In compliance with the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d), Hearn Trucking LLC has adopted the following Information Security Policy (“Policy”) to ensure reasonable protection of Protected Health Information (“PHI”) and Electronic Protected Health Information (“EPHI”).
This Policy is limited to Hearn Trucking LLC and its Covered Entities and applies to the security of PHI and EPHI (as defined by the Code of Federal Regulations 45 C.F.R. 160.103) as well as the security of any Information Systems that store or process EPHI. Covered Entities include the Employee Group Health Plan. This Policy also applies to technology service providers, either internal or external to the company, as defined by each Covered Entity.
These Policies will be reviewed by the Management of Hearn Trucking LLC and Covered Entities on an annual basis or as deemed necessary based on changes in technology that affect the protection of PHI and EPHI. In accordance with the Code of Federal Regulations, 45 C.F.R. 164.306(b)(2)(i), all iterations of the Policy will be retained for a minimum of 6 years.
Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Hearn Trucking LLC Information Systems, and/or discipline up to and including termination of employment or contractor status with the Company. Additional civil, criminal and equitable remedies may apply.
Exceptions to this Policy must be approved by the Information Security Office and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness.
Roles and Responsibilities
1. The HIPAA Security Officer is a Hearn Trucking LLC employee who is responsible for coordinating compliance with the HIPAA Security Rule as defined by the Code of Federal Regulations, 45 C.F.R. 160, 162 and 164. Each Covered Entity must designate a HIPAA Security Officer. The HIPAA Security Officer may delegate his or her responsibilities to other Hearn Trucking LLC employees.
2. The HIPAA Security Officer is responsible for:
– Understanding how PHI and EPHI are used within the Covered Entity and by any Business Associate of the Covered Entity.
– Understanding relevant security and privacy requirements dictated by HIPAA.
– Implementing appropriate procedures to support this Policy.
– Implementing a recurring awareness program to ensure Covered Entity personnel understand their obligations under this Policy.
– Ensuring the Covered Entity adheres to this Policy and its supporting procedures.
– Ensuring that any exceptions to this Policy or its supporting procedures are approved by the Information Security Department and formally documented.
– Coordinating with the Information Security department to identify and evaluate threats to the confidentiality and integrity of EPHI.
– Coordinating with the Information Security Officer to respond to actual or suspected breaches in the confidentiality and integrity of EPHI.
3. For the purpose of this Policy, a User is an employee or contractor of the Covered Entity who is authorized to access Hearn Trucking LLC Information Systems provided by the Covered Entity.
4. A User is responsible for:
– Abiding by the Policy and its supporting procedures.
– Reporting actual or suspected breaches in the confidentiality or integrity of EPHI to the HIPAA Security Officer.
– Reporting suspicious requests for PHI or EPHI to the HIPAA Security Officer.
5. Each Covered Entity must:
– Have a designated HIPAA Security Officer.
– Conduct a security risk assessment annually, at a minimum, to measure the potential risks and vulnerabilities to the confidentiality, integrity and availability of EPHI.
– Implement reasonable and appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of EPHI.
6. Prior to conducting business with a third party that involves the storage or processing of EPHI, a Covered Entity must coordinate with the third party to sign a Business Associate Contract that includes provisions for the third party to reasonably safeguard EPHI.
Issue Specific Information Security Policy
7. Access to EPHI must be:
– Authenticated in such a manner as to positively and uniquely identify the user.
– Authorized by a designated Data Owner.
– Consistent with the rule of least privilege, meaning a user is granted the minimum level of access necessary to perform authorized job responsibilities.
– Reviewed annually, at a minimum, to ensure such access is still appropriate.
– Revoked when such access is no longer necessary to perform authorized job responsibilities.
8. All accounts that can be used to access EPHI must be protected with a strong password as defined by the Information Security Department.
9. All Information Systems that store, process or otherwise access EPHI, including User workstations, must be configured such that:
– A screen saver is activated after a period of inactivity.
– The Information System locks, requiring re-authentication, after a period of inactivity.
– Open sessions are automatically disconnected after a period of inactivity.
Business Continuity Management
10. All Covered Entities must:
– Maintain retrievable backup copies of all EPHI that must also meet the requirements of this Policy.
– Periodically test the effectiveness of backup copies of EPHI.
– Develop, implement and maintain a Business Continuity and Disaster Recovery Plan that includes provisions for the continuity of Information Systems that store or process EPHI.
Employee Owned Assets
11. Employee owned Information Systems must not be used to store or process EPHI.
12. All EPHI must be encrypted during transmission over public networks such as the Internet.
13. All Covered Entities must take reasonable measures to encrypt stored EPHI.
Information Security Awareness
14. All employees and contractors of a Covered Entity must undergo periodic security awareness training specific to the requirements of HIPAA.
Information Security Breaches
15. All Covered Entities must regularly monitor Information Systems that store or process EPHI for security events.
16. All security incidents must be addressed in a manner that is consistent with the guidance and procedures published by the Information Security Department.
17. All Hearn Trucking LLC personnel must be positively and uniquely identified prior to gaining physical access to Information Systems that store or process EPHI.
18. Physical access to Information Systems that store or process EPHI must be controlled in a manner that prevents unauthorized physical access.
19. All repairs and alterations to physical security controls that aid in the protection of PHI and/or EPHI must be documented and available for review by the HIPAA Security Officer.
20. All recycling and disposal of electronic storage media that is used to store EPHI or that was previously used to store EPHI must be consistent with guidance and procedures published by the Information Security Department.
21. All physical relocation of Information Systems that store or process EPHI must be documented and available for review by the HIPAA Security Officer.
22. All Covered Entity personnel must maintain a workspace that is clear of PHI or EPHI whenever that workspace is unattended.