
DHHS Directive Number III-48

Title:

Delegation of Authority to the Chief Information Security Officer and Privacy and Security Office

Effective Date:

August 21, 2012

Revision History

August 21, 2012; October 5, 2010

Authority:

G.S. 143B-10

Purpose:

To delegate, clarify and specifically confirm certain authorities of the Secretary of the Department of Health and Human Services (DHHS) to the Privacy and Security Office (PSO). These authorities are delegated under the supervision of the Chief Information Security Officer (CISO), and shall be reported to the Secretary’s Office through the Assistant Secretary for Finance and Business Operations for the department.

The DHHS Privacy and Security Office supports the mission of the Department of Health and Human Services by providing the department and departmental divisions/offices with privacy, security, business continuity, and Health Insurance Portability and Accountability Act (HIPAA) oversight; security consulting, monitoring and testing services; privacy, security, business continuity and HIPAA policy and planning services.

Privacy oversight services shall include, but not be limited to, assistance in: (1) privacy compliance monitoring; (2) short and long term privacy goal planning; (3) assistance in privacy incident and complaint resolution.

Security oversight services shall include, but not be limited to, assistance in: (1) security compliance monitoring; (2) short and long term security goal planning; (3) system-wide security and protection against both deliberate and accidental intrusions and disasters; (4) project review and approval for privacy, security, and Business Continuity Planning (BCP) requirements; (5) risk management implementation and coordination.

Security consulting, monitoring, incident response and testing services shall include, but not be limited to, assistance in: (1) application, network/system, administrative, physical and software security planning; (2) telecommunications and network security design; (3) network security monitoring; (4) application and system security testing and validation; (5) forensic analysis, investigation and incident response assistance.

Business continuity oversight services shall include, but not be limited to, assistance in: (1) BCP and Continuity of Operations Planning (COOP) compliance monitoring; (2) short and long term BCP and COOP goal planning; (3) technical assistance and consultation in all areas related to BCP, disaster recovery and COOP of the department and departmental divisions/offices; (4) development and review of BCP, disaster recovery and COOP plans; (5) coordination and delegation of BCP, COOP and disaster recovery efforts.

HIPAA oversight services shall include, but not be limited to, assistance in: (1) HIPAA compliance monitoring; (2) short and long term HIPAA goal planning; (3) technical assistance and consultation in all areas related to HIPAA Privacy and Security, Transaction Code Identifier, and National Provider Identifier (NPI); (4) coordination of HIPAA activities with federal, state and local third-party agencies; (5) serving as a liaison for HIPAA outreach.

Privacy, security, business continuity and HIPAA policy and planning services shall include, but not be limited to, assistance in: (1) privacy, security, business continuity and HIPAA policies, standards, procedures, and guidelines research, analysis, and development; (2) coordination of internal and external privacy, security, business continuity and HIPAA policy review; (3) privacy, security, business continuity and HIPAA policy compliance monitoring; (4) Statewide privacy, security, business continuity and HIPAA policy guidance; (5) privacy, security, business continuity and HIPAA policies, standards, procedures deviation approval.

DHHS Chief Information Security Officer

DHHS shall designate a Chief Information Security Officer who will assume the management and leadership role in the administration of the DHHS Privacy and Security Office. The CISO shall serve as both the Security Official and Privacy Official for the department.

For the purpose of creating a transparent and collaborative departmental privacy and security effort, all division/office Privacy and Security Officials, Business Continuity and HIPAA Coordinators shall have a “dotted-line” reporting relationship to the Chief Information Security Officer.

Delegation of Authority

As provided in G.S. 143B-10(a), the Secretary of the Department of Health and Human Services delegates the following functions concerning departmental security management and administration to the DHHS Privacy and Security Office:

This delegation of authority shall not deprive the Secretary from performing, in lieu of the Chief Information Security Officer, any of the acts set forth above. This delegation of authority may be amended or withdrawn by the Secretary at any time and without notice. This delegation of authority shall not apply to any action that, by law, state policy, or Governor's Executive Order, may be executed only by the Secretary.

___________________________

Al Delia, Secretary

Department of Health and Human Services




  For questions or clarification on any of the information contained in these manuals, please contact the DHHS Office of the General Counsel.  

