Additionally, the security official shall ensure accomplishment of the following responsibilities:

• Establish, implement and amend policies and procedures with respect to ePHI that are designed to ensure compliance with federal and state laws, the HIPAA Security Rule and DHA requirements.

• Maintain current knowledge of applicable federal and state security laws.

• Monitor and, where feasible, adopt industry best practices of ePHI technologies and management.

• Serve as a liaison to the Director, TROs and DHA Officials as defined above.

• Cooperate with DHA, HHS, OCR, other legal authorities, and organizational personnel in any compliance reviews or investigations.

• Perform security risk assessments annually and conduct related ongoing compliance monitoring activities as applicable.

• Establish a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions. Case files of documentation associated with a complaint shall be retained in accordance with Chapter 9.

• Coordinate with the contractor’s Privacy Official to review complaints involving security issues and include such complaints as specified in the Monthly Complaint Report. Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.

• Establish a process to identify, respond to, document and report suspected or known cybersecurity incidents and their outcomes in accordance with applicable DoD cybersecurity requirements under its contract.

• Ensure that a written or electronic copy of all policies and procedures, and all documentation of actions, activities or assessments that required documentation is maintained according to the Record Management Schedule in accordance with Chapter 9.

• Oversee, direct, and ensure delivery of security training and orientation in accordance with Chapter 1, Section 5, paragraph 8.0.

• Initiate, facilitate, and promote activities to foster information security awareness within the organization and related entities.

• In coordination with key personnel, develop, implement, test, and revise the following plans and others as required to ensure data integrity, confidentiality, and availability, as required by the HIPAA Security Rule:

  • Contingency plans, disaster recovery plans, emergency mode operation plans, backup plans, physical security plans, and contingency operations plans. These plans shall be developed in conjunction with any continuity of operations plan for Information Technology (IT) systems and data required by applicable DoD cybersecurity guidance.

• Collaborate with other departments and subcontractors to continue to ensure appropriate administrative, technical, and physical safeguards are in place to protect the confidentiality, integrity and availability of ePHI.

• Ensure consistent action is taken for failure to comply with security policies for employees in the workforce in accordance with the contractor’s policies and procedures.