Running Header: Project Preparation: Security Program Charter 1
Micah Geertson
CSOL 540
09/13/2019
Project Preparation:
Security Program Charter
Table of Contents
Security Program Charter: HIC, Inc. ... 2
Scope ... 2
Mission ... 2
Ownership ... 3
Policy Coverage ... 3
References ... 4
Security Program Charter: HIC, Inc.
Scope
The purpose of this document is to outline the Security Program Charter for HIC, Inc. in
order to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
so as to preserve the confidentiality, integrity, and availability of protected health information
(PHI). In accordance with the Office for Civil Rights (OCR), this security coverage will apply to
all electronic PHI transactions (OCR, 2013). As such, the scope of this HIC, Inc. security policy
will include procedures and rules governing the protection of PHI as outlined in 45 CFR Part
160, Part 162, and Part 164. These rules include: Unique Identifiers Rule (National Provider
Identifier), HIPAA Privacy Rule, Transactions and Code Sets Rule, HIPAA Security Rule, and
the Enforcement Rule (HIPAA Survival Guide, 2013).
Mission
Based on the aforementioned HIPAA requirements, it is up to HIC, Inc. to provide a
sound security policy to protect all forms of data related to each protected health information
record. This includes having plans for risk management should a data breach occur, backup and
recovery plans in case of system outages, and plans for interoperability with local and federal law
enforcement to share data related to criminal activity, as well as reporting all successful breaches to
the OCR. Plans for each of these will be created and modeled after the National Institute of
Standards and Technology's Special Publication 800-66 Revision 1 - An Introductory Resource
Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule.
Ownership
The overall governing policies should be researched, defined, and revised in partnership
among all HIC, Inc. executives at the Director level and above. Final approval will be made by HIC, Inc.'s
Chief Executive Officer (CEO) with the Chief Information Security Officer's (CISO)
endorsement. The post-approval phase will require the CISO to disseminate the policies among
junior executives for execution and implementation of the security policies. HIC, Inc. junior
executives will ensure employee compliance with the implemented policies, and it is the job of
the CISO to ensure that the implemented policies retain their integrity and continue to meet the
standards outlined by HIPAA.
Policy Coverage
As previously mentioned, junior executives will be responsible for ensuring that their
departments are complying with HIC, Inc. security policy. Enforcement will begin with Tier 1
management, who will ensure that their direct reports are aware of and following the security policy.
All inappropriate conduct in relation to this security policy will be reported, at minimum, to the
Director of that department and will result in suspension or termination depending upon the severity
of the misconduct. Should an exception to this policy be required, the request must present proper
justification and adhere to HIPAA federal regulations before it flows upward to receive Board
of Directors approval prior to being signed off as an exception.
References
A Brief Background on the HIPAA Rules and the HITECH Act. (n.d.). Retrieved from HIPAA
Rules: http://www.hipaasurvivalguide.com/hipaa-rules.php
NIST. (2008, October). National Institute of Standards and Technology's Special Publication
800-66 Revision 1 - An Introductory Resource Guide for Implementing the Health Insurance
Portability and Accountability Act (HIPAA) Security Rule. Retrieved from
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
Office for Civil Rights. (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved from
Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html