Chapter 5: Security Management and Termination Procedures

Index

Section I: Pertinent sections of HIPAA proposed security regulations relating to Security Management and Termination Procedures
Section II: Security Management Process
Section III: Termination Procedures
Section IV: Web Sites of Interest


Section I: HIPAA Proposed Security Regulations relating to security management and termination procedures

HIPAA Draft Regulation References: §142.308(a)(9) (Administrative Procedures)

Section II: Security Management Process

Security Management Process
A process for security management would be required. This involves creating, administering, and overseeing policies to ensure the prevention, detection, containment, and correction of security breaches. The regulation requires the organization to have a formal security management process in place to address the full range of security issues.

Requirement
  • Risk analysis.
  • Risk management.
  • A sanction policy.
  • A security policy.
Implementation
  • Risk analysis, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place. Serious consideration should be given to whether risk-analysis findings are recorded in normal minutes or under attorney-client privilege.
  • Risk management, a process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
  • Sanction policies and procedures (statements regarding disciplinary actions that are communicated to all employees, physicians, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties). They must include employee, physician, agent, and contractor notice of civil or criminal penalties for misuse or misappropriation of health information and must make employees, physicians, agents, and contractors aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.
  • Security policy, a statement(s) of information values, protection responsibilities, and organization commitment. The framework within which an entity establishes needed levels of information security to achieve the desired confidentiality goals.
Policies/Procedures:
  • Creation, administration, and oversight of the prevention, detection, containment, and correction of security breaches, involving risk analysis and risk management.
  • Establishment of:
    • accountability
    • management controls (policies and education)
    • electronic controls
    • physical security
    • penalties for the abuse and misuse of assets (both physical and electronic)



Section III: Termination Procedures

Termination Procedures
There would be a requirement to implement termination procedures, which are formal, documented instructions, including appropriate security measures, for the ending of an employee's employment or an internal/external user's access. These procedures are important to prevent the possibility of unauthorized access to secure data by those who are no longer authorized to access the data.

Requirement

  • Changing combination locks.
  • Removal from access lists.
  • Removal of user account(s).
  • Turn-in of keys, tokens, or cards that allow access.
Implementation
Same as Requirement.

Policies/Procedures

  • Formal documented instructions, which include appropriate security measures, for the ending of an employee's employment or an internal/external user's access.
  • Documented procedure for changing combinations of locking mechanisms, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system.
  • Physical eradication of access privileges.
  • Documented procedure for termination or deletion of an individual's access privileges to the information, services, and resources for which they currently have clearance, authorization, and need-to-know, once that clearance, authorization, and need-to-know no longer exist. Transfers, either job-to-job or department-to-department, should be treated in a similar manner.
  • Formal, documented procedure to ensure all physical items that allow a terminated employee to access a property, building, or equipment are retrieved from that employee, preferably before termination.
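As an added example (not part of this guide or the regulation), the following check is one way a practitioner could verify that the termination and transfer procedure above was actually carried out: it reconciles a constructed HR roster against the accounts and per-department access lists that still exist and reports every entry the procedure says should have been removed. All names, departments, and account identifiers below are made up.

```python
"""Deprovisioning reconciliation for the termination/transfer procedure.

Finds (1) accounts belonging to terminated people, (2) accounts with no HR
record at all, (3) stale access-list entries, and (4) transferred people who
kept access to their old department's resources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str       # "active" | "terminated" | "transferred"
    department: str   # the person's current department per HR


# Constructed sample data (hypothetical, not from the page).
HR_ROSTER = [
    Person("asmith", "active", "billing"),
    Person("bjones", "terminated", "billing"),
    Person("cdoe", "transferred", "pharmacy"),   # moved from records to pharmacy
    Person("dlee", "active", "records"),
]
ACTIVE_ACCOUNTS = {"asmith", "bjones", "cdoe", "dlee", "svc_old_contractor"}
ACCESS_LISTS = {
    "billing": {"asmith", "bjones"},
    "records": {"cdoe", "dlee"},
    "pharmacy": {"cdoe"},
}


def reconcile(roster, accounts, access_lists):
    """Return (user_id, finding) pairs; an empty list means nothing is overdue."""
    known = {p.user_id: p for p in roster}
    findings = []
    # Step 1: "Removal of user account(s)" -- no account may outlive its owner's role.
    for uid in sorted(accounts):
        person = known.get(uid)
        if person is None:
            findings.append((uid, "account has no HR record; remove or justify"))
        elif person.status == "terminated":
            findings.append((uid, "terminated user still has an account; remove"))
    # Step 2: "Removal from access lists" -- covers terminations and transfers alike.
    for dept, members in sorted(access_lists.items()):
        for uid in sorted(members):
            person = known.get(uid)
            if person is None or person.status == "terminated":
                findings.append((uid, f"stale entry on {dept} access list; remove"))
            elif person.department != dept:
                findings.append((uid, f"transferred to {person.department} but still on {dept} list; remove"))
    return findings
```

Run against real exports, the same logic gives a repeatable evidence trail that each termination or transfer was closed out, not just documented.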



Section IV: Web Sites of Interest

http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf - Dept. of Health and Human Services – Security and Electronic Signature Standards – Proposed Rule

http://www.misti.com/ - MIS Training Institute

http://www.nitc.state.ne.us/standards/index.html - Nebraska Information Technology Commission

http://www.nchica.org - North Carolina Healthcare Information and Communications Alliance

http://www.its.uiowa.edu/cio/policy/ - The University of Iowa CIO Office

http://www.wedi.org/public/articles/HIPAA_Glossary.pdf - WEDI HIPAA Glossary

http://www.hipaadvisory.com - HIPAA Advisory from Phoenix Health Systems

http://nahhsnet.org/hipaa.htm - Nebraska Hospital Association

http://www.cpri-host.org/toolkit/toc.html - Computer-based Patient Record Institute
