Additionally, the security official shall ensure accomplishment of the following responsibilities:

• Establish, implement and amend policies and procedures with respect to ePHI that are designed to ensure compliance with federal and state laws, the HIPAA Security Rule and DHA requirements.

• Maintain current knowledge of applicable federal and state security laws.

• Monitor and, where feasible, adopt industry best practices of ePHI technologies and management.

• Serve as a liaison to the Director, TROs and DHA Officials as defined above.

• Cooperate with DHA, HHS, OCR, other legal authorities, and organizational personnel in any compliance reviews or investigations.

• Perform security risk assessments annually and conduct related ongoing compliance monitoring activities as applicable.

• Establish a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions. Case files of documentation associated with a complaint shall be retained in accordance with Chapter 9.

• Coordinate with the contractor’s Privacy Official to review complaints involving security issues and include such complaints as specified in the Monthly Complaint Report. Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.

• Establish a process to identify, respond to, document and report suspected or known cybersecurity incidents and their outcomes in accordance with applicable DoD cybersecurity requirements under its contract.

• Ensure that a written or electronic copy of all policies and procedures, and all documentation of actions, activities or assessments that required documentation is maintained according to the Record Management Schedule in accordance with Chapter 9.

• Oversee, direct, and ensure delivery of security training and orientation in accordance with Chapter 1, Section 5, paragraph 8.0.

• Initiate, facilitate, and promote activities to foster information security awareness within the organization and related entities.

• In coordination with key personnel, develop, implement, test, and revise the following plans and others as required to ensure data integrity, confidentiality, and availability, as required by the HIPAA Security Rule:

  • Contingency plans, disaster recovery plans, emergency mode operation plans, backup plans, physical security plans, and contingency operations plans. These plans shall be developed in conjunction with any continuity of operations plan for Information Technology (IT) systems and data required by applicable DoD cybersecurity guidance.

• Collaborate with other departments and subcontractors to continue to ensure appropriate administrative, technical, and physical safeguards are in place to protect the confidentiality, integrity and availability of ePHI.

• Ensure consistent action is taken for failure to comply with security policies for employees in the workforce in accordance with the contractor’s policies and procedures.