Differences
This shows you the differences between two versions of the page.
| | technical_safeguards [2016/06/15 18:53] jillian_nadette_de_leon | | technical_safeguards [2016/07/04 16:00] (current) jillian_nadette_de_leon |
|---|---|---|---|
| Line 10: | Line 10: | ||
| (C) Access establishment and modification (addressable). Based upon the access authorization policy of the data controller and/or data processor, policies and procedures on the establishment, documentation, review and modification of a user's rights to access a workstation, transaction, program or process shall be implemented.\\ | (C) Access establishment and modification (addressable). Based upon the access authorization policy of the data controller and/or data processor, policies and procedures on the establishment, documentation, review and modification of a user's rights to access a workstation, transaction, program or process shall be implemented.\\ | ||
| - | II. Unique user identification (required). A process for unique user identification shall be made within a policy and procedure of the health facility.\\ | + | II. User identification (required). A process for unique user identification shall be made within a policy and procedure of the health facility.\\ |
| 1. Implement specifications: \\ | 1. Implement specifications: \\ | ||
| - | (A) There shall be a unique user name and/or number for identifying user identity throughout all levels of the organization.\\ | + | (A) There shall be a user name and/or number for identifying user identity throughout all levels of the organization.\\ |
| (B) User identity shall not be shared, delegated or assigned to a group or individual.\\ | (B) User identity shall not be shared, delegated or assigned to a group or individual.\\ | ||
| - | (C) Unique user identity that was previously used shall not be reused for new and/or existing users.\\ | + | (C) User identity that was previously used shall not be reused for new and/or existing users.\\ |
| III. Emergency Access Procedure (Required). Procedures for obtaining necessary electronic health information during an emergency.\\ | III. Emergency Access Procedure (Required). Procedures for obtaining necessary electronic health information during an emergency.\\ | ||
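
Review bot: Removing "Unique" from the heading of item II and from (A) and (C) leaves the rule inconsistent and weaker than the previous revision. The body of II still calls for "a process for unique user identification", but (A) now only requires "a user name and/or number", so no specification states that two users cannot hold the same identifier. The audit item in the Line 37 hunk records the "unique user identified", which depends on that property. Suggest restoring "unique" in (A) at least, or stating the uniqueness requirement once in II and making the heading match it.
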
| Line 37: | Line 37: | ||
| I. Recording of information (required). Recorded information must include, but is not limited to, unique user identified, date and time of use/access, location (if applicable).\\ | I. Recording of information (required). Recorded information must include, but is not limited to, unique user identified, date and time of use/access, location (if applicable).\\ | ||
| II. Audit Data Life Span (addressable). A policy shall be made by health facilities to specify the length of time the data must be stored and how it will be destroyed.\\ | II. Audit Data Life Span (addressable). A policy shall be made by health facilities to specify the length of time the data must be stored and how it will be destroyed.\\ | ||
| - | III. Access to Audit Data (addressable). The Medical Records Officer alongside with the Privacy Officer and/or Health Information Security Committee shall be authorized to audit data. | + | III. Access to Audit Data (addressable). The Medical Records Officer alongside with the Privacy Officer shall be authorized to audit the shared health record. |
| **C. Integrity Controls**\\ | **C. Integrity Controls**\\ | ||
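
Review bot: In item III the new sentence authorizes auditing "the shared health record", which does not match the heading "Access to Audit Data" or items I and II, which concern the recorded audit information. After this change nothing states who may access the audit data itself. The Health Information Security Committee is also dropped from the authorized parties with no replacement named. Suggest keeping a sentence on who may read the audit data, placing the shared health record authorization in its own item if it is needed, and changing "alongside with" to "together with".
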
| Line 49: | Line 49: | ||
| (F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted. \\ | (F) Transmission encryption (required). Data transmission via wireless networks or the internet shall always be encrypted. \\ | ||
| (G) Proper Handling of Mechanical Components. Training on the proper use and handling of CPUs, Servers, flash drives, external hard drives shall be given to the user of electronic systems. (addressable)\\ | (G) Proper Handling of Mechanical Components. Training on the proper use and handling of CPUs, Servers, flash drives, external hard drives shall be given to the user of electronic systems. (addressable)\\ | ||
| - | (H) Back-up components such as servers, flashdrives, external hard drives shall be stored away from possible electromagnetic interference. (addressable)\\ | + | (H) Back-up components such as servers, flash drives, external hard drives shall be stored away from possible electromagnetic interference. (addressable)\\ |
| (I) Offline modes and Caching. Electronic systems shall have online and offline modes. (addressable)\\ | (I) Offline modes and Caching. Electronic systems shall have online and offline modes. (addressable)\\ | ||
| (J) Interface Integration of Information Systems. Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility. (addressable)\\ | (J) Interface Integration of Information Systems. Data transmission from electronic medical records shall follow a standard for integration and interfacing to facilitate interoperability and data compatibility. (addressable)\\ | ||
| Line 61: | Line 61: | ||
| **F. Storage Security**\\ | **F. Storage Security**\\ | ||
| Implementation Specifications:\\ | Implementation Specifications:\\ | ||
| - | (A) Data stored in portable data storage devices (e.g. USB drive, portable hard drives, etc.) must be encrypted. | + | (A) Data stored in portable data storage devices (e.g. Flash drive, portable hard drives, etc.) must be encrypted. |
| (B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted. | (B) Data stored in cloud storage services (e.g. Dropbox, OneDrive, Google Drive, etc.) must be encrypted. | ||
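
Review bot: In (A) under F. Storage Security, "Flash drive" is capitalized mid-sentence, while the Line 49 hunk of this same revision writes "flash drives" in lowercase in (G) and (H); use "flash drive" here for consistency. Neither (A) nor (B) carries the (required) or (addressable) label that the specifications in the other hunks have, and both lack the trailing \\ line break, so the two items will run together when rendered. Suggest adding the label and the line break to both.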