Information Security Policy

Madison County HIPAA Information Security Policy V2.5

Original Version Adopted: May 10, 2005 by Madison County Board of Supervisors
Version 1.2 Adopted: July 30, 2009 by Government Operations Committee
Version 2.4 Adopted: October 31, 2013 by Government Operations Committee
Version 2.5 Adopted: March 27, 2014 by Government Operations Committee

Contents

Purpose
Scope
Amending the Madison County HIPAA Information Security Policy
Violating the Madison County Information Security Policy
Part 1 - Management
County Staff Responsibilities
Procedure:
Information Systems
Procedure:
Centralized Responsibility for HIPAA/HITECH Information Security
Responsibilities:
Information Security Incident Response
Annual Information Systems Planning Process Required
Risk Analysis, Assessment and Management
User Responsibilities:
Procedure:
Security Awareness Training and Awareness
Procedure:
Contingency Planning
Procedure:
Acceptable and Unacceptable Use Definitions
Acceptable Use
Disclosure of Information System Vulnerabilities
Procedure:
Reporting Security Incidents
Procedure:
Part 2 Technical
The County’s Information Systems Connections
Procedure:
System Privileges/Access
Procedure:
County ITS User Login Process
Procedure:
County User Computer Lockdown/Logoff Process
Procedure:
Password Protection and Network Security
Procedure:
Information Systems Backup
Procedure:
System Logs Enabled
Malicious Code
Procedure:
Device Security
Procedure:
Encryption
Procedure:
Transfer of Computer Equipment and Media
Procedure:
Electronic Storage Media Disposal
Procedure:
Physical Security for IT Equipment
Procedure:
Copy Machines and Other Equipment Having Data Storage Capability
Procedure:
Breach Definitions
Breach Notification Procedures
Appendix A: Glossary
Appendix B: County Staff Responsibility

Purpose

Access to Madison County's (“the County”) information systems has been provided to only authorized County entities, employees, consultants, contractors, interns, volunteers and temporary workers (“Users”) for the benefit of providing service by the County to residents of the County.

All County Users have the responsibility to comply with County policies and procedures to help protect and maintain the County’s information assets against accidental or intentional disclosure or compromise. All County Users have the responsibility to maintain and protect the County’s public image and to use the County’s information systems in a productive and appropriate manner while performing official County business.

It is important to also note the following:

1. “County Entities”, for the purposes of this policy, shall include all County departments, offices, etc.
2. County Users, for the purposes of this Policy, shall refer only to those users that have been approved to have access to electronic Protected Health Information (ePHI).
3. All references to ePHI and other
