Additionally, the security official shall ensure accomplishment of the following responsibilities:

• Establish, implement and amend policies and procedures with respect to ePHI that are designed to ensure compliance with federal and state laws, the HIPAA Security Rule and DHA requirements.

• Maintain current knowledge of applicable federal and state security laws.

• Monitor and, where feasible, adopt industry best practices of ePHI technologies and management.

• Serve as a liaison to the Director, TROs and DHA Officials as defined above.

• Cooperate with DHA, HHS, OCR, other legal authorities, and organizational personnel in any compliance reviews or investigations.

• Perform security risk assessments annually and conduct related ongoing compliance monitoring activities as applicable.

• Establish a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions. Case files of documentation associated with a complaint shall be retained in accordance with Chapter 9.

• Coordinate with the contractor’s Privacy Official to review complaints involving security issues and include such complaints as specified in the Monthly Complaint Report. Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.

• Establish a process to identify, respond to, document and report suspected or known cybersecurity incidents and their outcomes in accordance with applicable DoD cybersecurity requirements under its contract.

• Ensure that a written or electronic copy of all policies and procedures, and all documentation of actions, activities or assessments that required documentation is maintained according to the Record Management Schedule in accordance with Chapter 9.

• Oversee, direct, and ensure delivery of security training and orientation in accordance with Chapter 1, Section 5, paragraph 8.0.

• Initiate, facilitate, and promote activities to foster information security awareness within the organization and related entities.

• In coordination with key personnel, develop, implement, test, and revise the following plans and others as required to ensure data integrity, confidentiality, and availability, as required by the HIPAA Security Rule:

  • Contingency plans, disaster recovery plans, emergency mode operation plans, backup plans, physical security plans, and contingency operations plans. These plans shall be developed in conjunction with any continuity of operations plan for Information Technology (IT) systems and data required by applicable DoD cybersecurity guidance.

• Collaborate with other departments and subcontractors to continue to ensure appropriate administrative, technical, and physical safeguards are in place to protect the confidentiality, integrity and availability of ePHI.

• Ensure consistent action is taken for failure to comply with security policies for employees in the workforce in accordance with the contractor’s policies and procedures.