Comprehensive, systematic, and effective risk prevention and management practices sustain the organization's ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.
Examples: Regarding element (a), the organization may limit access to authorized personnel by:
limiting access based on staff role within the organization;
ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be regularly changed, locks the user out of the system for incorrect login attempts, and automatically times out after a period of inactivity and prompts reauthentication;
disabling the equipment, passwords, and access of former employees; and
ensuring the system is capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
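As an added illustration (not part of the standard or of any organization's actual system), the following constructed Python sketch models the element (a) controls listed above: access limited by staff role, lockout after repeated failed logins, an inactivity timeout that forces reauthentication, denial of access for departed staff, and an audit log recording who accessed, altered, or deleted a record. The lockout threshold, the timeout, and the role-to-record mapping are constructed values; the standard itself sets no numbers.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_LOGINS = 3         # constructed policy value; the standard sets no number
INACTIVITY_TIMEOUT = 15 * 60  # constructed: seconds idle before reauthentication
# Constructed role-to-record-category mapping (access limited by staff role)
ROLE_PERMISSIONS = {"clinician": {"clinical", "demographic"}, "billing": {"demographic"}}

@dataclass
class User:
    name: str
    role: str
    active: bool = True                    # set False when the employee leaves
    failed_logins: int = 0
    locked: bool = False
    last_activity: Optional[float] = None  # None means no live session

@dataclass
class RecordSystem:
    audit_log: list = field(default_factory=list)
    def _log(self, when, who, action, record_id, outcome):
        # Audit entry: who, when, what was attempted, on which record, and the result
        self.audit_log.append((when, who, action, record_id, outcome))
    def login(self, user, password_ok, now):
        if not user.active or user.locked:
            self._log(now, user.name, "login", "-", "denied:disabled_or_locked")
            return False
        if not password_ok:
            user.failed_logins += 1
            if user.failed_logins >= MAX_FAILED_LOGINS:
                user.locked = True         # lock the account after repeated bad attempts
            self._log(now, user.name, "login", "-", "denied:bad_password")
            return False
        user.failed_logins = 0
        user.last_activity = now           # session starts
        self._log(now, user.name, "login", "-", "ok")
        return True
    def access(self, user, action, category, record_id, now):
        # Inactivity timeout: expire the session and require a fresh login
        if user.last_activity is None or now - user.last_activity > INACTIVITY_TIMEOUT:
            user.last_activity = None
            self._log(now, user.name, action, record_id, "denied:reauth_required")
            return False
        if not user.active or category not in ROLE_PERMISSIONS.get(user.role, set()):
            self._log(now, user.name, action, record_id, "denied:role")
            return False
        user.last_activity = now
        self._log(now, user.name, action, record_id, "ok")  # reads, updates, deletes all recorded
        return True
```

Every attempt, allowed or denied, lands in `audit_log`, which is what makes the "who accessed what, and when" question answerable after the fact.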
Regarding element (e), secure storage of paper records can include:
locked file cabinets;
a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.
Other important considerations can include procedures related to information taken off-site by staff.
Examples: A disaster recovery plan is a set of procedures put in place to protect and recover an organization’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the organization’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred.
Factors that increase the effectiveness of a disaster recovery plan include:
training staff on response procedures;
practicing procedures/conducting downtime drills;
testing disaster recovery systems on an ongoing basis; and
The organization's practices reflect full implementation of the standard.
Practices are basically sound but there is room for improvement; e.g.,
Some aspects of the procedures need further development.
Practice requires significant improvement; e.g.,
Procedures are very basic and provide minimal guidance to staff; or
Procedures are still under development and have only been partially implemented.
Implementation of the standard is minimal or there is no evidence of implementation at all.
The organization ensures its electronic system for managing health records or protected health information limits access to information in accordance with confidentiality rules and the person's privacy preferences to the greatest extent possible.
If the electronic health record system employed by the organization is not able to meet all client privacy preferences and/or all of the necessary confidentiality rules, the organization informs the service recipient of the system’s limitations and obtains consent for the exchange of electronic health information based on those restrictions.
NA: The organization does not electronically manage health records or protected health information.
Examples: The HIPAA Security Rule and Meaningful Use criteria provide strong guidance to organizations regarding the capabilities of electronic health record (EHR) systems. Using a certified EHR is the best way to meet the Meaningful Use criteria. Organizations that are unable to acquire a certified EHR are encouraged to still strive to meet Meaningful Use recommendations in their selection and use of EHR systems.