HIPAA Security Manual

1. Introduction

This manual outlines the policies, procedures, and controls implemented by Morro Bay Recovery (MBR) to comply with the security standards and implementation specifications of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

1.1 Purpose

The purpose of this manual is to describe the safeguards in place to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that MBR creates, receives, maintains, or transmits.

1.2 Scope

This manual applies to all members of the MBR workforce, including employees, contractors, volunteers, and other persons whose conduct is under the direct control of MBR, regardless of whether they are authorized users of ePHI. It covers all ePHI in any form or medium that is created, received, maintained, or transmitted by MBR or on its behalf.

2. Background

2.1 HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information. The standards are outlined in 45 CFR Part 160 and Subparts A and C of Part 164. As a covered entity under HIPAA, MBR must comply with the applicable standards, implementation specifications, and requirements of the Security Rule.

2.2 Security Rule Safeguards

The Security Rule specifies three types of safeguards required for compliance:

  • Administrative Safeguards - policies, procedures, and administrative actions to manage the selection, development, implementation, and maintenance of security measures.
  • Physical Safeguards - physical measures, policies, and procedures to protect electronic systems, equipment, and the facility housing ePHI from natural and environmental hazards and unauthorized intrusion.
  • Technical Safeguards - technology and the policies and procedures for its use that protect ePHI and control access.

3. Administrative Safeguards

3.1 Security Management Process

MBR has implemented policies and procedures to prevent, detect, contain, and correct security violations, including conducting risk analysis and risk management. Responsibility for security management has been assigned to MBR Management. The security process will be periodically reviewed and updated as needed.

3.2 Assigned Security Responsibility

MBR Management has been designated as the organization's Security Officer and is responsible for overseeing compliance with the HIPAA Security Rule. Duties include conducting risk analysis, developing risk management plans, and implementing security measures.

3.3 Workforce Security

Policies and procedures have been implemented to ensure that workforce members have only the access to ePHI appropriate to their roles, to prevent workforce members who are not authorized from obtaining access, and to define authorization and supervision practices. Processes have been established for hiring, access authorization, access establishment and modification, and termination.

3.4 Information Access Management

Policies and procedures have been implemented for authorizing access to ePHI based on job role and function. Access levels are periodically reviewed and updated as needed.

3.5 Security Awareness and Training

All workforce members receive mandatory security training upon hire and annually thereafter. Training covers HIPAA regulations, managing security threats, safeguards and procedures at MBR, and the consequences of non-compliance.

3.6 Security Incident Procedures

Policies and procedures are in place for detecting and responding to suspected or known security incidents. Response activities include mitigating harmful effects, documenting incidents and their outcomes, and incorporating lessons learned into future preventive measures.

3.7 Contingency Planning

Contingency plans have been developed for responding to emergency situations that may damage systems containing ePHI. The plans outline procedures for data backup, disaster recovery, emergency mode operation, testing, and revisions.

3.8 Evaluation

Technical and non-technical evaluations are regularly conducted to assess how MBR's security policies and procedures meet the HIPAA Security Rule requirements. Evaluations include risk analysis and information system activity reviews.

3.9 Business Associate Agreements

Business associate agreements ensuring protection of ePHI are maintained for all third parties that create, receive, maintain, or transmit ePHI on behalf of MBR. Agreements outline security safeguards business associates must implement and are reviewed periodically.

4. Physical Safeguards

4.1 Facility Access Controls

Access to facilities with systems containing ePHI is restricted to authorized workforce members. Policies and procedures outline facility security features, access validation, visitor management, and maintenance records.

4.2 Workstation and Device Security

Policies and procedures are implemented to restrict physical access to workstations, electronic media, and handheld devices that access or store ePHI to only authorized users. Security features such as workstation locks, automatic logoffs, and encryption are used.

4.3 Device and Media Controls

Policies and procedures govern the receipt, removal, and off-site transport of electronic media and mobile devices containing ePHI. Movement of devices and media is tracked, and devices and media are encrypted as appropriate. Media are securely wiped, destroyed, or re-used in accordance with federal standards.

5. Technical Safeguards

5.1 Access Control

Unique user IDs and role-based access controls are used to limit access to ePHI to authorized users and prevent those without permission from obtaining access. Emergency access procedures are in place for ePHI access during crisis situations.

5.2 Audit Controls

System activity such as logins, logoffs, and data access is logged and periodically reviewed to identify potential security incidents. Logs are retained for at least six years.

5.3 Transmission Security

Integrity controls and encryption are implemented to guard ePHI against unauthorized modification during electronic transmission.

5.4 Integrity Controls

Security measures such as virus scanning and intrusion detection are used to protect ePHI from improper alteration or destruction.

6. Organizational Policies and Procedures

MBR maintains, and retains for six years, written policies, procedures, records of security activities, and all other documentation required under the HIPAA Security Rule. Policies are regularly reviewed and updated to comply with federal standards. Workforce members are trained on these policies and procedures.

7. Compliance and Enforcement

The Security Officer will periodically audit departments handling ePHI for compliance with this manual. Workforce members who fail to comply with security policies and procedures are subject to disciplinary action up to and including termination. Willful neglect of HIPAA Security Rule requirements can result in civil and criminal penalties.

Contact Information

If you have any questions or comments please contact us:

Morro Bay Recovery
2460 Main Street,
Morro Bay, California, 93442
+1 (805) 772-2212