Certification Rules Committee weighs member comments

Feb. 14, 2014

The comment period for the 2014 NAID Certification Application opened Jan. 2 and closed Feb. 1. The following suggestions and changes will be reviewed:

  • 2014 changes discussed during the comment period pertained to HIPAA risk assessment:
    • NAID Certification Auditor Reports made available to members upon request
    • Report any data breaches directly to NAID:
      • Should a certified company experience a security data breach incident that requires it to notify its customer(s) under applicable state and/or federal laws, the company must also notify NAID. This will allow NAID to ensure that any non-compliance issues with the certification criteria and/or NAID Code of Ethics are corrected in a timely manner.
    • Security data breach incident response plan:
      • The company has a written response plan in place for handling data security breach incidents. This plan must include a post-incident business impact analysis and a process for documenting all incidents and their outcomes, in accordance with HIPAA Security Rule 164.308(a)(6)(ii).
    • Access Employee Training Program:
      • Access employees must be trained to comply with the NAID AAA Certification requirements. Training must meet the requirements of HIPAA Security Rule 164.308(a)(d)(i).
    • Acquisition and relocation audits:
      • Require companies that have undergone a change in ownership or a relocation of plant-based operations to submit to an audit within six months of the change.
    • Notify NAID of CCTV system outages or loss of data:
      • If there is a problem with the CCTV system that results in loss of data, certified companies must notify NAID within 48 hours. This allows NAID to provide guidance and verify that the system is brought back into compliance in a reasonable amount of time. It also benefits the certified company by ensuring that if an audit does occur during the CCTV downtime, it will not count against the company, provided NAID was notified within the required timeframe and the company has corrected the issue.

NAID is currently in the process of presenting the comments to the appropriate committees. At the moment, there is not an exact timeline for completion, but NAID committees will approve and implement the changes shortly.