(1) The Director of Information Services shall be the county-wide HIPAA security officer.
(2) The HIPAA security officer must ensure the confidentiality, integrity, and availability of all electronic protected health information created, received, maintained or transmitted by the county; protect against any reasonably anticipated threats or hazards to the security or integrity of such information; protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the HIPAA privacy regulations; and ensure compliance by the county’s workforce. To accomplish these responsibilities, the HIPAA security officer shall:
(a) Develop, adopt with the approval of the county executive, and maintain HIPAA security policies and procedures:
(i) To prevent, detect, contain, and correct security violations;
(ii) To ensure that all members of the county workforce have appropriate access to electronic protected health information (including technical procedures);
(iii) To prevent access to electronic protected health information by those workforce members who do not have authority under the HIPAA privacy regulations (including technical procedures);
(iv) To address security incidents;
(v) To respond to emergencies or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damage systems that contain electronic protected health information;
(vi) To create and maintain retrievable exact copies of electronic protected health information and to restore any loss of data;
(vii) To enable continuation of critical business processes for protection of security of electronic protected health information while operating in emergency mode;
(viii) To limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;
(ix) That specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information;
(x) That govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility;
(xi) To address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored;
(xii) For removal of electronic protected health information from electronic media before the media are made available for re-use;
(xiii) To protect electronic protected health information from improper alteration or destruction;
(xiv) To verify that a person or entity seeking access to electronic protected health information is the one claimed; and
(xv) Such policies and procedures necessary to comply with amendments or additions to the HIPAA security standards.
(b) Implement a security awareness and training program for all members of the county workforce (including management);
(c) Perform a periodic technical and nontechnical evaluation, based initially upon the HIPAA security standards and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the county’s security policies and procedures meet the requirements of the HIPAA security standards;
(d) Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users only;
(e) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information;
(f) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network; and
(g) Establish, with the approval of the county executive, and publish the sanctions for employees who fail to comply with the county’s HIPAA security policies and procedures. Sanctions will be appropriate to the nature of the violation and will not apply to whistleblower activities, nor to complaints or investigations. (Added by Ord. 03-035, Apr. 9, 2003, Eff date Apr. 21, 2003).