Additionally, the security official shall ensure accomplishment of the following responsibilities:

• Establish, implement and amend policies and procedures with respect to ePHI that are designed to ensure compliance with federal and state laws, the HIPAA Security Rule and DHA requirements.

• Maintain current knowledge of applicable federal and state security laws.

• Monitor and, where feasible, adopt industry best practices of ePHI technologies and management.

• Serve as a liaison to the Director, TROs and DHA Officials as defined above.

• Cooperate with DHA, HHS, OCR, other legal authorities, and organizational personnel in any compliance reviews or investigations.

• Perform security risk assessments annually and conduct related ongoing compliance monitoring activities as applicable.

• Establish a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions. Case files of documentation associated with a complaint shall be retained in accordance with Chapter 9.

• Coordinate with the contractor’s Privacy Official to review complaints involving security issues and include such complaints as specified in the Monthly Complaint Report. Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.

• Establish a process to identify, respond to, document and report suspected or known cybersecurity incidents and their outcomes in accordance with applicable DoD cybersecurity requirements under its contract.

• Ensure that a written or electronic copy of all policies and procedures, and all documentation of actions, activities or assessments that required documentation is maintained according to the Record Management Schedule in accordance with Chapter 9.

• Oversee, direct, and ensure delivery of security training and orientation in accordance with Chapter 1, Section 5, paragraph 8.0.

• Initiate, facilitate, and promote activities to foster information security awareness within the organization and related entities.

• In coordination with key personnel, develop, implement, test, and revise the following plans and others as required to ensure data integrity, confidentiality, and availability, as required by the HIPAA Security Rule:

  • Contingency plans, disaster recovery plans, emergency mode operation plans, backup plans, physical security plans, and contingency operations plans. These plans shall be developed in conjunction with any continuity of operations plan for Information Technology (IT) systems and data required by applicable DoD cybersecurity guidance.

• Collaborate with other departments and subcontractors to continue to ensure appropriate administrative, technical, and physical safeguards are in place to protect the confidentiality, integrity and availability of ePHI.

• Ensure consistent action is taken for failure to comply with security policies for employees in the workforce in accordance with the contractor’s policies and procedures.