimer and customization instructions at the beginning of the document and then delete them.  (This information is for your use in customizing the document; it is not intended to be read by your organization’s employees.)  Replace any text in angle brackets (for example, “”) with text that is appropriate to your organization.  Complete any formatting (such as the inclusion of company logos) that is necessary to make this policy document consistent with other documents in your organization.

Next, read the sample text beginning at the section marked “Assignment of Privacy and Security Responsibilities.”  Each of these sections deals with a basic element of HIPAA security protection.  To the extent possible, you should reword each section to reflect the specific practices that your organization will follow.  For example, you may decide that certain functions may only be performed by certain personnel or within certain departments or with a certain form of management approval.  Try not to make the policy statement too detailed; remember that the details will be spelled out in the various procedures that are designed to implement the policy.

When you are finished customizing the sample text, you may want to consider other security-related rules that your organization wishes to establish, even if they are not strictly required by HIPAA.  For example, you may wish establish guidelines for the use of the world wide web or for email.  These items should be added to the security policy document.

Where appropriate, you may wish to include sanctions provisions.  Sanctions are the disciplinary measures that will occur in the event of careless disregard or deliberate violation of any of these rules.  Alternatively, you could keep the documentation of sanctions in a separate sanctions policy.

As a final step to crafting your organization’s security policy, make sure the appropriate management personnel have reviewed the document and agreed that it is in its final form.  Remember that this is an expression of the rules of conduct to be followed by all members of your organization and that there are serious consequences for those who break the rules.

About the Author:

Harry E. Smith, CISSP

Mr. Smith is a founder and principal of Timberline Technologies LLC, a Colorado-based information security consulting company.  He has over 25 years experience in the information security field and has completed consulting engagements with such organizations as IBM, Kaiser Permanente and the U. S. Customs Service.  Mr. Smith is also one of the co-founders of PrivaPlan Associates, Inc.  He is a certified information systems security professional (CISSP) and currently serves as president of the Denver chapter of the Information Systems Security Association (ISSA).

Mr. Smith can be contacted by email at Harry_E_Smith@TimberlineTechnologies.com.