
Free preview: HIPAA Security Management Policy

These are the genuine opening sections of one document from the HIPAA Compliance Toolkit — Dental Practices (18 documents total). The amber [placeholders] are what you customize — everything else is ready to use.

HIPAA Security Management Policy

Purpose. This policy establishes the security management process by which [Practice Name] identifies, analyzes, and reduces risks to electronic protected health information (ePHI). It implements the HIPAA Security Rule requirements for risk analysis, risk management, workforce sanctions, and information system activity review, and it assigns clear accountability for each of those functions. It serves as the parent document for the practice’s full set of HIPAA security policies and procedures.

Policy Statement

[Practice Name] must maintain a documented, ongoing security management process to prevent, detect, contain, and correct security violations affecting ePHI. The process consists of four required activities: (1) an accurate and thorough risk analysis, (2) a risk management program that reduces identified risks to a reasonable and appropriate level, (3) application of sanctions against workforce members who fail to comply with security policies, and (4) regular review of information system activity records.

The Security Official designated under the Security Official Designation and Responsibilities policy is accountable for executing this process and reporting its status to the practice owner or managing dentist at least annually. All subordinate security policies of [Practice Name], including the ePHI Access Control Policy, the Contingency and Disaster Recovery Plan, and the Security Incident Response Procedure, derive their authority from this policy.

Designation of the Security Official

[Practice Name] designates [Name], serving in the role of [Role, e.g. Office Manager / Security Official], as the HIPAA Security Official. The Security Official’s full duty list, decision-making authority, and time allocation guidance are documented in the companion policy titled Security Official Designation and Responsibilities. The designation must be recorded in writing, signed by the practice owner, and updated within 30 calendar days whenever the role changes hands.

Security Risk Analysis

The Security Official must conduct or commission an accurate and thorough risk analysis that identifies where ePHI is created, received, maintained, stored, or transmitted; the threats and vulnerabilities that could affect it; the likelihood and impact of each threat; and the resulting risk level for each. The analysis must cover, at minimum: the [practice management system] and its server or cloud hosting arrangement, digital imaging and x-ray capture stations, intraoral camera and scanner software, workstations at the front desk and in operatories, email and patient texting platforms, backup media, mobile devices, and any remote access used by billing services or IT vendors. The method, scope, findings, and resulting risk ratings must be documented in writing and retained with the practice's other HIPAA records.

Risk Analysis Frequency and Triggers

A full risk analysis must be performed at least annually. In addition, the Security Official must update the risk analysis within 60 days after any of the following triggering events:

  • Migration of the [practice management system] or imaging system to a new vendor or to cloud hosting.
  • Opening, closing, or relocating an office location.
  • A security incident or breach handled under the Security Incident Response Procedure or the Breach Notification Procedure.
  • Adoption of a new technology that handles ePHI, such as a patient texting platform, online scheduling tool, or teledentistry service.
  • A change in ownership, merger, or acquisition of the practice.

— Preview ends. The full document continues beyond this point; the toolkit contains 17 additional documents. —



Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.