Security

Purpose
To establish the administrative, physical, and technical safeguards that protect PHI and other confidential information in compliance with the HIPAA Security Rule, HHSC/CLASS Waiver standards, TMHP policies, and relevant state and federal law.

2.1 Administrative Safeguards

  1. Security Management Process

    • Risk Analysis: Conduct regular risk analyses (annually, at minimum) to identify threats/vulnerabilities.

    • Risk Management: Implement controls to mitigate identified risks.

  2. Workforce Security

    • Authorization & Supervision: Clearly define who has authorized access to PHI and under what conditions (align with the DUA’s “Authorized Users” and “Authorized Purposes”).

    • Termination Procedures: Remove access promptly upon workforce separation or change in role.

  3. Training

    • Annual Security Training: All workforce members must receive HIPAA security training annually and whenever policy or system changes occur.

    • Documentation: Keep records of training dates, attendees, and materials.

  4. Incident Response & Reporting

    • Define the process for reporting suspected or confirmed security incidents, including immediate notification to HHSC if Texas HHS Confidential Information is involved.

    • Outline escalation procedures and documentation requirements.

2.2 Physical Safeguards

  1. Facility Access Controls

    • Limit physical access to servers, file cabinets, or any location storing PHI.

    • Implement visitor sign-in logs, ID badges, locked doors, alarm systems, etc.

  2. Workstation Use & Security

    • Position screens away from public view.

    • Require time-out/screensaver lock after inactivity.

  3. Device & Media Controls

    • Inventory hardware and electronic media that store PHI.

    • Implement secure disposal of paper records and electronic media containing PHI (e.g., shredding, wiping, degaussing).

2.3 Technical Safeguards

  1. Access Control

    • Unique User IDs: Assign each user a unique login so that system activity can be attributed to an individual.

    • Role-Based Access: Grant system access based on job function (“minimum necessary”).

    • Automatic Logoff: Configure system timeouts.

    • Encryption: Encrypt data at rest and in transit where feasible (especially any transmissions via external networks, including those with TMHP).

  2. Audit Controls

    • Maintain system activity logs for login attempts, file access, and similar events.

    • Review audit logs periodically to detect anomalies and risks.

  3. Integrity Controls

    • Use anti-malware, antivirus, and routine system scans to maintain data integrity.

  4. Transmission Security

    • Use secure channels (VPN, TLS, SFTP) when transmitting PHI.

    • Maintain policies that prevent unencrypted PHI from being emailed externally without proper safeguards.

2.4 Contingency Planning

  • Data Backup & Disaster Recovery: Describe procedures for regular data backups and restoration testing.

  • Emergency Mode Operation: Ensure continuity of essential operations in the event of a disaster or outage.

2.5 Sanctions & Enforcement

  • Appropriate Disciplinary Measures: Noncompliance leads to sanctions, documented in workforce HR policies.

  • Monitoring & Audit: Ongoing monitoring ensures compliance with the DUA, CLASS Waiver, TMHP rules, and HIPAA Security Rule.

2.6 Policy Updates

  • Annual Review: Conduct at least once per year or when significant system or regulatory changes occur.

  • 60-Day Requirement: Update this policy within 60 days when new HHSC/CLASS or DUA security requirements are identified.
